forked from rpms/shim-unsigned-aarch64
48 lines
1.8 KiB
Diff
48 lines
1.8 KiB
Diff
|
From 741c61abba7d5c74166f8d0c1b9ee8001ebcd186 Mon Sep 17 00:00:00 2001
|
||
|
From: Patrick Uiterwijk <patrick@puiterwijk.org>
|
||
|
Date: Thu, 6 Dec 2018 10:08:45 +0100
|
||
|
Subject: [PATCH] Make EFI variable copying fatal only on secureboot enabled
|
||
|
systems
|
||
|
|
||
|
I have come across systems that are unwilling to reserve enough memory for
|
||
|
a MokListRT big enough for big certificates.
|
||
|
This seems to be the case with firmware implementations that do not support
|
||
|
secureboot, which is probably the reason they went with much lower variable
|
||
|
storage.
|
||
|
|
||
|
This patch set makes sure we can still boot on those systems, by only
|
||
|
making the copy action fatal if the system has secure boot enabled, or if
|
||
|
the error was anything other than EFI_INVALID_PARAMETER.
|
||
|
|
||
|
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
|
||
|
---
|
||
|
shim.c | 12 +++++++++++-
|
||
|
1 file changed, 11 insertions(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/shim.c b/shim.c
|
||
|
index 7d25ad6fe70..aee4727fe67 100644
|
||
|
--- a/shim.c
|
||
|
+++ b/shim.c
|
||
|
@@ -2639,7 +2639,17 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
|
||
|
* boot-services-only state variables are what we think they are.
|
||
|
*/
|
||
|
efi_status = import_mok_state(image_handle);
|
||
|
- if (EFI_ERROR(efi_status)) {
|
||
|
+ if (!secure_mode() && efi_status == EFI_INVALID_PARAMETER) {
|
||
|
+ /*
|
||
|
+ * Make copy failures fatal only if secure_mode is enabled, or
|
||
|
+ * the error was anything else than EFI_INVALID_PARAMETER.
|
||
|
+ * There are non-secureboot firmware implementations that don't
|
||
|
+ * reserve enough EFI variable memory to fit the variable.
|
||
|
+ */
|
||
|
+ console_print(L"Importing MOK states has failed: %s: %r\n",
|
||
|
+ msgs[msg], efi_status);
|
||
|
+ console_print(L"Continuing boot since secure mode is disabled");
|
||
|
+ } else if (EFI_ERROR(efi_status)) {
|
||
|
die:
|
||
|
console_print(L"Something has gone seriously wrong: %s: %r\n",
|
||
|
msgs[msg], efi_status);
|
||
|
--
|
||
|
2.21.0
|
||
|
|