summaryrefslogtreecommitdiff
path: root/include/test-data-efivars-1.h
AgeCommit message (Collapse)Author
2025-02-25Add shim's current NX_COMPAT status to HSIStatusPeter Jones
hughsie asked me to also make it observable at runtime whether the shim binary that was used to boot was set as NX_COMPAT or not. This adds that into the HSIStatus data as "shim-has-nx-compat-set". Signed-off-by: Peter Jones <pjones@redhat.com>
2025-02-24Add DXE Services information to HSIPeter Jones
This adds three more entries to our HSI data: has-dxe-services-table: technically only tells us if UEFI's LocateProtocol will give us a DXE services table, but practically also tells us if the machine is implementing DXE in any way. has-get-memory-space-descriptor: tells us if DXE->GetMemorySpaceDescriptor is populated has-set-memory-space-descriptor: tells us if DXE->SetMemorySpaceDescriptor is populated Signed-off-by: Peter Jones <pjones@redhat.com>
2025-02-24shim: add HSIStatus featurePeter Jones
hughsie asked me if I can make shim tell userland what kinds of accesses are allowed to the heap, stack, and allocations on the running platform, so that these could be reported up through fwupd's Host Security ID program (see https://fwupd.github.io/libfwupdplugin/hsi.html ). This adds a new config-only (i.e. not a UEFI variable) variable generated during boot, "/sys/firmware/efi/mok-variables/HSIStatus", which tells us those properties as well as if the EFI Memory Attribute Protocol is present. Signed-off-by: Peter Jones <pjones@redhat.com>
2022-05-04Allow MokListTrusted to be enabled by defaultEric Snowberg
Within previous versions of shim the MokListTrusted var did not exist. The user had to opt in to using the feature. Change the default behavior to an opt out model. Since old shims will not have the BS MokListTrusted set, use inverse logic that sets the MokListTrustedRT to 1 when the boot service variable is missing. Many Linux distros carry out of tree patches to trust the mok keys by default. These out of tree patches can be dropped when using a Linux kernel that supports MokListTrustedRT. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
2021-09-07tests: Add a unit test for mok mirroringPeter Jones
Test that our mok mirroring doesn't ever try to delete any variable that it has previously created, and that it properly mirrors at least MokList, MokListX, and SbatLevel, at least when variables actually work. These tests will fail (rather a lot) without 7f64fd6da9458b73c4. Currently valgrind shows a memory leak in this code which is not introduced in this patch series. Since all of our memory is freed on Exit() or when kernel does ExitBootServices(), this doesn't have any significant repercussions. Signed-off-by: Peter Jones <pjones@redhat.com>
generated by cgit v1.2.3 (git 2.39.1) at 2025-08-26 22:20:59 +0000