Mirror some more efi variables to mok-variables

vathpela · vathpela · commit fc0cface403b · 2025-02-24T15:26:20.000-05:00
Some machines have EFI Boot Services variables but not Runtime
variables, and thus it can be quite difficult to figure out what's going
on once the system is booted.

This changes mok variable mirroring to also mirror the following
variables to the mok variable config table:

  AuditMode
  BootOrder
  BootCurrent
  BootNext
  Boot0000
  Boot0001
  Boot0002
  Boot0003
  Boot0004
  Boot0005
  Boot0006
  DeployedMode
  SecureBoot
  SetupMode
  SignatureSupport
  Timeout
  PK
  KEK
  db
  dbx
  Kernel_SkuSiStatus

There's no attempt to do anything involving creating runtime or
boot-services only variables, it just mirrors them into the config
table so they'll be exposed there.

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
diff --git a/mok.c b/mok.c
@@ -262,6 +262,153 @@ struct mok_state_variable mok_state_variable_data[] = {
 	 .flags = MOK_VARIABLE_CONFIG_ONLY,
 	 .format = format_hsi_status,
 	},
+	{.name = L"AuditMode",
+	 .name8 = "AuditMode",
+	 .rtname = L"AuditMode",
+	 .rtname8 = "AuditMode",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"BootOrder",
+	 .name8 = "BootOrder",
+	 .rtname = L"BootOrder",
+	 .rtname8 = "BootOrder",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"BootCurrent",
+	 .name8 = "BootCurrent",
+	 .rtname = L"BootCurrent",
+	 .rtname8 = "BootCurrent",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"BootNext",
+	 .name8 = "BootNext",
+	 .rtname = L"BootNext",
+	 .rtname8 = "BootNext",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"Boot0000",
+	 .name8 = "Boot0000",
+	 .rtname = L"Boot0000",
+	 .rtname8 = "Boot0000",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"Boot0001",
+	 .name8 = "Boot0001",
+	 .rtname = L"Boot0001",
+	 .rtname8 = "Boot0001",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"Boot0002",
+	 .name8 = "Boot0002",
+	 .rtname = L"Boot0002",
+	 .rtname8 = "Boot0002",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"Boot0003",
+	 .name8 = "Boot0003",
+	 .rtname = L"Boot0003",
+	 .rtname8 = "Boot0003",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"Boot0004",
+	 .name8 = "Boot0004",
+	 .rtname = L"Boot0004",
+	 .rtname8 = "Boot0004",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"Boot0005",
+	 .name8 = "Boot0005",
+	 .rtname = L"Boot0005",
+	 .rtname8 = "Boot0005",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"Boot0006",
+	 .name8 = "Boot0006",
+	 .rtname = L"Boot0006",
+	 .rtname8 = "Boot0006",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"DeployedMode",
+	 .name8 = "DeployedMode",
+	 .rtname = L"DeployedMode",
+	 .rtname8 = "DeployedMode",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"SecureBoot",
+	 .name8 = "SecureBoot",
+	 .rtname = L"SecureBoot",
+	 .rtname8 = "SecureBoot",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"SetupMode",
+	 .name8 = "SetupMode",
+	 .rtname = L"SetupMode",
+	 .rtname8 = "SetupMode",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"SignatureSupport",
+	 .name8 = "SignatureSupport",
+	 .rtname = L"SignatureSupport",
+	 .rtname8 = "SignatureSupport",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"Timeout",
+	 .name8 = "Timeout",
+	 .rtname = L"Timeout",
+	 .rtname8 = "Timeout",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"PK",
+	 .name8 = "PK",
+	 .rtname = L"PK",
+	 .rtname8 = "PK",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"KEK",
+	 .name8 = "KEK",
+	 .rtname = L"KEK",
+	 .rtname8 = "KEK",
+	 .guid = &GV_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"db",
+	 .name8 = "db",
+	 .rtname = L"db",
+	 .rtname8 = "db",
+	 .guid = &SIG_DB,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"dbx",
+	 .name8 = "dbx",
+	 .rtname = L"dbx",
+	 .rtname8 = "dbx",
+	 .guid = &SIG_DB,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
+	{.name = L"Kernel_SkuSiStatus",
+	 .name8 = "Kernel_SkuSiStatus",
+	 .rtname = L"Kernel_SkuSiStatus",
+	 .rtname8 = "Kernel_SkuSiStatus",
+	 .guid = &SECUREBOOT_EFI_NAMESPACE_GUID,
+	 .flags = MOK_VARIABLE_CONFIG_ONLY,
+	},
 	{ NULL, }
 };
 size_t n_mok_state_variables = sizeof(mok_state_variable_data) / sizeof(mok_state_variable_data[0]);
diff --git a/test-mock-variables.c b/test-mock-variables.c
@@ -207,6 +207,13 @@ test_gnvn_helper(char *testvars)
 	const char *mok_rt_vars[n_mok_state_variables];
 
 	for (size_t i = 0; i < n_mok_state_variables; i++) {
+		/*
+		 * We don't want to filter out the variables we've added to
+		 * mok mirroring that aren't really from mok; right now
+		 * this is a reasonable heuristic for that.
+		 */
+		if (mok_state_variables[i].flags & MOK_VARIABLE_CONFIG_ONLY)
+			continue;
 		mok_rt_vars[i] = mok_state_variables[i].rtname8;
 	}
 
@@ -301,6 +308,13 @@ test_get_variable_0(void)
 	const char *mok_rt_vars[n_mok_state_variables];
 
 	for (size_t i = 0; i < n_mok_state_variables; i++) {
+		/*
+		 * We don't want to filter out the variables we've added to
+		 * mok mirroring that aren't really from mok; right now
+		 * this is a reasonable heuristic for that.
+		 */
+		if (mok_state_variables[i].flags & MOK_VARIABLE_CONFIG_ONLY)
+			continue;
 		mok_rt_vars[i] = mok_state_variables[i].rtname8;
 	}
 
