efi: generalize efi_get_secureboot
Generalize the efi_get_secureboot() function so not only efistub but also other subsystems can use it. Note that the MokSbState handling is not factored out: the variable is boot time only, and so it cannot be parameterized as easily. Also, the IMA code will switch to this version in a future patch, and it does not incorporate the MokSbState exception in the first place. Note that the new efi_get_secureboot_mode() helper treats any failures to read SetupMode as setup mode being disabled. Co-developed-by: Chester Lin <clin@suse.com> Signed-off-by: Chester Lin <clin@suse.com> Acked-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
This commit is contained in:
parent
6edcf9dc2e
commit
e1ac4b2406
@ -35,7 +35,7 @@ cflags-$(CONFIG_X86_32) := -march=i386
|
||||
cflags-$(CONFIG_X86_64) := -mcmodel=small -mno-red-zone
|
||||
KBUILD_CFLAGS += $(cflags-y)
|
||||
KBUILD_CFLAGS += -mno-mmx -mno-sse
|
||||
KBUILD_CFLAGS += -ffreestanding
|
||||
KBUILD_CFLAGS += -ffreestanding -fshort-wchar
|
||||
KBUILD_CFLAGS += -fno-stack-protector
|
||||
KBUILD_CFLAGS += $(call cc-disable-warning, address-of-packed-member)
|
||||
KBUILD_CFLAGS += $(call cc-disable-warning, gnu)
|
||||
|
@ -848,4 +848,6 @@ asmlinkage void __noreturn efi_enter_kernel(unsigned long entrypoint,
|
||||
|
||||
void efi_handle_post_ebs_state(void);
|
||||
|
||||
enum efi_secureboot_mode efi_get_secureboot(void);
|
||||
|
||||
#endif
|
||||
|
@ -12,15 +12,16 @@
|
||||
|
||||
#include "efistub.h"
|
||||
|
||||
/* BIOS variables */
|
||||
static const efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
|
||||
static const efi_char16_t efi_SecureBoot_name[] = L"SecureBoot";
|
||||
static const efi_char16_t efi_SetupMode_name[] = L"SetupMode";
|
||||
|
||||
/* SHIM variables */
|
||||
static const efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID;
|
||||
static const efi_char16_t shim_MokSBState_name[] = L"MokSBState";
|
||||
|
||||
static efi_status_t get_var(efi_char16_t *name, efi_guid_t *vendor, u32 *attr,
|
||||
unsigned long *data_size, void *data)
|
||||
{
|
||||
return get_efi_var(name, vendor, attr, data_size, data);
|
||||
}
|
||||
|
||||
/*
|
||||
* Determine whether we're in secure boot mode.
|
||||
*
|
||||
@ -30,26 +31,18 @@ static const efi_char16_t shim_MokSBState_name[] = L"MokSBState";
|
||||
enum efi_secureboot_mode efi_get_secureboot(void)
|
||||
{
|
||||
u32 attr;
|
||||
u8 secboot, setupmode, moksbstate;
|
||||
unsigned long size;
|
||||
enum efi_secureboot_mode mode;
|
||||
efi_status_t status;
|
||||
u8 moksbstate;
|
||||
|
||||
size = sizeof(secboot);
|
||||
status = get_efi_var(efi_SecureBoot_name, &efi_variable_guid,
|
||||
NULL, &size, &secboot);
|
||||
if (status == EFI_NOT_FOUND)
|
||||
return efi_secureboot_mode_disabled;
|
||||
if (status != EFI_SUCCESS)
|
||||
goto out_efi_err;
|
||||
|
||||
size = sizeof(setupmode);
|
||||
status = get_efi_var(efi_SetupMode_name, &efi_variable_guid,
|
||||
NULL, &size, &setupmode);
|
||||
if (status != EFI_SUCCESS)
|
||||
goto out_efi_err;
|
||||
|
||||
if (secboot == 0 || setupmode == 1)
|
||||
return efi_secureboot_mode_disabled;
|
||||
mode = efi_get_secureboot_mode(get_var);
|
||||
if (mode == efi_secureboot_mode_unknown) {
|
||||
efi_err("Could not determine UEFI Secure Boot status.\n");
|
||||
return efi_secureboot_mode_unknown;
|
||||
}
|
||||
if (mode != efi_secureboot_mode_enabled)
|
||||
return mode;
|
||||
|
||||
/*
|
||||
* See if a user has put the shim into insecure mode. If so, and if the
|
||||
@ -69,8 +62,4 @@ enum efi_secureboot_mode efi_get_secureboot(void)
|
||||
secure_boot_enabled:
|
||||
efi_info("UEFI Secure Boot is enabled.\n");
|
||||
return efi_secureboot_mode_enabled;
|
||||
|
||||
out_efi_err:
|
||||
efi_err("Could not determine UEFI Secure Boot status.\n");
|
||||
return efi_secureboot_mode_unknown;
|
||||
}
|
||||
|
@ -1089,7 +1089,28 @@ enum efi_secureboot_mode {
|
||||
efi_secureboot_mode_disabled,
|
||||
efi_secureboot_mode_enabled,
|
||||
};
|
||||
enum efi_secureboot_mode efi_get_secureboot(void);
|
||||
|
||||
static inline
|
||||
enum efi_secureboot_mode efi_get_secureboot_mode(efi_get_variable_t *get_var)
|
||||
{
|
||||
u8 secboot, setupmode = 0;
|
||||
efi_status_t status;
|
||||
unsigned long size;
|
||||
|
||||
size = sizeof(secboot);
|
||||
status = get_var(L"SecureBoot", &EFI_GLOBAL_VARIABLE_GUID, NULL, &size,
|
||||
&secboot);
|
||||
if (status == EFI_NOT_FOUND)
|
||||
return efi_secureboot_mode_disabled;
|
||||
if (status != EFI_SUCCESS)
|
||||
return efi_secureboot_mode_unknown;
|
||||
|
||||
size = sizeof(setupmode);
|
||||
get_var(L"SetupMode", &EFI_GLOBAL_VARIABLE_GUID, NULL, &size, &setupmode);
|
||||
if (secboot == 0 || setupmode == 1)
|
||||
return efi_secureboot_mode_disabled;
|
||||
return efi_secureboot_mode_enabled;
|
||||
}
|
||||
|
||||
#ifdef CONFIG_RESET_ATTACK_MITIGATION
|
||||
void efi_enable_reset_attack_mitigation(void);
|
||||
|
Loading…
x
Reference in New Issue
Block a user