boot: Skip safety countdown when running in a VM

2025-01-25 06:03:40 +03:00 · 2022-08-04 10:21:15 +02:00 · 2022-08-04 10:21:15 +02:00 · bafc594528
commit bafc594528
parent adb9485acb
4 changed files with 34 additions and 22 deletions
--- a/src/boot/efi/secure-boot.c
+++ b/src/boot/efi/secure-boot.c
@ -49,6 +49,11 @@ EFI_STATUS secure_boot_enroll_at(EFI_FILE *root_dir, const char16_t *path) {

        unsigned timeout_sec = 15;
        for(;;) {
+                /* Enrolling secure boot keys is safe to do in virtualized environments as there is nothing
+                 * we can brick there. */
+                if (in_hypervisor())
+                        break;
+
                PrintAt(0, ST->ConOut->Mode->CursorRow, L"Enrolling in %2u s, press any key to abort.", timeout_sec);

                uint64_t key;
--- a/src/boot/efi/ticks.c
+++ b/src/boot/efi/ticks.c
@ -2,35 +2,17 @@

 #include <efi.h>
 #include <efilib.h>
-#if defined(__i386__) || defined(__x86_64__)
-#include <cpuid.h>
-#endif
-#include <stdbool.h>

 #include "ticks.h"
-
-#if defined(__i386__) || defined(__x86_64__)
-static bool in_hypervisor(void) {
-        uint32_t eax, ebx, ecx, edx;
-
-        /* The TSC might or might not be virtualized in VMs (and thus might not be accurate or start at zero
-         * at boot), depending on hypervisor and CPU functionality. If it's not virtualized it's not useful
-         * for keeping time, hence don't attempt to use it.
-         *
-         * This is a dumbed down version of src/basic/virt.c's detect_vm() that safely works in the UEFI
-         * environment. */
-
-        if (__get_cpuid(1, &eax, &ebx, &ecx, &edx) == 0)
-                return false;
-
-        return !!(ecx & 0x80000000U);
-}
-#endif
+#include "util.h"

 #ifdef __x86_64__
 static uint64_t ticks_read(void) {
        uint64_t a, d;

+        /* The TSC might or might not be virtualized in VMs (and thus might not be accurate or start at zero
+         * at boot), depending on hypervisor and CPU functionality. If it's not virtualized it's not useful
+         * for keeping time, hence don't attempt to use it. */
        if (in_hypervisor())
                return 0;

--- a/src/boot/efi/util.c
+++ b/src/boot/efi/util.c
@ -2,6 +2,9 @@

 #include <efi.h>
 #include <efilib.h>
+#if defined(__i386__) || defined(__x86_64__)
+#  include <cpuid.h>
+#endif

 #include "ticks.h"
 #include "util.h"
@ -768,3 +771,17 @@ EFI_STATUS make_file_device_path(EFI_HANDLE device, const char16_t *file, EFI_DE
        SetDevicePathEndNode(dp);
        return EFI_SUCCESS;
 }
+
+#if defined(__i386__) || defined(__x86_64__)
+bool in_hypervisor(void) {
+        uint32_t eax, ebx, ecx, edx;
+
+        /* This is a dumbed down version of src/basic/virt.c's detect_vm() that safely works in the UEFI
+         * environment. */
+
+        if (__get_cpuid(1, &eax, &ebx, &ecx, &edx) == 0)
+                return false;
+
+        return !!(ecx & 0x80000000U);
+}
+#endif
--- a/src/boot/efi/util.h
+++ b/src/boot/efi/util.h
@ -179,3 +179,11 @@ static inline void beep(UINTN beep_count) {}

 EFI_STATUS open_volume(EFI_HANDLE device, EFI_FILE **ret_file);
 EFI_STATUS make_file_device_path(EFI_HANDLE device, const char16_t *file, EFI_DEVICE_PATH **ret_dp);
+
+#if defined(__i386__) || defined(__x86_64__)
+bool in_hypervisor(void);
+#else
+static inline bool in_hypervisor(void) {
+        return false;
+}
+#endif