
netboot can try to load shim_certificate_[0..9].efi
Since we can't read the directory, we can try to load
shim_certificate_[0..9].efi explicitly and give up after
the first one that fails to load.

Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
jsetje committed Feb 5, 2025
1 parent a1bf486 commit 398b5a2
Showing 2 changed files with 12 additions and 4 deletions.
2 changes: 1 addition & 1 deletion include/sbat.h
Expand Up @@ -39,7 +39,7 @@
#define POLICY_NOTREAD 255

#define SBATREVOCATIONFILE L"revocations_sbat.efi"
#define SKUSIREVOCATIONFILE L"revocations_skusi.efi"
#define SKUSIREVOCATIONFILE L"revocations_sku.efi"

extern UINTN _sbat, _esbat;

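--- a/shim.c
+++ b/shim.c
@@ -32,6 +32,7 @@
 #include <Library/BaseCryptLib.h>
 
 #include <stdint.h>
+#include <stdio.h>
 
 #define OID_EKU_MODSIGN "1.3.6.1.4.1.2312.16.1.2"
 
@@ -1487,7 +1488,8 @@ load_revocations_file(EFI_HANDLE image_handle, CHAR16 *FileName, CHAR16 *PathNam
 }
 
 EFI_STATUS
-load_cert_file(EFI_HANDLE image_handle, CHAR16 *filename, CHAR16 *PathName)
+load_cert_file(EFI_HANDLE image_handle, CHAR16 *filename, CHAR16 *PathName,
+	       int flags)
 {
 	EFI_STATUS efi_status;
 	PE_COFF_LOADER_IMAGE_CONTEXT context;
@@ -1501,8 +1503,7 @@ load_cert_file(EFI_HANDLE image_handle, CHAR16 *filename, CHAR16 *PathName)
 	int i;
 
 	efi_status = read_image(image_handle, filename, &PathName,
-				&data, &datasize,
-				SUPPRESS_NETBOOT_OPEN_FAILURE_NOISE);
+				&data, &datasize, flags);
 	if (EFI_ERROR(efi_status))
 		return efi_status;
 
@@ -1564,13 +1565,15 @@ load_unbundled_trust(EFI_HANDLE image_handle)
 	EFI_STATUS efi_status;
 	EFI_LOADED_IMAGE *li = NULL;
 	CHAR16 *PathName = NULL;
+	static CHAR16 FileName[] = L"shim_certificate_0.efi";
 	EFI_FILE *root, *dir;
 	EFI_FILE_INFO *info;
 	EFI_HANDLE device;
 	EFI_FILE_IO_INTERFACE *drive;
 	UINTN buffersize = 0;
 	void *buffer = NULL;
 	BOOLEAN search_revocations = TRUE;
+	int i = 0;
 
 	efi_status = gBS->HandleProtocol(image_handle, &EFI_LOADED_IMAGE_GUID,
 					 (void **)&li);
@@ -1597,6 +1600,11 @@ load_unbundled_trust(EFI_HANDLE image_handle)
 		 */
 		load_revocations_file(image_handle, SKUSIREVOCATIONFILE, PathName);
 		load_revocations_file(image_handle, SBATREVOCATIONFILE, PathName);
+		while (load_cert_file(image_handle, FileName, PathName,
+				      SUPPRESS_NETBOOT_OPEN_FAILURE_NOISE) == EFI_SUCCESS
+		       && i++ < 10) {
+			FileName[17]++;
+		}
 		goto done;
 	}
 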
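Review bot: In the new loop in load_unbundled_trust the bound `i++ < 10` is evaluated only after a load has already succeeded, so once shim_certificate_9.efi loads, `FileName[17]++` turns the digit into L':' and an eleventh attempt on `shim_certificate_:.efi` is made before the loop gives up; the count should gate the call, not follow it. FileName is also `static` and is never reset to '0', so if load_unbundled_trust were ever entered twice the search would resume from whatever digit the previous call stopped on (presumably it runs once per boot, but resetting costs nothing). A counted for loop that derives the digit from i each iteration fixes both and makes the magic index 17 self-explanatory as the position of the digit in the literal. The enclosing function starts and ends outside the hunk. Separately, the `#include <stdio.h>` added in the first hunk is not used by anything visible in this commit, so it is worth confirming it is needed.
```c
		load_revocations_file(image_handle, SBATREVOCATIONFILE, PathName);
		/* Try shim_certificate_0.efi .. shim_certificate_9.efi in order,
		 * stopping at the first one that cannot be loaded. */
		for (i = 0; i < 10; i++) {
			FileName[17] = L'0' + i;
			if (load_cert_file(image_handle, FileName, PathName,
					   SUPPRESS_NETBOOT_OPEN_FAILURE_NOISE) != EFI_SUCCESS)
				break;
		}
		goto done;
```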
