File shim-bsc1187696-avoid-deleting-rt-variables.patch of Package shim-susesigned.20757

Overview Repositories Revisions Requests Users Attributes Meta

File shim-bsc1187696-avoid-deleting-rt-variables.patch of Package shim-susesigned.20757

From 14f6e10b8272ce34d3c373e000c583e5345b526b Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Wed, 30 Jun 2021 16:34:51 +0800
Subject: [PATCH] mok: delete the existing RT variables only when
 only_first=TRUE

For the firmware without the variable writing issues, MOK variables are
mirrored when only_first=TRUE. However, LibDeleteVariable() was called
in maybe_mirror_one_mok_variable() when only_first=FALSE, and this
could delete MOK variables that were just mirrored in the first round.

This bug was hidden since LibDeleteVariable() deletes BS+RT+NV variables
while we mirror MOK variables as BS+RT, and the firmware refused to
delete the mirrored MOK variable due to mismatching attributes. However,
some firmwares, such as VMWare, didn't enforce the attribute check and
just deleted the variables with matched name and GUID. In such system,
MokListRT was always removed before it reached OS.

Fixes: https://github.com/rhboot/shim/issues/386

Signed-off-by: Gary Lin <glin@suse.com>
---
 mok.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mok.c b/mok.c
index beac0ff6..5ea39d54 100644
--- a/mok.c
+++ b/mok.c
@@ -863,7 +863,7 @@ maybe_mirror_one_mok_variable(struct mok_state_variable *v,
 	BOOLEAN present = FALSE;
 
 	if (v->rtname) {
-		if (!only_first && (v->flags & MOK_MIRROR_DELETE_FIRST)) {
+		if (only_first && (v->flags & MOK_MIRROR_DELETE_FIRST)) {
 			dprint(L"deleting \"%s\"\n", v->rtname);
 			efi_status = LibDeleteVariable(v->rtname, v->guid);
 			dprint(L"LibDeleteVariable(\"%s\",...) => %r\n", v->rtname, efi_status);
-- 
2.31.1

Places

File shim-bsc1187696-avoid-deleting-rt-variables.patch of Package shim-susesigned.20757

Places