2014-08-20 17:22:24 +00:00
|
|
|
From: Josh Boyer <jwboyer@fedoraproject.org>
|
|
|
|
Date: Tue, 5 Feb 2013 19:25:05 -0500
|
|
|
|
Subject: [PATCH] efi: Disable secure boot if shim is in insecure mode
|
|
|
|
|
|
|
|
A user can manually tell the shim boot loader to disable validation of
|
|
|
|
images it loads. When a user does this, it creates a UEFI variable called
|
|
|
|
MokSBState that does not have the runtime attribute set. Given that the
|
|
|
|
user explicitly disabled validation, we can honor that and not enable
|
|
|
|
secure boot mode if that variable is set.
|
|
|
|
|
|
|
|
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
|
|
|
---
|
|
|
|
arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++-
|
|
|
|
1 file changed, 19 insertions(+), 1 deletion(-)
|
|
|
|
|
|
|
|
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
|
2014-09-29 13:54:15 +00:00
|
|
|
index 975d11bfaf5b..94bf7819857a 100644
|
2014-08-20 17:22:24 +00:00
|
|
|
--- a/arch/x86/boot/compressed/eboot.c
|
|
|
|
+++ b/arch/x86/boot/compressed/eboot.c
|
2014-09-29 13:54:15 +00:00
|
|
|
@@ -817,8 +817,9 @@ out:
|
2014-08-20 17:22:24 +00:00
|
|
|
|
|
|
|
static int get_secure_boot(void)
|
|
|
|
{
|
|
|
|
- u8 sb, setup;
|
|
|
|
+ u8 sb, setup, moksbstate;
|
|
|
|
unsigned long datasize = sizeof(sb);
|
|
|
|
+ u32 attr;
|
|
|
|
efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
|
|
|
|
efi_status_t status;
|
|
|
|
|
2014-09-29 13:54:15 +00:00
|
|
|
@@ -842,6 +843,23 @@ static int get_secure_boot(void)
|
2014-08-20 17:22:24 +00:00
|
|
|
if (setup == 1)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
+ /* See if a user has put shim into insecure_mode. If so, and the variable
|
|
|
|
+ * doesn't have the runtime attribute set, we might as well honor that.
|
|
|
|
+ */
|
|
|
|
+ var_guid = EFI_SHIM_LOCK_GUID;
|
|
|
|
+ status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
|
|
|
|
+ L"MokSBState", &var_guid, &attr, &datasize,
|
|
|
|
+ &moksbstate);
|
|
|
|
+
|
|
|
|
+ /* If it fails, we don't care why. Default to secure */
|
|
|
|
+ if (status != EFI_SUCCESS)
|
|
|
|
+ return 1;
|
|
|
|
+
|
|
|
|
+ if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
|
|
|
|
+ if (moksbstate == 1)
|
|
|
|
+ return 0;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
--
|
|
|
|
1.9.3
|
|
|
|
|