fix(shim): avoid masking the underlying error when shim verify fails

2025-11-02 00:27:45 -04:00
parent 3b4a66879f
commit 1a6ed0af99
2 changed files with 3 additions and 3 deletions


@@ -111,7 +111,7 @@ impl<'a> ShimInput<'a> {
/// to actually boot.
pub enum ShimVerificationOutput {
/// The verification failed.
VerificationFailed,
VerificationFailed(Status),
/// The data provided to the verifier was already a buffer.
VerifiedDataNotLoaded,
/// Verifying the data resulted in loading the data from the source.
@@ -206,7 +206,7 @@ impl ShimSupport {
// If the verification failed, return the verification failure output.
if !status.is_success() {
return Ok(ShimVerificationOutput::VerificationFailed);
return Ok(ShimVerificationOutput::VerificationFailed(status));
}
// If verification succeeded, return the validation output,
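Review bot: The doc comment on `VerificationFailed(Status)` still reads `/// The verification failed.` and does not say what the new payload is, even though the security hook now returns that payload as its own status. I would change it to `/// The verification failed; carries the non-success status reported by the verifier (never Status::SUCCESS).`, because the `!status.is_success()` guard in `ShimSupport` is the only place that establishes this invariant. The enum is `pub`, so any matcher outside the two files shown here also needs updating for the added field. Both the enum and the `impl ShimSupport` function continue outside these hunks.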


@@ -58,7 +58,7 @@ impl SecurityHook {
match ShimSupport::verify(input) {
Ok(output) => match output {
// If the verification failed, return the access-denied status.
ShimVerificationOutput::VerificationFailed => Status::ACCESS_DENIED,
ShimVerificationOutput::VerificationFailed(status) => status,
// If the verification succeeded, return the success status.
ShimVerificationOutput::VerifiedDataNotLoaded => Status::SUCCESS,
ShimVerificationOutput::VerifiedDataBuffer(_) => Status::SUCCESS,
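Review bot: Returning the verifier's status verbatim in the `VerificationFailed(status)` arm makes the hook's deny decision depend on whatever the shim reports, where it previously always answered `Status::ACCESS_DENIED`. The producer only checks `!status.is_success()`, so a warning-class status (non-success but not an error) can reach this arm, and firmware that tests the hook result with an error-bit check would presumably not treat it as a denial. I would keep the hook fail-closed with `ShimVerificationOutput::VerificationFailed(status) if status.is_error() => status,` followed by `ShimVerificationOutput::VerificationFailed(_) => Status::ACCESS_DENIED,`. The comment above the arm still says it returns the access-denied status and should be reworded to match; the match is not closed within this hunk.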