From b6c3fc750a34dd1f069e7ddc840d6706fcacb8f3 Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Thu, 8 May 2025 00:49:25 +0100 Subject: [PATCH] boot: skip shim-specific logic when running with new shim Since shim 16 the plain BS->LoadImage() will just work (TM), we do not need anymore to set up manual overrides and manually call in the shim-specific lock protocol or to set shim-specific EFIVAR to make addons work or to load shim-signed kernels. Check if the new protocol added in v16 is present, and if so, skip all that. Once versions < 16 are no longer supported/revoked, all the code can be dropped entirely. --- src/boot/shim.c | 21 ++++++++++++++++++++- src/boot/shim.h | 1 + 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/src/boot/shim.c b/src/boot/shim.c index 87d7dff1915..09d87df530a 100644 --- a/src/boot/shim.c +++ b/src/boot/shim.c @@ -33,12 +33,26 @@ struct ShimLock { #define SHIM_LOCK_GUID \ { 0x605dab50, 0xe046, 0x4300, { 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 } } +#define SHIM_IMAGE_LOADER_GUID \ + { 0x1f492041, 0xfadb, 0x4e59, { 0x9e, 0x57, 0x7c, 0xaf, 0xe7, 0x3a, 0x55, 0xab } } + bool shim_loaded(void) { struct ShimLock *shim_lock; return BS->LocateProtocol(MAKE_GUID_PTR(SHIM_LOCK), NULL, (void **) &shim_lock) == EFI_SUCCESS; } +/* The shim lock protocol is for pre-v16 shim, where it was not hooked up to the BS->LoadImage() system + * table and friends, and it has to be checked manually via the shim_validate() helper. If the shim image + * loader protocol is available (shim v16 and newer), then it will have overridden BS->LoadImage() and + * friends in the system table, so no specific helper is needed, and the standard BS->LoadImage() and + * friends can be called instead. */ +bool shim_loader_available(void) { + void *shim_image_loader; + + return BS->LocateProtocol(MAKE_GUID_PTR(SHIM_IMAGE_LOADER), NULL, (void **) &shim_image_loader) == EFI_SUCCESS; +} + static bool shim_validate( const void *ctx, const EFI_DEVICE_PATH *device_path, const void *file_buffer, size_t file_size) { @@ -90,7 +104,8 @@ EFI_STATUS shim_load_image( assert(device_path); assert(ret_image); - bool have_shim = shim_loaded(); + // TODO: drop lock protocol and just use plain BS->LoadImage once Shim < 16 is no longer supported + bool have_shim = shim_loaded() && !shim_loader_available(); if (have_shim) install_security_override(shim_validate, NULL); @@ -111,6 +126,10 @@ EFI_STATUS shim_load_image( void shim_retain_protocol(void) { uint8_t value = 1; + // TODO: drop setting this var once Shim < 16 is no longer supported, as the lock protocol is no longer needed + if (shim_loader_available() || !shim_loaded()) + return; + /* Ask Shim to avoid uninstalling its security protocol, so that we can use it from sd-stub to * validate PE addons. By default, Shim uninstalls its protocol when calling StartImage(). * Requires Shim 15.8. */ diff --git a/src/boot/shim.h b/src/boot/shim.h index ef9dc7ba276..ed181ed26b2 100644 --- a/src/boot/shim.h +++ b/src/boot/shim.h @@ -12,5 +12,6 @@ #include "efi.h" bool shim_loaded(void); +bool shim_loader_available(void); EFI_STATUS shim_load_image(EFI_HANDLE parent, const EFI_DEVICE_PATH *device_path, bool boot_policy, EFI_HANDLE *ret_image); void shim_retain_protocol(void); -- 2.47.3