Fix the issue that the gBS->LoadImage pointer was empty.

[jinlun123123123]

The interface shouldn't be replaced at the shim_fini
stage When the vendor certificate doesn't exist.

[kukrimate]

		if (vendor_authorized_size || vendor_deauthorized_size) {
			/*
			 * If shim includes its own certificates then ensure
			 * that anything it boots has performed some
			 * validation of the next image.
			 */
			hook_system_services(systab);
			loader_is_participating = 0;
		}

The above is the hook installation code from shim_init. Hook is indeed only installed when moklist or moklistx is non-empty.

I hope there are no signed shims on the UEFI 3rd party CA with this condition.

EDIT: I initially thought this might be an exploitable UAF, but looks like the pointers written to the system table are always NULL, and I don't think there is any signed UEFI application that would allow an attacker to put shellcode there so maybe it's just an annoying crash.

[xcfxr]

		if (vendor_authorized_size || vendor_deauthorized_size) {
			/*
			 * If shim includes its own certificates then ensure
			 * that anything it boots has performed some
			 * validation of the next image.
			 */
			hook_system_services(systab);
			loader_is_participating = 0;
		}

The above is the hook installation code from shim_init. Hook is indeed only installed when moklist or moklistx is non-empty.

I hope there are no signed shims on the UEFI 3rd party CA with this condition.

EDIT: I initially thought this might be an exploitable UAF, but looks like the pointers written to the system table are always NULL, and I don't think there is any signed UEFI application that would allow an attacker to put shellcode there so maybe it's just an annoying crash.

From the perspective of the logical integrity of the code, shim_fini needs to make the same judgment when uninstalling the hook, so this pr is meaningful.