Writing the variables AuditMode or DeployedMode must update the secure boot
state.

Signed-off-by: Heinrich Schuchardt <heinrich.schucha...@canonical.com>
---
v2:
        correct variable name in lib/efi_loader/efi_variable_tee.c
---
 include/efi_variable.h            | 1 +
 lib/efi_loader/efi_var_common.c   | 2 ++
 lib/efi_loader/efi_variable.c     | 6 +++---
 lib/efi_loader/efi_variable_tee.c | 4 +++-
 4 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/include/efi_variable.h b/include/efi_variable.h
index 2d97655e1f..0440d356bc 100644
--- a/include/efi_variable.h
+++ b/include/efi_variable.h
@@ -12,6 +12,7 @@
 
 enum efi_auth_var_type {
        EFI_AUTH_VAR_NONE = 0,
+       EFI_AUTH_MODE,
        EFI_AUTH_VAR_PK,
        EFI_AUTH_VAR_KEK,
        EFI_AUTH_VAR_DB,
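Review bot: The new enumerator is placed between EFI_AUTH_VAR_NONE and EFI_AUTH_VAR_PK because lib/efi_loader/efi_variable.c now decides with `var_type >= EFI_AUTH_VAR_PK` whether a write must be authenticated, so the declaration order has become a hidden invariant that nothing in the header states. Add a comment on the new line, e.g. `EFI_AUTH_MODE, /* keep before EFI_AUTH_VAR_PK: types >= EFI_AUTH_VAR_PK require authenticated writes */`. The name also drops the EFI_AUTH_VAR_ prefix every other member carries; a name such as EFI_AUTH_VAR_MODE would keep the enum uniform.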
diff --git a/lib/efi_loader/efi_var_common.c b/lib/efi_loader/efi_var_common.c
index 63ad6fea9e..6fabcfe72c 100644
--- a/lib/efi_loader/efi_var_common.c
+++ b/lib/efi_loader/efi_var_common.c
@@ -34,6 +34,8 @@ static const struct efi_auth_var_name_type name_type[] = {
        {u"dbx",  &efi_guid_image_security_database, EFI_AUTH_VAR_DBX},
        {u"dbt",  &efi_guid_image_security_database, EFI_AUTH_VAR_DBT},
        {u"dbr",  &efi_guid_image_security_database, EFI_AUTH_VAR_DBR},
+       {u"AuditMode", &efi_global_variable_guid, EFI_AUTH_MODE},
+       {u"DeployedMode", &efi_global_variable_guid, EFI_AUTH_MODE},
 };
 
 static bool efi_secure_boot;
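Review bot: The two new rows break the column alignment the rest of the table keeps (`{u"dbx",  &efi_guid_image_security_database, EFI_AUTH_VAR_DBX},`), which makes the GUID column harder to scan; pad the name field the same way as the existing entries. Mapping both names to the single EFI_AUTH_MODE type is fine for the callers in this series, but it means nothing downstream can distinguish AuditMode from DeployedMode through the type alone.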
diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c
index a7d305ffbc..80996d0f47 100644
--- a/lib/efi_loader/efi_variable.c
+++ b/lib/efi_loader/efi_variable.c
@@ -247,7 +247,7 @@ efi_status_t efi_set_variable_int(u16 *variable_name, const 
efi_guid_t *vendor,
                        return EFI_WRITE_PROTECTED;
 
                if (IS_ENABLED(CONFIG_EFI_VARIABLES_PRESEED)) {
-                       if (var_type != EFI_AUTH_VAR_NONE)
+                       if (var_type >= EFI_AUTH_VAR_PK)
                                return EFI_WRITE_PROTECTED;
                }
 
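Review bot: Changing the guard on the PRESEED path at line 50, and the matching one in the @@ -268 hunk, from `!= EFI_AUTH_VAR_NONE` to `>= EFI_AUTH_VAR_PK` makes AuditMode and DeployedMode writable without a time-based authenticated payload and, with CONFIG_EFI_VARIABLES_PRESEED, no longer write-protected. That matches their definition as non-authenticated global variables, but the UEFI specification only allows AuditMode to be set while in setup mode and DeployedMode while in user mode, with a one-byte value of 0 or 1; nothing in these hunks validates the payload or the current mode before the value is stored, so unless efi_init_secure_state() (outside the hunk) rejects or reverts an invalid transition, the mode can be changed without the constraints the specification imposes. Consider rejecting, before the write, a payload that is not a single byte 0 or 1 and a transition the current mode does not permit, returning EFI_WRITE_PROTECTED as the specification prescribes. Document the comparison as well, e.g. `/* EFI_AUTH_VAR_PK and later require an authenticated write */`. efi_set_variable_int() starts and ends outside the hunk.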
@@ -268,7 +268,7 @@ efi_status_t efi_set_variable_int(u16 *variable_name, const 
efi_guid_t *vendor,
                        return EFI_NOT_FOUND;
        }
 
-       if (var_type != EFI_AUTH_VAR_NONE) {
+       if (var_type >= EFI_AUTH_VAR_PK) {
                /* authentication is mandatory */
                if (!(attributes &
                      EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)) {
@@ -328,7 +328,7 @@ efi_status_t efi_set_variable_int(u16 *variable_name, const 
efi_guid_t *vendor,
        if (ret != EFI_SUCCESS)
                return ret;
 
-       if (var_type == EFI_AUTH_VAR_PK)
+       if (var_type == EFI_AUTH_VAR_PK || var_type == EFI_AUTH_MODE)
                ret = efi_init_secure_state();
        else
                ret = EFI_SUCCESS;
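Review bot: The predicate `var_type == EFI_AUTH_VAR_PK || var_type == EFI_AUTH_MODE` at line 70 is repeated verbatim in the lib/efi_loader/efi_variable_tee.c hunk, so the two variable backends will drift the next time a variable has to refresh the secure-boot state. A small helper in include/efi_variable.h, e.g. `static inline bool efi_auth_var_updates_secure_state(enum efi_auth_var_type t) { return t == EFI_AUTH_VAR_PK || t == EFI_AUTH_MODE; }`, keeps the rule in one place for both callers. efi_set_variable_int() continues past the hunk.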
diff --git a/lib/efi_loader/efi_variable_tee.c 
b/lib/efi_loader/efi_variable_tee.c
index 51920bcb51..a6d5752045 100644
--- a/lib/efi_loader/efi_variable_tee.c
+++ b/lib/efi_loader/efi_variable_tee.c
@@ -512,6 +512,7 @@ efi_status_t efi_set_variable_int(u16 *variable_name, const 
efi_guid_t *vendor,
        efi_uintn_t payload_size;
        efi_uintn_t name_size;
        u8 *comm_buf = NULL;
+       enum efi_auth_var_type var_type;
        bool ro;
 
        if (!variable_name || variable_name[0] == 0 || !vendor) {
@@ -590,7 +591,8 @@ efi_status_t efi_set_variable_int(u16 *variable_name, const 
efi_guid_t *vendor,
        if (alt_ret != EFI_SUCCESS)
                goto out;
 
-       if (!u16_strcmp(variable_name, L"PK"))
+       var_type = efi_auth_var_get_type(variable_name, vendor);
+       if (var_type == EFI_AUTH_VAR_PK || var_type == EFI_AUTH_MODE)
                alt_ret = efi_init_secure_state();
 out:
        free(comm_buf);
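Review bot: Replacing `u16_strcmp(variable_name, L"PK")` with a lookup through efi_auth_var_get_type() also makes the match depend on the vendor GUID, since the name_type table keys every entry with a GUID, so a variable named PK under a different GUID no longer triggers efi_init_secure_state(); that is a behaviour change the commit message should mention, presumably intended since the old check ignored the namespace. The value returned by efi_init_secure_state() is assigned to alt_ret but the hunk ends before it is consumed; the enclosing efi_set_variable_int() starts and ends outside the hunk.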
-- 
2.30.2
