    Add support for disabling db for verification · 47ebeb62
    Josh Boyer authored
    Provide a mechanism for a physically present end user to disable the use
    of db when doing signature verification.  This is handled by the OS passing
    down a variable that contains a UINT32 and a SHA256 hash.  If this variable
    is present, MokManager prompts the user to choose whether to enable or
    disable the use of db for verification purposes (depending on the value of
    the UINT32).  They are then asked to type the passphrase that matches the
    hash.  This then saves a boot services variable which is checked by shim,
    and if set will cause shim to not use db for verification purposes.  If
    db is to be ignored, shim will export a runtime variable called
    'MokIgnoreDB' for the OS to query at runtime.
    Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
MokVars.txt 2.99 KB