kernel/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch

From d687d79620ea20511b2dbf77e74fdcf4d94981f9 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 5 Feb 2013 19:25:05 -0500
Subject: [PATCH 12/20] efi: Disable secure boot if shim is in insecure mode

A user can manually tell the shim boot loader to disable validation of
images it loads.  When a user does this, it creates a UEFI variable called
MokSBState that does not have the runtime attribute set.  Given that the
user explicitly disabled validation, we can honor that and not enable
secure boot mode if that variable is set.

Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
---
 arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
index ebc85c1eefd6..50e027f388d8 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -540,8 +540,9 @@ static void setup_efi_pci(struct boot_params *params)
 
 static int get_secure_boot(void)
 {
-	u8 sb, setup;
+	u8 sb, setup, moksbstate;
 	unsigned long datasize = sizeof(sb);
+	u32 attr;
 	efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
 	efi_status_t status;
 
@@ -565,6 +566,23 @@ static int get_secure_boot(void)
 	if (setup == 1)
 		return 0;
 
+	/* See if a user has put shim into insecure_mode.  If so, and the variable
+	 * doesn't have the runtime attribute set, we might as well honor that.
+	 */
+	var_guid = EFI_SHIM_LOCK_GUID;
+	status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
+				L"MokSBState", &var_guid, &attr, &datasize,
+				&moksbstate);
+
+	/* If it fails, we don't care why.  Default to secure */
+	if (status != EFI_SUCCESS)
+		return 1;
+
+	if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
+		if (moksbstate == 1)
+			return 0;
+	}
+
 	return 1;
 }
 
-- 
2.9.3
Refresh SB patchset to fix bisectability issue 2016-10-27 14:49:53 +00:00			`From d687d79620ea20511b2dbf77e74fdcf4d94981f9 Mon Sep 17 00:00:00 2001`
Patch file cleanup Do a couple things here: - Split the mega-patches into individual patches. Should help with rebasing. - Make all patches 'git am' acceptable. There should be no functional or actual code differences from before 2014-08-20 17:22:24 +00:00			`From: Josh Boyer <jwboyer@fedoraproject.org>`
			`Date: Tue, 5 Feb 2013 19:25:05 -0500`
Refresh SB patchset to fix bisectability issue 2016-10-27 14:49:53 +00:00			`Subject: [PATCH 12/20] efi: Disable secure boot if shim is in insecure mode`
Patch file cleanup Do a couple things here: - Split the mega-patches into individual patches. Should help with rebasing. - Make all patches 'git am' acceptable. There should be no functional or actual code differences from before 2014-08-20 17:22:24 +00:00
			`A user can manually tell the shim boot loader to disable validation of`
			`images it loads. When a user does this, it creates a UEFI variable called`
			`MokSBState that does not have the runtime attribute set. Given that the`
			`user explicitly disabled validation, we can honor that and not enable`
			`secure boot mode if that variable is set.`

			`Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>`
			`---`
			`arch/x86/boot/compressed/eboot.c \| 20 +++++++++++++++++++-`
			`1 file changed, 19 insertions(+), 1 deletion(-)`

			`diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c`
Refresh SB patchset to fix bisectability issue 2016-10-27 14:49:53 +00:00			`index ebc85c1eefd6..50e027f388d8 100644`
Patch file cleanup Do a couple things here: - Split the mega-patches into individual patches. Should help with rebasing. - Make all patches 'git am' acceptable. There should be no functional or actual code differences from before 2014-08-20 17:22:24 +00:00			`--- a/arch/x86/boot/compressed/eboot.c`
			`+++ b/arch/x86/boot/compressed/eboot.c`
Refresh SB patchset to fix bisectability issue 2016-10-27 14:49:53 +00:00			`@@ -540,8 +540,9 @@ static void setup_efi_pci(struct boot_params *params)`
Patch file cleanup Do a couple things here: - Split the mega-patches into individual patches. Should help with rebasing. - Make all patches 'git am' acceptable. There should be no functional or actual code differences from before 2014-08-20 17:22:24 +00:00
			`static int get_secure_boot(void)`
			`{`
			`- u8 sb, setup;`
			`+ u8 sb, setup, moksbstate;`
			`unsigned long datasize = sizeof(sb);`
			`+ u32 attr;`
			`efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;`
			`efi_status_t status;`

Refresh SB patchset to fix bisectability issue 2016-10-27 14:49:53 +00:00			`@@ -565,6 +566,23 @@ static int get_secure_boot(void)`
Patch file cleanup Do a couple things here: - Split the mega-patches into individual patches. Should help with rebasing. - Make all patches 'git am' acceptable. There should be no functional or actual code differences from before 2014-08-20 17:22:24 +00:00			`if (setup == 1)`
			`return 0;`

			`+ /* See if a user has put shim into insecure_mode. If so, and the variable`
			`+ * doesn't have the runtime attribute set, we might as well honor that.`
			`+ */`
			`+ var_guid = EFI_SHIM_LOCK_GUID;`
			`+ status = efi_early->call((unsigned long)sys_table->runtime->get_variable,`
			`+ L"MokSBState", &var_guid, &attr, &datasize,`
			`+ &moksbstate);`
			`+`
			`+ /* If it fails, we don't care why. Default to secure */`
			`+ if (status != EFI_SUCCESS)`
			`+ return 1;`
			`+`
			`+ if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {`
			`+ if (moksbstate == 1)`
			`+ return 0;`
			`+ }`
			`+`
			`return 1;`
			`}`

Linux v4.2-10637-ga794b4f32921 - Rework secure boot patchset 2015-09-09 15:10:06 +00:00			`--`
Refresh SB patchset to fix bisectability issue 2016-10-27 14:49:53 +00:00			`2.9.3`
Linux v4.2-10637-ga794b4f32921 - Rework secure boot patchset 2015-09-09 15:10:06 +00:00