Update to 0.7, include upstream patches, and support MOK blacklist OBS-URL: https://build.opensuse.org/request/show/209456 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=52
commit 11495d4019d44dce1487939f91f7d751ffbb9730
|
|
Author: Andrew Boie <andrew.p.boie@intel.com>
|
|
Date: Mon Apr 15 14:11:17 2013 -0700
|
|
|
|
fix verify_mok()
|
|
|
|
() Fix the return value semantics. If the MokList doesn't
|
|
exist, we are OK. If the MokList was compromised but we
|
|
were able to erase it, that is OK too. Only if the list
|
|
can't be nuked do we return an error.
|
|
|
|
() Fix use of potentially uninitialized attribute variable
|
|
|
|
() Actually use the return value when called from verify_buffer.
|
|
|
|
Change-Id: If16df21d79c52a1726928df96d133390cde4cb7e
|
|
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
|
|
|
|
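--- a/shim.c
+++ b/shim.c
@@ -670,13 +670,12 @@ static EFI_STATUS verify_mok (void) {
 status = get_variable_attr(L"MokList", &MokListData, &MokListDataSize,
 shim_lock_guid, &attributes);
 
-if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) {
+if (!EFI_ERROR(status) && attributes & EFI_VARIABLE_RUNTIME_ACCESS) {
 Print(L"MokList is compromised!\nErase all keys in MokList!\n");
 if (LibDeleteVariable(L"MokList", &shim_lock_guid) != EFI_SUCCESS) {
 Print(L"Failed to erase MokList\n");
+return EFI_ACCESS_DENIED;
 }
-status = EFI_ACCESS_DENIED;
-return status;
 }
 
 if (MokListData)
@@ -722,7 +721,9 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
 /*
 * Check that the MOK database hasn't been modified
 */
-verify_mok();
+status = verify_mok();
+if (status != EFI_SUCCESS)
+return status;
 
 /*
 * Ensure that the binary isn't blacklisted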
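Review bot: The new guard in the first hunk relies on `&` binding tighter than `&&`, which is correct but easy to misread in a check that decides whether a tampered MokList gets wiped; writing it as `if (!EFI_ERROR(status) && (attributes & EFI_VARIABLE_RUNTIME_ACCESS)) {` makes the intent explicit. The rest of verify_mok(), including its final return, lies outside the hunk, so it is not visible here whether a get_variable_attr() failure such as EFI_NOT_FOUND is mapped back to EFI_SUCCESS as the description promises; if `status` is returned unchanged, the new check added to verify_buffer() in the second hunk would reject every binary on a machine that has no MokList at all. The successful-erase path also deserves a comment, because `MokListData` still holds the tampered contents after LibDeleteVariable() succeeds and the function keeps going, e.g. `/* MokList erased; MokListData still holds the tampered copy, do not trust it */` before the `if (MokListData)` line.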