From 4b27ae034ba9885960e72f77b3f687a9b7fea824 Mon Sep 17 00:00:00 2001
From: Gary Lin
Date: Wed, 21 Nov 2018 12:47:43 +0800
Subject: [PATCH 2/3] mok: fix the mirroring of RT variables

When there is no key in MokList, import_mok_state() just skipped MokList even though it should always mirror the vendor cert. Besides, the faulty check of 'present' and 'addend' invalidates the mirroring of MokListXRT, MokSBStateRT, and MokIgnoreDB. https://github.com/rhboot/shim/issues/154
Signed-off-by: Gary Lin
---
 mok.c | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/mok.c b/mok.c
index 00dd1ad3034..41925abbb49 100644
--- a/mok.c
+++ b/mok.c
@@ -231,12 +231,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
 &v->data, &v->data_size, *v->guid, &attrs);
 if (efi_status == EFI_NOT_FOUND) {
- if (v->rtname && addend) {
- efi_status = mirror_one_mok_variable(v);
- if (EFI_ERROR(efi_status) &&
- ret != EFI_SECURITY_VIOLATION)
- ret = efi_status;
- }
+ if (addend)
+ goto mirror_addend;
 /*
 * after possibly adding, we can continue, no
 * further checks to be done.
@@ -316,7 +312,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
 }
 }
- if (v->rtname && present && addend) {
+mirror_addend:
+ if (v->rtname && (present || addend)) {
 if (v->flags & MOK_MIRROR_DELETE_FIRST)
 LibDeleteVariable(v->rtname, v->guid);
--
2.20.1
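Review bot: The `goto mirror_addend` added in the EFI_NOT_FOUND branch lands on a test that reads `present` (`if (v->rtname && (present || addend))` in the second hunk), and no line in either hunk assigns `present` before that jump. Its declaration and assignment are outside the hunks, so this is inferred: if `present` is only computed once the lookup has succeeded, the not-found path reads an indeterminate value and takes the right branch only because `addend` is true there. Initialising `present` to FALSE where it is declared, or writing the test as `(addend || present)` so the short-circuit never evaluates it on this path, removes that dependency. A comment at the label such as `/* also entered by goto when the variable does not exist; only addend is meaningful then */` would record the invariant for later edits.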
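Review bot: Widening the test to `(present || addend)` sends more variables through the `MOK_MIRROR_DELETE_FIRST` branch, where the status of `LibDeleteVariable(v->rtname, v->guid)` is discarded. If that delete fails for a reason other than the variable being absent, a pre-existing runtime variable of the same name stays in place, and whether the mirroring code that follows (outside the hunk) detects this cannot be seen here. The mirrored RT variables presumably feed later trust decisions, so consider keeping the result, `efi_status = LibDeleteVariable(v->rtname, v->guid);`, and treating anything other than EFI_SUCCESS or EFI_NOT_FOUND as an error that updates `ret`. The body of this `if` continues past the end of the hunk.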