Mirror some more efi variables to mok-variables

Some machines have EFI Boot Services variables but not Runtime variables, and thus it can be quite difficult to figure out what's going on once the system is booted. This changes mok variable mirroring to also mirror the following variables to the mok variable config table: AuditMode BootOrder BootCurrent BootNext Boot0000 Boot0001 Boot0002 Boot0003 Boot0004 Boot0005 Boot0006 DeployedMode SecureBoot SetupMode SignatureSupport Timeout PK KEK db dbx Kernel_SkuSiStatus There's no attempt to do anything involving creating runtime or boot-services only variables, it just mirrors them into the config table so they'll be exposed there. Signed-off-by: Peter Jones <pjones@redhat.com>
rhboot · Feb 21, 2025 · 6fbdcd3 · 6fbdcd3
1 parent 11e2f49
commit 6fbdcd3
Show file tree

Hide file tree

Showing 2 changed files with 161 additions and 0 deletions.
diff --git a/mok.c b/mok.c
@@ -262,6 +262,153 @@ struct mok_state_variable mok_state_variable_data[] = {
 	 .flags = MOK_VARIABLE_CONFIG_ONLY,
 	 .format = format_hsi_status,
 	},
+	{.name = L"AuditMode",
+	 .name8 = "AuditMode",
+	 .rtname = L"AuditMode",
+	 .rtname8 = "AuditMode",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"BootOrder",
+	 .name8 = "BootOrder",
+	 .rtname = L"BootOrder",
+	 .rtname8 = "BootOrder",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"BootCurrent",
+	 .name8 = "BootCurrent",
+	 .rtname = L"BootCurrent",
+	 .rtname8 = "BootCurrent",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"BootNext",
+	 .name8 = "BootNext",
+	 .rtname = L"BootNext",
+	 .rtname8 = "BootNext",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"Boot0000",
+	 .name8 = "Boot0000",
+	 .rtname = L"Boot0000",
+	 .rtname8 = "Boot0000",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"Boot0001",
+	 .name8 = "Boot0001",
+	 .rtname = L"Boot0001",
+	 .rtname8 = "Boot0001",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"Boot0002",
+	 .name8 = "Boot0002",
+	 .rtname = L"Boot0002",
+	 .rtname8 = "Boot0002",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"Boot0003",
+	 .name8 = "Boot0003",
+	 .rtname = L"Boot0003",
+	 .rtname8 = "Boot0003",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"Boot0004",
+	 .name8 = "Boot0004",
+	 .rtname = L"Boot0004",
+	 .rtname8 = "Boot0004",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"Boot0005",
+	 .name8 = "Boot0005",
+	 .rtname = L"Boot0005",
+	 .rtname8 = "Boot0005",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"Boot0006",
+	 .name8 = "Boot0006",
+	 .rtname = L"Boot0006",
+	 .rtname8 = "Boot0006",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"DeployedMode",
+	 .name8 = "DeployedMode",
+	 .rtname = L"DeployedMode",
+	 .rtname8 = "DeployedMode",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"SecureBoot",
+	 .name8 = "SecureBoot",
+	 .rtname = L"SecureBoot",
+	 .rtname8 = "SecureBoot",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"SetupMode",
+	 .name8 = "SetupMode",
+	 .rtname = L"SetupMode",
+	 .rtname8 = "SetupMode",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"SignatureSupport",
+	 .name8 = "SignatureSupport",
+	 .rtname = L"SignatureSupport",
+	 .rtname8 = "SignatureSupport",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"Timeout",
+	 .name8 = "Timeout",
+	 .rtname = L"Timeout",
+	 .rtname8 = "Timeout",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"PK",
+	 .name8 = "PK",
+	 .rtname = L"PK",
+	 .rtname8 = "PK",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"KEK",
+	 .name8 = "KEK",
+	 .rtname = L"KEK",
+	 .rtname8 = "KEK",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"db",
+	 .name8 = "db",
+	 .rtname = L"db",
+	 .rtname8 = "db",
+	 .guid = &SIG_DB,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"dbx",
+	 .name8 = "dbx",
+	 .rtname = L"dbx",
+	 .rtname8 = "dbx",
+	 .guid = &SIG_DB,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"Kernel_SkuSiStatus",
+	 .name8 = "Kernel_SkuSiStatus",
+	 .rtname = L"Kernel_SkuSiStatus",
+	 .rtname8 = "Kernel_SkuSiStatus",
+	 .guid = &SECUREBOOT_EFI_NAMESPACE_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
 	{ NULL, }
 };
 size_t n_mok_state_variables = sizeof(mok_state_variable_data) / sizeof(mok_state_variable_data[0]);

diff --git a/test-mock-variables.c b/test-mock-variables.c
@@ -207,6 +207,13 @@ test_gnvn_helper(char *testvars)
 	const char *mok_rt_vars[n_mok_state_variables];
 
 	for (size_t i = 0; i < n_mok_state_variables; i++) {
+		/*
+		 * We don't want to filter out the variables we've added to
+		 * mok mirroring that aren't really from mok; right now
+		 * this is a reasonable heuristic for that.
+		 */
+		if (mok_state_variables[i].flags & MOK_VARIABLE_CONFIG_ONLY)
+			continue;
 		mok_rt_vars[i] = mok_state_variables[i].rtname8;
 	}
 
@@ -301,6 +308,13 @@ test_get_variable_0(void)
 	const char *mok_rt_vars[n_mok_state_variables];
 
 	for (size_t i = 0; i < n_mok_state_variables; i++) {
+		/*
+		 * We don't want to filter out the variables we've added to
+		 * mok mirroring that aren't really from mok; right now
+		 * this is a reasonable heuristic for that.
+		 */
+		if (mok_state_variables[i].flags & MOK_VARIABLE_CONFIG_ONLY)
+			continue;
 		mok_rt_vars[i] = mok_state_variables[i].rtname8;
 	}