-
Notifications
You must be signed in to change notification settings - Fork 294
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
netboot cleanup for additional files #686
base: main
Are you sure you want to change the base?
Conversation
Reading files during a netboot comes with the caveat that fetching files from a network does not support anything like listing a directory. In the past this has meant that we do not try to open optional files during a netboot. However at least the revocation.efi file is now tested during a netboot, which will print an error when it is not found. Since that error is spurious we should allow for those errors to be suppressed. This is also desirable since we will likely go looking for additional files in the near future.
While a revocations.efi binary can contain either SBAT revocations, SkuSi revocations, or both, it is desirable to package them separately so that higher level tools such as fwupd can decide which ones to put in place at a given moment. This changes revocations.efi to revocations_sbat.efi and revocations_sku.efi XXX: Retain support a common revocations.efi file? Constrain the sections to match the file?
Bugfix: In the netboot case revocations.efi files were read, but processed as shim_certificate.efi files which is simply wrong.
Since we can't read the directory, we can try to load shim_certificate_[0..9].efi explicitly and give up after the first one that fails to load. XXX: should we just bring in snprintf()? support more than 10? nameing scheme
@@ -1464,7 +1464,10 @@ load_revocations_file(EFI_HANDLE image_handle, CHAR16 *PathName) | |||
uint8_t *ssps_latest = NULL; | |||
uint8_t *sspv_latest = NULL; | |||
|
|||
efi_status = read_image(image_handle, L"revocations.efi", &PathName, | |||
efi_status = read_image(image_handle, L"revocations_sbat.efi", &PathName, | |||
&data, &datasize, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
are you missing a check for efi_status here?
while (load_cert_file(image_handle, FileName, PathName, | ||
SUPPRESS_NETBOOT_OPEN_FAILURE_NOISE) | ||
== EFI_SUCCESS && i++ < 10) { | ||
FileName[17]++; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's going to be confusing having to rename shim_certificate_sbat.efi to shim_certificate_0.efi, shim_certificate_ski.efi to shim_certificate_1.efi etc. Can't we just use those names?
These proposed changes are ready for comments, especially around the naming. Some XXX's in the commit comments.
These are all pretty simple changes, I've not included the SbatLevel index in dbx which isn't pretty (yet).