File shim-bsc1185261-relax-import_mok_state-check.patch of Package shim-susesigned.20757

From 3e33205b9c957624df7e30a2e5e2847f23d37989 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Tue, 11 May 2021 10:41:43 +0800
Subject: [PATCH] Relax the check for import_mok_state()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

An openSUSE user reported(*) that shim 15.4 failed to boot the system
with the following message:

  "Could not create MokListXRT: Out of Resources"

In the beginning, I thought it's caused by the growing size of
vendor-dbx. However, we found the following messages after set
SHIM_VERBOSE:

  max_var_sz:8000 remaining_sz:85EC max_storage_sz:9000
  SetVariable(“MokListXRT”, ... varsz=0x1404) = Out of Resources

Even though the firmware claimed the remaining storage size is 0x85EC,
it still rejected MokListXRT with size 0x1404. It seems that the return
values from QueryVariableInfo() are not reliable. Since this firmware
didn't really support Secure Boot, the variable mirroring is not so
critical, so we can just accept the failure of import_mok_state() and
continue boot.

(*) https://bugzilla.suse.com/show_bug.cgi?id=1185261

Signed-off-by: Gary Lin <glin@suse.com>
---
 shim.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/shim.c b/shim.c
index c5cfbb83..d38ae2f0 100644
--- a/shim.c
+++ b/shim.c
@@ -1973,10 +1973,13 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
 	 * boot-services-only state variables are what we think they are.
 	 */
 	efi_status = import_mok_state(image_handle);
-	if (!secure_mode() && efi_status == EFI_INVALID_PARAMETER) {
+	if (!secure_mode() && 
+	    (efi_status == EFI_INVALID_PARAMETER ||
+	     efi_status == EFI_OUT_OF_RESOURCES)) {
 		/*
 		 * Make copy failures fatal only if secure_mode is enabled, or
-		 * the error was anything else than EFI_INVALID_PARAMETER.
+		 * the error was anything else than EFI_INVALID_PARAMETER or
+		 * EFI_OUT_OF_RESOURCES.
 		 * There are non-secureboot firmware implementations that don't
 		 * reserve enough EFI variable memory to fit the variable.
 		 */
-- 
2.31.1