acidanthera · mikebeaton · Aug 31, 2023 · Aug 30, 2023
diff --git a/Changelog.md b/Changelog.md
@@ -4,6 +4,7 @@ OpenCore Changelog
 - Fixed GUID formatting for legacy NVRAM saving
 - Fixed inability to open files in root directory on an NTFS filesystem
 - Fixed hang while unloading NTFS driver
+- Added UEFI quirk `ShimRetainProtocol`, allowing OpenCore chained from shim to verify Linux using shim's certificates
 
 #### v0.9.4
 - Fixed kext blocker `Exclude` strategy for prelinked on 32-bit versions of macOS

diff --git a/Docs/Configuration.md5 b/Docs/Configuration.md5
@@ -1 +1 @@
-f76478ccad236e36b407501d184f7754
+c15af17c57ec36e58d80e0c3ddb05b29
diff --git a/Docs/Configuration.pdf b/Docs/Configuration.pdf
diff --git a/Docs/Configuration.tex b/Docs/Configuration.tex
@@ -8875,7 +8875,7 @@ \subsection{Quirks Properties}\label{uefiquirkprops}
   or corrupted in any way.
   \end{itemize}
 
-\item
+  \item
   \texttt{ResizeUsePciRbIo}\\
   \textbf{Type}: \texttt{plist\ boolean}\\
   \textbf{Failsafe}: \texttt{false}\\
@@ -8886,6 +8886,16 @@ \subsection{Quirks Properties}\label{uefiquirkprops}
   Resizable BAR results in \texttt{Capability I/O Error}. Typically this is required on
   older systems which have been modified with \href{https://github.com/xCuri0/ReBarUEFI}{ReBarUEFI}.
 
+  \item
+  \texttt{ShimRetainProtocol}\\
+  \textbf{Type}: \texttt{plist\ boolean}\\
+  \textbf{Failsafe}: \texttt{false}\\
+  \textbf{Description}: Request Linux shim to keep protocol installed for subsequent image loads.
+
+  This option is only required if chaining OpenCore from shim. It must be set in order to allow
+  OpenCore to launch items which are verified by certificates present in shim, but not in the
+  system Secure Boot database.
+
 \item
   \texttt{ResizeGpuBars}\\
   \textbf{Type}: \texttt{plist\ integer}\\

diff --git a/Docs/Differences/Differences.pdf b/Docs/Differences/Differences.pdf
diff --git a/Docs/Differences/Differences.tex b/Docs/Differences/Differences.tex
@@ -1,7 +1,7 @@
 \documentclass[]{article}
 %DIF LATEXDIFF DIFFERENCE FILE
-%DIF DEL PreviousConfiguration.tex   Sun Aug 13 12:38:11 2023
-%DIF ADD ../Configuration.tex        Sun Aug 13 12:38:11 2023
+%DIF DEL PreviousConfiguration.tex   Sun Aug 13 19:03:22 2023
+%DIF ADD ../Configuration.tex        Wed Aug 30 22:12:39 2023
 
 \usepackage{lmodern}
 \usepackage{amssymb,amsmath}
@@ -8935,7 +8935,7 @@ \subsection{Quirks Properties}\label{uefiquirkprops}
   or corrupted in any way.
   \end{itemize}
 
-\item
+  \item
   \texttt{ResizeUsePciRbIo}\\
   \textbf{Type}: \texttt{plist\ boolean}\\
   \textbf{Failsafe}: \texttt{false}\\
@@ -8944,7 +8944,19 @@ \subsection{Quirks Properties}\label{uefiquirkprops}
   The quirk makes \texttt{ResizeGpuBars} and \texttt{ResizeAppleGpuBars} use \texttt{PciRootBridgeIo} instead of PciIo.
   This is needed on systems with a buggy \texttt{PciIo} implementation where trying to configure
   Resizable BAR results in \texttt{Capability I/O Error}. Typically this is required on
-  older systems which have been modified with \href{https://github.com/xCuri0/ReBarUEFI}{ReBarUEFI}.
+  older systems which have been modified with \href{https://github.com/xCuri0/ReBarUEFI}{ReBarUEFI}\DIFaddbegin \DIFadd{.
+}
+
+  \item
+  \texttt{\DIFadd{ShimRetainProtocol}}\\
+  \textbf{\DIFadd{Type}}\DIFadd{: }\texttt{\DIFadd{plist\ boolean}}\\
+  \textbf{\DIFadd{Failsafe}}\DIFadd{: }\texttt{\DIFadd{false}}\\
+  \textbf{\DIFadd{Description}}\DIFadd{: Request Linux shim to keep protocol installed for subsequent image loads.
+}
+
+  \DIFadd{This option is only required if chaining OpenCore from shim. It must be set in order to allow
+  OpenCore to launch items which are verified by certificates present in shim, but not in the
+  system Secure Boot database}\DIFaddend .
 
 \item
   \texttt{ResizeGpuBars}\\

diff --git a/Docs/Errata/Errata.pdf b/Docs/Errata/Errata.pdf
diff --git a/Docs/Sample.plist b/Docs/Sample.plist
@@ -1950,6 +1950,8 @@
 			<integer>-1</integer>
 			<key>ResizeUsePciRbIo</key>
 			<false/>
+			<key>ShimRetainProtocol</key>
+			<false/>
 			<key>TscSyncTimeout</key>
 			<integer>0</integer>
 			<key>UnblockFsConnect</key>

diff --git a/Docs/SampleCustom.plist b/Docs/SampleCustom.plist
@@ -2318,6 +2318,8 @@
 			<integer>-1</integer>
 			<key>ResizeUsePciRbIo</key>
 			<false/>
+			<key>ShimRetainProtocol</key>
+			<false/>
 			<key>TscSyncTimeout</key>
 			<integer>0</integer>
 			<key>UnblockFsConnect</key>

diff --git a/Include/Acidanthera/Library/OcConfigurationLib.h b/Include/Acidanthera/Library/OcConfigurationLib.h
@@ -748,6 +748,7 @@ OC_DECLARE (OC_UEFI_PROTOCOL_OVERRIDES)
   _(BOOLEAN                     , ReleaseUsbOwnership         ,     , FALSE  , ()) \
   _(BOOLEAN                     , ReloadOptionRoms            ,     , FALSE  , ()) \
   _(BOOLEAN                     , RequestBootVarRouting       ,     , FALSE  , ()) \
+  _(BOOLEAN                     , ShimRetainProtocol          ,     , FALSE  , ()) \
   _(BOOLEAN                     , UnblockFsConnect            ,     , FALSE  , ()) \
   _(BOOLEAN                     , ForceOcWriteFlash           ,     , FALSE  , ())
 OC_DECLARE (OC_UEFI_QUIRKS)

diff --git a/Include/Acidanthera/Library/OcVariableLib.h b/Include/Acidanthera/Library/OcVariableLib.h
@@ -344,4 +344,14 @@ OcSwitchToFallbackLegacyNvram (
   VOID
   );
 
+/**
+  If Required is TRUE set volatile BS-only ShimRetainProtocol variable to 1.
+
+  @param[in]  Required        Is ShimRetainProtocol required.
+**/
+EFI_STATUS
+OcShimRetainProtocol (
+  IN BOOLEAN  Required
+  );
+
 #endif // OC_VARIABLE_LIB_H
diff --git a/Include/Grub2/Guid/ShimLock.h b/Include/Grub2/Guid/ShimLock.h
@@ -0,0 +1,25 @@
+/** @file
+  GRUB2 shim GUID values.
+
+  Copyright (c) 2023, Mike Beaton. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-3-Clause
+**/
+
+#ifndef __SHIM_GUID_H
+#define __SHIM_GUID_H
+
+#include <Uefi.h>
+
+///
+/// Shim lock protocol GUID.
+///
+#define SHIM_LOCK_GUID                  \
+  { 0x605DAB50, 0xE046, 0x4300,         \
+    { 0xAB, 0xB6, 0x3D, 0xD8, 0x10, 0xDD, 0x8B, 0x23 }}
+
+///
+/// Exported GUID identifiers.
+///
+extern EFI_GUID  gShimLockGuid;
+
+#endif // __SHIM_GUID_H
diff --git a/Include/Grub2/ShimVars.h b/Include/Grub2/ShimVars.h
@@ -0,0 +1,18 @@
+/** @file
+  GRUB2 shim values.
+
+  Copyright (c) 2023, Mike Beaton. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-3-Clause
+**/
+
+#ifndef __SHIM_H
+#define __SHIM_H
+
+#include <Guid/ShimLock.h>
+
+//
+// Variable to set to retain shim lock protocol for subsequent image loads.
+//
+#define SHIM_RETAIN_PROTOCOL  L"ShimRetainProtocol"
+
+#endif // __SHIM_H
diff --git a/Library/OcConfigurationLib/OcConfigurationLib.c b/Library/OcConfigurationLib/OcConfigurationLib.c
@@ -727,6 +727,7 @@ OC_SCHEMA
   OC_SCHEMA_BOOLEAN_IN ("RequestBootVarRouting",    OC_GLOBAL_CONFIG, Uefi.Quirks.RequestBootVarRouting),
   OC_SCHEMA_INTEGER_IN ("ResizeGpuBars",            OC_GLOBAL_CONFIG, Uefi.Quirks.ResizeGpuBars),
   OC_SCHEMA_BOOLEAN_IN ("ResizeUsePciRbIo",         OC_GLOBAL_CONFIG, Uefi.Quirks.ResizeUsePciRbIo),
+  OC_SCHEMA_BOOLEAN_IN ("ShimRetainProtocol",       OC_GLOBAL_CONFIG, Uefi.Quirks.ShimRetainProtocol),
   OC_SCHEMA_INTEGER_IN ("TscSyncTimeout",           OC_GLOBAL_CONFIG, Uefi.Quirks.TscSyncTimeout),
   OC_SCHEMA_BOOLEAN_IN ("UnblockFsConnect",         OC_GLOBAL_CONFIG, Uefi.Quirks.UnblockFsConnect)
 };

diff --git a/Library/OcMainLib/OpenCoreMisc.c b/Library/OcMainLib/OpenCoreMisc.c
@@ -43,6 +43,8 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 
 #include <Protocol/OcInterface.h>
 
+#include <ShimVars.h>
+
 STATIC
 VOID
 OcStoreLoadPath (
@@ -452,6 +454,11 @@ OcMiscEarlyInit (
     return EFI_UNSUPPORTED; ///< Should be unreachable.
   }
 
+  Status = OcShimRetainProtocol (Config->Uefi.Quirks.ShimRetainProtocol);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_WARN, "OC: Failed to set %g:%s\n", &gShimLockGuid, SHIM_RETAIN_PROTOCOL));
+  }
+
   OcLoadDrivers (Storage, Config, NULL, TRUE);
 
   OcVariableInit (Config->Uefi.Quirks.ForceOcWriteFlash);

diff --git a/Library/OcVariableLib/OcVariableLib.inf b/Library/OcVariableLib/OcVariableLib.inf
@@ -17,6 +17,7 @@
   OcVariableLib.c
   LegacyNvramSupport.c
   LegacyNvramWrapper.c
+  Shim.c
   Sip.c
   VariableManagement.c
 
@@ -41,6 +42,7 @@
   gOcReadOnlyVariableGuid                       ## SOMETIMES_CONSUMES
   gOcVendorVariableGuid                         ## SOMETIMES_CONSUMES
   gOcWriteOnlyVariableGuid                      ## SOMETIMES_CONSUMES
+  gShimLockGuid                                 ## SOMETIMES_CONSUMES
 
 [Protocols]
   gOcFirmwareRuntimeProtocolGuid                ## SOMETIMES_CONSUMES

diff --git a/Library/OcVariableLib/Shim.c b/Library/OcVariableLib/Shim.c
@@ -0,0 +1,32 @@
+/** @file
+  Manage variables for GRUB2 shim.
+
+  Copyright (C) 2023, Mike Beaton. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-3-Clause
+**/
+
+#include <Uefi.h>
+#include <ShimVars.h>
+#include <Library/UefiRuntimeServicesTableLib.h>
+
+EFI_STATUS
+OcShimRetainProtocol (
+  IN BOOLEAN  Required
+  )
+{
+  UINT8  ShimRetainProtocol;
+
+  if (!Required) {
+    return EFI_SUCCESS;
+  }
+
+  ShimRetainProtocol = 1;
+
+  return gRT->SetVariable (
+                SHIM_RETAIN_PROTOCOL,
+                &gShimLockGuid,
+                EFI_VARIABLE_BOOTSERVICE_ACCESS,
+                sizeof (ShimRetainProtocol),
+                &ShimRetainProtocol
+                );
+}
diff --git a/OpenCorePkg.dec b/OpenCorePkg.dec
@@ -24,6 +24,7 @@
   Include/Acidanthera
   Include/Apple
   Include/Generic
+  Include/Grub2
   Include/Intel
   Include/Microsoft
   Include/Nvidia
@@ -470,6 +471,9 @@
   ## Include/Microsoft/Guid/MicrosoftVariable.h
   gMicrosoftVariableGuid                     = { 0x77FA9ABD, 0x0359, 0x4D32, { 0xBD, 0x60, 0x28, 0xF4, 0xE7, 0x8F, 0x78, 0x4B }}
 
+  ## Include/Shim/Guid/ShimLock.h
+  gShimLockGuid                              = { 0x605DAB50, 0xE046, 0x4300, { 0xAB, 0xB6, 0x3D, 0xD8, 0x10, 0xDD, 0x8B, 0x23 }}
+
 [Protocols]
   ## Include/Acidanthera/Protocol/AudioDecode.h
   gEfiAudioDecodeProtocolGuid                = { 0xAF3F6C23, 0x8132, 0x4880, { 0xB3, 0x29, 0x04, 0x8D, 0xF7, 0x1D, 0xD8, 0x6A }}