* [PATCH] efi: libstub: treat missing SecureBoot/SetupMode vars as SB disabled
@ 2017-02-16 17:56 Ard Biesheuvel
From: Ard Biesheuvel @ 2017-02-16 17:56 UTC (permalink / raw)
  To: linux-efi-u79uwXL29TY76Z2rM5mHXA, dhowells-H+wXaHxf7aLQT0dZR+AlfA
  Cc: matt-mF/unelCI9GS6iBeEJttW/XRex20P6io,
	jwboyer-rxtnV0ftBwyoClj4AeEUq9i2O/JbrIOy, Ard Biesheuvel

The newly refactored code that infers the firmware's Secure Boot state
prints the following error when the variables 'SecureBoot' or 'SetupMode'
are missing.

  EFI stub: ERROR: Could not determine UEFI Secure Boot status.

However, these variables are only guaranteed to be defined on a system
that is Secure Boot capable to begin with, and so it is not an error if
they are missing. So report Secure Boot as disabled in this case, without
printing any error messages.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
---
 drivers/firmware/efi/libstub/secureboot.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/firmware/efi/libstub/secureboot.c b/drivers/firmware/efi/libstub/secureboot.c
index 766ac06dac84..1987410e8242 100644
--- a/drivers/firmware/efi/libstub/secureboot.c
+++ b/drivers/firmware/efi/libstub/secureboot.c
@@ -47,12 +47,16 @@ enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table_arg)
 	size = sizeof(secboot);
 	status = get_efi_var(efi_SecureBoot_name, &efi_variable_guid,
 			     NULL, &size, &secboot);
+	if (status == EFI_NOT_FOUND)
+		return efi_secureboot_mode_disabled;
 	if (status != EFI_SUCCESS)
 		goto out_efi_err;
 
 	size = sizeof(setupmode);
 	status = get_efi_var(efi_SetupMode_name, &efi_variable_guid,
 			     NULL, &size, &setupmode);
+	if (status == EFI_NOT_FOUND)
+		return efi_secureboot_mode_disabled;
 	if (status != EFI_SUCCESS)
 		goto out_efi_err;
 
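Review bot: the second EFI_NOT_FOUND check, the one after the SetupMode read, returns efi_secureboot_mode_disabled even though SecureBoot has just been read successfully, so the value in secboot is discarded and firmware that exposes SecureBoot but not SetupMode is reported as disabled. That is an inconsistent variable set rather than a system without Secure Boot support, and "disabled" is the less conservative of the two possible answers. Suggest keeping the early return only for the SecureBoot read and letting a missing SetupMode fall through to the existing "if (status != EFI_SUCCESS) goto out_efi_err;", which returns efi_secureboot_mode_unknown once the second hunk is applied.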
@@ -80,7 +84,5 @@ enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table_arg)
 
 out_efi_err:
 	pr_efi_err(sys_table_arg, "Could not determine UEFI Secure Boot status.\n");
-	if (status == EFI_NOT_FOUND)
-		return efi_secureboot_mode_disabled;
 	return efi_secureboot_mode_unknown;
 }
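Review bot: dropping the EFI_NOT_FOUND fallback from out_efi_err changes the result for every "goto out_efi_err", not only for the two reads patched in the first hunk. The lines between the two hunks are not shown here; if any lookup there can fail with EFI_NOT_FOUND, it now returns efi_secureboot_mode_unknown where it previously returned efi_secureboot_mode_disabled. Worth confirming that this is intended and stating it in the commit message.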
-- 
2.7.4


* Re: [PATCH] efi: libstub: treat missing SecureBoot/SetupMode vars as SB disabled
@ 2017-02-16 17:59   ` Ard Biesheuvel
From: Ard Biesheuvel @ 2017-02-16 17:59 UTC (permalink / raw)
  To: linux-efi-u79uwXL29TY76Z2rM5mHXA, David Howells
  Cc: Matt Fleming, Josh Boyer, Ard Biesheuvel

On 16 February 2017 at 17:56, Ard Biesheuvel <ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org> wrote:
> The newly refactored code that infers the firmware's Secure Boot state
> prints the following error when the variables 'SecureBoot' or 'SetupMode'
> are missing.
>
>   EFI stub: ERROR: Could not determine UEFI Secure Boot status.
>
> However, these variables are only guaranteed to be defined on a system
> that is Secure Boot capable to begin with, and so it is not an error if
> they are missing. So report Secure Boot as disabled in this case, without
> printing any error messages.
>
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
> ---
>  drivers/firmware/efi/libstub/secureboot.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/firmware/efi/libstub/secureboot.c b/drivers/firmware/efi/libstub/secureboot.c
> index 766ac06dac84..1987410e8242 100644
> --- a/drivers/firmware/efi/libstub/secureboot.c
> +++ b/drivers/firmware/efi/libstub/secureboot.c
> @@ -47,12 +47,16 @@ enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table_arg)
>         size = sizeof(secboot);
>         status = get_efi_var(efi_SecureBoot_name, &efi_variable_guid,
>                              NULL, &size, &secboot);
> +       if (status == EFI_NOT_FOUND)
> +               return efi_secureboot_mode_disabled;
>         if (status != EFI_SUCCESS)
>                 goto out_efi_err;
>
>         size = sizeof(setupmode);
>         status = get_efi_var(efi_SetupMode_name, &efi_variable_guid,
>                              NULL, &size, &setupmode);
> +       if (status == EFI_NOT_FOUND)
> +               return efi_secureboot_mode_disabled;

Hmm, I hit 'send' a little quick: if SecureBoot exists and SetupMode
doesn't, I think we are in a situation where we should report
'unknown' rather than disabled.

>         if (status != EFI_SUCCESS)
>                 goto out_efi_err;
>
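Review bot: the two early returns on EFI_NOT_FOUND carry no comment, so the reason they are not treated as errors lives only in the commit message. A one-line comment above the SecureBoot check, saying that the variable is only guaranteed to be defined on Secure Boot capable firmware, would keep a later cleanup from folding the case back into out_efi_err.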
> @@ -80,7 +84,5 @@ enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table_arg)
>
>  out_efi_err:
>         pr_efi_err(sys_table_arg, "Could not determine UEFI Secure Boot status.\n");
> -       if (status == EFI_NOT_FOUND)
> -               return efi_secureboot_mode_disabled;
>         return efi_secureboot_mode_unknown;
>  }
> --
> 2.7.4
>
