|
 |
f2fa6b |
From 8b48ec5c70cd97d37f48581a4eab8139c1a95a1f Mon Sep 17 00:00:00 2001
|
|
|
f2fa6b |
From: Matthew Garrett <matthew.garrett@nebula.com>
|
|
|
f2fa6b |
Date: Tue, 19 Nov 2013 10:15:55 -0500
|
|
|
f2fa6b |
Subject: [PATCH 11/19] Don't hook system services if shim has no built-in keys
|
|
|
f2fa6b |
|
|
|
f2fa6b |
Shim should only need to enforce its security policy when its launching
|
|
|
f2fa6b |
binaries signed with its built-in key. Binaries signed by keys in db or
|
|
|
f2fa6b |
Mokdb should be able to rely on their own security policy.
|
|
|
f2fa6b |
|
|
|
f2fa6b |
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
|
|
f2fa6b |
---
|
|
|
f2fa6b |
shim.c | 14 +++++++++-----
|
|
|
f2fa6b |
1 file changed, 9 insertions(+), 5 deletions(-)
|
|
|
f2fa6b |
|
|
|
f2fa6b |
diff --git a/shim.c b/shim.c
|
|
|
f2fa6b |
index 524f5fc..cf93d65 100644
|
|
|
f2fa6b |
--- a/shim.c
|
|
|
f2fa6b |
+++ b/shim.c
|
|
|
f2fa6b |
@@ -1757,11 +1757,15 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
|
|
|
f2fa6b |
Print(L"Booting in insecure mode\n");
|
|
|
f2fa6b |
uefi_call_wrapper(BS->Stall, 1, 2000000);
|
|
|
f2fa6b |
} else if (secure_mode()) {
|
|
|
f2fa6b |
- /*
|
|
|
f2fa6b |
- * Install our hooks for ExitBootServices() and StartImage()
|
|
|
f2fa6b |
- */
|
|
|
f2fa6b |
- hook_system_services(systab);
|
|
|
f2fa6b |
- loader_is_participating = 0;
|
|
|
f2fa6b |
+ if (vendor_cert_size || vendor_dbx_size) {
|
|
|
f2fa6b |
+ /*
|
|
|
f2fa6b |
+ * If shim includes its own certificates then ensure
|
|
|
f2fa6b |
+ * that anything it boots has performed some
|
|
|
f2fa6b |
+ * validation of the next image.
|
|
|
f2fa6b |
+ */
|
|
|
f2fa6b |
+ hook_system_services(systab);
|
|
|
f2fa6b |
+ loader_is_participating = 0;
|
|
|
f2fa6b |
+ }
|
|
|
f2fa6b |
}
|
|
|
f2fa6b |
|
|
|
f2fa6b |
/*
|
|
|
f2fa6b |
--
|
|
|
f2fa6b |
1.8.5.3
|
|
|
f2fa6b |
|