netboot can try to load shim_certificate_[0..9].efi

Since we can't read the directory, we can try to load shim_certificate_[0..9].efi explicitly and give up after the first one that fails to load. Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
rhboot · Feb 18, 2025 · 6b8e40c · 6b8e40c
1 parent c66ce2a
commit 6b8e40c
Showing 1 changed file with 10 additions and 3 deletions.
diff --git a/shim.c b/shim.c
@@ -1488,7 +1488,8 @@ load_revocations_file(EFI_HANDLE image_handle, CHAR16 *FileName, CHAR16 *PathNam
 }
 
 EFI_STATUS
-load_cert_file(EFI_HANDLE image_handle, CHAR16 *filename, CHAR16 *PathName)
+load_cert_file(EFI_HANDLE image_handle, CHAR16 *filename, CHAR16 *PathName,
+		int flags)
 {
 	EFI_STATUS efi_status;
 	PE_COFF_LOADER_IMAGE_CONTEXT context;
@@ -1502,8 +1503,7 @@ load_cert_file(EFI_HANDLE image_handle, CHAR16 *filename, CHAR16 *PathName)
 	int i;
 
 	efi_status = read_image(image_handle, filename, &PathName,
-				&data, &datasize,
-				SUPPRESS_NETBOOT_OPEN_FAILURE_NOISE);
+				&data, &datasize, flags);
 	if (EFI_ERROR(efi_status))
 		return efi_status;
 
@@ -1565,13 +1565,15 @@ load_unbundled_trust(EFI_HANDLE image_handle)
 	EFI_STATUS efi_status;
 	EFI_LOADED_IMAGE *li = NULL;
 	CHAR16 *PathName = NULL;
+	static CHAR16 FileName[] = L"shim_certificate_0.efi";
 	EFI_FILE *root, *dir;
 	EFI_FILE_INFO *info;
 	EFI_HANDLE device;
 	EFI_FILE_IO_INTERFACE *drive;
 	UINTN buffersize = 0;
 	void *buffer = NULL;
 	BOOLEAN search_revocations = TRUE;
+	int i = 0;
 
 	efi_status = gBS->HandleProtocol(image_handle, &EFI_LOADED_IMAGE_GUID,
 					 (void **)&li);
@@ -1598,6 +1600,11 @@ load_unbundled_trust(EFI_HANDLE image_handle)
 		 */
 		load_revocations_file(image_handle, SKUSIREVOCATIONFILE, PathName);
 		load_revocations_file(image_handle, SBATREVOCATIONFILE, PathName);
+		while (load_cert_file(image_handle, FileName, PathName,
+			SUPPRESS_NETBOOT_OPEN_FAILURE_NOISE) == EFI_SUCCESS
+			&& i++ < 10) {
+			FileName[17]++;
+		}
 		goto done;
 	}