authorMichael Brown <mcb30@ipxe.org>2023-05-23 14:55:08 +0100
committerMichael Brown <mcb30@ipxe.org>2023-05-23 14:57:52 +0100
commitc4a652929cba4571568b36bb67904fad1013fdd8 (patch)
tree2ac58b6706965be98963dff2b30e45aeb37f66ae /src/hci/commands/shim_cmd.c
parentd2e1601cf4c8a0df21c08b9c8acf22e9cb631c5c (diff)
[efi] Support versions of shim that perform SBAT verificationshim5
The UEFI shim implements a fairly nicely designed revocation mechanism built around the concept of security generations. Unfortunately nobody in the shim community has thus far added the relevant metadata to the Linux kernel, with the result that current versions of shim are incapable of booting current versions of the Linux kernel. Experience shows that there is unfortunately no point in trying to get a fix for this upstreamed into shim. We therefore default to working around this undesirable behaviour by patching data read from the "SbatLevel" variable used to hold SBAT configuration. Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/hci/commands/shim_cmd.c')
-rw-r--r--src/hci/commands/shim_cmd.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/src/hci/commands/shim_cmd.c b/src/hci/commands/shim_cmd.c
index 00bd0acb1..9150af3fd 100644
--- a/src/hci/commands/shim_cmd.c
+++ b/src/hci/commands/shim_cmd.c
@@ -44,6 +44,8 @@ struct shim_options {
int require_loader;
/** Allow PXE base code protocol */
int allow_pxe;
+ /** Allow SBAT variable access */
+ int allow_sbat;
};
/** "shim" option list */
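Review bot: The new field's comment `/** Allow SBAT variable access */` does not say what happens when the flag is left unset, which per the commit description is the security-relevant case: by default the data read from the "SbatLevel" variable is patched, so shim's SBAT revocation check is worked around unless the user passes the option. A maintainer reading only this struct cannot tell that the conservative choice is to set the flag. I would make the default explicit in the doc comment, e.g. `/** Allow unmodified SBAT variable access (when unset, SbatLevel data is patched to bypass SBAT revocation) */`. The struct's opening line is outside this hunk.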
@@ -54,6 +56,8 @@ static struct option_descriptor shim_opts[] = {
struct shim_options, require_loader, parse_flag ),
OPTION_DESC ( "allow-pxe", 'p', no_argument,
struct shim_options, allow_pxe, parse_flag ),
+ OPTION_DESC ( "allow-sbat", 's', no_argument,
+ struct shim_options, allow_sbat, parse_flag ),
};
/** "shim" command descriptor */
@@ -94,7 +98,8 @@ static int shim_exec ( int argc, char **argv ) {
}
/* (Un)register as shim */
- if ( ( rc = shim ( image, opts.require_loader, opts.allow_pxe ) ) != 0 )
+ if ( ( rc = shim ( image, opts.require_loader, opts.allow_pxe,
+ opts.allow_sbat ) ) != 0 )
goto err_shim;
err_shim:
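Review bot: The call on the `+` lines now passes three adjacent `int` flags (`opts.require_loader, opts.allow_pxe, opts.allow_sbat`) positionally, so a transposition of `allow_pxe` and `allow_sbat` would compile silently and, since `allow_sbat` gates a security check, would invert which protection is disabled. If the signature of `shim()` is still open to change (its declaration is not in this hunk), a single flags word with named bits, e.g. `shim ( image, ( opts.require_loader ? SHIM_REQUIRE_LOADER : 0 ) | ( opts.allow_pxe ? SHIM_ALLOW_PXE : 0 ) | ( opts.allow_sbat ? SHIM_ALLOW_SBAT : 0 ) )`, or passing `&opts` directly would make the intent visible at the call site. If the signature must stay as is, a short comment naming the flags in order beside the call would at least document the contract. shim_exec begins before this hunk and its return path continues after it.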