From 37f526e25a7b0f5b257d48a184d10db6523ef6e4 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 5 Feb 2013 19:25:05 -0500 Subject: [PATCH] efi: Disable secure boot if shim is in insecure mode A user can manually tell the shim boot loader to disable validation of images it loads. When a user does this, it creates a UEFI variable called MokSBState that does not have the runtime attribute set. Given that the user explicitly disabled validation, we can honor that and not enable secure boot mode if that variable is set. Signed-off-by: Josh Boyer Gbp-Pq: Topic features/all/securelevel Gbp-Pq: Name efi-disable-secure-boot-if-shim-is-in-insecure-mode.patch --- arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++- include/linux/efi.h | 3 +++ 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c index 2f80a7cae37..d0abbf674be 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c @@ -747,8 +747,9 @@ void setup_graphics(struct boot_params *boot_params) static int get_secure_boot(void) { - u8 sb, setup; + u8 sb, setup, moksbstate; unsigned long datasize = sizeof(sb); + u32 attr; efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; efi_status_t status; @@ -772,6 +773,23 @@ static int get_secure_boot(void) if (setup == 1) return 0; + /* See if a user has put shim into insecure_mode. If so, and the variable + * doesn't have the runtime attribute set, we might as well honor that. + */ + var_guid = EFI_SHIM_LOCK_GUID; + status = efi_early->call((unsigned long)sys_table->runtime->get_variable, + L"MokSBState", &var_guid, &attr, &datasize, + &moksbstate); + + /* If it fails, we don't care why. Default to secure */ + if (status != EFI_SUCCESS) + return 1; + + if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) { + if (moksbstate == 1) + return 0; + } + return 1; } diff --git a/include/linux/efi.h b/include/linux/efi.h index 0148a3046b4..7c299443c71 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -628,6 +628,9 @@ typedef struct { #define EFI_1_10_SYSTEM_TABLE_REVISION ((1 << 16) | (10)) #define EFI_1_02_SYSTEM_TABLE_REVISION ((1 << 16) | (02)) +#define EFI_SHIM_LOCK_GUID \ + EFI_GUID( 0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 ) + typedef struct { efi_table_hdr_t hdr; u64 fw_vendor; /* physical addr of CHAR16 vendor string */ -- 2.30.2