67 lines
2.2 KiB
Diff
67 lines
2.2 KiB
Diff
From: Josh Boyer <jwboyer@fedoraproject.org>
|
|
Date: Tue, 5 Feb 2013 19:25:05 -0500
|
|
Subject: [13/18] efi: Disable secure boot if shim is in insecure mode
|
|
Origin: https://github.com/mjg59/linux/commit/f444a5ecb0ab09d6cf661b4520dd8e6fffacb8be
|
|
|
|
A user can manually tell the shim boot loader to disable validation of
|
|
images it loads. When a user does this, it creates a UEFI variable called
|
|
MokSBState that does not have the runtime attribute set. Given that the
|
|
user explicitly disabled validation, we can honor that and not enable
|
|
secure boot mode if that variable is set.
|
|
|
|
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
|
---
|
|
arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++-
|
|
include/linux/efi.h | 3 +++
|
|
2 files changed, 22 insertions(+), 1 deletion(-)
|
|
|
|
--- a/arch/x86/boot/compressed/eboot.c
|
|
+++ b/arch/x86/boot/compressed/eboot.c
|
|
@@ -1053,8 +1053,9 @@ void setup_graphics(struct boot_params *
|
|
|
|
static int get_secure_boot(void)
|
|
{
|
|
- u8 sb, setup;
|
|
+ u8 sb, setup, moksbstate;
|
|
unsigned long datasize = sizeof(sb);
|
|
+ u32 attr;
|
|
efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
|
|
efi_status_t status;
|
|
|
|
@@ -1078,6 +1079,23 @@ static int get_secure_boot(void)
|
|
if (setup == 1)
|
|
return 0;
|
|
|
|
+ /* See if a user has put shim into insecure_mode. If so, and the variable
|
|
+ * doesn't have the runtime attribute set, we might as well honor that.
|
|
+ */
|
|
+ var_guid = EFI_SHIM_LOCK_GUID;
|
|
+ status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
|
|
+ L"MokSBState", &var_guid, &attr, &datasize,
|
|
+ &moksbstate);
|
|
+
|
|
+ /* If it fails, we don't care why. Default to secure */
|
|
+ if (status != EFI_SUCCESS)
|
|
+ return 1;
|
|
+
|
|
+ if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
|
|
+ if (moksbstate == 1)
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
return 1;
|
|
}
|
|
|
|
--- a/include/linux/efi.h
|
|
+++ b/include/linux/efi.h
|
|
@@ -629,6 +629,9 @@ typedef struct {
|
|
#define EFI_1_10_SYSTEM_TABLE_REVISION ((1 << 16) | (10))
|
|
#define EFI_1_02_SYSTEM_TABLE_REVISION ((1 << 16) | (02))
|
|
|
|
+#define EFI_SHIM_LOCK_GUID \
|
|
+ EFI_GUID( 0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 )
|
|
+
|
|
typedef struct {
|
|
efi_table_hdr_t hdr;
|
|
u64 fw_vendor; /* physical addr of CHAR16 vendor string */
|