[efi-boot-shim.git] / MokVars.txt

Variables used by Shim and Mokmanager

Request variables:

MokPW: Set by MokUtil when setting a password. A SHA-256 hash of the
UCS-2 representation of the password. The user will be asked to
re-enter the password to confirm. If the hash of the entered password
matches the contents of MokPW, the user will be prompted to copy MokPW
into MokPWState. BS,RT,NV

MokSB: Set by MokUtil when requesting a change in state of signature
validation. A packed structure as follows:

typedef struct {
        UINT32 MokSBState;
        UINT32 PWLen;
        CHAR16 Password[PASSWORD_MAX];
} __attribute__ ((packed)) MokSBvar;

If MokSBState is 0, the user will be prompted to disable signature
validation. Otherwise, the user will be prompted to enable it. PWLen
is the length of the password, in characters. Password is a UCS-2
representation of the password. The user will be prompted to enter
three randomly chosen characters from the password. If successful,
they will then be prompted to change the signature validation
according to MokSBState. BS,RT,NV

MokDB: Set by MokUtil when requesting a change in state of validation
using db hashes and certs. A packed structure as follows:

typedef struct {
        UINT32 MokDBState;
        UINT32 PWLen;
        CHAR16 Password[PASSWORD_MAX];
} __attribute__ ((packed)) MokDBvar;

If MokDBState is 0, the user will be prompted to disable usage of db for
validation. Otherwise, the user will be prompted to allow it. PWLen
is the length of the password, in characters. Password is a UCS-2
representation of the password. The user will be prompted to enter
three randomly chosen characters from the password. If successful,
they will then be prompted to change the signature validation
according to MokDBState. BS,RT,NV

MokNew: Set by MokUtil when requesting the addition or removal of keys
from MokList. Is an EFI_SIGNATURE_LIST as described in the UEFI
specification. BS,RT,NV

MokAuth: A hash dependent upon the contents of MokNew and the sealing
password. The user's password in UCS-2 form should be appended to the
contents of MokNew and a SHA-256 hash generated and stored in MokAuth.
The hash will be regenerated by MokManager after the user is requested
to enter their password to confirm enrolment of the keys. If the hash
matches MokAuth, the user will be prompted to enrol the keys. BS,RT,NV

State variables:

MokList: A list of authorized keys and hashes. An EFI_SIGNATURE_LIST
as described in the UEFI specification. BS,NV

MokListRT: A copy of MokList made available to the kernel at runtime. RT

MokListX: A list of forbidden keys and hashes.  An EFI_SIGNATURE_LIST
as described in the UEFI specification. BS,NV

MokListXRT: A copy of MokListX made available to the kernel at runtime. RT

MokSBState: An 8-bit unsigned integer. If 1, shim will switch to
insecure mode. BS,NV

MokDBState: An 8-bit unsigned integer. If 1, shim will not use db for
verification. BS,NV

MokIgnoreDB: An 8-bit unsigned integer.  This allows the OS to query whether
or not to import DB certs for its own verification purposes.

MokPWStore: A SHA-256 representation of the password set by the user
via MokPW. The user will be prompted to enter this password in order
to interact with MokManager.
Commit	Line	Data
da1e6d75 MG	1	Variables used by Shim and Mokmanager
	2
	3	Request variables:
	4
a6c726fc PJ	5	MokPW: Set by MokUtil when setting a password. A SHA-256 hash of the
	6	UCS-2 representation of the password. The user will be asked to
	7	re-enter the password to confirm. If the hash of the entered password
	8	matches the contents of MokPW, the user will be prompted to copy MokPW
da1e6d75 MG	9	into MokPWState. BS,RT,NV
da1e6d75 MG	10
a6c726fc	11	MokSB: Set by MokUtil when requesting a change in state of signature
da1e6d75 MG	12	validation. A packed structure as follows:
	13
	14	typedef struct {
	15	UINT32 MokSBState;
	16	UINT32 PWLen;
	17	CHAR16 Password[PASSWORD_MAX];
	18	} __attribute__ ((packed)) MokSBvar;
	19
a6c726fc PJ	20	If MokSBState is 0, the user will be prompted to disable signature
	21	validation. Otherwise, the user will be prompted to enable it. PWLen
	22	is the length of the password, in characters. Password is a UCS-2
	23	representation of the password. The user will be prompted to enter
	24	three randomly chosen characters from the password. If successful,
	25	they will then be prompted to change the signature validation
da1e6d75 MG	26	according to MokSBState. BS,RT,NV
da1e6d75 MG	27
a6c726fc	28	MokDB: Set by MokUtil when requesting a change in state of validation
ef0383d0 JB	29	using db hashes and certs. A packed structure as follows:
	30
	31	typedef struct {
	32	UINT32 MokDBState;
	33	UINT32 PWLen;
	34	CHAR16 Password[PASSWORD_MAX];
	35	} __attribute__ ((packed)) MokDBvar;
	36
a6c726fc PJ	37	If MokDBState is 0, the user will be prompted to disable usage of db for
	38	validation. Otherwise, the user will be prompted to allow it. PWLen
	39	is the length of the password, in characters. Password is a UCS-2
	40	representation of the password. The user will be prompted to enter
	41	three randomly chosen characters from the password. If successful,
	42	they will then be prompted to change the signature validation
ef0383d0 JB	43	according to MokDBState. BS,RT,NV
ef0383d0 JB	44
a6c726fc PJ	45	MokNew: Set by MokUtil when requesting the addition or removal of keys
a6c726fc PJ	46	from MokList. Is an EFI_SIGNATURE_LIST as described in the UEFI
da1e6d75 MG	47	specification. BS,RT,NV
da1e6d75 MG	48
a6c726fc PJ	49	MokAuth: A hash dependent upon the contents of MokNew and the sealing
	50	password. The user's password in UCS-2 form should be appended to the
	51	contents of MokNew and a SHA-256 hash generated and stored in MokAuth.
	52	The hash will be regenerated by MokManager after the user is requested
	53	to enter their password to confirm enrolment of the keys. If the hash
da1e6d75 MG	54	matches MokAuth, the user will be prompted to enrol the keys. BS,RT,NV
	55
	56	State variables:
	57
25c83246	58	MokList: A list of authorized keys and hashes. An EFI_SIGNATURE_LIST
da1e6d75 MG	59	as described in the UEFI specification. BS,NV
	60
	61	MokListRT: A copy of MokList made available to the kernel at runtime. RT
	62
25c83246	63	MokListX: A list of forbidden keys and hashes. An EFI_SIGNATURE_LIST
9abedc47 PJ	64	as described in the UEFI specification. BS,NV
	65
	66	MokListXRT: A copy of MokListX made available to the kernel at runtime. RT
	67
a6c726fc	68	MokSBState: An 8-bit unsigned integer. If 1, shim will switch to
da1e6d75 MG	69	insecure mode. BS,NV
da1e6d75 MG	70
a6c726fc	71	MokDBState: An 8-bit unsigned integer. If 1, shim will not use db for
ef0383d0 JB	72	verification. BS,NV
	73
	74	MokIgnoreDB: An 8-bit unsigned integer. This allows the OS to query whether
	75	or not to import DB certs for its own verification purposes.
	76
a6c726fc PJ	77	MokPWStore: A SHA-256 representation of the password set by the user
a6c726fc PJ	78	via MokPW. The user will be prompted to enter this password in order
da1e6d75	79	to interact with MokManager.