From 8b48ec5c70cd97d37f48581a4eab8139c1a95a1f Mon Sep 17 00:00:00 2001
From: Matthew Garrett
Date: Tue, 19 Nov 2013 10:15:55 -0500
Subject: [PATCH 11/19] Don't hook system services if shim has no built-in keys

Shim should only need to enforce its security policy when its launching binaries signed with its built-in key. Binaries signed by keys in db or Mokdb should be able to rely on their own security policy.
Signed-off-by: Matthew Garrett
---
 shim.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/shim.c b/shim.c
index 524f5fc..cf93d65 100644
--- a/shim.c
+++ b/shim.c
@@ -1757,11 +1757,15 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
 Print(L"Booting in insecure mode\n");
 uefi_call_wrapper(BS->Stall, 1, 2000000);
 } else if (secure_mode()) {
- /*
- * Install our hooks for ExitBootServices() and StartImage()
- */
- hook_system_services(systab);
- loader_is_participating = 0;
+ if (vendor_cert_size || vendor_dbx_size) {
+ /*
+ * If shim includes its own certificates then ensure
+ * that anything it boots has performed some
+ * validation of the next image.
+ */
+ hook_system_services(systab);
+ loader_is_participating = 0;
+ }
 }
 
 /*
-- 
1.8.5.3
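Review bot: The new comment block describes the guard as shim including "its own certificates", but the condition on the line above it also fires on `vendor_dbx_size`, so a build that ships only a vendor blocklist and no vendor certificate still installs the ExitBootServices/StartImage hooks; the comment and the condition should agree on which is intended. If the dbx-only case is deliberate, the comment could read `* If shim carries its own certificates or blocklist then ensure`; if not, the condition is the line to revisit. Note also that when the guard is false this branch no longer assigns `loader_is_participating`, so the variable keeps whatever value it had before — presumably its initializer, which is outside this hunk and worth confirming against anything else that reads it. efi_main continues on both sides of the hunk.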