From 9a2dd0a945720634b9f3608c3b3dfb99fafd4465 Mon Sep 17 00:00:00 2001

From: Patrick Uiterwijk <patrick@puiterwijk.org>

Date: Thu, 6 Dec 2018 10:08:45 +0100

Subject: [PATCH] Make EFI variable copying fatal only on secureboot enabled

 systems

I have come across systems that are unwilling to reserve enough memory for

a MokListRT big enough for big certificates.

This seems to be the case with firmware implementations that do not support

secureboot, which is probably the reason they went with much lower variable

storage.

This patch set makes sure we can still boot on those systems, by only

making the copy action fatal if the system has secure boot enabled, or if

the error was anything other than EFI_INVALID_PARAMETER.

Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>

---

 shim.c | 14 +++++++++++---

 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/shim.c b/shim.c

index fcc11eb3..89ef0036 100644

--- a/shim.c

+++ b/shim.c

@@ -2632,9 +2632,17 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)

 die:

 		console_print(L"Something has gone seriously wrong: %s: %r\n",

 			      msgs[msg], efi_status);

-		msleep(5000000);

-		gRT->ResetSystem(EfiResetShutdown, EFI_SECURITY_VIOLATION,

-				 0, NULL);

+		/*

+		 * Make copy failures fatal only if secure_mode is enabled, or

+		 * the error was anything else than EFI_INVALID_PARAMETER.

+		 * There are non-secureboot firmware implementations that don't

+		 * reserve enough EFI variable memory to fit the variable.

+		 */

+		if (secure_mode() || efi_status != EFI_INVALID_PARAMETER) {

+			msleep(5000000);

+			gRT->ResetSystem(EfiResetShutdown, EFI_SECURITY_VIOLATION,

+					 0, NULL);

+		}

 	}

 	efi_status = shim_init();