sd-boot: add support for support enrolling dbx
Usage: (1) get the latest revocation list for your architecture from https://uefi.org/revocationlistfile; (2) copy the file to $ESP/loader/keys/$name/dbx.auth
parent
e33d43b059
commit
57ea8012d6
@ -380,7 +380,7 @@
|
||||
similar, to extend the native firmware support.</para>
|
||||
|
||||
<para>Enrollment of Secure Boot variables can be performed manually or automatically if files are available
|
||||
under <filename>/loader/keys/<replaceable>NAME</replaceable>/{db,KEK,PK}.auth</filename>, <replaceable>NAME</replaceable>
|
||||
under <filename>/loader/keys/<replaceable>NAME</replaceable>/{db,dbx,KEK,PK}.auth</filename>, <replaceable>NAME</replaceable>
|
||||
being the display name for the set of variables in the menu. If one of the sets is named <filename>auto</filename>
|
||||
then it might be enrolled automatically depending on whether <literal>secure-boot-enroll</literal> is set
|
||||
to force or not.</para>
|
||||
|
@ -124,18 +124,20 @@ EFI_STATUS secure_boot_enroll_at(EFI_FILE *root_dir, const char16_t *path, bool
|
||||
const char16_t *name;
|
||||
const char16_t *filename;
|
||||
const EFI_GUID vendor;
|
||||
bool required;
|
||||
char *buffer;
|
||||
size_t size;
|
||||
} sb_vars[] = {
|
||||
{ u"db", u"db.auth", EFI_IMAGE_SECURITY_DATABASE_GUID, NULL, 0 },
|
||||
{ u"KEK", u"KEK.auth", EFI_GLOBAL_VARIABLE, NULL, 0 },
|
||||
{ u"PK", u"PK.auth", EFI_GLOBAL_VARIABLE, NULL, 0 },
|
||||
{ u"db", u"db.auth", EFI_IMAGE_SECURITY_DATABASE_GUID, true, NULL, 0 },
|
||||
{ u"dbx", u"dbx.auth", EFI_IMAGE_SECURITY_DATABASE_GUID, false, NULL, 0 },
|
||||
{ u"KEK", u"KEK.auth", EFI_GLOBAL_VARIABLE, true, NULL, 0 },
|
||||
{ u"PK", u"PK.auth", EFI_GLOBAL_VARIABLE, true, NULL, 0 },
|
||||
};
|
||||
|
||||
/* Make sure all keys files exist before we start enrolling them by loading them from the disk first. */
|
||||
for (size_t i = 0; i < ELEMENTSOF(sb_vars); i++) {
|
||||
err = file_read(dir, sb_vars[i].filename, 0, 0, &sb_vars[i].buffer, &sb_vars[i].size);
|
||||
if (err != EFI_SUCCESS) {
|
||||
if (err != EFI_SUCCESS && sb_vars[i].required) {
|
||||
log_error_status(err, "Failed reading file %ls\\%ls: %m", path, sb_vars[i].filename);
|
||||
goto out_deallocate;
|
||||
}
|
||||
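Review bot: The relaxed check `if (err != EFI_SUCCESS && sb_vars[i].required)` treats every read failure of an optional entry as "file absent", so an I/O or access error on a dbx.auth that the operator did place on the ESP is silently dropped and enrollment proceeds without the revocation list. Only a missing file should be tolerated, e.g. `if (err != EFI_SUCCESS && (sb_vars[i].required || err != EFI_NOT_FOUND)) {`, with the skipped-optional case logged at a lower severity so the omission is visible in the boot log. The loop also continues with `err` still holding that entry's failure status; the loop body closes outside the hunk, so if `err` is consulted afterwards it should be reset on the optional path. The dbx row relies on `buffer`/`size` staying NULL/0 when file_read() fails — worth a comment on the initializer row, `/* dbx is optional: a missing dbx.auth leaves buffer/size at NULL/0 and the entry is skipped */`, and worth confirming that file_read() leaves its out-parameters untouched on error.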
@ -172,6 +174,8 @@ EFI_STATUS secure_boot_enroll_at(EFI_FILE *root_dir, const char16_t *path, bool
|
||||
EFI_VARIABLE_RUNTIME_ACCESS |
|
||||
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
|
||||
|
||||
if (sb_vars[i].size == 0)
|
||||
continue;
|
||||
err = efivar_set_raw(&sb_vars[i].vendor, sb_vars[i].name, sb_vars[i].buffer, sb_vars[i].size, sb_vars_opts);
|
||||
if (err != EFI_SUCCESS) {
|
||||
log_error_status(err, "Failed to write %ls secure boot variable: %m", sb_vars[i].name);
|
||||
|