MokVars.txt
Variables used by Shim and MokManager

Request variables:
MokPW: Set by MokUtil when setting a password. A SHA-256 hash of the
UCS-2 representation of the password. The user will be asked to
re-enter the password to confirm. If the hash of the entered password
matches the contents of MokPW, the user will be prompted to copy MokPW
into MokPWState. BS,RT,NV
MokSB: Set by MokUtil when requesting a change in state of signature
validation. A packed structure as follows:
    typedef struct {
        UINT32 MokSBState;
        UINT32 PWLen;
        CHAR16 Password[PASSWORD_MAX];
    } __attribute__ ((packed)) MokSBvar;
If MokSBState is 0, the user will be prompted to disable signature
validation. Otherwise, the user will be prompted to enable it. PWLen
is the length of the password, in characters. Password is a UCS-2
representation of the password. The user will be prompted to enter
three randomly chosen characters from the password. If successful,
they will then be prompted to change the signature validation
according to MokSBState. BS,RT,NV
MokDB: Set by MokUtil when requesting a change in state of validation
using db hashes and certs. A packed structure as follows:
    typedef struct {
        UINT32 MokDBState;
        UINT32 PWLen;
        CHAR16 Password[PASSWORD_MAX];
    } __attribute__ ((packed)) MokDBvar;
If MokDBState is 0, the user will be prompted to disable usage of db for
validation. Otherwise, the user will be prompted to allow it. PWLen
is the length of the password, in characters. Password is a UCS-2
representation of the password. The user will be prompted to enter
three randomly chosen characters from the password. If successful,
they will then be prompted to change the signature validation
according to MokDBState. BS,RT,NV
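The MokPW hash and the MokSB/MokDB request layout described above, worked through in Python as an added example (this is not code from the shim or mokutil projects): it encodes a password as UCS-2, hashes it the way MokPW stores it, packs and re-parses the MokSBvar/MokDBvar structure with size checks, and models the three-character challenge a reader of the variable would verify. The value of PASSWORD_MAX, the little-endian UCS-2 encoding without a NUL terminator, and the challenge helpers are assumptions of this example, not details stated on the page.

```python
import hashlib
import secrets
import struct

# Assumption (not stated on the page): PASSWORD_MAX is 256 CHAR16s. Adjust
# it to match the shim build whose variables you are inspecting.
PASSWORD_MAX = 256


def ucs2(password: str) -> bytes:
    """UCS-2 little-endian encoding, no NUL terminator (assumed convention).

    UCS-2 covers only the Basic Multilingual Plane, so anything UTF-16 would
    have to encode as a surrogate pair is rejected rather than mangled.
    """
    if any(ord(ch) > 0xFFFF for ch in password):
        raise ValueError("password contains characters outside the BMP")
    return password.encode("utf-16-le")


def mokpw_hash(password: str) -> bytes:
    """Contents of MokPW: SHA-256 over the UCS-2 password (32 bytes)."""
    return hashlib.sha256(ucs2(password)).digest()


def pack_state_request(state: int, password: str) -> bytes:
    """Serialise MokSBvar / MokDBvar: UINT32 state, UINT32 PWLen, CHAR16 Password[PASSWORD_MAX].

    Both structures share this layout; only the meaning of 'state' differs
    (MokSBState vs. MokDBState). The password field is zero-padded to its
    fixed size, so the blob is always 8 + 2*PASSWORD_MAX bytes long.
    """
    if not 0 < len(password) <= PASSWORD_MAX:
        raise ValueError(f"password length must be 1..{PASSWORD_MAX} characters")
    field = ucs2(password).ljust(2 * PASSWORD_MAX, b"\0")
    return struct.pack("<II", state, len(password)) + field


def unpack_state_request(blob: bytes) -> tuple[int, str]:
    """Parse the packed structure, validating sizes before trusting PWLen."""
    expected = 8 + 2 * PASSWORD_MAX
    if len(blob) != expected:
        raise ValueError(f"expected {expected} bytes, got {len(blob)}")
    state, pwlen = struct.unpack_from("<II", blob, 0)
    if not 0 < pwlen <= PASSWORD_MAX:
        raise ValueError(f"PWLen {pwlen} out of range")
    password = blob[8:8 + 2 * pwlen].decode("utf-16-le")
    return state, password


def pick_challenge(password: str, count: int = 3) -> list[int]:
    """Choose 'count' distinct 1-based character positions to ask for (assumed model)."""
    if len(password) < count:
        raise ValueError("password shorter than the challenge length")
    positions: set[int] = set()
    while len(positions) < count:
        positions.add(secrets.randbelow(len(password)) + 1)
    return sorted(positions)


def verify_challenge(password: str, answers: dict[int, str]) -> bool:
    """True only if every answered position holds the expected character."""
    return bool(answers) and all(
        1 <= pos <= len(password) and password[pos - 1] == ch
        for pos, ch in answers.items()
    )


if __name__ == "__main__":
    req = pack_state_request(0, "hunter2")  # constructed: request to disable validation
    print("MokPW   :", mokpw_hash("hunter2").hex())
    print("request :", len(req), "bytes ->", unpack_state_request(req))
    print("ask for positions:", pick_challenge("hunter2"))
```

Run it directly to see the packed request round-trip; the unpack side is the part worth copying, since PWLen arrives from a variable and must be range-checked before it is used as a slice length.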
MokNew: Set by MokUtil when requesting the addition or removal of keys
from MokList. Is an EFI_SIGNATURE_LIST as described in the UEFI
specification. BS,RT,NV
MokAuth: A hash dependent upon the contents of MokNew and the sealing
password. The user's password in UCS-2 form should be appended to the
contents of MokNew and a SHA-256 hash generated and stored in MokAuth.
The hash will be regenerated by MokManager after the user is requested
to enter their password to confirm enrolment of the keys. If the hash
matches MokAuth, the user will be prompted to enrol the keys. BS,RT,NV
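The MokNew and MokAuth entries above, worked through in Python as an added example (not code from the shim or mokutil projects): it builds an EFI_SIGNATURE_LIST for a constructed SHA-256 hash entry, walks it back with bounds checks on every size field, and computes and verifies MokAuth as SHA-256(MokNew || UCS-2 password). The signature-type GUIDs are the ones the UEFI specification defines; the owner GUID, the sample image bytes and the password are constructed for this example, and the little-endian UCS-2 encoding without a NUL terminator is an assumption.

```python
import hashlib
import hmac
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SignatureOwner GUID for the constructed sample; any GUID would do here.
SAMPLE_OWNER_GUID = uuid.UUID("00000000-0000-0000-0000-00000000c0de")

# After the 16-byte SignatureType GUID: SignatureListSize, SignatureHeaderSize, SignatureSize.
SIG_LIST_HDR = struct.Struct("<III")
SIG_LIST_HDR_LEN = 16 + SIG_LIST_HDR.size  # 28 bytes


def ucs2(password: str) -> bytes:
    """UCS-2 little-endian, no NUL terminator (assumed convention, as for MokPW)."""
    if any(ord(ch) > 0xFFFF for ch in password):
        raise ValueError("password contains characters outside the BMP")
    return password.encode("utf-16-le")


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, entries: list[bytes]) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST holding same-sized entries of one type.

    Layout: SignatureType GUID, SignatureListSize, SignatureHeaderSize (0 here),
    SignatureSize, then one EFI_SIGNATURE_DATA (owner GUID + data) per entry.
    GUIDs are written in the mixed-endian binary form UEFI uses (bytes_le).
    """
    if not entries:
        raise ValueError("a signature list needs at least one entry")
    if len({len(e) for e in entries}) != 1:
        raise ValueError("all entries in one list must have the same size")
    sig_size = 16 + len(entries[0])
    list_size = SIG_LIST_HDR_LEN + len(entries) * sig_size
    header = sig_type.bytes_le + SIG_LIST_HDR.pack(list_size, 0, sig_size)
    return header + b"".join(owner.bytes_le + e for e in entries)


def parse_signature_lists(blob: bytes) -> list[tuple[uuid.UUID, list[tuple[uuid.UUID, bytes]]]]:
    """Walk a concatenation of EFI_SIGNATURE_LISTs, checking every size field.

    The size fields come from variable contents, so each one is validated
    against the real buffer length before any slice is taken from it.
    """
    lists = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIG_LIST_HDR_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(blob, off + 16)
        if list_size < SIG_LIST_HDR_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize inconsistent with the data")
        if sig_size <= 16:
            raise ValueError("SignatureSize must exceed the owner GUID")
        count, rem = divmod(list_size - SIG_LIST_HDR_LEN - hdr_size, sig_size)
        if rem:
            raise ValueError("signature area is not a whole number of entries")
        start = off + SIG_LIST_HDR_LEN + hdr_size
        sigs = [
            (uuid.UUID(bytes_le=blob[s:s + 16]), blob[s + 16:s + sig_size])
            for s in range(start, start + count * sig_size, sig_size)
        ]
        lists.append((sig_type, sigs))
        off += list_size
    return lists


def is_well_formed(blob: bytes) -> bool:
    """Convenience wrapper: True if parse_signature_lists accepts the blob."""
    try:
        parse_signature_lists(blob)
        return True
    except ValueError:
        return False


def mokauth_hash(moknew: bytes, password: str) -> bytes:
    """MokAuth = SHA-256(MokNew contents || UCS-2 password)."""
    return hashlib.sha256(moknew + ucs2(password)).digest()


def mokauth_matches(moknew: bytes, password: str, mokauth: bytes) -> bool:
    """The confirmation step: recompute the hash and compare in constant time."""
    return hmac.compare_digest(mokauth_hash(moknew, password), mokauth)


# Constructed sample: a request to enrol the SHA-256 hash of a made-up image.
SAMPLE_IMAGE = b"constructed stand-in for a PE image"
SAMPLE_MOKNEW = build_signature_list(
    EFI_CERT_SHA256_GUID, SAMPLE_OWNER_GUID, [hashlib.sha256(SAMPLE_IMAGE).digest()]
)
SAMPLE_MOKAUTH = mokauth_hash(SAMPLE_MOKNEW, "hunter2")

if __name__ == "__main__":
    for sig_type, sigs in parse_signature_lists(SAMPLE_MOKNEW):
        print(sig_type, [(str(owner), data.hex()) for owner, data in sigs])
    print("MokAuth matches:", mokauth_matches(SAMPLE_MOKNEW, "hunter2", SAMPLE_MOKAUTH))
```

The parser is the reusable part: the same walk reads MokList, MokListX and their RT copies, and rejecting a list whose SignatureListSize runs past the buffer is what keeps a malformed variable from turning into an out-of-bounds read.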
ShimRetainProtocol: UINT8, read by Shim before uninstalling its protocol.
If set to non-zero, Shim will keep the protocol in place. It can be
used by second stages to ensure the protocol is still available for
later stages, which can thus use it to verify additional PE files. BS,RT
State variables:
MokList: A list of authorized keys and hashes. An EFI_SIGNATURE_LIST
as described in the UEFI specification. BS,NV
MokListRT: A copy of MokList made available to the kernel at runtime. BS,RT
MokListX: A list of forbidden keys and hashes. An EFI_SIGNATURE_LIST
as described in the UEFI specification. BS,NV
MokListXRT: A copy of MokListX made available to the kernel at runtime. BS,RT
MokSBState: An 8-bit unsigned integer. If 1, shim will switch to
insecure mode. BS,NV
MokSBStateRT: A copy of MokSBState made available to the kernel at runtime.
This allows the OS to query the shim secure mode setting for its own
verification purposes. BS,RT
MokDBState: An 8-bit unsigned integer. If 1, shim will not use db for
verification. BS,NV
MokIgnoreDB: A copy of MokDBState made available to the kernel at runtime.
This allows the OS to query whether or not to import DB certs for its own
verification purposes. BS,RT
MokPWStore: A SHA-256 representation of the password set by the user
via MokPW. The user will be prompted to enter this password in order
to interact with MokManager. BS,NV
MokListTrusted: An 8-bit unsigned integer. If 1, it signifies to Linux
to trust CA keys in the MokList. BS,NV
MokListTrustedRT: A copy of MokListTrusted made available to the kernel
at runtime. BS,RT
HSIStatus: Status of various security features:
    heap-is-executable:
        0: heap allocations are not executable by default
        1: heap allocations are executable
    stack-is-executable:
        0: UEFI stack is not executable
        1: UEFI stack is executable
    ro-sections-are-writable:
        0: read-only sections are not writable
        1: read-only sections are writable
    has-memory-attribute-protocol:
        0: platform does not provide the EFI Memory Attribute Protocol
        1: platform does provide the EFI Memory Attribute Protocol
    has-dxe-services-table:
        0: platform does not provide the DXE Services Table
        1: platform does provide the DXE Services Table
    has-get-memory-space-descriptor:
        0: platform's DST does not populate GetMemorySpaceDescriptor
        1: platform's DST does populate GetMemorySpaceDescriptor
    has-set-memory-space-descriptor:
        0: platform's DST does not populate SetMemorySpaceDescriptor
        1: platform's DST does populate SetMemorySpaceDescriptor
    shim-has-nx-compat-set:
        0: the running shim binary does not have the NX_COMPAT bit set
        1: the running shim binary does have the NX_COMPAT bit set