fix(shim): only call into shim if it is available AND secure boot is enabled

2025-11-02 01:52:21 -05:00
parent 84d60e09be
commit 9c31dba6fa


@@ -1,4 +1,5 @@
use crate::integrations::shim::hook::SecurityHook; use crate::integrations::shim::hook::SecurityHook;
use crate::secure::SecureBoot;
use crate::utils; use crate::utils;
use crate::utils::ResolvedPath; use crate::utils::ResolvedPath;
use crate::utils::variables::{VariableClass, VariableController}; use crate::utils::variables::{VariableClass, VariableController};
@@ -218,6 +219,10 @@ impl ShimSupport {
/// Load the image specified by the `input` and returns an image handle. /// Load the image specified by the `input` and returns an image handle.
pub fn load(current_image: Handle, input: ShimInput) -> Result<Handle> { pub fn load(current_image: Handle, input: ShimInput) -> Result<Handle> {
// Determine whether Secure Boot is enabled.
let secure_boot =
SecureBoot::enabled().context("unable to determine if secure boot is enabled")?;
// Determine whether the shim is loaded. // Determine whether the shim is loaded.
let shim_loaded = Self::loaded().context("unable to determine if shim is loaded")?; let shim_loaded = Self::loaded().context("unable to determine if shim is loaded")?;
@@ -228,7 +233,7 @@ impl ShimSupport {
// Determines whether LoadImage in Boot Services must be patched. // Determines whether LoadImage in Boot Services must be patched.
// Version 16 of the shim doesn't require extra effort to load Secure Boot binaries. // Version 16 of the shim doesn't require extra effort to load Secure Boot binaries.
// If the image loader is installed, we can skip over the security hook. // If the image loader is installed, we can skip over the security hook.
let requires_security_hook = shim_loaded && !shim_loader_available; let requires_security_hook = secure_boot && shim_loaded && !shim_loader_available;
// If the security hook is required, we will bail for now. // If the security hook is required, we will bail for now.
if requires_security_hook { if requires_security_hook {
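Review bot: The three-line comment above `requires_security_hook` (from `// Determines whether LoadImage in Boot Services must be patched.` to `// If the image loader is installed, we can skip over the security hook.`) still describes only the shim conditions and says nothing about the new `secure_boot` operand, so a reader has to open `SecureBoot::enabled()` to learn why the hook is now skipped. Suggest adding `// With Secure Boot disabled there is nothing for the hook to enforce, so it is skipped regardless of shim state.` as a fourth line. Because the decision now rests on `SecureBoot::enabled()`, which is outside this hunk, it is worth confirming how it reports an absent or unreadable variable: the `?` on the new `let secure_boot =` line propagates an `Err` (so `load` fails closed), but an `Ok(false)` in that case would silently skip the hook. The body of `load` continues past the end of both hunks.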