From ed8363efd22f9ad4e29a7848615a75e471396610 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin
Date: Tue, 16 Jun 2015 11:41:32 -0400
Subject: Copy the MOK blacklist to a RT variable
Signed-off-by: Gary Ching-Pang Lin
---
 shim.c | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
(limited to 'shim.c')
diff --git a/shim.c b/shim.c
index c0bf7d62..a2ca2a11 100644
--- a/shim.c
+++ b/shim.c
@@ -1764,6 +1764,33 @@ EFI_STATUS mirror_mok_list()
 return efi_status;
 }
+/*
+ * Copy the boot-services only MokListX variable to the runtime-accessible
+ * MokListXRT variable. It's not marked NV, so the OS can't modify it.
+ */
+EFI_STATUS mirror_mok_list_x()
+{
+ EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
+ EFI_STATUS efi_status;
+ UINT8 *Data = NULL;
+ UINTN DataSize = 0;
+
+ efi_status = get_variable(L"MokListX", &Data, &DataSize, shim_lock_guid);
+ if (efi_status != EFI_SUCCESS)
+ return efi_status;
+
+ efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokListXRT",
+ &shim_lock_guid,
+ EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_RUNTIME_ACCESS,
+ DataSize, Data);
+ if (efi_status != EFI_SUCCESS) {
+ console_error(L"Failed to set MokListRT", efi_status);
+ }
+
+ return efi_status;
+}
+
 /*
 * Check if a variable exists
@@ -2160,6 +2187,8 @@ EFI_STATUS efi_main (EFI_HANDLE passed_image_handle,
 */
 efi_status = mirror_mok_list();
+ efi_status = mirror_mok_list_x();
+
 /*
 * Create the runtime MokIgnoreDB variable so the kernel can
 * make use of it
-- cgit v1.2.3
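Review bot: The error message in the new mirror_mok_list_x() names the wrong variable: the call sets MokListXRT but reports `Failed to set MokListRT`, which sends whoever reads the console log to the wrong mirror; change it to `console_error(L"Failed to set MokListXRT", efi_status);`. The buffer returned through `Data` by get_variable() is never released after the SetVariable call; if get_variable() hands back pool memory, as the existing MokListRT path presumably does (its body is not visible in this hunk), a `FreePool(Data);` belongs before the final return on both the success and the error path. The early return on a missing MokListX deliberately leaves MokListXRT unset, which the OS will read as "no blacklist"; that is worth stating in the header comment, e.g. `/* No MokListX means no blacklist: MokListXRT is left unset. */`. The header comment's claim that the OS cannot modify the variable rests on the firmware's treatment of volatile variables at runtime rather than on anything shim enforces, so it reads better as an expectation than as a guarantee.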
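Review bot: The return value of the new mirror_mok_list_x() call is stored in efi_status and then, like the mirror_mok_list() result on the line above, not examined before the next comment block, so the assignment appears to be dead. The effect is fail-open: if mirroring fails, the kernel boots without MokListXRT and therefore without the blacklist, with only the console_error() inside the callee recording that anything went wrong. If that is the intended policy it deserves a comment at the call site, e.g. `/* Failure to mirror MokListX is non-fatal: the OS then sees no blacklist. */`, and otherwise the status should be checked here. efi_main continues outside the hunk, so whether efi_status is consulted later is not visible from this diff.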