[PATCH 1/4] efi/stub: Extract efi_get_secureboot() to separate file
We have to call efi_get_secureboot() from early Xen dom0 boot code to properly initialize boot_params.secure_boot. Sadly it lives in the EFI stub. Hence, it is not readily reachable from the kernel proper. So, move efi_get_secureboot() to separate file which can be included from the core kernel code. Subsequent patch will add efi_get_secureboot() call from Xen dom0 boot code. There is no functional change. Signed-off-by: Daniel Kiper--- drivers/firmware/efi/libstub/secureboot-core.c | 77 drivers/firmware/efi/libstub/secureboot.c | 66 +--- 2 files changed, 78 insertions(+), 65 deletions(-) create mode 100644 drivers/firmware/efi/libstub/secureboot-core.c diff --git a/drivers/firmware/efi/libstub/secureboot-core.c b/drivers/firmware/efi/libstub/secureboot-core.c new file mode 100644 index 000..11a4feb --- /dev/null +++ b/drivers/firmware/efi/libstub/secureboot-core.c @@ -0,0 +1,77 @@ +/* + * Secure boot handling. + * + * Copyright (C) 2013,2014 Linaro Limited + * Roy Franz + * Copyright (C) 2013 Red Hat, Inc. + * Mark Salter + * + * This file is part of the Linux kernel, and is made available under the + * terms of the GNU General Public License version 2. + */ + +/* BIOS variables */ +static const efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID; +static const efi_char16_t efi_SecureBoot_name[] = { + 'S', 'e', 'c', 'u', 'r', 'e', 'B', 'o', 'o', 't', 0 +}; +static const efi_char16_t efi_SetupMode_name[] = { + 'S', 'e', 't', 'u', 'p', 'M', 'o', 'd', 'e', 0 +}; + +/* SHIM variables */ +static const efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID; +static const efi_char16_t shim_MokSBState_name[] = { + 'M', 'o', 'k', 'S', 'B', 'S', 't', 'a', 't', 'e', 0 +}; + +/* + * Determine whether we're in secure boot mode. + */ +enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table_arg) +{ + u32 attr; + u8 secboot, setupmode, moksbstate; + unsigned long size; + efi_status_t status; + + size = sizeof(secboot); + status = get_efi_var(efi_SecureBoot_name, _variable_guid, +NULL, , ); + if (status == EFI_NOT_FOUND) + return efi_secureboot_mode_disabled; + if (status != EFI_SUCCESS) + goto out_efi_err; + + size = sizeof(setupmode); + status = get_efi_var(efi_SetupMode_name, _variable_guid, +NULL, , ); + if (status != EFI_SUCCESS) + goto out_efi_err; + + if (secboot == 0 || setupmode == 1) + return efi_secureboot_mode_disabled; + + /* +* See if a user has put the shim into insecure mode. If so, and if the +* variable doesn't have the runtime attribute set, we might as well +* honor that. +*/ + size = sizeof(moksbstate); + status = get_efi_var(shim_MokSBState_name, _guid, +, , ); + + /* If it fails, we don't care why. Default to secure */ + if (status != EFI_SUCCESS) + goto secure_boot_enabled; + if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS) && moksbstate == 1) + return efi_secureboot_mode_disabled; + +secure_boot_enabled: + pr_efi(sys_table_arg, "UEFI Secure Boot is enabled.\n"); + return efi_secureboot_mode_enabled; + +out_efi_err: + pr_efi_err(sys_table_arg, "Could not determine UEFI Secure Boot status.\n"); + return efi_secureboot_mode_unknown; +} diff --git a/drivers/firmware/efi/libstub/secureboot.c b/drivers/firmware/efi/libstub/secureboot.c index 959777e..4a6159f 100644 --- a/drivers/firmware/efi/libstub/secureboot.c +++ b/drivers/firmware/efi/libstub/secureboot.c @@ -14,73 +14,9 @@ #include "efistub.h" -/* BIOS variables */ -static const efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID; -static const efi_char16_t efi_SecureBoot_name[] = { - 'S', 'e', 'c', 'u', 'r', 'e', 'B', 'o', 'o', 't', 0 -}; -static const efi_char16_t efi_SetupMode_name[] = { - 'S', 'e', 't', 'u', 'p', 'M', 'o', 'd', 'e', 0 -}; - -/* SHIM variables */ -static const efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID; -static efi_char16_t const shim_MokSBState_name[] = { - 'M', 'o', 'k', 'S', 'B', 'S', 't', 'a', 't', 'e', 0 -}; - #define get_efi_var(name, vendor, ...) \ efi_call_runtime(get_variable, \ (efi_char16_t *)(name), (efi_guid_t *)(vendor), \ __VA_ARGS__); -/* - * Determine whether we're in secure boot mode. - */ -enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table_arg) -{ - u32 attr; - u8 secboot, setupmode, moksbstate; - unsigned long size; - efi_status_t status; - - size = sizeof(secboot); - status = get_efi_var(efi_SecureBoot_name, _variable_guid, -NULL, , ); - if
[PATCH 1/4] efi/stub: Extract efi_get_secureboot() to separate file
We have to call efi_get_secureboot() from early Xen dom0 boot code to properly initialize boot_params.secure_boot. Sadly it lives in the EFI stub. Hence, it is not readily reachable from the kernel proper. So, move efi_get_secureboot() to separate file which can be included from the core kernel code. Subsequent patch will add efi_get_secureboot() call from Xen dom0 boot code. There is no functional change. Signed-off-by: Daniel Kiper --- drivers/firmware/efi/libstub/secureboot-core.c | 77 drivers/firmware/efi/libstub/secureboot.c | 66 +--- 2 files changed, 78 insertions(+), 65 deletions(-) create mode 100644 drivers/firmware/efi/libstub/secureboot-core.c diff --git a/drivers/firmware/efi/libstub/secureboot-core.c b/drivers/firmware/efi/libstub/secureboot-core.c new file mode 100644 index 000..11a4feb --- /dev/null +++ b/drivers/firmware/efi/libstub/secureboot-core.c @@ -0,0 +1,77 @@ +/* + * Secure boot handling. + * + * Copyright (C) 2013,2014 Linaro Limited + * Roy Franz + * Copyright (C) 2013 Red Hat, Inc. + * Mark Salter + * + * This file is part of the Linux kernel, and is made available under the + * terms of the GNU General Public License version 2. + */ + +/* BIOS variables */ +static const efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID; +static const efi_char16_t efi_SecureBoot_name[] = { + 'S', 'e', 'c', 'u', 'r', 'e', 'B', 'o', 'o', 't', 0 +}; +static const efi_char16_t efi_SetupMode_name[] = { + 'S', 'e', 't', 'u', 'p', 'M', 'o', 'd', 'e', 0 +}; + +/* SHIM variables */ +static const efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID; +static const efi_char16_t shim_MokSBState_name[] = { + 'M', 'o', 'k', 'S', 'B', 'S', 't', 'a', 't', 'e', 0 +}; + +/* + * Determine whether we're in secure boot mode. + */ +enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table_arg) +{ + u32 attr; + u8 secboot, setupmode, moksbstate; + unsigned long size; + efi_status_t status; + + size = sizeof(secboot); + status = get_efi_var(efi_SecureBoot_name, _variable_guid, +NULL, , ); + if (status == EFI_NOT_FOUND) + return efi_secureboot_mode_disabled; + if (status != EFI_SUCCESS) + goto out_efi_err; + + size = sizeof(setupmode); + status = get_efi_var(efi_SetupMode_name, _variable_guid, +NULL, , ); + if (status != EFI_SUCCESS) + goto out_efi_err; + + if (secboot == 0 || setupmode == 1) + return efi_secureboot_mode_disabled; + + /* +* See if a user has put the shim into insecure mode. If so, and if the +* variable doesn't have the runtime attribute set, we might as well +* honor that. +*/ + size = sizeof(moksbstate); + status = get_efi_var(shim_MokSBState_name, _guid, +, , ); + + /* If it fails, we don't care why. Default to secure */ + if (status != EFI_SUCCESS) + goto secure_boot_enabled; + if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS) && moksbstate == 1) + return efi_secureboot_mode_disabled; + +secure_boot_enabled: + pr_efi(sys_table_arg, "UEFI Secure Boot is enabled.\n"); + return efi_secureboot_mode_enabled; + +out_efi_err: + pr_efi_err(sys_table_arg, "Could not determine UEFI Secure Boot status.\n"); + return efi_secureboot_mode_unknown; +} diff --git a/drivers/firmware/efi/libstub/secureboot.c b/drivers/firmware/efi/libstub/secureboot.c index 959777e..4a6159f 100644 --- a/drivers/firmware/efi/libstub/secureboot.c +++ b/drivers/firmware/efi/libstub/secureboot.c @@ -14,73 +14,9 @@ #include "efistub.h" -/* BIOS variables */ -static const efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID; -static const efi_char16_t efi_SecureBoot_name[] = { - 'S', 'e', 'c', 'u', 'r', 'e', 'B', 'o', 'o', 't', 0 -}; -static const efi_char16_t efi_SetupMode_name[] = { - 'S', 'e', 't', 'u', 'p', 'M', 'o', 'd', 'e', 0 -}; - -/* SHIM variables */ -static const efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID; -static efi_char16_t const shim_MokSBState_name[] = { - 'M', 'o', 'k', 'S', 'B', 'S', 't', 'a', 't', 'e', 0 -}; - #define get_efi_var(name, vendor, ...) \ efi_call_runtime(get_variable, \ (efi_char16_t *)(name), (efi_guid_t *)(vendor), \ __VA_ARGS__); -/* - * Determine whether we're in secure boot mode. - */ -enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table_arg) -{ - u32 attr; - u8 secboot, setupmode, moksbstate; - unsigned long size; - efi_status_t status; - - size = sizeof(secboot); - status = get_efi_var(efi_SecureBoot_name, _variable_guid, -NULL, , ); - if (status == EFI_NOT_FOUND) - return