Re: [PATCH v4 10/16] cmd: env: use appropriate guid for authenticated UEFI variable

Tue, 21 Jan 2020 17:03:12 -0800 

On Tue, Jan 21, 2020 at 08:13:06AM +0100, Heinrich Schuchardt wrote:
> On 12/18/19 1:45 AM, AKASHI Takahiro wrote:
> >A signature database variable is associated with a specific guid.
> >For convenience, if user doesn't supply any guid info, "env set|print -e"
> >should complement it.
> >
> >Signed-off-by: AKASHI Takahiro <takahiro.aka...@linaro.org>
> >---
> >  cmd/nvedit_efi.c | 18 ++++++++++++++----
> >  1 file changed, 14 insertions(+), 4 deletions(-)
> >
> >diff --git a/cmd/nvedit_efi.c b/cmd/nvedit_efi.c
> >index 8ea0da01283f..579cf430593c 100644
> >--- a/cmd/nvedit_efi.c
> >+++ b/cmd/nvedit_efi.c
> >@@ -41,6 +41,11 @@ static const struct {
> >  } efi_guid_text[] = {
> >     /* signature database */
> >     {EFI_GLOBAL_VARIABLE_GUID, "EFI_GLOBAL_VARIABLE_GUID"},
> >+    {EFI_IMAGE_SECURITY_DATABASE_GUID, "EFI_IMAGE_SECURITY_DATABASE_GUID"},
> >+    /* certificate type */
> >+    {EFI_CERT_SHA256_GUID, "EFI_CERT_SHA256_GUID"},
> >+    {EFI_CERT_X509_GUID, "EFI_CERT_X509_GUID"},
> >+    {EFI_CERT_TYPE_PKCS7_GUID, "EFI_CERT_TYPE_PKCS7_GUID"},
> >  };
> >
> >  /* "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" */
> >@@ -525,9 +530,9 @@ int do_env_set_efi(cmd_tbl_t *cmdtp, int flag, int argc, 
> >char * const argv[])
> >                     if (*ep != ',')
> >                             return CMD_RET_USAGE;
> >
> >+                    /* 0 should be allowed for delete */
> >                     size = simple_strtoul(++ep, NULL, 16);
> >-                    if (!size)
> >-                            return CMD_RET_FAILURE;
> >+
> >                     value_on_memory = true;
> >             } else if (!strcmp(argv[0], "-v")) {
> >                     verbose = true;
> >@@ -539,8 +544,13 @@ int do_env_set_efi(cmd_tbl_t *cmdtp, int flag, int 
> >argc, char * const argv[])
> >             return CMD_RET_USAGE;
> >
> >     var_name = argv[0];
> >-    if (default_guid)
> >-            guid = efi_global_variable_guid;
> >+    if (default_guid) {
> >+            if (!strcmp(var_name, "db") || !strcmp(var_name, "dbx") ||
> >+                !strcmp(var_name, "dbt"))
> 
> Why is "dbr" missing?

Because it is not yet supported and I have no plan to support it
in short term.

> I guess dbDefault, dbrDefault, dbxDefault, dbtDefault use
> EFI_GLOBAL_VARIABLE?

Yes.
I have a patch for supporting those *Default now, but will submit it
once my core secure boot patch is accepted.

Thanks,
-Takahiro Akashi

> Best regards
> 
> Heinrich
> 
> >+                    guid = efi_guid_image_security_database;
> >+            else
> >+                    guid = efi_global_variable_guid;
> >+    }
> >
> >     if (verbose) {
> >             printf("GUID: %s\n", efi_guid_to_str((const efi_guid_t *)
> >
>

Reply via email to