shim-unsigned-x64/0009-MokManager-Stop-using-EFI_VARIABLE_APPEND_WRITE.patch
Peter Jones 34668cd0d4 Pull in the RHEL CVE fixes.
Related: rhbz#1915194

Signed-off-by: Peter Jones <pjones@redhat.com>
2021-08-06 13:10:11 -05:00

44 lines
1.5 KiB
Diff

From 85c837d67fef9cd831a3126398ed8da1421f61c5 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Fri, 11 May 2018 16:59:03 +0800
Subject: [PATCH 09/62] MokManager: Stop using EFI_VARIABLE_APPEND_WRITE
When writing MokList with EFI_VARIABLE_APPEND_WRITE, some HP laptops
may just return EFI_SUCCESS without writing the content into the flash,
so we have no way to detect if MokList is updated or not. Now we always
read MokList first and write it back with the new content.
https://github.com/rhboot/shim/issues/105
Signed-off-by: Gary Lin <glin@suse.com>
Upstream-commit-id: f442c8424b4
---
MokManager.c | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/MokManager.c b/MokManager.c
index 0767e4a6cde..df9b6fe6912 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -880,14 +880,9 @@ static EFI_STATUS write_db(CHAR16 * db_name, void *MokNew, UINTN MokNewSize)
UINTN old_size;
UINTN new_size;
- efi_status = gRT->SetVariable(db_name, &SHIM_LOCK_GUID,
- EFI_VARIABLE_NON_VOLATILE |
- EFI_VARIABLE_BOOTSERVICE_ACCESS |
- EFI_VARIABLE_APPEND_WRITE,
- MokNewSize, MokNew);
- if (!EFI_ERROR(efi_status) || efi_status != EFI_INVALID_PARAMETER) {
- return efi_status;
- }
+ /* Do not use EFI_VARIABLE_APPEND_WRITE due to faulty firmwares.
+ * ref: https://github.com/rhboot/shim/issues/55
+ * https://github.com/rhboot/shim/issues/105 */
efi_status = get_variable_attr(db_name, (UINT8 **)&old_data, &old_size,
SHIM_LOCK_GUID, &attributes);
--
2.26.2