Small comment fixes (#38252)

2026-04-14 00:14:32 +09:00 · 2025-07-17 22:56:28 +01:00
parent 681e45716a f1f1ade0d3
commit 0ae3a8d147
3 changed files with 28 additions and 18 deletions
--- a/src/boot/linux.c
+++ b/src/boot/linux.c
@@ -106,22 +106,28 @@ EFI_STATUS linux_exec(
        if (err != EFI_SUCCESS)
                return log_error_status(err, "Bad kernel image: %m");

-        EFI_LOADED_IMAGE_PROTOCOL* parent_loaded_image;
+        EFI_LOADED_IMAGE_PROTOCOL *parent_loaded_image;
        err = BS->HandleProtocol(
                        parent, MAKE_GUID_PTR(EFI_LOADED_IMAGE_PROTOCOL), (void **) &parent_loaded_image);
        if (err != EFI_SUCCESS)
                return log_error_status(err, "Cannot get parent loaded image: %m");

-        /* If shim provides LoadImage, it comes from version 16.1 or later and does the following:
-         * - It keeps a database of all PE sections that it already authenticated.
-         * - shim's LoadImage always verifies PE images against denylists: dbx, mokx, sbat.
-         * - If the PE image was not authenticated as a PE section it will also:
-         *   + verify it against allowlists: db, mok
-         *   + measure it on PCR 4
+        /* If shim provides LoadImage, it comes from the new SHIM_IMAGE_LOADER interface added in shim 16,
+         * and implements the following:
+         * - shim hashes PE sections of PE binaries it authenticates and stores the hashes in a global
+         *   database.
+         * - shim's LoadImage always verifies PE images against denylists: DBX, MOKX, SBAT.
+         * - If the PE image was _not_ authenticated as a PE section it will also:
+         *   + verify it against allowlists: DB, MOK,
+         *   + measure it on PCR 4.
         *
-         * In our case, we are loading a PE section that was already authenticated as part of the UKI.
-         * So in contrast to a normal UEFI LoadImage, shim will verify extra denylists (mokx, sbat),
-         * while skipping all allowlists and measurements.
+         * (Compared to standard UEFI LoadImage(), the patched shim version of LoadImage() is both stricter —
+         * as it checks SBAT + MOKX for all PE payloads — and more relaxed — as it disables DB checks for PE
+         * payloads it has seen as part of another PE binary before.)
+         *
+         * In our case, we are loading a PE section that was already authenticated as part of the UKI. In
+         * contrast to a normal UEFI LoadImage, shim will verify extra denylists (MOKX, SBAT), but skip all
+         * allowlists and measurements.
         *
         * See https://github.com/rhboot/shim/blob/main/README.md#shim-loader-protocol
         */
@@ -187,8 +193,8 @@ EFI_STATUS linux_exec(
                .FilePath = file_path,
                .ImageBase = loaded_kernel,
                .ImageSize = kernel_size_in_memory,
-                .ImageCodeType = /*EFI_LOADER_CODE*/1,
-                .ImageDataType = /*EFI_LOADER_DATA*/2,
+                .ImageCodeType = 1 /* EFI_LOADER_CODE */,
+                .ImageDataType = 2 /* EFI_LOADER_DATA */,
        };

        if (cmdline) {
--- a/src/boot/shim.c
+++ b/src/boot/shim.c
@@ -42,11 +42,7 @@ bool shim_loaded(void) {
        return BS->LocateProtocol(MAKE_GUID_PTR(SHIM_LOCK), NULL, (void **) &shim_lock) == EFI_SUCCESS;
 }

-/* The shim lock protocol is for pre-v16 shim, where it was not hooked up to the BS->LoadImage() system
- * table and friends, and it has to be checked manually via the shim_validate() helper. If the shim image
- * loader protocol is available (shim v16 and newer), then it will have overridden BS->LoadImage() and
- * friends in the system table, so no specific helper is needed, and the standard BS->LoadImage() and
- * friends can be called instead. */
+/* Check if SHIM_IMAGE_LOADER is available, shim 16 or newer. */
 bool shim_loader_available(void) {
        void *shim_image_loader;

@@ -104,7 +100,15 @@ EFI_STATUS shim_load_image(
        assert(device_path);
        assert(ret_image);

+        /* The shim lock protocol is for pre-v16 shim, where it was not hooked up to the BS->LoadImage()
+         * system table and friends, and it has to be checked manually via the shim_validate() helper. If the
+         * shim image loader protocol is available (shim v16 and newer), then it will have overridden
+         * BS->LoadImage() and friends in the system table, so no specific helper is needed, and the standard
+         * BS->LoadImage() and friends can be called instead.
+         */
+
        // TODO: drop lock protocol and just use plain BS->LoadImage once Shim < 16 is no longer supported
+
        bool have_shim = shim_loaded() && !shim_loader_available();

        if (have_shim)
--- a/src/shared/conf-parser.c
+++ b/src/shared/conf-parser.c
@@ -618,7 +618,7 @@ int config_parse_many(
        r = conf_files_list_dropins(&files, dropin_dirname, root, conf_file_dirs);
        if (r < 0)
                return log_full_errno(FLAGS_SET(flags, CONFIG_PARSE_WARN) ? LOG_WARNING : LOG_DEBUG, r,
-                                      "Failed to list up drop-in configs in %s: %m", dropin_dirname);
+                                      "Failed to list drop-ins in %s: %m", dropin_dirname);

        r = config_parse_many_files(root, conf_files, files, sections, lookup, table, flags, userdata, ret_stats_by_path);
        if (r < 0)