59 lines
		
	
	
		
			1.8 KiB
		
	
	
	
		
			Diff
		
	
	
	
	
	
			
		
		
	
	
			59 lines
		
	
	
		
			1.8 KiB
		
	
	
	
		
			Diff
		
	
	
	
	
	
| From 9ef94251448aa463c5937ee8e8e27d6fd9529509 Mon Sep 17 00:00:00 2001
 | |
| From: Josh Boyer <jwboyer@fedoraproject.org>
 | |
| Date: Tue, 5 Feb 2013 19:25:05 -0500
 | |
| Subject: [PATCH 11/20] efi: Disable secure boot if shim is in insecure mode
 | |
| 
 | |
| A user can manually tell the shim boot loader to disable validation of
 | |
| images it loads.  When a user does this, it creates a UEFI variable called
 | |
| MokSBState that does not have the runtime attribute set.  Given that the
 | |
| user explicitly disabled validation, we can honor that and not enable
 | |
| secure boot mode if that variable is set.
 | |
| 
 | |
| Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
 | |
| ---
 | |
|  arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++-
 | |
|  1 file changed, 19 insertions(+), 1 deletion(-)
 | |
| 
 | |
| diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
 | |
| index b4de3faa3f29..5cc2ef570390 100644
 | |
| --- a/arch/x86/boot/compressed/eboot.c
 | |
| +++ b/arch/x86/boot/compressed/eboot.c
 | |
| @@ -830,8 +830,9 @@ out:
 | |
|  
 | |
|  static int get_secure_boot(void)
 | |
|  {
 | |
| -	u8 sb, setup;
 | |
| +	u8 sb, setup, moksbstate;
 | |
|  	unsigned long datasize = sizeof(sb);
 | |
| +	u32 attr;
 | |
|  	efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
 | |
|  	efi_status_t status;
 | |
|  
 | |
| @@ -855,6 +856,23 @@ static int get_secure_boot(void)
 | |
|  	if (setup == 1)
 | |
|  		return 0;
 | |
|  
 | |
| +	/* See if a user has put shim into insecure_mode.  If so, and the variable
 | |
| +	 * doesn't have the runtime attribute set, we might as well honor that.
 | |
| +	 */
 | |
| +	var_guid = EFI_SHIM_LOCK_GUID;
 | |
| +	status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
 | |
| +				L"MokSBState", &var_guid, &attr, &datasize,
 | |
| +				&moksbstate);
 | |
| +
 | |
| +	/* If it fails, we don't care why.  Default to secure */
 | |
| +	if (status != EFI_SUCCESS)
 | |
| +		return 1;
 | |
| +
 | |
| +	if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
 | |
| +		if (moksbstate == 1)
 | |
| +			return 0;
 | |
| +	}
 | |
| +
 | |
|  	return 1;
 | |
|  }
 | |
|  
 | |
| -- 
 | |
| 2.4.3
 | |
| 
 |