[efi-boot-shim.git] / MokVars.txt

Variables used by Shim and Mokmanager

Request variables:

MokPW: Set by MokUtil when setting a password. A SHA-256 hash of the 
UCS-2 representation of the password. The user will be asked to 
re-enter the password to confirm. If the hash of the entered password 
matches the contents of MokPW, the user will be prompted to copy MokPW 
into MokPWState. BS,RT,NV

MokSB: Set by MokUtil when requesting a change in state of signature 
validation. A packed structure as follows:

typedef struct {
        UINT32 MokSBState;
        UINT32 PWLen;
        CHAR16 Password[PASSWORD_MAX];
} __attribute__ ((packed)) MokSBvar;

If MokSBState is 0, the user will be prompted to disable signature 
validation. Otherwise, the user will be prompted to enable it. PWLen 
is the length of the password, in characters. Password is a UCS-2 
representation of the password. The user will be prompted to enter 
three randomly chosen characters from the password. If successful, 
they will then be prompted to change the signature validation 
according to MokSBState. BS,RT,NV

MokNew: Set by MokUtil when requesting the addition or removal of keys 
from MokList. Is an EFI_SIGNATURE_LIST as described in the UEFI 
specification. BS,RT,NV

MokAuth: A hash dependent upon the contents of MokNew and the sealing 
password. The user's password in UCS-2 form should be appended to the 
contents of MokNew and a SHA-256 hash generated and stored in MokAuth. 
The hash will be regenerated by MokManager after the user is requested 
to enter their password to confirm enrolment of the keys. If the hash 
matches MokAuth, the user will be prompted to enrol the keys. BS,RT,NV

State variables:

MokList: A list of whitelisted keys and hashes. An EFI_SIGNATURE_LIST 
as described in the UEFI specification. BS,NV

MokListRT: A copy of MokList made available to the kernel at runtime. RT

MokSBState: An 8-bit unsigned integer. If 1, shim will switch to 
insecure mode. BS,NV

MokPWStore: A SHA-256 representation of the password set by the user 
via MokPW. The user will be prompted to enter this password in order 
to interact with MokManager.
Commit	Line	Data
da1e6d75 MG	1	Variables used by Shim and Mokmanager
	2
	3	Request variables:
	4
	5	MokPW: Set by MokUtil when setting a password. A SHA-256 hash of the
	6	UCS-2 representation of the password. The user will be asked to
	7	re-enter the password to confirm. If the hash of the entered password
	8	matches the contents of MokPW, the user will be prompted to copy MokPW
	9	into MokPWState. BS,RT,NV
	10
	11	MokSB: Set by MokUtil when requesting a change in state of signature
	12	validation. A packed structure as follows:
	13
	14	typedef struct {
	15	UINT32 MokSBState;
	16	UINT32 PWLen;
	17	CHAR16 Password[PASSWORD_MAX];
	18	} __attribute__ ((packed)) MokSBvar;
	19
	20	If MokSBState is 0, the user will be prompted to disable signature
	21	validation. Otherwise, the user will be prompted to enable it. PWLen
	22	is the length of the password, in characters. Password is a UCS-2
	23	representation of the password. The user will be prompted to enter
	24	three randomly chosen characters from the password. If successful,
	25	they will then be prompted to change the signature validation
	26	according to MokSBState. BS,RT,NV
	27
	28	MokNew: Set by MokUtil when requesting the addition or removal of keys
	29	from MokList. Is an EFI_SIGNATURE_LIST as described in the UEFI
	30	specification. BS,RT,NV
	31
	32	MokAuth: A hash dependent upon the contents of MokNew and the sealing
	33	password. The user's password in UCS-2 form should be appended to the
	34	contents of MokNew and a SHA-256 hash generated and stored in MokAuth.
	35	The hash will be regenerated by MokManager after the user is requested
	36	to enter their password to confirm enrolment of the keys. If the hash
	37	matches MokAuth, the user will be prompted to enrol the keys. BS,RT,NV
	38
	39	State variables:
	40
	41	MokList: A list of whitelisted keys and hashes. An EFI_SIGNATURE_LIST
	42	as described in the UEFI specification. BS,NV
	43
	44	MokListRT: A copy of MokList made available to the kernel at runtime. RT
	45
	46	MokSBState: An 8-bit unsigned integer. If 1, shim will switch to
	47	insecure mode. BS,NV
	48
	49	MokPWStore: A SHA-256 representation of the password set by the user
	50	via MokPW. The user will be prompted to enter this password in order
	51	to interact with MokManager.