From 3e6e3de0aa0a25d4e2ddc43e19ed4686353ceb44 Mon Sep 17 00:00:00 2001
From: "Simon J. Gerraty"
Date: Fri, 12 Jun 2020 21:55:30 +0000
Subject: [PATCH] verify_pcr_export: bump kenv_mvallen if needed
The loader.ve.hashed list can easily exceed KENV_MVALLEN. If so, bump kenv_mvallen to a multiple of KENV_MVALLEN to accommodate the value.
Reviewed by: stevek
MFC after: 1 week
---
 lib/libsecureboot/verify_file.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/lib/libsecureboot/verify_file.c b/lib/libsecureboot/verify_file.c
index 20fc0ae4ae78..ca7c59abeffc 100644
--- a/lib/libsecureboot/verify_file.c
+++ b/lib/libsecureboot/verify_file.c
@@ -31,6 +31,7 @@ __FBSDID("$FreeBSD$");
 #include
 #include
 #include
+#include
 #include "libsecureboot.h"
 #include
@@ -532,6 +533,19 @@ verify_pcr_export(void)
 DEBUG_PRINTF(1, ("%s: setenv(loader.ve.hashed, %s\n", __func__, hinfo));
+ if ((hlen = strlen(hinfo)) > KENV_MVALLEN) {
+ /*
+ * bump kenv_mvallen
+ * roundup to multiple of KENV_MVALLEN
+ */
+ char mvallen[16];
+
+ hlen += KENV_MVALLEN -
+ (hlen % KENV_MVALLEN);
+ if (snprintf(mvallen, sizeof(mvallen),
+ "%d", (int) hlen) < sizeof(mvallen))
+ setenv("kenv_mvallen", mvallen, 1);
+ }
 free(hinfo);
 }
 }
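Review bot: In the second hunk, the new block fails silently. If `snprintf` does not fit or `setenv("kenv_mvallen", ...)` returns non-zero, nothing is logged and the limit stays at its default, so the exported `loader.ve.hashed` value, which is the record of what was verified, may be cut short for whoever reads it later. The `snprintf(...) < sizeof(mvallen)` test also compares an `int` with a `size_t`; a negative return is rejected only because it converts to a huge unsigned value. I would capture the result in an `int n` and test `if (n < 0 || (size_t)n >= sizeof(mvallen) || setenv("kenv_mvallen", mvallen, 1) != 0)`, with a `DEBUG_PRINTF` in that failure branch. The declaration of `hlen` and the start of `verify_pcr_export` are outside the hunk, so whether the `(int)` cast can truncate cannot be checked from here. The comment could also say that a length already a multiple of `KENV_MVALLEN` is bumped by a full extra `KENV_MVALLEN`, if that headroom is intended.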