[PATCH v2 4/6] efi_loader: correct secure boot state transition

Thu, 26 Aug 2021 06:48:51 -0700 

Variable PK must be deleted when switching either to setup mode or to audit
mode.
Variable AuditMode must be writable in setup mode and user mode.
Variable DeployedMode must only be writable in user mode; simplify the
logic.

Signed-off-by: Heinrich Schuchardt <heinrich.schucha...@canonical.com>
---
v2:
        no change
---
 lib/efi_loader/efi_var_common.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/lib/efi_loader/efi_var_common.c b/lib/efi_loader/efi_var_common.c
index b0c5b672c5..63ad6fea9e 100644
--- a/lib/efi_loader/efi_var_common.c
+++ b/lib/efi_loader/efi_var_common.c
@@ -240,7 +240,7 @@ static efi_status_t efi_set_secure_state(u8 secure_boot, u8 
setup_mode,
                goto err;
 
        ret = efi_set_variable_int(L"AuditMode", &efi_global_variable_guid,
-                                  audit_mode || setup_mode ?
+                                  audit_mode || deployed_mode ?
                                   attributes_ro : attributes_rw,
                                   sizeof(audit_mode), &audit_mode, false);
        if (ret != EFI_SUCCESS)
@@ -248,7 +248,7 @@ static efi_status_t efi_set_secure_state(u8 secure_boot, u8 
setup_mode,
 
        ret = efi_set_variable_int(L"DeployedMode",
                                   &efi_global_variable_guid,
-                                  audit_mode || deployed_mode || setup_mode ?
+                                  deployed_mode || setup_mode ?
                                   attributes_ro : attributes_rw,
                                   sizeof(deployed_mode), &deployed_mode,
                                   false);
@@ -273,17 +273,20 @@ static efi_status_t efi_transfer_secure_state(enum 
efi_secure_mode mode)
        EFI_PRINT("Switching secure state from %d to %d\n", efi_secure_mode,
                  mode);
 
-       if (mode == EFI_MODE_DEPLOYED) {
-               ret = efi_set_secure_state(1, 0, 0, 1);
-               if (ret != EFI_SUCCESS)
-                       goto err;
-       } else if (mode == EFI_MODE_AUDIT) {
+       if (mode == EFI_MODE_SETUP || mode == EFI_MODE_AUDIT) {
                ret = efi_set_variable_int(L"PK", &efi_global_variable_guid,
                                           EFI_VARIABLE_BOOTSERVICE_ACCESS |
                                           EFI_VARIABLE_RUNTIME_ACCESS,
                                           0, NULL, false);
+               if (ret != EFI_NOT_FOUND && ret != EFI_SUCCESS)
+                       goto err;
+       }
+
+       if (mode == EFI_MODE_DEPLOYED) {
+               ret = efi_set_secure_state(1, 0, 0, 1);
                if (ret != EFI_SUCCESS)
                        goto err;
+       } else if (mode == EFI_MODE_AUDIT) {
 
                ret = efi_set_secure_state(0, 1, 1, 0);
                if (ret != EFI_SUCCESS)
-- 
2.30.2

Reply via email to