From: David Howells <dhowells@redhat.com> To: ard.biesheuvel@linaro.org Cc: matthew.garrett@nebula.com, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-security-module@vger.kernel.org, Josh Boyer <jwboyer@fedoraproject.org> Subject: [PATCH 2/5] efi: Add EFI_SECURE_BOOT bit Date: Thu, 06 Apr 2017 13:50:05 +0100 [thread overview] Message-ID: <149148300512.3427.7213689013157799404.stgit@warthog.procyon.org.uk> (raw) In-Reply-To: <149148299794.3427.549144000807596903.stgit@warthog.procyon.org.uk> From: Josh Boyer <jwboyer@fedoraproject.org> UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit that can be passed to efi_enabled() to find out whether secure boot is enabled. This will be used by the SysRq+x handler, registered by the x86 arch, to find out whether secure boot mode is enabled so that it can be disabled. Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> Signed-off-by: David Howells <dhowells@redhat.com> cc: linux-efi@vger.kernel.org --- drivers/firmware/efi/secure_boot.c | 1 + include/linux/efi.h | 1 + 2 files changed, 2 insertions(+) diff --git a/drivers/firmware/efi/secure_boot.c b/drivers/firmware/efi/secure_boot.c index cf5bccae15e8..730518061a14 100644 --- a/drivers/firmware/efi/secure_boot.c +++ b/drivers/firmware/efi/secure_boot.c @@ -24,6 +24,7 @@ void __init efi_set_secure_boot(enum efi_secureboot_mode mode) pr_info("Secure boot disabled\n"); break; case efi_secureboot_mode_enabled: + set_bit(EFI_SECURE_BOOT, &efi.flags); pr_info("Secure boot enabled\n"); break; default: diff --git a/include/linux/efi.h b/include/linux/efi.h index d8938a780290..536a10111bde 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -1069,6 +1069,7 @@ extern int __init efi_setup_pcdp_console(char *); #define EFI_DBG 8 /* Print additional debug info at runtime */ #define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */ #define EFI_MEM_ATTR 10 /* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */ +#define EFI_SECURE_BOOT 11 /* Are we in Secure Boot mode? */ #ifdef CONFIG_EFI /*
WARNING: multiple messages have this Message-ID (diff)
From: dhowells@redhat.com (David Howells) To: linux-security-module@vger.kernel.org Subject: [PATCH 2/5] efi: Add EFI_SECURE_BOOT bit Date: Thu, 06 Apr 2017 13:50:05 +0100 [thread overview] Message-ID: <149148300512.3427.7213689013157799404.stgit@warthog.procyon.org.uk> (raw) In-Reply-To: <149148299794.3427.549144000807596903.stgit@warthog.procyon.org.uk> From: Josh Boyer <jwboyer@fedoraproject.org> UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit that can be passed to efi_enabled() to find out whether secure boot is enabled. This will be used by the SysRq+x handler, registered by the x86 arch, to find out whether secure boot mode is enabled so that it can be disabled. Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> Signed-off-by: David Howells <dhowells@redhat.com> cc: linux-efi at vger.kernel.org --- drivers/firmware/efi/secure_boot.c | 1 + include/linux/efi.h | 1 + 2 files changed, 2 insertions(+) diff --git a/drivers/firmware/efi/secure_boot.c b/drivers/firmware/efi/secure_boot.c index cf5bccae15e8..730518061a14 100644 --- a/drivers/firmware/efi/secure_boot.c +++ b/drivers/firmware/efi/secure_boot.c @@ -24,6 +24,7 @@ void __init efi_set_secure_boot(enum efi_secureboot_mode mode) pr_info("Secure boot disabled\n"); break; case efi_secureboot_mode_enabled: + set_bit(EFI_SECURE_BOOT, &efi.flags); pr_info("Secure boot enabled\n"); break; default: diff --git a/include/linux/efi.h b/include/linux/efi.h index d8938a780290..536a10111bde 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -1069,6 +1069,7 @@ extern int __init efi_setup_pcdp_console(char *); #define EFI_DBG 8 /* Print additional debug info at runtime */ #define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */ #define EFI_MEM_ATTR 10 /* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */ +#define EFI_SECURE_BOOT 11 /* Are we in Secure Boot mode? */ #ifdef CONFIG_EFI /* -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-04-06 12:51 UTC|newest] Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top 2017-04-06 12:49 [PATCH 1/5] efi: Move the x86 secure boot switch to generic code David Howells 2017-04-06 12:49 ` David Howells 2017-04-06 12:49 ` David Howells 2017-04-06 12:50 ` David Howells [this message] 2017-04-06 12:50 ` [PATCH 2/5] efi: Add EFI_SECURE_BOOT bit David Howells 2017-04-06 12:50 ` [PATCH 3/5] Add the ability to lock down access to the running kernel image David Howells 2017-04-06 12:50 ` David Howells 2017-04-06 22:45 ` James Morris 2017-04-06 22:45 ` James Morris 2017-04-06 22:45 ` James Morris 2017-04-06 12:50 ` [PATCH 4/5] efi: Lock down the kernel if booted in secure boot mode David Howells 2017-04-06 12:50 ` David Howells 2017-04-06 12:50 ` [PATCH 5/5] Add a sysrq option to exit " David Howells 2017-04-06 12:50 ` David Howells 2017-04-06 12:50 ` David Howells 2017-04-06 12:54 ` [PATCH 1/5] efi: Move the x86 secure boot switch to generic code David Howells 2017-04-06 12:54 ` David Howells 2017-05-02 9:28 ` David Howells 2017-05-02 9:28 ` David Howells 2017-05-02 9:28 ` David Howells 2017-05-19 14:00 ` Ard Biesheuvel 2017-05-19 14:00 ` Ard Biesheuvel 2017-05-19 14:00 ` Ard Biesheuvel 2017-05-24 13:54 ` David Howells 2017-05-24 13:54 ` David Howells 2017-05-24 14:04 ` Ard Biesheuvel 2017-05-24 14:04 ` Ard Biesheuvel 2017-05-24 14:04 ` Ard Biesheuvel 2017-05-24 14:45 [PATCH 0/5] security, efi: Set lockdown if in secure boot mode David Howells 2017-05-24 14:45 ` [PATCH 2/5] efi: Add EFI_SECURE_BOOT bit David Howells 2017-05-24 14:45 ` David Howells 2017-05-24 14:45 ` David Howells 2017-05-26 8:06 ` joeyli 2017-05-26 8:06 ` joeyli
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=149148300512.3427.7213689013157799404.stgit@warthog.procyon.org.uk \ --to=dhowells@redhat.com \ --cc=ard.biesheuvel@linaro.org \ --cc=jwboyer@fedoraproject.org \ --cc=linux-efi@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=matthew.garrett@nebula.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.