    integrity: Load certs from the EFI MOK config table · 726bd896
    Lenny Szubowicz authored
    Because of system-specific EFI firmware limitations, EFI volatile
    variables may not be capable of holding the required contents of
    the Machine Owner Key (MOK) certificate store when the certificate
    list grows above some size. Therefore, an EFI boot loader may pass
    the MOK certs via an EFI configuration table created specifically for
    this purpose to avoid this firmware limitation.
    
    An EFI configuration table is a much more primitive mechanism
    compared to EFI variables and is well suited for one-way passage
    of static information from a pre-OS environment to the kernel.
    
    This patch adds the support to load certs from the MokListRT
    entry in the MOK variable configuration table, if it's present.
    The pre-existing support to load certs from the MokListRT EFI
    variable remains and is used if the EFI MOK configuration table
    isn't present or can't be successfully used.

    Signed-off-by: Lenny Szubowicz <lszubowi@redhat.com>
    Link: https://lore.kernel.org/r/20200905013107.10457-4-lszubowi@redhat.com
    Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
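
The load order described in the commit message, modelled in user-space C as an added example (this is not the kernel's load_uefi.c code): the config-table copy of MokListRT is preferred, and the EFI-variable copy is used when the table entry is absent or unusable. The names `count_certs`, `pick_mok_source` and `enum mok_source` are hypothetical. The sketch assumes a little-endian host, the EFI_SIGNATURE_LIST layout from the UEFI specification, and that "can't be successfully used" means a malformed or empty list.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* EFI_SIGNATURE_LIST header as laid out by the UEFI specification (28 bytes). */
struct sig_list_hdr {
    uint8_t  type[16];     /* SignatureType GUID */
    uint32_t list_size;    /* size of the whole list, this header included */
    uint32_t header_size;  /* optional SignatureHeader that follows */
    uint32_t sig_size;     /* each entry: 16-byte owner GUID + cert data */
};

/* Count signature entries in a MokListRT-style blob; -1 if any list is malformed. */
static int count_certs(const uint8_t *blob, size_t len)
{
    int n = 0;
    while (len > 0) {
        struct sig_list_hdr h;
        if (len < sizeof(h))
            return -1;                      /* truncated header */
        memcpy(&h, blob, sizeof(h));        /* assumes little-endian host */
        if (h.list_size < sizeof(h) || h.list_size > len)
            return -1;                      /* list runs past the buffer */
        size_t body = h.list_size - sizeof(h);
        if (h.header_size > body || h.sig_size <= 16)
            return -1;                      /* no room for owner GUID + data */
        body -= h.header_size;
        if (body % h.sig_size != 0)
            return -1;                      /* partial trailing entry */
        n += (int)(body / h.sig_size);
        blob += h.list_size;
        len -= h.list_size;
    }
    return n;
}

enum mok_source { MOK_NONE, MOK_CONFIG_TABLE, MOK_EFI_VARIABLE };

/* Prefer the config-table copy (tbl); fall back to the EFI variable copy (var)
 * when tbl is NULL (entry absent) or does not parse into at least one cert. */
static enum mok_source pick_mok_source(const uint8_t *tbl, size_t tbl_len,
                                       const uint8_t *var, size_t var_len, int *ncerts)
{
    if (tbl && (*ncerts = count_certs(tbl, tbl_len)) > 0)
        return MOK_CONFIG_TABLE;
    if (var && (*ncerts = count_certs(var, var_len)) > 0)
        return MOK_EFI_VARIABLE;
    *ncerts = 0;
    return MOK_NONE;
}
```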
load_uefi.c 4.7 KB