Blob Blame History Raw
From 4b27ae034ba9885960e72f77b3f687a9b7fea824 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Wed, 21 Nov 2018 12:47:43 +0800
Subject: [PATCH 2/3] mok: fix the mirroring of RT variables

When there is no key in MokList, import_mok_state() just skipped MokList
even though it should always mirror the vendor cert. Besides, the faulty
check of 'present' and 'addend' invalidates the mirroring of MokListXRT,
MokSBStateRT, and MokIgnoreDB.

https://github.com/rhboot/shim/issues/154

Signed-off-by: Gary Lin <glin@suse.com>
---
 mok.c | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/mok.c b/mok.c
index 00dd1ad3034..41925abbb49 100644
--- a/mok.c
+++ b/mok.c
@@ -231,12 +231,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
 					       &v->data, &v->data_size,
 					       *v->guid, &attrs);
 		if (efi_status == EFI_NOT_FOUND) {
-			if (v->rtname && addend) {
-				efi_status = mirror_one_mok_variable(v);
-				if (EFI_ERROR(efi_status) &&
-				    ret != EFI_SECURITY_VIOLATION)
-					ret = efi_status;
-			}
+			if (addend)
+				goto mirror_addend;
 			/*
 			 * after possibly adding, we can continue, no
 			 * further checks to be done.
@@ -316,7 +312,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
 			}
 		}
 
-		if (v->rtname && present && addend) {
+mirror_addend:
+		if (v->rtname && (present || addend)) {
 			if (v->flags & MOK_MIRROR_DELETE_FIRST)
 				LibDeleteVariable(v->rtname, v->guid);
 
-- 
2.20.1