authorMichael Brown2023-05-23 15:55:08 +0200
committerMichael Brown2023-05-23 16:27:20 +0200
commit5b4318143648272b36736c1d1d5d1acbda9a5876 (patch)
tree5dfe1ca8d04a858620bae4c91a4a9d23aca0538f /src/include
parent[efi] Separate GetMemoryMap() wrapper from shim unlocker (diff)
[efi] Support versions of shim that perform SBAT verification
The UEFI shim implements a fairly nicely designed revocation mechanism built around the concept of security generations. Unfortunately nobody in the shim community has thus far added the relevant metadata to the Linux kernel, with the result that current versions of shim are incapable of booting current versions of the Linux kernel. Experience shows that there is unfortunately no point in trying to get a fix for this upstreamed into shim. We therefore default to working around this undesirable behaviour by patching data read from the "SbatLevel" variable used to hold SBAT configuration. Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/include')
-rw-r--r--src/include/ipxe/efi/efi_shim.h1
-rw-r--r--src/include/usr/shimmgmt.h3
2 files changed, 3 insertions, 1 deletions
diff --git a/src/include/ipxe/efi/efi_shim.h b/src/include/ipxe/efi/efi_shim.h
index ad8d24dc..21f24315 100644
--- a/src/include/ipxe/efi/efi_shim.h
+++ b/src/include/ipxe/efi/efi_shim.h
@@ -14,6 +14,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
extern int efi_shim_require_loader;
extern int efi_shim_allow_pxe;
+extern int efi_shim_allow_sbat;
extern struct image_tag efi_shim __image_tag;
extern int efi_shim_install ( struct image *shim, EFI_HANDLE handle,
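Review bot: The new `efi_shim_allow_sbat` declaration gives no indication of the flag's polarity or of what it controls, and the same applies to the `allow_sbat` parameter added to the `shim()` prototype in the src/include/usr/shimmgmt.h hunk. From the commit description the default behaviour appears to be patching the data read from the "SbatLevel" variable, so presumably nonzero means "leave SbatLevel untouched and let shim perform its SBAT verification", but that has to be confirmed against the definition, which is outside this diff. Because this flag effectively decides whether shim's revocation check is bypassed, a one-line comment such as `/* Nonzero: do not patch SbatLevel data, so shim performs SBAT verification (confirm against definition) */` would make an accidentally inverted value visible at review time, since a call site passing three bare int flags to `shim()` cannot otherwise tell them apart. The `efi_shim_install` prototype on the last context line continues outside the hunk.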
diff --git a/src/include/usr/shimmgmt.h b/src/include/usr/shimmgmt.h
index 5030607a..0c59f54a 100644
--- a/src/include/usr/shimmgmt.h
+++ b/src/include/usr/shimmgmt.h
@@ -11,6 +11,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
#include <ipxe/image.h>
-extern int shim ( struct image *image, int require_loader, int allow_pxe );
+extern int shim ( struct image *image, int require_loader, int allow_pxe,
+ int allow_sbat );
#endif /* _USR_SHIMMGMT_H */