File shim-fix-verify-mok.patch of Package shim

Overview Repositories Revisions Requests Users Attributes Meta

File shim-fix-verify-mok.patch of Package shim

commit 11495d4019d44dce1487939f91f7d751ffbb9730
Author: Andrew Boie <andrew.p.boie@intel.com>
Date:   Mon Apr 15 14:11:17 2013 -0700

fix verify_mok()
    
    () Fix the return value semantics. If the MokList doesn't
    exist, we are OK. If the MokList was compromised but we
    were able to erase it, that is OK too. Only if the list
    can't be nuked do we return an error.
    
    () Fix use of potentially uninitialized attribute variable
    
    () Actually use the return value when called from verify_buffer.
    
    Change-Id: If16df21d79c52a1726928df96d133390cde4cb7e
    Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>

diff --git a/shim.c b/shim.c
index 23dd0ee..dcb36d0 100644
--- a/shim.c
+++ b/shim.c
@@ -670,13 +670,12 @@ static EFI_STATUS verify_mok (void) {
 	status = get_variable_attr(L"MokList", &MokListData, &MokListDataSize,
 				   shim_lock_guid, &attributes);
 
-	if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) {
+	if (!EFI_ERROR(status) && attributes & EFI_VARIABLE_RUNTIME_ACCESS) {
 		Print(L"MokList is compromised!\nErase all keys in MokList!\n");
 		if (LibDeleteVariable(L"MokList", &shim_lock_guid) != EFI_SUCCESS) {
 			Print(L"Failed to erase MokList\n");
+                        return EFI_ACCESS_DENIED;
 		}
-		status = EFI_ACCESS_DENIED;
-		return status;
 	}
 
 	if (MokListData)
@@ -722,7 +721,9 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
 	/*
 	 * Check that the MOK database hasn't been modified
 	 */
-	verify_mok();
+	status = verify_mok();
+	if (status != EFI_SUCCESS)
+		return status;
 
 	/*
 	 * Ensure that the binary isn't blacklisted

Places

File shim-fix-verify-mok.patch of Package shim

Places