From 4b27ae034ba9885960e72f77b3f687a9b7fea824 Mon Sep 17 00:00:00 2001

From: Gary Lin <glin@suse.com>

Date: Wed, 21 Nov 2018 12:47:43 +0800

Subject: [PATCH 2/3] mok: fix the mirroring of RT variables

When there is no key in MokList, import_mok_state() just skipped MokList

even though it should always mirror the vendor cert. Besides, the faulty

check of 'present' and 'addend' invalidates the mirroring of MokListXRT,

MokSBStateRT, and MokIgnoreDB.

https://github.com/rhboot/shim/issues/154

Signed-off-by: Gary Lin <glin@suse.com>

---

 mok.c | 11 ++++-------

 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/mok.c b/mok.c

index 00dd1ad3034..41925abbb49 100644

--- a/mok.c

+++ b/mok.c

@@ -231,12 +231,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)

 					       &v->data, &v->data_size,

 					       *v->guid, &attrs);

 		if (efi_status == EFI_NOT_FOUND) {

-			if (v->rtname && addend) {

-				efi_status = mirror_one_mok_variable(v);

-				if (EFI_ERROR(efi_status) &&

-				    ret != EFI_SECURITY_VIOLATION)

-					ret = efi_status;

-			}

+			if (addend)

+				goto mirror_addend;

 			/*

 			 * after possibly adding, we can continue, no

 			 * further checks to be done.

@@ -316,7 +312,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)

 			}

 		}

-		if (v->rtname && present && addend) {

+mirror_addend:

+		if (v->rtname && (present || addend)) {

 			if (v->flags & MOK_MIRROR_DELETE_FIRST)

 				LibDeleteVariable(v->rtname, v->guid);

-- 

2.20.1