efi-boot-shim.git / MokVars.txt (git.proxmox.com)
Updated version 12+1503074702.5202f80 from 'upstream/12+1503074702.5202f80'
Variables used by Shim and Mokmanager

Request variables:

MokPW: Set by MokUtil when setting a password. A SHA-256 hash of the
UCS-2 representation of the password. The user will be asked to
re-enter the password to confirm. If the hash of the entered password
matches the contents of MokPW, the user will be prompted to copy MokPW
into MokPWStore. BS,RT,NV

MokSB: Set by MokUtil when requesting a change in state of signature
validation. A packed structure as follows:

typedef struct {
	UINT32 MokSBState;
	UINT32 PWLen;
	CHAR16 Password[PASSWORD_MAX];
} __attribute__ ((packed)) MokSBvar;

If MokSBState is 0, the user will be prompted to disable signature
validation. Otherwise, the user will be prompted to enable it. PWLen
is the length of the password, in characters. Password is a UCS-2
representation of the password. The user will be prompted to enter
three randomly chosen characters from the password. If successful,
they will then be prompted to change the signature validation
according to MokSBState. BS,RT,NV

MokDB: Set by MokUtil when requesting a change in state of validation
using db hashes and certs. A packed structure as follows:

typedef struct {
	UINT32 MokDBState;
	UINT32 PWLen;
	CHAR16 Password[PASSWORD_MAX];
} __attribute__ ((packed)) MokDBvar;

If MokDBState is 0, the user will be prompted to disable usage of db for
validation. Otherwise, the user will be prompted to allow it. PWLen
is the length of the password, in characters. Password is a UCS-2
representation of the password. The user will be prompted to enter
three randomly chosen characters from the password. If successful,
they will then be prompted to change the use of db for validation
according to MokDBState. BS,RT,NV

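MokSB and MokDB share one layout and one confirmation step. The Python below is added here as an example and is not code from shim or mokutil: it packs and parses the MokSBvar/MokDBvar structure and runs the three-character challenge that MokManager performs on the Password field before acting on MokSBState/MokDBState. PASSWORD_MAX = 256 is an assumption, as is drawing three distinct positions from a CSPRNG; the text only says three randomly chosen characters.

```python
"""Build and check a MokSB / MokDB request payload (added example, not shim code)."""
import secrets
import struct

PASSWORD_MAX = 256                    # assumed value of shim's PASSWORD_MAX
HEADER = struct.Struct("<II")         # UINT32 MokSBState/MokDBState, UINT32 PWLen (packed, little-endian)
PAYLOAD_SIZE = HEADER.size + 2 * PASSWORD_MAX   # CHAR16 Password[PASSWORD_MAX] follows the header


def pack_request(state, password):
    """Serialize a MokSBvar/MokDBvar: state 0 = disable, non-zero = enable."""
    if not 1 <= len(password) <= PASSWORD_MAX:
        raise ValueError("password length out of range")
    pw = password.encode("utf-16-le")       # UCS-2 for BMP characters: no BOM, no terminator
    if len(pw) != 2 * len(password):
        raise ValueError("password must be representable in UCS-2 (BMP only)")
    return HEADER.pack(state, len(password)) + pw.ljust(2 * PASSWORD_MAX, b"\x00")


def unpack_request(blob):
    """Parse the variable as MokManager would, validating PWLen before indexing Password."""
    if len(blob) != PAYLOAD_SIZE:
        raise ValueError("unexpected MokSB/MokDB payload size %d" % len(blob))
    state, pwlen = HEADER.unpack_from(blob)
    if not 1 <= pwlen <= PASSWORD_MAX:
        raise ValueError("PWLen %d out of range" % pwlen)
    field = blob[HEADER.size:HEADER.size + 2 * pwlen]
    return state, field.decode("utf-16-le")


def choose_challenge(pwlen, count=3):
    """Pick `count` distinct 1-based character positions to ask the user for.
    Distinct positions and the CSPRNG are choices of this example, not documented shim behaviour."""
    if pwlen < count:
        raise ValueError("password too short for a %d-character challenge" % count)
    return sorted(secrets.SystemRandom().sample(range(1, pwlen + 1), count))


def answer_challenge(password, positions):
    """What a user who knows the password types back for the chosen positions."""
    return [password[p - 1] for p in positions]


def check_challenge(password, positions, answers):
    """MokManager-side check: every answered character must equal the stored one."""
    if len(answers) != len(positions):
        return False
    return all(password[p - 1] == a for p, a in zip(positions, answers))
```

The header is 8 bytes and the password field is fixed at 512 bytes, so a well-formed request is always 520 bytes whatever PWLen says; a reader should bound PWLen against the buffer before indexing Password rather than trusting the field.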
MokNew: Set by MokUtil when requesting the addition or removal of keys
from MokList. An EFI_SIGNATURE_LIST as described in the UEFI
specification. BS,RT,NV

MokAuth: A hash dependent upon the contents of MokNew and the sealing
password. The user's password in UCS-2 form should be appended to the
contents of MokNew and a SHA-256 hash generated and stored in MokAuth.
The hash will be regenerated by MokManager after the user is requested
to enter their password to confirm enrolment of the keys. If the hash
matches MokAuth, the user will be prompted to enrol the keys. BS,RT,NV

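To show how MokNew and MokAuth fit together, the following Python is added to this page (it is not mokutil or MokManager code). It builds a MokNew holding one EFI_SIGNATURE_LIST, computes MokAuth as SHA-256 over MokNew followed by the UCS-2 password, and re-checks it the way MokManager does; the same parser walks MokList, MokListRT, MokListX and MokListXRT, which use the same EFI_SIGNATURE_LIST encoding. The GUID constants are the UEFI specification values for SHA-256 and X.509 entries. That nothing (no terminator) follows the password in the hash input is an assumption taken from the description above; the owner GUID and the hashed payload are made up.

```python
"""MokNew EFI_SIGNATURE_LIST construction and MokAuth hashing (added example, not shim code)."""
import hashlib
import hmac
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
SIGLIST_HDR = struct.Struct("<16sIII")


def build_signature_list(sig_type, owner, entries):
    """One EFI_SIGNATURE_LIST of same-sized SignatureData entries, all owned by `owner`."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("all SignatureData in one list must have the same size")
    sig_size = 16 + sizes.pop()                       # EFI_SIGNATURE_DATA = SignatureOwner GUID + data
    body = b"".join(owner.bytes_le + e for e in entries)
    header = SIGLIST_HDR.pack(sig_type.bytes_le, SIGLIST_HDR.size + len(body), 0, sig_size)
    return header + body


def parse_signature_lists(blob):
    """Walk concatenated EFI_SIGNATURE_LISTs (MokNew, MokList, MokListRT, ...).
    Returns (type GUID, owner GUID, SignatureData) per entry; rejects inconsistent sizes."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(blob, off)
        if list_size < SIGLIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        body_len = list_size - SIGLIST_HDR.size - hdr_size
        if sig_size <= 16 or body_len % sig_size:
            raise ValueError("bad SignatureSize at offset %d" % off)
        pos = off + SIGLIST_HDR.size + hdr_size
        end = off + list_size
        while pos < end:
            owner = uuid.UUID(bytes_le=bytes(blob[pos:pos + 16]))
            entries.append((uuid.UUID(bytes_le=bytes(sig_type)), owner, bytes(blob[pos + 16:pos + sig_size])))
            pos += sig_size
        off = end
    return entries


def mok_auth(mok_new, password):
    """SHA-256(MokNew || UCS-2(password)), the value MokUtil stores in MokAuth.
    Assumption: the password is appended without a terminator."""
    pw = password.encode("utf-16-le")
    if len(pw) != 2 * len(password):
        raise ValueError("password must be representable in UCS-2 (BMP only)")
    return hashlib.sha256(mok_new + pw).digest()


def verify_mok_auth(mok_new, mok_auth_var, password):
    """MokManager-side check: recompute the hash from MokNew and the typed password."""
    return len(mok_auth_var) == 32 and hmac.compare_digest(mok_auth(mok_new, password), mok_auth_var)


# Constructed sample: a request to enrol one SHA-256 hash of a fictional binary.
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")   # made-up owner GUID
SAMPLE_HASH = hashlib.sha256(b"not a real EFI binary").digest()
SAMPLE_MOKNEW = build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [SAMPLE_HASH])
```

An X.509 entry is built the same way with EFI_CERT_X509_GUID and the DER certificate as SignatureData; because every entry in a list carries SignatureSize, certificates of different lengths need separate lists, which is why the parser loops over concatenated lists.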
State variables:

MokList: A list of whitelisted keys and hashes. An EFI_SIGNATURE_LIST
as described in the UEFI specification. BS,NV

MokListRT: A copy of MokList made available to the kernel at runtime. RT

MokListX: A list of blacklisted keys and hashes. An EFI_SIGNATURE_LIST
as described in the UEFI specification. BS,NV

MokListXRT: A copy of MokListX made available to the kernel at runtime. RT

MokSBState: An 8-bit unsigned integer. If 1, shim will switch to
insecure mode. BS,NV

MokDBState: An 8-bit unsigned integer. If 1, shim will not use db for
verification. BS,NV

MokIgnoreDB: An 8-bit unsigned integer. This allows the OS to query whether
or not to import DB certs for its own verification purposes.

MokPWStore: A SHA-256 hash of the password set by the user
via MokPW. The user will be prompted to enter this password in order
to interact with MokManager.