efi_loader: don't load Shim's MOK database from file

When using a file to store UEFI variables we must make sure that secure boot related variables are not loaded from this file. With commit 9ef82e29478c ("efi_loader: don't load signature database from file") this has already been implemented for variables defined in the UEFI specification. As most Linux distributions use Shim we should do the same for Shim's MOK database. Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
author: Heinrich Schuchardt 2021-10-06 14:10:14 +0200
committer: Heinrich Schuchardt 2021-10-21 03:46:04 +0200
commit: fa00b6fc3f86c88bf7afe00253340f529eeacb6d (patch)
tree: e3d036dc6e0cc983157d7debb70e24605ab546e3 /lib
parent: 567dfef2fe4affe28e8e65b54677f24995b98a5e (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/efi_loader/efi_var_file.c b/lib/efi_loader/efi_var_file.c
index c7c6805ed05..76a2ff9e412 100644
--- a/lib/efi_loader/efi_var_file.c
+++ b/lib/efi_loader/efi_var_file.c
@@ -19,6 +19,13 @@
 
 #define PART_STR_LEN 10
 
+/* GUID used by Shim to store the MOK database */
+#define SHIM_LOCK_GUID \
+	EFI_GUID(0x605dab50, 0xe046, 0x4300, \
+		 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23)
+
+static const efi_guid_t shim_lock_guid = SHIM_LOCK_GUID;
+
 /**
  * efi_set_blk_dev_to_system_partition() - select EFI system partition
  *
@@ -175,6 +182,7 @@ efi_status_t efi_var_restore(struct efi_var_file *buf, bool safe)
 		if (!safe &&
 		    (efi_auth_var_get_type(var->name, &var->guid) !=
 		     EFI_AUTH_VAR_NONE ||
+		     !guidcmp(&var->guid, &shim_lock_guid) ||
 		     !(var->attr & EFI_VARIABLE_NON_VOLATILE)))
 			continue;
 		if (!var->length)
author	Heinrich Schuchardt	2021-10-06 14:10:14 +0200
committer	Heinrich Schuchardt	2021-10-21 03:46:04 +0200
commit	fa00b6fc3f86c88bf7afe00253340f529eeacb6d (patch)
tree	e3d036dc6e0cc983157d7debb70e24605ab546e3 /lib
parent	567dfef2fe4affe28e8e65b54677f24995b98a5e (diff)