Try to load revocations.efi even if directory read fails
Network booting tends to expose things like a tftp server
as a filesystem that doesn't implement directory listing.
This will blindly try to ingest a revocations.efi file in
those cases, even if that may result in some console noise
when the file does not exist.

Signed-off-by: Jan Setje-Eilers <[email protected]>
jsetje authored and vathpela committed Jan 22, 2024
1 parent a23e2f0 commit 993a345
Showing 2 changed files with 10 additions and 1 deletion.
2 changes: 2 additions & 0 deletions include/sbat.h
Expand Up @@ -38,6 +38,8 @@
#define POLICY_RESET 3
#define POLICY_NOTREAD 255

#define REVOCATIONFILE L"revocations.efi"

extern UINTN _sbat, _esbat;

struct sbat_var_entry {
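
Review bot: The new REVOCATIONFILE define carries no comment and sits directly under the POLICY_* values, so a reader of sbat.h cannot tell what consumes it. Suggest a one-line comment above it saying it is the file name load_unbundled_trust() reads for unbundled SBATLevel updates.
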
9 changes: 8 additions & 1 deletion shim.c
Expand Up @@ -1590,6 +1590,13 @@ load_unbundled_trust(EFI_HANDLE image_handle)
if (EFI_ERROR(efi_status)) {
dprint(L"Failed to find fs on local drive (netboot?): %r \n",
efi_status);
/*
* Network boot cases do not support reading a directory. Try
* to read revocations.efi to pull in any unbundled SBATLevel
* updates unconditionally in those cases. This may produce
* console noise when the file is not present.
*/
load_cert_file(image_handle, REVOCATIONFILE, PathName);
goto done;
}
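
Review bot: The netboot fallback calls load_cert_file(image_handle, REVOCATIONFILE, PathName), while the directory-scan path in the same function hands the same file to load_revocations_file(image_handle, PathName). The comment says the goal is to pull in SBATLevel updates, so please confirm that load_cert_file actually processes the revocation data in that file; if it does not, call load_revocations_file here instead. The return status is also discarded before the goto done, so logging it with dprint would let an operator tell a missing file from one that was fetched but rejected when a revocation update fails to apply over the network.
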

Expand Down Expand Up @@ -1668,7 +1675,7 @@ load_unbundled_trust(EFI_HANDLE image_handle)
* revocations.efi file then to search for shim_certificate.efi
*/
if (search_revocations &&
StrCaseCmp(info->FileName, L"revocations.efi") == 0) {
StrCaseCmp(info->FileName, REVOCATIONFILE) == 0) {
load_revocations_file(image_handle, PathName);
search_revocations = FALSE;
efi_status = root->Open(root, &dir, PathName,
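
Review bot: The directory path matches the name with StrCaseCmp, but the netboot path added in this commit requests the exact string in REVOCATIONFILE, so a file named Revocations.efi would be picked up from a local filesystem and missed on a case-sensitive network server. Please note in the netboot comment or in the documentation that network deployments must publish the file under the exact lowercase name, otherwise the revocation update is silently skipped there.
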