]>
Commit | Line | Data |
---|---|---|
da1e6d75 MG |
1 | Variables used by Shim and Mokmanager |
2 | ||
3 | Request variables: | |
4 | ||
5 | MokPW: Set by MokUtil when setting a password. A SHA-256 hash of the | |
6 | UCS-2 representation of the password. The user will be asked to | |
7 | re-enter the password to confirm. If the hash of the entered password | |
8 | matches the contents of MokPW, the user will be prompted to copy MokPW | |
9 | into MokPWState. BS,RT,NV | |
10 | ||
11 | MokSB: Set by MokUtil when requesting a change in state of signature | |
12 | validation. A packed structure as follows: | |
13 | ||
14 | typedef struct { | |
15 | UINT32 MokSBState; | |
16 | UINT32 PWLen; | |
17 | CHAR16 Password[PASSWORD_MAX]; | |
18 | } __attribute__ ((packed)) MokSBvar; | |
19 | ||
20 | If MokSBState is 0, the user will be prompted to disable signature | |
21 | validation. Otherwise, the user will be prompted to enable it. PWLen | |
22 | is the length of the password, in characters. Password is a UCS-2 | |
23 | representation of the password. The user will be prompted to enter | |
24 | three randomly chosen characters from the password. If successful, | |
25 | they will then be prompted to change the signature validation | |
26 | according to MokSBState. BS,RT,NV | |
27 | ||
ef0383d0 JB |
28 | MokDB: Set by MokUtil when requesting a change in state of validation |
29 | using db hashes and certs. A packed structure as follows: | |
30 | ||
31 | typedef struct { | |
32 | UINT32 MokDBState; | |
33 | UINT32 PWLen; | |
34 | CHAR16 Password[PASSWORD_MAX]; | |
35 | } __attribute__ ((packed)) MokDBvar; | |
36 | ||
37 | If MokDBState is 0, the user will be prompted to disable usage of db for | |
38 | validation. Otherwise, the user will be prompted to allow it. PWLen | |
39 | is the length of the password, in characters. Password is a UCS-2 | |
40 | representation of the password. The user will be prompted to enter | |
41 | three randomly chosen characters from the password. If successful, | |
42 | they will then be prompted to change the signature validation | |
43 | according to MokDBState. BS,RT,NV | |
44 | ||
da1e6d75 MG |
45 | MokNew: Set by MokUtil when requesting the addition or removal of keys |
46 | from MokList. Is an EFI_SIGNATURE_LIST as described in the UEFI | |
47 | specification. BS,RT,NV | |
48 | ||
49 | MokAuth: A hash dependent upon the contents of MokNew and the sealing | |
50 | password. The user's password in UCS-2 form should be appended to the | |
51 | contents of MokNew and a SHA-256 hash generated and stored in MokAuth. | |
52 | The hash will be regenerated by MokManager after the user is requested | |
53 | to enter their password to confirm enrolment of the keys. If the hash | |
54 | matches MokAuth, the user will be prompted to enrol the keys. BS,RT,NV | |
55 | ||
56 | State variables: | |
57 | ||
58 | MokList: A list of whitelisted keys and hashes. An EFI_SIGNATURE_LIST | |
59 | as described in the UEFI specification. BS,NV | |
60 | ||
61 | MokListRT: A copy of MokList made available to the kernel at runtime. RT | |
62 | ||
63 | MokSBState: An 8-bit unsigned integer. If 1, shim will switch to | |
64 | insecure mode. BS,NV | |
65 | ||
ef0383d0 JB |
66 | MokDBState: An 8-bit unsigned integer. If 1, shim will not use db for |
67 | verification. BS,NV | |
68 | ||
69 | MokIgnoreDB: An 8-bit unsigned integer. This allows the OS to query whether | |
70 | or not to import DB certs for its own verification purposes. | |
71 | ||
da1e6d75 MG |
72 | MokPWStore: A SHA-256 representation of the password set by the user |
73 | via MokPW. The user will be prompted to enter this password in order | |
74 | to interact with MokManager. |