Variables used by Shim and MokManager

Request variables:

MokPW: Set by MokUtil when setting a password. A SHA-256 hash of the
UCS-2 representation of the password. The user will be asked to
re-enter the password to confirm. If the hash of the entered password
matches the contents of MokPW, the user will be prompted to copy MokPW
into MokPWState. BS,RT,NV

MokSB: Set by MokUtil when requesting a change in state of signature
validation. A packed structure as follows:

typedef struct {
        UINT32 MokSBState;
        UINT32 PWLen;
        CHAR16 Password[PASSWORD_MAX];
} __attribute__ ((packed)) MokSBvar;

If MokSBState is 0, the user will be prompted to disable signature
validation. Otherwise, the user will be prompted to enable it. PWLen
is the length of the password, in characters. Password is a UCS-2
representation of the password. The user will be prompted to enter
three randomly chosen characters from the password. If successful,
they will then be prompted to change the signature validation
according to MokSBState. BS,RT,NV

MokNew: Set by MokUtil when requesting the addition or removal of keys
from MokList. Is an EFI_SIGNATURE_LIST as described in the UEFI
specification. BS,RT,NV

MokAuth: A hash dependent upon the contents of MokNew and the sealing
password. The user's password in UCS-2 form should be appended to the
contents of MokNew and a SHA-256 hash generated and stored in MokAuth.
The hash will be regenerated by MokManager after the user is requested
to enter their password to confirm enrolment of the keys. If the hash
matches MokAuth, the user will be prompted to enrol the keys. BS,RT,NV

State variables:

MokList: A list of whitelisted keys and hashes. An EFI_SIGNATURE_LIST
as described in the UEFI specification. BS,NV

MokListRT: A copy of MokList made available to the kernel at runtime. RT

MokSBState: An 8-bit unsigned integer. If 1, shim will switch to
insecure mode. BS,NV

MokPWStore: A SHA-256 representation of the password set by the user
via MokPW. The user will be prompted to enter this password in order
to interact with MokManager.
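
Added example (not code from shim, MokManager or MokUtil): the MokPW and MokAuth hashes and the MokSBvar layout described above, with a check showing that MokAuth only verifies against the exact MokNew contents it was computed over. Assumptions: UCS-2 is encoded little-endian with no BOM or terminator, password_max stands in for PASSWORD_MAX (its value is not given here), the function names are hypothetical, and the MokNew bytes are constructed placeholders.

```python
import hashlib
import hmac
import struct


def ucs2(password: str) -> bytes:
    """Encode a password as UCS-2. Assumed here: little-endian, no BOM, no terminator."""
    if any(ord(ch) > 0xFFFF for ch in password):
        raise ValueError("character outside the UCS-2 range")
    return password.encode("utf-16-le")


def mokpw_hash(password: str) -> bytes:
    """MokPW: SHA-256 over the UCS-2 form of the password."""
    return hashlib.sha256(ucs2(password)).digest()


def mokauth_hash(mok_new: bytes, password: str) -> bytes:
    """MokAuth: SHA-256 over the MokNew contents with the UCS-2 password appended."""
    return hashlib.sha256(mok_new + ucs2(password)).digest()


def confirm_enrolment(mok_new: bytes, mok_auth: bytes, entered: str) -> bool:
    """Regenerate the hash from the entered password and compare it with MokAuth."""
    return hmac.compare_digest(mokauth_hash(mok_new, entered), mok_auth)


def pack_moksb(state: int, password: str, password_max: int) -> bytes:
    """Pack MokSBvar: UINT32 MokSBState, UINT32 PWLen, CHAR16 Password[PASSWORD_MAX].

    password_max stands in for PASSWORD_MAX (assumption: value not given on this page).
    """
    if len(password) > password_max:
        raise ValueError("password longer than PASSWORD_MAX")
    body = ucs2(password).ljust(2 * password_max, b"\x00")
    return struct.pack("<II", state, len(password)) + body


if __name__ == "__main__":
    # Constructed placeholder bytes, not a real EFI_SIGNATURE_LIST.
    sample_mok_new = bytes(range(64))
    auth = mokauth_hash(sample_mok_new, "correct horse")
    print("MokPW  :", mokpw_hash("correct horse").hex())
    print("MokAuth:", auth.hex())
    print("right password :", confirm_enrolment(sample_mok_new, auth, "correct horse"))
    print("wrong password :", confirm_enrolment(sample_mok_new, auth, "correct h0rse"))
    print("MokNew altered :", confirm_enrolment(sample_mok_new + b"\x00", auth, "correct horse"))
    print("MokSBvar bytes :", len(pack_moksb(0, "abc", 16)))
```
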