From 398b5a2040ec5cfce09f699dcae6e4e14d8f6091 Mon Sep 17 00:00:00 2001
From: Jan Setje-Eilers
Date: Fri, 16 Aug 2024 16:07:47 -0700
Subject: [PATCH] netboot can try to load shim_certificate_[0..9].efi
Since we can't read the directory, we can try to load shim_certificate_[0..9].efi explicitly and give up after the first one that fails to load.
Signed-off-by: Jan Setje-Eilers
---
 include/sbat.h | 2 +-
 shim.c | 14 +++++++++++---
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/include/sbat.h b/include/sbat.h
index 57279c09d..093bb64a5 100644
--- a/include/sbat.h
+++ b/include/sbat.h
@@ -39,7 +39,7 @@
 #define POLICY_NOTREAD 255
 #define SBATREVOCATIONFILE L"revocations_sbat.efi"
-#define SKUSIREVOCATIONFILE L"revocations_skusi.efi"
+#define SKUSIREVOCATIONFILE L"revocations_sku.efi"
 extern UINTN _sbat, _esbat;
diff --git a/shim.c b/shim.c
index f1bad1570..dd22a9f7a 100644
--- a/shim.c
+++ b/shim.c
@@ -32,6 +32,7 @@
 #include
 #include
+#include
 #define OID_EKU_MODSIGN "1.3.6.1.4.1.2312.16.1.2"
@@ -1487,7 +1488,8 @@ load_revocations_file(EFI_HANDLE image_handle, CHAR16 *FileName, CHAR16 *PathNam
 }
 EFI_STATUS
-load_cert_file(EFI_HANDLE image_handle, CHAR16 *filename, CHAR16 *PathName)
+load_cert_file(EFI_HANDLE image_handle, CHAR16 *filename, CHAR16 *PathName,
+ int flags)
 {
 EFI_STATUS efi_status;
 PE_COFF_LOADER_IMAGE_CONTEXT context;
@@ -1501,8 +1503,7 @@ load_cert_file(EFI_HANDLE image_handle, CHAR16 *filename, CHAR16 *PathName)
 int i;
 efi_status = read_image(image_handle, filename, &PathName,
- &data, &datasize,
- SUPPRESS_NETBOOT_OPEN_FAILURE_NOISE);
+ &data, &datasize, flags);
 if (EFI_ERROR(efi_status))
 return efi_status;
@@ -1564,6 +1565,7 @@ load_unbundled_trust(EFI_HANDLE image_handle)
 EFI_STATUS efi_status;
 EFI_LOADED_IMAGE *li = NULL;
 CHAR16 *PathName = NULL;
+ static CHAR16 FileName[] = L"shim_certificate_0.efi";
 EFI_FILE *root, *dir;
 EFI_FILE_INFO *info;
 EFI_HANDLE device;
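Review bot: The rename of `SKUSIREVOCATIONFILE` from `revocations_skusi.efi` to `revocations_sku.efi` in include/sbat.h is not mentioned anywhere in the commit message, which only describes the shim_certificate_N.efi probing. Because this macro is the name handed to `load_revocations_file()` (shim.c hunk @@ -1597), the change alters which revocation file shim looks up, so it deserves its own sentence in the description or a separate commit. If the old name was ever shipped, a note on whether `revocations_skusi.efi` still needs to be honoured would help a reviewer.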
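Review bot: The new `flags` parameter of `load_cert_file()` is undocumented; it is forwarded unchanged to `read_image()` (hunk @@ -1501), so a one-line comment above the definition such as `/* flags: passed straight through to read_image(), e.g. SUPPRESS_NETBOOT_OPEN_FAILURE_NOISE */` would tell callers what is expected. The patch updates only the new call site in `load_unbundled_trust()`; if `load_cert_file()` has any other caller (for instance a directory-walking path that lies outside these hunks), it would now need the extra argument and is not touched here. The body of load_cert_file continues outside the hunk.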
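Review bot: `FileName` is declared `static`, and in hunk @@ -1597 its digit at index 17 is incremented in place, so the buffer keeps whatever value the probing loop left it at; if `load_unbundled_trust()` can run more than once, a later run does not start from `shim_certificate_0.efi`. Either drop `static` (an automatic `CHAR16 FileName[] = L"shim_certificate_0.efi";` is fine) or reset the digit before the loop with `FileName[17] = L'0';`. A comment at the declaration, `/* digit at FileName[17] is bumped in place to probe shim_certificate_0..9.efi */`, would also make the magic index visible to the next reader. The rest of load_unbundled_trust's declarations and body lie outside this hunk.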
@@ -1571,6 +1573,7 @@ load_unbundled_trust(EFI_HANDLE image_handle)
 UINTN buffersize = 0;
 void *buffer = NULL;
 BOOLEAN search_revocations = TRUE;
+ int i = 0;
 efi_status = gBS->HandleProtocol(image_handle, &EFI_LOADED_IMAGE_GUID,
 (void **)&li);
@@ -1597,6 +1600,11 @@ load_unbundled_trust(EFI_HANDLE image_handle)
 */
 load_revocations_file(image_handle, SKUSIREVOCATIONFILE, PathName);
 load_revocations_file(image_handle, SBATREVOCATIONFILE, PathName);
+ while (load_cert_file(image_handle, FileName, PathName,
+ SUPPRESS_NETBOOT_OPEN_FAILURE_NOISE) == EFI_SUCCESS
+ && i++ < 10) {
+ FileName[17]++;
+ }
 goto done;
 }
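Review bot: The `while` condition calls `load_cert_file()` before it tests `i++ < 10`, so after `shim_certificate_9.efi` loads successfully `FileName[17]++` turns the digit into L':' and an eleventh open of `shim_certificate_:.efi` is attempted before the counter stops the loop; on netboot that is a pointless request with a bogus name, and the static buffer is left holding that non-digit. Checking the bound first and deriving the digit from the counter on every iteration avoids both, keeps the stop-at-first-failure behaviour the commit message describes, and stays correct even if the function is entered again. The enclosing function continues outside the hunk (the `done:` label is not visible here).
```c
	load_revocations_file(image_handle, SBATREVOCATIONFILE, PathName);
	/* Probe shim_certificate_0.efi .. shim_certificate_9.efi in order and
	 * stop at the first one that does not load; the digit lives at
	 * FileName[17] and is rewritten from the counter each time. */
	for (i = 0; i < 10; i++) {
		FileName[17] = L'0' + i;
		if (load_cert_file(image_handle, FileName, PathName,
				   SUPPRESS_NETBOOT_OPEN_FAILURE_NOISE) != EFI_SUCCESS)
			break;
	}
	goto done;
```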