From 8b48ec5c70cd97d37f48581a4eab8139c1a95a1f Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Tue, 19 Nov 2013 10:15:55 -0500
Subject: [PATCH 11/19] Don't hook system services if shim has no built-in keys
Shim should only need to enforce its security policy when its launching
binaries signed with its built-in key. Binaries signed by keys in db or
Mokdb should be able to rely on their own security policy.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
shim.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/shim.c b/shim.c
index 524f5fc..cf93d65 100644
--- a/shim.c
+++ b/shim.c
@@ -1757,11 +1757,15 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
Print(L"Booting in insecure mode\n");
uefi_call_wrapper(BS->Stall, 1, 2000000);
} else if (secure_mode()) {
- /*
- * Install our hooks for ExitBootServices() and StartImage()
- */
- hook_system_services(systab);
- loader_is_participating = 0;
+ if (vendor_cert_size || vendor_dbx_size) {
+ /*
+ * If shim includes its own certificates then ensure
+ * that anything it boots has performed some
+ * validation of the next image.
+ */
+ hook_system_services(systab);
+ loader_is_participating = 0;
+ }
}
/*
--
1.8.5.3