efi: set EFIVAR to stop Shim from uninstalling its protocol

We'll use it from the stub to validate files. Requires Shim 5.18.
By default, Shim uninstalls its protocol when calling StartImage(),
so when loading systemd-boot via shim and then loading an UKI, the
UKI's sd-stub will no longer be able to use the shim verification
protocol by default.

src/boot/efi/boot.c

@@ -2641,6 +2641,10 @@ static EFI_STATUS run(EFI_HANDLE image) {
 
         init_usec = time_usec();
 
+        /* Ask Shim to leave its protocol around, so that the stub can use it to validate PEs.
+         * By default, Shim uninstalls its protocol when calling StartImage(). */
+        shim_retain_protocol();
+
         err = BS->OpenProtocol(
                         image,
                         MAKE_GUID_PTR(EFI_LOADED_IMAGE_PROTOCOL),

src/boot/efi/shim.c

@@ -97,3 +97,12 @@ EFI_STATUS shim_load_image(EFI_HANDLE parent, const EFI_DEVICE_PATH *device_path
 
         return ret;
 }
+
+void shim_retain_protocol(void) {
+        uint8_t value = 1;
+
+        /* Ask Shim to avoid uninstalling its security protocol, so that we can use it from sd-stub to
+         * validate PE addons. By default, Shim uninstalls its protocol when calling StartImage().
+         * Requires Shim 15.8. */
+        (void) efivar_set_raw(MAKE_GUID_PTR(SHIM_LOCK), u"ShimRetainProtocol", &value, sizeof(value), 0);
+}

src/boot/efi/shim.h

@@ -13,3 +13,4 @@
 
 bool shim_loaded(void);
 EFI_STATUS shim_load_image(EFI_HANDLE parent, const EFI_DEVICE_PATH *device_path, EFI_HANDLE *ret_image);
+void shim_retain_protocol(void);