2 files changed, 72 insertions, 0 deletions

diff --git a/debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch b/debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch
new file mode 100644
index 00000000..61117d80
--- /dev/null
+++ b/debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch
@@ -0,0 +1,71 @@
+From 1681bd7282e606e961c0d1bfafcf807a32bc912d Mon Sep 17 00:00:00 2001
+From: Ivan Hu <ivan.hu@canonical.com>
+Date: Tue, 22 Nov 2016 06:26:01 +0800
+Subject: [PATCH] shim: fix the mirroring MokSBState fail
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1644806
+
+Some machines have already embedded MokSBStateRT varaible with
+EFI_VARIABLE_NON_VOLATILE attribute, and some users might disable shim
+vailidation manually by creating MokSBStateRT. It causes mirroring MokSBState
+fail because the variable cannot be set with different attribute again, and gets
+error massage every time when booting.
+
+Fix it with checking the MokSBStateRT existence and deleting it before
+mirroring it.
+
+Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
+Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
+---
+ shim.c | 34 ++++++++++++++++++++++++----------
+ 1 file changed, 24 insertions(+), 10 deletions(-)
+
+diff --git a/shim.c b/shim.c
+index c69961b..90ea784 100644
+--- a/shim.c
++++ b/shim.c
+@@ -2013,18 +2013,32 @@ EFI_STATUS mirror_mok_sb_state()
+ 	UINTN DataSize = 0;
+ 
+ 	efi_status = get_variable(L"MokSBState", &Data, &DataSize, shim_lock_guid);
+-	if (efi_status != EFI_SUCCESS)
+-		return efi_status;
++	if (efi_status == EFI_SUCCESS) {
++		UINT8 *Data_RT = NULL;
++		UINTN DataSize_RT = 0;
++
++		efi_status = get_variable(L"MokSBStateRT", &Data_RT,
++					  &DataSize_RT, shim_lock_guid);
++		if (efi_status == EFI_SUCCESS) {
++			efi_status = uefi_call_wrapper(RT->SetVariable, 5,
++						L"MokSBStateRT",
++						&shim_lock_guid,
++						EFI_VARIABLE_BOOTSERVICE_ACCESS
++						| EFI_VARIABLE_RUNTIME_ACCESS
++						| EFI_VARIABLE_NON_VOLATILE,
++						0, NULL);
++		}
+ 
+-	efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokSBStateRT",
+-				       &shim_lock_guid,
+-				       EFI_VARIABLE_BOOTSERVICE_ACCESS
+-				       | EFI_VARIABLE_RUNTIME_ACCESS,
+-				       DataSize, Data);
+-	if (efi_status != EFI_SUCCESS) {
+-		console_error(L"Failed to set MokSBStateRT", efi_status);
++		efi_status = uefi_call_wrapper(RT->SetVariable, 5,
++					       L"MokSBStateRT",
++					       &shim_lock_guid,
++					       EFI_VARIABLE_BOOTSERVICE_ACCESS
++					       | EFI_VARIABLE_RUNTIME_ACCESS,
++					       DataSize, Data);
++		if (efi_status != EFI_SUCCESS) {
++			console_error(L"Failed to set MokSBStateRT", efi_status);
++		}
+ 	}
+-
+ 	return efi_status;
+ }
+ 
+-- 
+2.7.4
+
diff --git a/debian/patches/series b/debian/patches/series
index a5f3392d..34c3f92b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 second-stage-path
 sbsigntool-not-pesign
+0001-shim-fix-the-mirroring-MokSBState-fail.patch