Set secure_boot flag in Kernel Zero-Page (#7482)

Setting the secure_boot flag, avoids getting the printout "EFI stub: UEFI Secure Boot is enabled." when booting a Linux kernel with linuxx64.efi.stub and EFI SecureBoot enabled. This is mainly a cosmetic fixup, as the "quiet" kernel parameter does not silence pr_efi printouts in the linux kernel (this only works using the efi stub from the linux source tree)
2025-01-11 09:18:07 +03:00 · 2017-12-06 15:29:52 +01:00 · 2017-12-06 15:29:52 +01:00 · b4f9f2a62f
commit b4f9f2a62f
parent b1891d2aaf
3 changed files with 14 additions and 3 deletions
--- a/src/boot/efi/linux.c
+++ b/src/boot/efi/linux.c
@ -85,7 +85,7 @@ static inline VOID linux_efi_handover(EFI_HANDLE image, struct SetupHeader *setu
 EFI_STATUS linux_exec(EFI_HANDLE *image,
                      CHAR8 *cmdline, UINTN cmdline_len,
                      UINTN linux_addr,
-                      UINTN initrd_addr, UINTN initrd_size) {
+                      UINTN initrd_addr, UINTN initrd_size, BOOLEAN secure) {
        struct SetupHeader *image_setup;
        struct SetupHeader *boot_setup;
        EFI_PHYSICAL_ADDRESS addr;
@ -108,6 +108,17 @@ EFI_STATUS linux_exec(EFI_HANDLE *image,
        CopyMem(boot_setup, image_setup, sizeof(struct SetupHeader));
        boot_setup->loader_id = 0xff;

+        if (secure) {
+                /* set secure boot flag in linux kernel zero page, see
+                   - Documentation/x86/zero-page.txt
+                   - arch/x86/include/uapi/asm/bootparam.h
+                   - drivers/firmware/efi/libstub/secureboot.c
+                   in the linux kernel source tree
+                   Possible values: 0 (unassigned), 1 (undetected), 2 (disabled), 3 (enabled)
+                */
+                boot_setup->boot_sector[0x1ec] = 3;
+        }
+
        boot_setup->code32_start = (UINT32)linux_addr + (image_setup->setup_secs+1) * 512;

        if (cmdline) {
--- a/src/boot/efi/linux.h
+++ b/src/boot/efi/linux.h
@ -19,5 +19,5 @@
 EFI_STATUS linux_exec(EFI_HANDLE *image,
                      CHAR8 *cmdline, UINTN cmdline_size,
                      UINTN linux_addr,
-                      UINTN initrd_addr, UINTN initrd_size);
+                      UINTN initrd_addr, UINTN initrd_size, BOOLEAN secure);
 #endif
--- a/src/boot/efi/stub.c
+++ b/src/boot/efi/stub.c
@ -109,7 +109,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {

        err = linux_exec(image, cmdline, cmdline_len,
                         (UINTN)loaded_image->ImageBase + addrs[1],
-                         (UINTN)loaded_image->ImageBase + addrs[2], szs[2]);
+                         (UINTN)loaded_image->ImageBase + addrs[2], szs[2], secure);

        graphics_mode(FALSE);
        Print(L"Execution of embedded linux image failed: %r\n", err);