netboot cleanup for additional files #686
@@ -1464,7 +1464,10 @@ load_revocations_file(EFI_HANDLE image_handle, CHAR16 *PathName) | |||
uint8_t *ssps_latest = NULL; | |||
uint8_t *sspv_latest = NULL; | |||
|
|||
efi_status = read_image(image_handle, L"revocations.efi", &PathName, | |||
efi_status = read_image(image_handle, L"revocations_sbat.efi", &PathName, | |||
&data, &datasize, |
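Review bot: The efi_status assigned by the read_image call for L"revocations_sbat.efi" needs to be tested before anything else reuses efi_status, data or datasize. The hunk header shows three lines added, so if a second read follows, check and consume each result on its own and return an error only when every read failed. The file name also changes from L"revocations.efi" to L"revocations_sbat.efi" here; a deployment that still ships the old name would have its revocations skipped, so document that or keep a fallback.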
are you missing a check for efi_status here?
Thanks for catching that!! Yes, kind of. If they both fail, then we should bail out. Fixing...
while (load_cert_file(image_handle, FileName, PathName, | ||
SUPPRESS_NETBOOT_OPEN_FAILURE_NOISE) | ||
== EFI_SUCCESS && i++ < 10) { | ||
FileName[17]++; |
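Review bot: In the while condition, load_cert_file(...) is evaluated before i++ < 10, so the bound only stops the loop after one extra fetch. If i starts at 0 and FileName[17] at '0', ten successful loads leave FileName[17] at ':' and that name is still requested, and loaded if the server has it. Put the counter first, e.g. i++ < 10 && load_cert_file(...) == EFI_SUCCESS. The literal index 17 also ties the loop to the exact length of the name prefix; derive it from the string or add a comment saying which character it points at.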
I think it's going to be confusing having to rename shim_certificate_sbat.efi to shim_certificate_0.efi, shim_certificate_ski.efi to shim_certificate_1.efi etc. Can't we just use those names?
For the netboot case we can't do a readdir. So finding something like shim_certificate_<vendor_name>.efi would require an awful lot of permutations to try, and I really don't think that's the right thing to do.
So I'm putting it on whoever deploys the netboot config to deal with renaming or linking. It's not wonderful, but does seem better to have this flexibility in place.
e9aef68 to b121552
Reading files during a netboot comes with the caveat that fetching files from a network does not support anything like listing a directory. In the past this has meant that we do not try to open optional files during a netboot. However at least the revocation.efi file is now tested during a netboot, which will print an error when it is not found. Since that error is spurious we should allow for those errors to be suppressed. This is also desirable since we will likely go looking for additional files in the near future.
Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>

While a revocations.efi binary can contain either SBAT revocations, SkuSi revocations, or both, it is desirable to package them separately so that higher level tools such as fwupd can decide which ones to put in place at a given moment. This changes revocations.efi to revocations_sbat.efi and revocations_sku.efi.
Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>

Bugfix: In the netboot case revocations.efi files were read, but processed as shim_certificate.efi files which is simply wrong.
Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>

Since we can't read the directory, we can try to load shim_certificate_[0..9].efi explicitly and give up after the first one that fails to load.
Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
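The probing scheme from the last commit message (try shim_certificate_[0..9].efi in order, stop at the first miss), as an added example that is not shim's code. `fetch_fn`, `mock_fetch`, `mock_server`, `probe_numbered_certs` and `probe_stat` are hypothetical names, and the mock server is constructed so the number of requests and any name outside 0..9 can be counted.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NUMBERED_CERTS 10 /* shim_certificate_0.efi .. shim_certificate_9.efi */

/* Hypothetical stand-in for a netboot fetch: returns 0 when the file exists. */
typedef int (*fetch_fn)(const char *name, void *ctx);

/* Constructed test server: every file whose index is below 'present' exists. */
struct mock_server { int present, requests, bad_names; };

int mock_fetch(const char *name, void *ctx)
{
	struct mock_server *s = ctx;
	char c = name[strlen("shim_certificate_")];
	s->requests++;
	if (c < '0' || c > '9')
		s->bad_names++; /* a name outside the documented 0..9 range */
	return (c - '0') < s->present ? 0 : -1;
}

/* Probe in order, stop at the first miss, never request more than 10 names. */
int probe_numbered_certs(fetch_fn fetch, void *ctx)
{
	char name[] = "shim_certificate_0.efi";
	char *digit = strrchr(name, '.') - 1; /* index character, not hard-coded */
	int loaded = 0;
	for (int i = 0; i < MAX_NUMBERED_CERTS; i++) { /* bound checked before fetch */
		*digit = (char)('0' + i);
		if (fetch(name, ctx) != 0)
			break;
		loaded++;
	}
	return loaded;
}

/* Run one probe against the mock; what = 0 loaded, 1 requests, 2 bad names. */
int probe_stat(int present, int what)
{
	struct mock_server s = { present, 0, 0 };
	int loaded = probe_numbered_certs(mock_fetch, &s);
	return what == 0 ? loaded : what == 1 ? s.requests : s.bad_names;
}

int main(void)
{
	printf("3 present: loaded=%d requests=%d\n", probe_stat(3, 0), probe_stat(3, 1));
	printf("all present: loaded=%d bad=%d\n", probe_stat(11, 0), probe_stat(11, 2));
	return 0;
}
```

Each miss still costs one network request, which is why the first commit message wants the not-found error for optional files suppressed.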
b121552 to 4d4f2ed
I should re-test some of the failure variations. I'll make a note here when that's done. I'm explicitly not including sbat level in dbx since, while it's a neat way to deliver revocations without a reboot, it also seems like a great way to make a mistake that can't be undone.
These proposed changes are ready for comments, especially around the naming. Some XXX's in the commit comments.
These are all pretty simple changes, I've not included the SbatLevel index in dbx which isn't pretty (yet).