Uninstall shim protocols before re-installing them
Make sure if we chainload things, a chainloaded bootloader will be able to use
the latest systab replacements and protocols. They need to match for things
to validate correctly.

Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
Mathieu Trudel-Lapierre authored and vathpela committed Feb 1, 2018
1 parent 02e2fc6 commit c8ca1c5
Showing 2 changed files with 22 additions and 13 deletions.
13 changes: 0 additions & 13 deletions replacements.c
Expand Up @@ -100,19 +100,6 @@ start_image(EFI_HANDLE image_handle, UINTN *exit_data_size, CHAR16 **exit_data)
EFI_STATUS status;
unhook_system_services();

/* We have to uninstall shim's protocol here, because if we're
* On the fallback.efi path, then our call pathway is:
*
* shim->fallback->shim->grub
* ^ ^ ^
* | | \- gets protocol #0
* | \- installs its protocol (#1)
* \- installs its protocol (#0)
* and if we haven't removed this, then grub will get the *first*
* shim's protocol, but it'll get the second shim's systab
* replacements. So even though it will participate and verify
* the kernel, the systab never finds out.
*/
if (image_handle == last_loaded_image) {
loader_is_participating = 1;
uninstall_shim_protocols();
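Review bot: the whole rationale comment is deleted from start_image(), but the `uninstall_shim_protocols()` call it explained is still there in the unchanged context (`if (image_handle == last_loaded_image) { loader_is_participating = 1; uninstall_shim_protocols();`), so a reader of replacements.c now sees an unexplained uninstall right before the chainload. Since the explanation is being moved rather than dropped, leave a one-line pointer in its place, e.g. `/* see install_shim_protocols() for why a stale shim protocol must not be left behind */`, or state in the commit message that this call is kept as a belt-and-braces cleanup now that install_shim_protocols() also removes a leftover instance.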
22 changes: 22 additions & 0 deletions shim.c
Expand Up @@ -2726,11 +2726,33 @@ EFI_STATUS
install_shim_protocols(void)
{
EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
SHIM_LOCK *shim_lock;
EFI_STATUS efi_status;

if (!secure_mode())
return EFI_SUCCESS;

/*
* Did another instance of shim earlier already install the
* protocol? If so, get rid of it.
*
* We have to uninstall shim's protocol here, because if we're
* On the fallback.efi path, then our call pathway is:
*
* shim->fallback->shim->grub
* ^ ^ ^
* | | \- gets protocol #0
* | \- installs its protocol (#1)
* \- installs its protocol (#0)
* and if we haven't removed this, then grub will get the *first*
* shim's protocol, but it'll get the second shim's systab
* replacements. So even though it will participate and verify
* the kernel, the systab never finds out.
*/
efi_status = LibLocateProtocol(&shim_lock_guid, (VOID **)&shim_lock);
if (!EFI_ERROR(efi_status))
uninstall_shim_protocols();

/*
* Install the protocol
*/
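Review bot: the located interface is never used, so it is not clear that the uninstall removes the instance that was just found. `LibLocateProtocol(&shim_lock_guid, (VOID **)&shim_lock)` fills `shim_lock` with whichever SHIM_LOCK_GUID instance the firmware returns, typically the one installed by the earlier shim that the comment describes, but `uninstall_shim_protocols()` takes no arguments and therefore cannot be told which handle or interface pointer to remove; if it operates on this image's own static handle and interface, which have not been installed yet at this point, the call would fail silently and the stale protocol #0 would remain, which is exactly the mismatch between protocol and systab replacements the commit message says it fixes. Please confirm that uninstall_shim_protocols() locates and removes the existing instance by GUID, or pass the handle and `shim_lock` obtained here to it explicitly, and consider logging when the uninstall fails so the fallback path is debuggable. Minor: `EFI_ERROR(efi_status)` treats every error as "not installed"; that is fine for EFI_NOT_FOUND, but any other failure from LibLocateProtocol is also swallowed here. Also, the moved comment carries over the stray capital in "if we're On the fallback.efi path".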