fix(shim): avoid masking the underlying error when shim verify fails

src/integrations/shim.rs

@@ -111,7 +111,7 @@ impl<'a> ShimInput<'a> {
 /// to actually boot.
 pub enum ShimVerificationOutput {
     /// The verification failed.
-    VerificationFailed,
+    VerificationFailed(Status),
     /// The data provided to the verifier was already a buffer.
     VerifiedDataNotLoaded,
     /// Verifying the data resulted in loading the data from the source.
@@ -206,7 +206,7 @@ impl ShimSupport {
 
         // If the verification failed, return the verification failure output.
         if !status.is_success() {
-            return Ok(ShimVerificationOutput::VerificationFailed);
+            return Ok(ShimVerificationOutput::VerificationFailed(status));
         }
 
         // If verification succeeded, return the validation output,

src/integrations/shim/hook.rs

@@ -58,7 +58,7 @@ impl SecurityHook {
         match ShimSupport::verify(input) {
             Ok(output) => match output {
                 // If the verification failed, return the access-denied status.
-                ShimVerificationOutput::VerificationFailed => Status::ACCESS_DENIED,
+                ShimVerificationOutput::VerificationFailed(status) => status,
                 // If the verification succeeded, return the success status.
                 ShimVerificationOutput::VerifiedDataNotLoaded => Status::SUCCESS,
                 ShimVerificationOutput::VerifiedDataBuffer(_) => Status::SUCCESS,