From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Leo Sandoval
Date: Fri, 25 Apr 2025 13:07:10 -0600
Subject: [PATCH] mokutil: introduce --is-sb-enabled parameter

The result would be 0 if SB is enable, 1 otherwise (or -1 in case of error). This is a different outcome when using --sb-state, where it returns 0 no matter the SB status (or -1 in case of error).
Signed-off-by: Leo Sandoval
---
 man/mokutil.1 | 5 +++++
 src/mokutil.c | 30 ++++++++++++++++++++++++++++--
 2 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/man/mokutil.1 b/man/mokutil.1
index ccb285c..6b30610 100644
--- a/man/mokutil.1
+++ b/man/mokutil.1
@@ -40,6 +40,8 @@ mokutil \- utility to manipulate machine owner keys
 .br
 \fBmokutil\fR [--sb-state]
 .br
+\fBmokutil\fR [--is-sb-enabled]
+.br
 \fBmokutil\fR [--test-key \fIkeyfile\fR | -t \fIkeyfile\fR] ([--mokx | -X] | [--ca-check] | [--ignore-keyring])
 .br
@@ -133,6 +135,9 @@ Enable the validation process in shim
 \fB--sb-state\fR
 Show SecureBoot State
 .TP
+\fB--is-sb-enabled\fR
+Indicates if SecureBoot is enabled
+.TP
 \fB-t, --test-key\fR
 Test if the key is enrolled or not
 .TP
diff --git a/src/mokutil.c b/src/mokutil.c
index e40579b..918ca06 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -89,6 +89,7 @@
 #define UNTRUST_MOK (1 << 28)
 #define SET_SBAT (1 << 29)
 #define SET_SSP (1 << 30)
+#define IS_SB_ENABLED (1 << 31)
 #define DEFAULT_CRYPT_METHOD SHA512_BASED
 #define DEFAULT_SALT_SIZE SHA512_SALT_MAX
@@ -129,6 +130,7 @@ print_help ()
 printf (" --disable-validation\t\t\tDisable signature validation\n");
 printf (" --enable-validation\t\t\tEnable signature validation\n");
 printf (" --sb-state\t\t\t\tShow SecureBoot State\n");
+ printf (" --is-sb-enabled\t\t\tIndicates if SecureBoot is enabled or not\n");
 printf (" --test-key, -t \t\tTest if the key is enrolled or not\n");
 printf (" --reset\t\t\t\tReset MOK list\n");
 printf (" --generate-hash[=password], -g\tGenerate the password hash\n");
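Review bot: `#define IS_SB_ENABLED (1 << 31)` shifts a signed `int` constant into its sign bit, which is undefined behaviour in C11 (6.5.7), and it also uses up the last bit of a 32-bit command mask. The declaration of `command` is outside the hunk, so whether it is signed cannot be checked here; an unsigned constant at least removes the UB: `#define IS_SB_ENABLED (1U << 31)`. If `command` turns out to be an `int`, the later `command |= IS_SB_ENABLED` still makes its value negative, so widening the mask type (or `command` itself) is worth doing before another command is added.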
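Review bot: The help line added for `--is-sb-enabled` does not say that the answer is delivered through the exit status, which is the only way this option differs from `--sb-state`, and the new man page entry has the same gap. Suggest `printf (" --is-sb-enabled\t\t\tExit with 0 if SecureBoot is enabled, 1 otherwise\n");` here, and a matching sentence under `\fB--is-sb-enabled\fR` in man/mokutil.1, so that scripts have a documented contract for the exit code.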
@@ -1400,7 +1402,7 @@ enable_validation(void)
 }
 static int
-sb_state ()
+sb_state_internal ()
 {
 uint8_t *data = NULL;
 size_t data_size;
@@ -1408,6 +1410,7 @@ sb_state ()
 int32_t secureboot = -1;
 int32_t setupmode = -1;
 int32_t moksbstate = -1;
+ int ret = 0;
 if (efi_get_variable (efi_guid_global, "SecureBoot", &data, &data_size, &attributes) < 0) {
@@ -1453,17 +1456,34 @@ sb_state ()
 if (secureboot == 1 && setupmode == 0) {
 printf ("SecureBoot enabled\n");
+ ret = 0;
 if (moksbstate == 1)
 printf ("SecureBoot validation is disabled in shim\n");
 } else if (secureboot == 0 || setupmode == 1) {
 printf ("SecureBoot disabled\n");
+ ret = 1;
 if (setupmode == 1)
 printf ("Platform is in Setup Mode\n");
 } else {
 printf ("Cannot determine secure boot state.\n");
 }
- return 0;
+ return ret;
+}
+
+static int
+sb_state ()
+{
+ int ret = sb_state_internal ();
+
+ /* in this case, ignore the ret value except on failure */
+ return (ret < 0)? ret: 0;
+}
+
+static int
+is_sb_enabled ()
+{
+ return sb_state_internal ();
 }
 static inline int
@@ -1855,6 +1875,7 @@ main (int argc, char *argv[])
 {"disable-validation", no_argument, 0, 0 },
 {"enable-validation", no_argument, 0, 0 },
 {"sb-state", no_argument, 0, 0 },
+{"is-sb-enabled", no_argument, 0, 0 },
 {"test-key", required_argument, 0, 't'},
 {"reset", no_argument, 0, 0 },
 {"hash-file", required_argument, 0, 'f'},
@@ -1908,6 +1929,8 @@ main (int argc, char *argv[])
 command |= ENABLE_VALIDATION;
 } else if (strcmp (option, "sb-state") == 0) {
 command |= SB_STATE;
+ } else if (strcmp (option, "is-sb-enabled") == 0) {
+ command |= IS_SB_ENABLED;
 } else if (strcmp (option, "reset") == 0) {
 command |= RESET;
 } else if (strcmp (option, "ignore-db") == 0) {
@@ -2258,6 +2281,9 @@ main (int argc, char *argv[])
 case SB_STATE:
 ret = sb_state ();
 break;
+ case IS_SB_ENABLED:
+ ret = is_sb_enabled ();
+ break;
 case TEST_KEY:
 ret = test_key (ENROLL_MOK, key_file);
 break;
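Review bot: In the new `sb_state_internal`, the `else` branch that prints "Cannot determine secure boot state." leaves `ret` at its initial 0, so `--is-sb-enabled` reports an undetermined state exactly like an enabled one, and a caller that gates an action on this exit status fails open. Either set `ret = 1;` in that branch (fail closed) or use a distinct non-negative value such as `ret = 2;`, which keeps `sb_state` unchanged because it only maps `ret < 0` to failure. The early error returns after the `efi_get_variable` calls are outside the hunk and were not checked here. As a point of style, `sb_state ()` and `is_sb_enabled ()` are declared with empty parentheses while the neighbouring `enable_validation(void)` uses a prototype, so `(void)` would be consistent, and the comment `/* in this case, ignore the ret value except on failure */` would be clearer as `/* --sb-state only reports; an enabled/disabled result is not an error */`.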
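Review bot: `ret = is_sb_enabled ();` stores a 0/1/-1 state answer in the same `ret` that every other command uses as an error indicator, and the code that turns `ret` into the process exit status is outside this hunk. If `main` returns `ret` directly, the -1 described in the commit message reaches the shell as 255, and any shared post-processing that treats a non-zero `ret` as failure would print an error for a merely disabled SecureBoot. Worth confirming against the end of `main`, and then recording the actual exit codes in the man page so scripts can rely on them.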