Request variables:
-MokPW: Set by MokUtil when setting a password. A SHA-256 hash of the
-UCS-2 representation of the password. The user will be asked to
-re-enter the password to confirm. If the hash of the entered password
-matches the contents of MokPW, the user will be prompted to copy MokPW
+MokPW: Set by MokUtil when setting a password. A SHA-256 hash of the
+UCS-2 representation of the password. The user will be asked to
+re-enter the password to confirm. If the hash of the entered password
+matches the contents of MokPW, the user will be prompted to copy MokPW
into MokPWState. BS,RT,NV
-MokSB: Set by MokUtil when requesting a change in state of signature
+MokSB: Set by MokUtil when requesting a change in state of signature
validation. A packed structure as follows:
typedef struct {
CHAR16 Password[PASSWORD_MAX];
} __attribute__ ((packed)) MokSBvar;
-If MokSBState is 0, the user will be prompted to disable signature
-validation. Otherwise, the user will be prompted to enable it. PWLen
-is the length of the password, in characters. Password is a UCS-2
-representation of the password. The user will be prompted to enter
-three randomly chosen characters from the password. If successful,
-they will then be prompted to change the signature validation
+If MokSBState is 0, the user will be prompted to disable signature
+validation. Otherwise, the user will be prompted to enable it. PWLen
+is the length of the password, in characters. Password is a UCS-2
+representation of the password. The user will be prompted to enter
+three randomly chosen characters from the password. If successful,
+they will then be prompted to change the signature validation
according to MokSBState. BS,RT,NV
-MokNew: Set by MokUtil when requesting the addition or removal of keys
-from MokList. Is an EFI_SIGNATURE_LIST as described in the UEFI
+MokDB: Set by MokUtil when requesting a change in state of validation
+using db hashes and certs. A packed structure as follows:
+
+typedef struct {
+ UINT32 MokDBState;
+ UINT32 PWLen;
+ CHAR16 Password[PASSWORD_MAX];
+} __attribute__ ((packed)) MokDBvar;
+
+If MokDBState is 0, the user will be prompted to disable usage of db for
+validation. Otherwise, the user will be prompted to allow it. PWLen
+is the length of the password, in characters. Password is a UCS-2
+representation of the password. The user will be prompted to enter
+three randomly chosen characters from the password. If successful,
+they will then be prompted to change the signature validation
+according to MokDBState. BS,RT,NV
+
+MokNew: Set by MokUtil when requesting the addition or removal of keys
+from MokList. Is an EFI_SIGNATURE_LIST as described in the UEFI
specification. BS,RT,NV
-MokAuth: A hash dependent upon the contents of MokNew and the sealing
-password. The user's password in UCS-2 form should be appended to the
-contents of MokNew and a SHA-256 hash generated and stored in MokAuth.
-The hash will be regenerated by MokManager after the user is requested
-to enter their password to confirm enrolment of the keys. If the hash
+MokAuth: A hash dependent upon the contents of MokNew and the sealing
+password. The user's password in UCS-2 form should be appended to the
+contents of MokNew and a SHA-256 hash generated and stored in MokAuth.
+The hash will be regenerated by MokManager after the user is requested
+to enter their password to confirm enrolment of the keys. If the hash
matches MokAuth, the user will be prompted to enrol the keys. BS,RT,NV
State variables:
-MokList: A list of whitelisted keys and hashes. An EFI_SIGNATURE_LIST
+MokList: A list of authorized keys and hashes. An EFI_SIGNATURE_LIST
as described in the UEFI specification. BS,NV
MokListRT: A copy of MokList made available to the kernel at runtime. RT
-MokSBState: An 8-bit unsigned integer. If 1, shim will switch to
+MokListX: A list of forbidden keys and hashes. An EFI_SIGNATURE_LIST
+as described in the UEFI specification. BS,NV
+
+MokListXRT: A copy of MokListX made available to the kernel at runtime. RT
+
+MokSBState: An 8-bit unsigned integer. If 1, shim will switch to
insecure mode. BS,NV
-MokPWStore: A SHA-256 representation of the password set by the user
-via MokPW. The user will be prompted to enter this password in order
+MokDBState: An 8-bit unsigned integer. If 1, shim will not use db for
+verification. BS,NV
+
+MokIgnoreDB: An 8-bit unsigned integer. This allows the OS to query whether
+or not to import DB certs for its own verification purposes.
+
+MokPWStore: A SHA-256 representation of the password set by the user
+via MokPW. The user will be prompted to enter this password in order
to interact with MokManager.