[PATCH] efi_loader: don't load shims MOK database from file

* [PATCH] efi_loader: don't load shims MOK database from file
@ 2021-10-06 12:32 Heinrich Schuchardt
  0 siblings, 0 replies; only message in thread
From: Heinrich Schuchardt @ 2021-10-06 12:32 UTC (permalink / raw)
  To: u-boot; +Cc: Alexander Graf, Ilias Apalodimas, Heinrich Schuchardt

When using a file to store UEFI variables we must make sure that secure
boot related variables are not loaded from this file. With commit
9ef82e29478c ("efi_loader: don't load signature database from file")
this has already been implemented for variables defined in the UEFI
specification. As most Linux distributions use Shim we should do the same
for Shim's MOK database.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
---
 lib/efi_loader/efi_var_file.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/efi_loader/efi_var_file.c b/lib/efi_loader/efi_var_file.c
index c7c6805ed0..76a2ff9e41 100644
--- a/lib/efi_loader/efi_var_file.c
+++ b/lib/efi_loader/efi_var_file.c
@@ -19,6 +19,13 @@
 
 #define PART_STR_LEN 10
 
+/* GUID used by Shim to store the MOK database */
+#define SHIM_LOCK_GUID \
+	EFI_GUID(0x605dab50, 0xe046, 0x4300, \
+		 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23)
+
+static const efi_guid_t shim_lock_guid = SHIM_LOCK_GUID;
+
 /**
  * efi_set_blk_dev_to_system_partition() - select EFI system partition
  *
@@ -175,6 +182,7 @@ efi_status_t efi_var_restore(struct efi_var_file *buf, bool safe)
 		if (!safe &&
 		    (efi_auth_var_get_type(var->name, &var->guid) !=
 		     EFI_AUTH_VAR_NONE ||
+		     !guidcmp(&var->guid, &shim_lock_guid) ||
 		     !(var->attr & EFI_VARIABLE_NON_VOLATILE)))
 			continue;
 		if (!var->length)
-- 
2.32.0


^ permalink raw reply related	[flat|nested] only message in thread