efi: Disable secure boot if shim is in insecure mode
authorJosh Boyer <jwboyer@fedoraproject.org>
Wed, 6 Feb 2013 00:25:05 +0000 (19:25 -0500)
committerYves-Alexis Perez <corsac@debian.org>
Fri, 9 Feb 2018 12:58:52 +0000 (12:58 +0000)
A user can manually tell the shim boot loader to disable validation of
images it loads.  When a user does this, it creates a UEFI variable called
MokSBState that does not have the runtime attribute set.  Given that the
user explicitly disabled validation, we can honor that and not enable
secure boot mode if that variable is set.

Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Gbp-Pq: Topic features/all/securelevel
Gbp-Pq: Name efi-disable-secure-boot-if-shim-is-in-insecure-mode.patch

arch/x86/boot/compressed/eboot.c
include/linux/efi.h

index 4a7d64ef72689a06fbd239dd7c7fa7b6f4603268..e042f00cd9f7b5adbf373c1ce0fac494de02ca60 100644 (file)
@@ -713,8 +713,9 @@ void setup_graphics(struct boot_params *boot_params)
 
 static int get_secure_boot(void)
 {
-       u8 sb, setup;
+       u8 sb, setup, moksbstate;
        unsigned long datasize = sizeof(sb);
+       u32 attr;
        efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
        efi_status_t status;
 
@@ -738,6 +739,23 @@ static int get_secure_boot(void)
        if (setup == 1)
                return 0;
 
+       /* See if a user has put shim into insecure_mode.  If so, and the variable
+        * doesn't have the runtime attribute set, we might as well honor that.
+        */
+       var_guid = EFI_SHIM_LOCK_GUID;
+       status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
+                               L"MokSBState", &var_guid, &attr, &datasize,
+                               &moksbstate);
+
+       /* If it fails, we don't care why.  Default to secure */
+       if (status != EFI_SUCCESS)
+               return 1;
+
+       if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
+               if (moksbstate == 1)
+                       return 0;
+       }
+
        return 1;
 }
 
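Review bot: The new get_variable call reuses `datasize`, which was set to `sizeof(sb)` at the top of the function and then passed through the earlier SecureBoot/SetupMode reads; GetVariable rewrites that size on return, so this read silently depends on those calls having returned exactly one byte. Resetting it right before the call, `datasize = sizeof(moksbstate);`, makes the read independent of what preceded it (the start of get_secure_boot and the earlier reads are in the previous hunk). The block comment says "we might as well honor that" but not why the attribute matters; I would state the trust argument, e.g. `/* A variable without EFI_VARIABLE_RUNTIME_ACCESS is invisible after ExitBootServices, so only boot-time code (shim's MokManager) can have set it; a runtime-accessible one is ignored. */`. The nested test can also collapse to `if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS) && moksbstate == 1) return 0;`.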
index cba7177cbec74ec682f70b667d5d133cbe184138..b020dd370d3271cd205f4172980eac9fd2b6a4f1 100644 (file)
@@ -631,6 +631,9 @@ typedef struct {
 #define EFI_1_10_SYSTEM_TABLE_REVISION  ((1 << 16) | (10))
 #define EFI_1_02_SYSTEM_TABLE_REVISION  ((1 << 16) | (02))
 
+#define EFI_SHIM_LOCK_GUID \
+    EFI_GUID(  0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 )
+
 typedef struct {
        efi_table_hdr_t hdr;
        u64 fw_vendor;  /* physical addr of CHAR16 vendor string */
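Review bot: The new EFI_SHIM_LOCK_GUID definition is indented with four spaces and has padding inside the parentheses, unlike the surrounding tab-indented macros in this header. I would write the continuation as `	EFI_GUID(0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23)` with a tab, and precede the define with a short comment such as `/* Vendor GUID of shim's MokSBState variable, read by get_secure_boot() */` so readers of efi.h know where the constant is consumed.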