From: David Howells <dhowells@redhat.com>
To: ard.biesheuvel@linaro.org
Cc: matthew.garrett@nebula.com, linux-efi@vger.kernel.org,
linux-kernel@vger.kernel.org, dhowells@redhat.com,
linux-security-module@vger.kernel.org,
Josh Boyer <jwboyer@fedoraproject.org>
Subject: [PATCH 2/5] efi: Add EFI_SECURE_BOOT bit
Date: Thu, 06 Apr 2017 13:50:05 +0100 [thread overview]
Message-ID: <149148300512.3427.7213689013157799404.stgit@warthog.procyon.org.uk> (raw)
In-Reply-To: <149148299794.3427.549144000807596903.stgit@warthog.procyon.org.uk>
From: Josh Boyer <jwboyer@fedoraproject.org>
UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit
that can be passed to efi_enabled() to find out whether secure boot is
enabled.
This will be used by the SysRq+x handler, registered by the x86 arch, to
find out whether secure boot mode is enabled so that it can be disabled.
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: linux-efi@vger.kernel.org
---
drivers/firmware/efi/secure_boot.c | 1 +
include/linux/efi.h | 1 +
2 files changed, 2 insertions(+)
diff --git a/drivers/firmware/efi/secure_boot.c b/drivers/firmware/efi/secure_boot.c
index cf5bccae15e8..730518061a14 100644
--- a/drivers/firmware/efi/secure_boot.c
+++ b/drivers/firmware/efi/secure_boot.c
@@ -24,6 +24,7 @@ void __init efi_set_secure_boot(enum efi_secureboot_mode mode)
pr_info("Secure boot disabled\n");
break;
case efi_secureboot_mode_enabled:
+ set_bit(EFI_SECURE_BOOT, &efi.flags);
pr_info("Secure boot enabled\n");
break;
default:
diff --git a/include/linux/efi.h b/include/linux/efi.h
index d8938a780290..536a10111bde 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -1069,6 +1069,7 @@ extern int __init efi_setup_pcdp_console(char *);
#define EFI_DBG 8 /* Print additional debug info at runtime */
#define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */
#define EFI_MEM_ATTR 10 /* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */
+#define EFI_SECURE_BOOT 11 /* Are we in Secure Boot mode? */
#ifdef CONFIG_EFI
/*
WARNING: multiple messages have this Message-ID (diff)
From: dhowells@redhat.com (David Howells)
To: linux-security-module@vger.kernel.org
Subject: [PATCH 2/5] efi: Add EFI_SECURE_BOOT bit
Date: Thu, 06 Apr 2017 13:50:05 +0100 [thread overview]
Message-ID: <149148300512.3427.7213689013157799404.stgit@warthog.procyon.org.uk> (raw)
In-Reply-To: <149148299794.3427.549144000807596903.stgit@warthog.procyon.org.uk>
From: Josh Boyer <jwboyer@fedoraproject.org>
UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit
that can be passed to efi_enabled() to find out whether secure boot is
enabled.
This will be used by the SysRq+x handler, registered by the x86 arch, to
find out whether secure boot mode is enabled so that it can be disabled.
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: linux-efi at vger.kernel.org
---
drivers/firmware/efi/secure_boot.c | 1 +
include/linux/efi.h | 1 +
2 files changed, 2 insertions(+)
diff --git a/drivers/firmware/efi/secure_boot.c b/drivers/firmware/efi/secure_boot.c
index cf5bccae15e8..730518061a14 100644
--- a/drivers/firmware/efi/secure_boot.c
+++ b/drivers/firmware/efi/secure_boot.c
@@ -24,6 +24,7 @@ void __init efi_set_secure_boot(enum efi_secureboot_mode mode)
pr_info("Secure boot disabled\n");
break;
case efi_secureboot_mode_enabled:
+ set_bit(EFI_SECURE_BOOT, &efi.flags);
pr_info("Secure boot enabled\n");
break;
default:
diff --git a/include/linux/efi.h b/include/linux/efi.h
index d8938a780290..536a10111bde 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -1069,6 +1069,7 @@ extern int __init efi_setup_pcdp_console(char *);
#define EFI_DBG 8 /* Print additional debug info at runtime */
#define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */
#define EFI_MEM_ATTR 10 /* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */
+#define EFI_SECURE_BOOT 11 /* Are we in Secure Boot mode? */
#ifdef CONFIG_EFI
/*
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-04-06 12:51 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-06 12:49 [PATCH 1/5] efi: Move the x86 secure boot switch to generic code David Howells
2017-04-06 12:49 ` David Howells
2017-04-06 12:49 ` David Howells
2017-04-06 12:50 ` David Howells [this message]
2017-04-06 12:50 ` [PATCH 2/5] efi: Add EFI_SECURE_BOOT bit David Howells
2017-04-06 12:50 ` [PATCH 3/5] Add the ability to lock down access to the running kernel image David Howells
2017-04-06 12:50 ` David Howells
2017-04-06 22:45 ` James Morris
2017-04-06 22:45 ` James Morris
2017-04-06 22:45 ` James Morris
2017-04-06 12:50 ` [PATCH 4/5] efi: Lock down the kernel if booted in secure boot mode David Howells
2017-04-06 12:50 ` David Howells
2017-04-06 12:50 ` [PATCH 5/5] Add a sysrq option to exit " David Howells
2017-04-06 12:50 ` David Howells
2017-04-06 12:50 ` David Howells
2017-04-06 12:54 ` [PATCH 1/5] efi: Move the x86 secure boot switch to generic code David Howells
2017-04-06 12:54 ` David Howells
2017-05-02 9:28 ` David Howells
2017-05-02 9:28 ` David Howells
2017-05-02 9:28 ` David Howells
2017-05-19 14:00 ` Ard Biesheuvel
2017-05-19 14:00 ` Ard Biesheuvel
2017-05-19 14:00 ` Ard Biesheuvel
2017-05-24 13:54 ` David Howells
2017-05-24 13:54 ` David Howells
2017-05-24 14:04 ` Ard Biesheuvel
2017-05-24 14:04 ` Ard Biesheuvel
2017-05-24 14:04 ` Ard Biesheuvel
2017-05-24 14:45 [PATCH 0/5] security, efi: Set lockdown if in secure boot mode David Howells
2017-05-24 14:45 ` [PATCH 2/5] efi: Add EFI_SECURE_BOOT bit David Howells
2017-05-24 14:45 ` David Howells
2017-05-24 14:45 ` David Howells
2017-05-26 8:06 ` joeyli
2017-05-26 8:06 ` joeyli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=149148300512.3427.7213689013157799404.stgit@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=ard.biesheuvel@linaro.org \
--cc=jwboyer@fedoraproject.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matthew.garrett@nebula.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.