Variables used by Shim and Mokmanager

The letters after each entry are the UEFI variable attributes it is
created with: BS = EFI_VARIABLE_BOOTSERVICE_ACCESS, RT =
EFI_VARIABLE_RUNTIME_ACCESS, NV = EFI_VARIABLE_NON_VOLATILE. A variable
without RT is not visible to the operating system once boot services
have been exited.

Request variables:

MokPW: Set by MokUtil when setting a password. A SHA-256 hash of the
UCS-2 representation of the password. The user will be asked to
re-enter the password to confirm. If the hash of the entered password
matches the contents of MokPW, the user will be prompted to copy MokPW
into MokPWStore. BS,RT,NV

MokSB: Set by MokUtil when requesting a change in state of signature
validation. A packed structure as follows:

        typedef struct {
                UINT32 MokSBState;
                UINT32 PWLen;
                CHAR16 Password[PASSWORD_MAX];
        } __attribute__ ((packed)) MokSBvar;

If MokSBState is 0, the user will be prompted to disable signature
validation. Otherwise, the user will be prompted to enable it. PWLen
is the length of the password, in characters. Password is a UCS-2
representation of the password. The user will be prompted to enter
three randomly chosen characters from the password. If successful,
they will then be prompted to change the signature validation
according to MokSBState. BS,RT,NV

MokDB: Set by MokUtil when requesting a change in state of validation
using db hashes and certs. A packed structure as follows:

        typedef struct {
                UINT32 MokDBState;
                UINT32 PWLen;
                CHAR16 Password[PASSWORD_MAX];
        } __attribute__ ((packed)) MokDBvar;

If MokDBState is 0, the user will be prompted to disable usage of db for
validation. Otherwise, the user will be prompted to allow it. PWLen
is the length of the password, in characters. Password is a UCS-2
representation of the password. The user will be prompted to enter
three randomly chosen characters from the password. If successful,
they will then be prompted to change whether db is used for validation
according to MokDBState. BS,RT,NV

MokNew: Set by MokUtil when requesting the addition or removal of keys
from MokList. An EFI_SIGNATURE_LIST as described in the UEFI
specification. BS,RT,NV

MokAuth: A hash dependent upon the contents of MokNew and the sealing
password. The user's password in UCS-2 form is appended to the
contents of MokNew and a SHA-256 hash generated and stored in MokAuth.
The hash will be regenerated by MokManager after the user is requested
to enter their password to confirm enrolment of the keys. If the hash
matches MokAuth, the user will be prompted to enrol the keys. Because
the hash covers MokNew, a request whose contents are altered after the
password was entered will not match. BS,RT,NV

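An added example, not mokutil or MokManager code, that serializes an EFI_SIGNATURE_LIST for MokNew, derives MokAuth as described above, and computes the MokPW hash from the earlier section with the same password encoding. The signature type GUIDs come from the UEFI specification and are not quoted on this page; hashing the password with no trailing NUL and using an all-zero SignatureOwner are assumptions to verify against the shim and mokutil sources you run.

```python
"""MokNew, MokAuth and MokPW computations (added example, not shim/mokutil code)."""
from __future__ import annotations

import hashlib
import hmac
import struct
import uuid

# Signature type GUIDs from the UEFI specification (not quoted on this page).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SignatureOwner is informational; this example uses all zeros (assumption).
ZERO_OWNER = uuid.UUID(int=0)
_LIST_HEADER = 28   # sizeof(EFI_GUID) + 3 * sizeof(UINT32)


def signature_list(sig_type: uuid.UUID, entries: list[bytes],
                   owner: uuid.UUID = ZERO_OWNER) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST for MokNew.

    Layout, all little-endian: EFI_GUID SignatureType; UINT32 SignatureListSize;
    UINT32 SignatureHeaderSize (0 for these types); UINT32 SignatureSize; then
    N EFI_SIGNATURE_DATA entries of {EFI_GUID SignatureOwner; UINT8 Data[]}.
    Every entry in one list shares SignatureSize, so hashes pack together but
    X.509 certs of different lengths need one list each.
    """
    if not entries:
        raise ValueError("empty signature list")
    if len({len(e) for e in entries}) != 1:
        raise ValueError("all signatures in one EFI_SIGNATURE_LIST must be the same size")
    sig_size = 16 + len(entries[0])
    body = b"".join(owner.bytes_le + e for e in entries)
    return (sig_type.bytes_le
            + struct.pack("<III", _LIST_HEADER + len(body), 0, sig_size)
            + body)


def ucs2(password: str) -> bytes:
    """UCS-2 form of the password: UTF-16LE restricted to the BMP, no terminator.
    Assumption: MokManager hashes exactly PWLen characters with no trailing NUL;
    confirm against compute_pw_hash() in the shim tree you run."""
    if any(ord(c) > 0xFFFF for c in password):
        raise ValueError("UCS-2 cannot represent characters outside the BMP")
    return password.encode("utf-16-le")


def mok_pw(password: str) -> bytes:
    """Contents of MokPW: SHA-256 over the UCS-2 password."""
    return hashlib.sha256(ucs2(password)).digest()


def mok_auth(mok_new: bytes, password: str) -> bytes:
    """Contents of MokAuth: SHA-256 over MokNew followed by the UCS-2 password."""
    return hashlib.sha256(mok_new + ucs2(password)).digest()


def verify_mok_auth(mok_new: bytes, entered: str, stored_auth: bytes) -> bool:
    """MokManager's side: recompute over the MokNew it actually read and compare."""
    return hmac.compare_digest(mok_auth(mok_new, entered), stored_auth)


if __name__ == "__main__":
    # Constructed sample: enrol two SHA-256 hashes (not hashes of real binaries).
    h1 = hashlib.sha256(b"constructed sample binary 1").digest()
    h2 = hashlib.sha256(b"constructed sample binary 2").digest()
    mok_new = signature_list(EFI_CERT_SHA256_GUID, [h1, h2])
    auth = mok_auth(mok_new, "hunter2hunter2")
    print(f"MokNew: {len(mok_new)} bytes, MokAuth: {auth.hex()}")
    print("same password, same MokNew  ->", verify_mok_auth(mok_new, "hunter2hunter2", auth))
    print("wrong password              ->", verify_mok_auth(mok_new, "hunter3hunter3", auth))
    # Swapping the request contents after the password was entered also fails:
    tampered = signature_list(EFI_CERT_SHA256_GUID, [h1])
    print("tampered MokNew, same auth  ->", verify_mok_auth(tampered, "hunter2hunter2", auth))
```

Both MokPW and MokAuth are a single unsalted SHA-256 over a user-chosen password (with MokNew prepended for MokAuth), and the variables are RT-accessible, so a weak password can be recovered offline by anyone able to read them. The construction ties the console confirmation to the exact request made from the OS; it is not a secret store for the password.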
State variables:

MokList: A list of whitelisted keys and hashes. An EFI_SIGNATURE_LIST
as described in the UEFI specification. BS,NV

MokListRT: A copy of MokList made available to the kernel at runtime. RT

MokListX: A list of blacklisted keys and hashes. An EFI_SIGNATURE_LIST
as described in the UEFI specification. BS,NV

MokListXRT: A copy of MokListX made available to the kernel at runtime. RT

MokSBState: An 8-bit unsigned integer. If 1, shim will switch to
insecure mode. BS,NV

MokDBState: An 8-bit unsigned integer. If 1, shim will not use db for
verification. BS,NV

Note that the sense is inverted relative to the request variables: a
MokSB or MokDB request whose state field is 0 asks to disable the
check, and a confirmed request sets the corresponding state variable
to 1. Both state variables are BS,NV, so the operating system cannot
read them directly.

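Because MokList, MokListX, MokSBState and MokDBState are BS,NV, the running operating system sees only the RT copies. This added example, not shim code, reads MokListRT or MokListXRT the way efivarfs presents them, with the 4-byte attribute prefix, and walks the EFI_SIGNATURE_LIST chain with the size checks a parser of firmware-held data needs. The vendor GUID 605dab50-e046-4300-abb6-3dd810dd8b23 and the signature type GUIDs are taken from the shim sources and the UEFI specification, not from this page, and the sample bytes are constructed.

```python
"""Inspect MokListRT / MokListXRT as exposed by efivarfs (added example, not shim code)."""
from __future__ import annotations

import struct
import uuid
from pathlib import Path

# Assumption: shim's vendor GUID (SHIM_LOCK_GUID) is not given on this page;
# the value below is the one used in the shim sources.
SHIM_LOCK_GUID = "605dab50-e046-4300-abb6-3dd810dd8b23"
EFIVARS = Path("/sys/firmware/efi/efivars")

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIG_TYPE_NAMES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}
EFI_VARIABLE_RUNTIME_ACCESS = 0x00000004
_LIST_HEADER = 28   # sizeof(EFI_GUID) + 3 * sizeof(UINT32)


def split_efivar(raw: bytes) -> tuple[int, bytes]:
    """efivarfs prefixes each variable's data with its UINT32 attributes."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than the attribute word")
    return struct.unpack_from("<I", raw, 0)[0], raw[4:]


def parse_signature_lists(data: bytes):
    """Yield (type_name, owner, signature) for every entry in a chain of
    EFI_SIGNATURE_LISTs.  Every size field is checked against the buffer
    before it is used as an offset, so a corrupt list cannot make the
    parser read past the end or loop forever."""
    off = 0
    while off < len(data):
        if len(data) - off < _LIST_HEADER:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at {off}")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < _LIST_HEADER + hdr_size or off + list_size > len(data):
            raise ValueError(f"SignatureListSize {list_size} inconsistent with buffer")
        body_len = list_size - _LIST_HEADER - hdr_size
        if sig_size <= 16 or body_len % sig_size:
            raise ValueError(f"SignatureSize {sig_size} does not divide list body")
        name = SIG_TYPE_NAMES.get(sig_type, str(sig_type))
        for pos in range(off + _LIST_HEADER + hdr_size, off + list_size, sig_size):
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield name, owner, data[pos + 16:pos + sig_size]
        off += list_size


def summarize(raw: bytes) -> dict[str, int]:
    """Entries per signature type in a raw efivarfs dump of MokListRT/MokListXRT."""
    _attrs, data = split_efivar(raw)
    counts: dict[str, int] = {}
    for name, _owner, _sig in parse_signature_lists(data):
        counts[name] = counts.get(name, 0) + 1
    return counts


def read_shim_var(name: str) -> bytes:
    """Raw efivarfs bytes for one shim variable (needs a booted EFI system)."""
    return (EFIVARS / f"{name}-{SHIM_LOCK_GUID}").read_bytes()


# Constructed sample standing in for an efivarfs read of MokListRT: attributes
# RT only (as the page lists), one SHA-256 list with two entries and one X.509
# list holding a 20-byte placeholder that is not a real certificate.
_FAKE_DER = b"\x30\x12" + bytes(18)
SAMPLE_MOKLISTRT = (
    struct.pack("<I", EFI_VARIABLE_RUNTIME_ACCESS)
    + EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + 2 * 48, 0, 48)
    + bytes(16) + bytes([0x11]) * 32
    + bytes(16) + bytes([0x22]) * 32
    + EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + 36, 0, 36)
    + bytes(16) + _FAKE_DER
)

if __name__ == "__main__":
    path = EFIVARS / f"MokListRT-{SHIM_LOCK_GUID}"
    raw = read_shim_var("MokListRT") if path.exists() else SAMPLE_MOKLISTRT
    attrs, data = split_efivar(raw)
    print(f"attributes=0x{attrs:x} runtime_access={bool(attrs & EFI_VARIABLE_RUNTIME_ACCESS)}")
    for name, owner, sig in parse_signature_lists(data):
        shown = sig.hex() if name == "sha256" else f"{len(sig)} bytes DER"
        print(f"{name:7s} owner={owner} {shown}")
    print("summary:", summarize(raw))
```

Run on a live system the script reads the real MokListRT; elsewhere it falls back to the constructed sample so the parser can be exercised offline.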
MokIgnoreDB: An 8-bit unsigned integer. This allows the OS to query whether
or not to import DB certs for its own verification purposes.

MokPWStore: A SHA-256 representation of the password set by the user
via MokPW. The user will be prompted to enter this password in order
to interact with MokManager.