| Age | Commit message (Collapse) | Author |
|---|
|
If a callback returns any kind of failure, wait for a keypress in order to
give the user an opportunity to read any failure messages.
|
|
If we're configured to run untrusted code, print a message and skip the
validation checks.
|
|
If we're configured to run untrusted code, print a message and skip the
validation checks.
|
|
Provide a mechanism for a physically present end user to disable signature
verification. This is handled by the OS passing down a variable that
contains a UINT32 and a SHA256 hash. If this variable is present, MokManager
prompts the user to choose whether to enable or disable signature validation
(depending on the value of the UINT32). They are then asked to type the
passphrase that matches the hash. This then saves a boot services variable
which is checked by shim, and if set will skip verification of signatures.
|
|
Provide a mechanism for a physically present end user to disable signature
verification. This is handled by the OS passing down a variable that
contains a UINT32 and a SHA256 hash. If this variable is present, MokManager
prompts the user to choose whether to enable or disable signature validation
(depending on the value of the UINT32). They are then asked to type the
passphrase that matches the hash. This then saves a boot services variable
which is checked by shim, and if set will skip verification of signatures.
|
|
Provide a little more contextual information when people are in shim
menus.
|
|
Provide a little more contextual information when people are in shim
menus.
|
|
|
|
|
|
The size of the DevPath string array was not sufficient to append
the volume label. This patch extends the size for the label and
re-enables the menu freeing.
|
|
The size of the DevPath string array was not sufficient to append
the volume label. This patch extends the size for the label and
re-enables the menu freeing.
|
|
Some systems will show an error dialog if LoadImage() returned
EFI_ACCESS_DENIED, which then requires physical user interaction to skip.
Let's just remove the LoadImage/StartImage code, since the built-in code
is theoretically equivalent.
|
|
Some systems will show an error dialog if LoadImage() returned
EFI_ACCESS_DENIED, which then requires physical user interaction to skip.
Let's just remove the LoadImage/StartImage code, since the built-in code
is theoretically equivalent.
|
|
Using the same format as the UEFI key databases makes it easier for the
kernel to parse and extract keys from MOK, and also permits MOK to contain
multiple key or hash types. Additionally, add support for enrolling hashes.
|
|
Using the same format as the UEFI key databases makes it easier for the
kernel to parse and extract keys from MOK, and also permits MOK to contain
multiple key or hash types. Additionally, add support for enrolling hashes.
|
|
We want to be able to generate hashes, so split out the hash generation
function from the verification function
|
|
We want to be able to generate hashes, so split out the hash generation
function from the verification function
|
|
|
|
|
|
In theory vendors could blacklist binaries with SHA1, so make sure we
calculate and check that hash as well.
|
|
In theory vendors could blacklist binaries with SHA1, so make sure we
calculate and check that hash as well.
|
|
Add a basic header to the menu to make it clearer what's going on.
Define SHIM_VENDOR in order to override the default.
|
|
Add a basic header to the menu to make it clearer what's going on.
Define SHIM_VENDOR in order to override the default.
|
|
|
|
|
|
We should time out if there aren't any keypresses at the top level menu
within a reasonable timeframe.
|
|
We should time out if there aren't any keypresses at the top level menu
within a reasonable timeframe.
|
|
|
|
|
|
The newline character shouldn't be present in the menu item string
|
|
The newline character shouldn't be present in the menu item string
|
|
The size of MokNew was missing and it caused crash when enrolling new MOKs
with mokutil
|
|
The size of MokNew was missing and it caused crash when enrolling new MOKs
with mokutil
|
|
|
|
before LoadImage. Addresses an issue where Lenovo's SecureBoot
implementation pops an error message on any verification failure - avoid
calling LoadImage at all unless we have to.
|
|
|
|
|
|
|
|
|
|
The filesystem callback was failing to account for the additional menu
item to return to the filesystem list, and so the last file entry in the
root directory would be missing from the list.
|
|
The filesystem callback was failing to account for the additional menu
item to return to the filesystem list, and so the last file entry in the
root directory would be missing from the list.
|
|
We would always enrol a single key, deleting any existing keys in the
database. Fix that up.
|
|
We would always enrol a single key, deleting any existing keys in the
database. Fix that up.
|
|
If the user is manually installing keys from a filesystem then we don't need
to ask for the key password.
|
|
If the user is manually installing keys from a filesystem then we don't need
to ask for the key password.
|
|
Packing this lets us use MokListNode with the binary MokList representation.
|
|
Packing this lets us use MokListNode with the binary MokList representation.
|
|
This looks like it ought to work, but is currently failing. Leaking here
isn't a big deal, so just disable it until I figure out what's wrong.
|
|
This looks like it ought to work, but is currently failing. Leaking here
isn't a big deal, so just disable it until I figure out what's wrong.
|
|
Menucount wasn't being incremented for the final top level menu, so
the file explorer menu item wasn't appearing.
|
