[PATCH v2] xen/efi: Do not check kernel signature if it was embedded

[Frediano Ziglio <frediano.ziglio@xxxxxxxxx>]

Using UKI it's possible to embed Linux kernel into xen.efi file.
In this case the signature for Secure Boot is applied to the
whole xen.efi, including the kernel.
So checking for specific signature for the kernel is not
needed.

Signed-off-by: Frediano Ziglio <frediano.ziglio@xxxxxxxxx>
---
Changes since v1:
- updated commit message and code comment;
- renamed kernel_was_verified to kernel_verified.
---
 xen/common/efi/boot.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/xen/common/efi/boot.c b/xen/common/efi/boot.c
index e39fbc3529..fb3b120982 100644
--- a/xen/common/efi/boot.c
+++ b/xen/common/efi/boot.c
@@ -1291,6 +1291,7 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE 
ImageHandle,
     bool base_video = false;
     const char *option_str;
     bool use_cfg_file;
+    bool kernel_verified = false;
     int dt_modules_found;
 
     __set_bit(EFI_BOOT, &efi_flags);
@@ -1461,6 +1462,11 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE 
ImageHandle,
             read_file(dir_handle, s2w(&name), &kernel, option_str);
             efi_bs->FreePool(name.w);
         }
+        else
+        {
+            /* Kernel was embedded so Xen signature includes it. */
+            kernel_verified = true;
+        }
 
         if ( !read_section(loaded_image, L"ramdisk", &ramdisk, NULL) )
         {
@@ -1534,6 +1540,7 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE 
ImageHandle,
      * verify it.
      */
     if ( kernel.ptr &&
+         !kernel_verified &&
          !EFI_ERROR(efi_bs->LocateProtocol(&shim_lock_guid, NULL,
                                            (void **)&shim_lock)) &&
          (status = shim_lock->Verify(kernel.ptr, kernel.size)) != EFI_SUCCESS )
-- 
2.43.0