From: Daniel Kiper <daniel.kiper@oracle.com>
To: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: jgross@suse.com, eric.snowberg@oracle.com,
linux-efi@vger.kernel.org, ard.biesheuvel@linaro.org,
x86@kernel.org, linux-kernel@vger.kernel.org, mingo@redhat.com,
hpa@zytor.com, xen-devel@lists.xenproject.org,
boris.ostrovsky@oracle.com, tglx@linutronix.de
Subject: Re: [PATCH v2] x86/xen/efi: Initialize UEFI secure boot state during dom0 boot
Date: Tue, 3 Apr 2018 18:07:12 +0200 [thread overview]
Message-ID: <20180403160712.GL26100__29995.4950264238$1522771599$gmane$org@olila.local.net-space.pl> (raw)
In-Reply-To: <1522770281.4522.14.camel@HansenPartnership.com>
On Tue, Apr 03, 2018 at 08:44:41AM -0700, James Bottomley wrote:
> On Tue, 2018-04-03 at 16:39 +0200, Daniel Kiper wrote:
> > Initialize UEFI secure boot state during dom0 boot. Otherwise the
> > kernel
> > may not even know that it runs on secure boot enabled platform.
> >
> > Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
> > ---
> > arch/x86/xen/efi.c | 57
> > +++++++++++++++++++++++++++++
> > drivers/firmware/efi/libstub/secureboot.c | 3 ++
> > 2 files changed, 60 insertions(+)
> >
> > diff --git a/arch/x86/xen/efi.c b/arch/x86/xen/efi.c
> > index a18703b..1804b27 100644
> > --- a/arch/x86/xen/efi.c
> > +++ b/arch/x86/xen/efi.c
> > @@ -115,6 +115,61 @@ static efi_system_table_t __init
> > *xen_efi_probe(void)
> > return &efi_systab_xen;
> > }
> >
> > +/*
> > + * Determine whether we're in secure boot mode.
> > + *
> > + * Please keep the logic in sync with
> > + * drivers/firmware/efi/libstub/secureboot.c:efi_get_secureboot().
> > + */
> > +static enum efi_secureboot_mode xen_efi_get_secureboot(void)
> > +{
> > + static efi_guid_t efi_variable_guid =
> > EFI_GLOBAL_VARIABLE_GUID;
> > + static efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID;
> > + efi_status_t status;
> > + u8 moksbstate, secboot, setupmode;
> > + unsigned long size;
> > +
> > + size = sizeof(secboot);
> > + status = efi.get_variable(L"SecureBoot", &efi_variable_guid,
> > + NULL, &size, &secboot);
> > +
> > + if (status == EFI_NOT_FOUND)
> > + return efi_secureboot_mode_disabled;
> > +
> > + if (status != EFI_SUCCESS)
> > + goto out_efi_err;
> > +
> > + size = sizeof(setupmode);
> > + status = efi.get_variable(L"SetupMode", &efi_variable_guid,
> > + NULL, &size, &setupmode);
> > +
> > + if (status != EFI_SUCCESS)
> > + goto out_efi_err;
> > +
> > + if (secboot == 0 || setupmode == 1)
> > + return efi_secureboot_mode_disabled;
> > +
> > + /* See if a user has put the shim into insecure mode. */
> > + size = sizeof(moksbstate);
> > + status = efi.get_variable(L"MokSBStateRT", &shim_guid,
> > + NULL, &size, &moksbstate);
> > +
> > + /* If it fails, we don't care why. Default to secure. */
> > + if (status != EFI_SUCCESS)
> > + goto secure_boot_enabled;
> > +
> > + if (moksbstate == 1)
> > + return efi_secureboot_mode_disabled;
> > +
> > + secure_boot_enabled:
> > + pr_info("UEFI Secure Boot is enabled.\n");
> > + return efi_secureboot_mode_enabled;
> > +
> > + out_efi_err:
> > + pr_err("Could not determine UEFI Secure Boot status.\n");
> > + return efi_secureboot_mode_unknown;
> > +}
> > +
>
> This looks like a bad idea: you're duplicating the secure boot check in
>
> drivers/firmware/efi/libstub/secureboot.c
>
> Which is an implementation of policy. If we have to have policy in the
> kernel, it should really only be in one place to prevent drift; why
> can't you simply use the libstub efi_get_secureboot() so we're not
> duplicating the implementation of policy?
Well, here is the first version of this patch: https://lkml.org/lkml/2018/1/9/496
Ard did not like it. I was not happy too. In general both approaches are not perfect.
More you can find in the discussion around this patchset. If you have better idea
how to do that I am happy to implement it.
Daniel
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
next prev parent reply other threads:[~2018-04-03 16:07 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-03 14:39 [PATCH v2] x86/xen/efi: Initialize UEFI secure boot state during dom0 boot Daniel Kiper
2018-04-03 15:44 ` James Bottomley
2018-04-03 16:07 ` Daniel Kiper
2018-04-03 17:00 ` James Bottomley
2018-04-03 17:00 ` James Bottomley
2018-04-04 10:38 ` Daniel Kiper
2018-04-04 10:38 ` Daniel Kiper
2018-04-11 8:56 ` Daniel Kiper
2018-04-11 8:56 ` Daniel Kiper
2018-04-16 8:15 ` Ard Biesheuvel
2018-04-16 8:15 ` Ard Biesheuvel
2018-04-16 9:04 ` Daniel Kiper
2018-04-16 9:04 ` Daniel Kiper
2018-04-03 16:07 ` Daniel Kiper [this message]
2018-04-03 15:44 ` James Bottomley
2018-04-03 14:39 Daniel Kiper
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='20180403160712.GL26100__29995.4950264238$1522771599$gmane$org@olila.local.net-space.pl' \
--to=daniel.kiper@oracle.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=ard.biesheuvel@linaro.org \
--cc=boris.ostrovsky@oracle.com \
--cc=eric.snowberg@oracle.com \
--cc=hpa@zytor.com \
--cc=jgross@suse.com \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.