From 092c2b2bbed950727e41cf450b61c794881c33e7 Mon Sep 17 00:00:00 2001

From: Eric Snowberg <eric.snowberg@oracle.com>

Date: Fri, 17 Jun 2022 12:37:28 -0400

Subject: [PATCH 02/13] Reference MokListRT instead of MokList

When calling back into shim from grub, the MokListRT may contain additional

entries not available in the original MokList, an example being the certs

included via user_cert. Use the MokListRT instead when calling check_db_cert

and check_db_hash.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>

---

 shim.c | 8 ++++----

 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/shim.c b/shim.c

index fdd205ef995..27b74ce06c3 100644

--- a/shim.c

+++ b/shim.c

@@ -397,22 +397,22 @@ static EFI_STATUS check_allowlist (WIN_CERTIFICATE_EFI_PKCS *cert,

 	}

 #endif

-	if (check_db_hash(L"MokList", SHIM_LOCK_GUID, sha256hash,

+	if (check_db_hash(L"MokListRT", SHIM_LOCK_GUID, sha256hash,

 			  SHA256_DIGEST_SIZE, EFI_CERT_SHA256_GUID)

 				== DATA_FOUND) {

 		verification_method = VERIFIED_BY_HASH;

 		update_verification_method(VERIFIED_BY_HASH);

 		return EFI_SUCCESS;

 	} else {

-		LogError(L"check_db_hash(MokList, sha256hash) != DATA_FOUND\n");

+		LogError(L"check_db_hash(MokListRT, sha256hash) != DATA_FOUND\n");

 	}

-	if (cert && check_db_cert(L"MokList", SHIM_LOCK_GUID, cert, sha256hash)

+	if (cert && check_db_cert(L"MokListRT", SHIM_LOCK_GUID, cert, sha256hash)

 			== DATA_FOUND) {

 		verification_method = VERIFIED_BY_CERT;

 		update_verification_method(VERIFIED_BY_CERT);

 		return EFI_SUCCESS;

 	} else if (cert) {

-		LogError(L"check_db_cert(MokList, sha256hash) != DATA_FOUND\n");

+		LogError(L"check_db_cert(MokListRT, sha256hash) != DATA_FOUND\n");

 	}

 	update_verification_method(VERIFIED_BY_NOTHING);

-- 

2.37.1