Commit: da1e6d75 MG
Variables used by Shim and Mokmanager

The letters at the end of each entry are the UEFI variable attributes: BS (accessible to boot services), RT (accessible at runtime) and NV (non-volatile).

Request variables:

MokPW: Set by MokUtil when setting a password. A SHA-256 hash of the
UCS-2 representation of the password. The user will be asked to
re-enter the password to confirm. If the hash of the entered password
matches the contents of MokPW, the user will be prompted to copy MokPW
into MokPWStore. BS,RT,NV

MokSB: Set by MokUtil when requesting a change in state of signature
validation. A packed structure as follows:

    typedef struct {
        UINT32 MokSBState;
        UINT32 PWLen;
        CHAR16 Password[PASSWORD_MAX];
    } __attribute__ ((packed)) MokSBvar;

If MokSBState is 0, the user will be prompted to disable signature
validation. Otherwise, the user will be prompted to enable it. PWLen
is the length of the password, in characters. Password is a UCS-2
representation of the password. The user will be prompted to enter
three randomly chosen characters from the password. If successful,
they will then be prompted to change the signature validation
according to MokSBState. BS,RT,NV

MokNew: Set by MokUtil when requesting the addition or removal of keys
from MokList. It is an EFI_SIGNATURE_LIST as described in the UEFI
specification. BS,RT,NV

MokAuth: A hash dependent upon the contents of MokNew and the sealing
password. The user's password in UCS-2 form should be appended to the
contents of MokNew and a SHA-256 hash generated and stored in MokAuth.
The hash will be regenerated by MokManager after the user is requested
to enter their password to confirm enrolment of the keys. If the hash
matches MokAuth, the user will be prompted to enrol the keys. BS,RT,NV

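As an added illustration (not code from shim, MokManager or MokUtil), the following Python builds the MokPW and MokAuth hashes and packs and parses the MokSBvar structure described above. It assumes PASSWORD_MAX is 16, that the UCS-2 password is appended to MokNew without a terminating NUL, and uses a constructed placeholder in place of a real EFI_SIGNATURE_LIST for MokNew.

```python
import hashlib
import hmac
import struct

# PASSWORD_MAX is not defined in MokVars.txt; 16 is an assumed value for this example.
PASSWORD_MAX = 16

# Constructed stand-in for MokNew; a real value is an EFI_SIGNATURE_LIST.
SAMPLE_MOK_NEW = b"constructed-EFI_SIGNATURE_LIST-placeholder-bytes"


def ucs2(password: str) -> bytes:
    """UCS-2 little-endian encoding of the password, with no terminator (assumed)."""
    if any(ord(c) > 0xFFFF for c in password):
        raise ValueError("UCS-2 cannot represent characters outside the BMP")
    return password.encode("utf-16-le")


def mok_pw(password: str) -> bytes:
    """MokPW: SHA-256 of the UCS-2 password (the value later kept in MokPWStore)."""
    return hashlib.sha256(ucs2(password)).digest()


def mok_auth(mok_new: bytes, password: str) -> bytes:
    """MokAuth: SHA-256 over the MokNew contents followed by the UCS-2 password."""
    return hashlib.sha256(mok_new + ucs2(password)).digest()


def verify_mok_auth(mok_new: bytes, password: str, expected: bytes) -> bool:
    """MokManager-side check: recompute the hash and compare it in constant time."""
    return hmac.compare_digest(mok_auth(mok_new, password), expected)


def pack_mok_sb(state: int, password: str) -> bytes:
    """Pack MokSBvar: UINT32 MokSBState, UINT32 PWLen, CHAR16 Password[PASSWORD_MAX]."""
    if len(password) > PASSWORD_MAX:
        raise ValueError("password longer than PASSWORD_MAX")
    pw_field = ucs2(password).ljust(PASSWORD_MAX * 2, b"\0")  # zero-pad the CHAR16 array
    return struct.pack("<II", state, len(password)) + pw_field


def unpack_mok_sb(blob: bytes) -> tuple:
    """Parse MokSBvar, rejecting a size or PWLen that would read past the Password array."""
    if len(blob) != 8 + 2 * PASSWORD_MAX:
        raise ValueError("MokSB has unexpected size")
    state, pw_len = struct.unpack_from("<II", blob)
    if pw_len > PASSWORD_MAX:
        raise ValueError("PWLen exceeds PASSWORD_MAX")
    password = blob[8:8 + 2 * pw_len].decode("utf-16-le")
    return state, password
```

The PWLen bound check in unpack_mok_sb is the part a consumer of a BS,RT,NV variable cannot skip: the value is writable from the running OS, so its length fields must be treated as untrusted input.
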
State variables:

MokList: A list of whitelisted keys and hashes. An EFI_SIGNATURE_LIST
as described in the UEFI specification. BS,NV

MokListRT: A copy of MokList made available to the kernel at runtime. RT

MokSBState: An 8-bit unsigned integer. If 1, shim will switch to
insecure mode. BS,NV

MokPWStore: A SHA-256 representation of the password set by the user
via MokPW. The user will be prompted to enter this password in order
to interact with MokManager.