Optionally allow to keep shim protocol installed

If the SHIM_RETAIN_PROTOCOL variable is set, avoid uninstalling our protocol. For example, this allows sd-stub in a UKI to use the shim protocol to validate PE binaries, even if it is executed by a second stage, before the kernel is loaded. Example use case in sd-boot/sd-stub: systemd/systemd#27358 Signed-off-by: Luca Boccassi <bluca@debian.org>
bluca · Apr 25, 2023 · e129532 · e129532
1 parent f23883c
commit e129532
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/replacements.c b/replacements.c
@@ -78,8 +78,20 @@ replacement_start_image(EFI_HANDLE image_handle, UINTN *exit_data_size, CHAR16 *
 	unhook_system_services();
 
 	if (image_handle == last_loaded_image) {
+		UINT8 *data = NULL;
+		UINTN dataSize = 0;
+
 		loader_is_participating = 1;
-		uninstall_shim_protocols();
+
+		/* If a later stage asks us, keep our protocol around - it will be used to validate
+		 * further PE payloads (e.g.: by the UKI stub, before the kernel is booted). */
+		efi_status = get_variable(SHIM_RETAIN_PROTOCOL_VAR_NAME, &data, &dataSize,
+					  SHIM_LOCK_GUID);
+		if (EFI_ERROR(efi_status)) {
+			uninstall_shim_protocols();
+		} else {
+			FreePool(data);
+		}
 	}
 	efi_status = BS->StartImage(image_handle, exit_data_size, exit_data);
 	if (EFI_ERROR(efi_status)) {

diff --git a/shim.h b/shim.h
@@ -305,6 +305,8 @@ verify_buffer (char *data, int datasize,
 #define DEBUG_VAR_NAME L"SHIM_DEBUG"
 #endif
 
+#define SHIM_RETAIN_PROTOCOL_VAR_NAME L"SHIM_RETAIN_PROTOCOL"
+
 char *translate_slashes(char *out, const char *str);
 
 #endif /* SHIM_H_ */