efi-boot-shim.git - (mirror of https://github.com/vyos/efi-boot-shim.git)

Age	Commit message (Collapse)	Author
2023-05-02	Optionally allow to keep shim protocol installed	Luca Boccassi
	If the ShimRetainProtocol variable is set, avoid uninstalling our protocol. For example, this allows sd-stub in a UKI to use the shim protocol to validate PE binaries, even if it is executed by a second stage, before the kernel is loaded. Ensure that the variable is volatile and for BootServices access. Also delete it on startup, so that we can be sure it was really set by a second stage. Example use case in sd-boot/sd-stub: https://github.com/systemd/systemd/pull/27358 Signed-off-by: Luca Boccassi <bluca@debian.org>
2021-11-03	Introduce a new MOK variable called MokListTrustedRT	Eric Snowberg
	Introduce a new MOK variable called MokListTrustedRT. It allows an end-user to decide if they want to trust MOKList keys within the soon to be booted Linux kernel. This variable does not change any functionality within shim itself. When Linux boots, if MokListTrustedRT is set and EFI_VARIABLE_NON_VOLATILE is not set, keys in MokListRT are loaded into the .machine keyring instead of the .platform keyring. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
2021-02-16	Rename check_{white,black}list to check_{allow,deny}list	Chris Coulson
	v2 - updated for conflicts and to include documentation (pjones)
2021-02-16	Fix a bunch of trivial trailing whitespace issues.	Peter Jones
	Signed-off-by: Peter Jones <pjones@redhat.com>
2017-08-03	Add MokListX to MokVars.txt	Peter Jones
	Signed-off-by: Peter Jones <pjones@redhat.com>
2013-10-02	Add support for disabling db for verification	Josh Boyer
	Provide a mechanism for a physically present end user to disable the use of db when doing signature verification. This is handled by the OS passing down a variable that contains a UINT32 and a SHA256 hash. If this variable is present, MokManager prompts the user to choose whether to enable or disable the use of db for verification purposes (depending on the value of the UINT32). They are then asked to type the passphrase that matches the hash. This then saves a boot services variable which is checked by shim, and if set will cause shim to not use db for verification purposes. If db is to be ignored, shim will export a runtime variable called 'MokIgnoreDB' for the OS to query at runtime. Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
2012-10-30	Add documentation of the Mok variables	Matthew Garrett
	Brief overview of the function and format of the various variables used by Shim and MokManager.