efi_loader: don't load Shim's MOK database from file

When using a file to store UEFI variables we must make sure that secure boot related variables are not loaded from this file. With commit 9ef82e2947 ("efi_loader: don't load signature database from file") this has already been implemented for variables defined in the UEFI specification. As most Linux distributions use Shim we should do the same for Shim's MOK database. Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2024-11-28 15:41:40 +00:00 · 2021-10-06 14:10:14 +02:00 · 2021-10-06 14:10:14 +02:00 · fa00b6fc3f
commit fa00b6fc3f
parent 567dfef2fe
1 changed files with 8 additions and 0 deletions
--- a/lib/efi_loader/efi_var_file.c
+++ b/lib/efi_loader/efi_var_file.c
@ -19,6 +19,13 @@

 #define PART_STR_LEN 10

+/* GUID used by Shim to store the MOK database */
+#define SHIM_LOCK_GUID \
+	EFI_GUID(0x605dab50, 0xe046, 0x4300, \
+		 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23)
+
+static const efi_guid_t shim_lock_guid = SHIM_LOCK_GUID;
+
 /**
 * efi_set_blk_dev_to_system_partition() - select EFI system partition
 *
@ -175,6 +182,7 @@ efi_status_t efi_var_restore(struct efi_var_file *buf, bool safe)
 		if (!safe &&
 		    (efi_auth_var_get_type(var->name, &var->guid) !=
 		     EFI_AUTH_VAR_NONE ||
+		     !guidcmp(&var->guid, &shim_lock_guid) ||
 		     !(var->attr & EFI_VARIABLE_NON_VOLATILE)))
 			continue;
 		if (!var->length)