From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: matt@codeblueprint.co.uk, Ingo Molnar <mingo@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
"H . Peter Anvin" <hpa@zytor.com>
Cc: Josh Boyer <jwboyer@fedoraproject.org>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
linux-kernel@vger.kernel.org, linux-efi@vger.kernel.org,
David Howells <dhowells@redhat.com>
Subject: [PATCH 5/7] efi: Disable secure boot if shim is in insecure mode
Date: Mon, 6 Feb 2017 11:22:44 +0000 [thread overview]
Message-ID: <1486380166-31868-6-git-send-email-ard.biesheuvel@linaro.org> (raw)
In-Reply-To: <1486380166-31868-1-git-send-email-ard.biesheuvel@linaro.org>
From: Josh Boyer <jwboyer@fedoraproject.org>
A user can manually tell the shim boot loader to disable validation of
images it loads. When a user does this, it creates a UEFI variable called
MokSBState that does not have the runtime attribute set. Given that the
user explicitly disabled validation, we can honor that and not enable
secure boot mode if that variable is set.
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Cc: Matt Fleming <matt@codeblueprint.co.uk>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
drivers/firmware/efi/libstub/secureboot.c | 25 ++++++++++++++++++++++++-
1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/drivers/firmware/efi/libstub/secureboot.c b/drivers/firmware/efi/libstub/secureboot.c
index 62d6904da800..766ac06dac84 100644
--- a/drivers/firmware/efi/libstub/secureboot.c
+++ b/drivers/firmware/efi/libstub/secureboot.c
@@ -23,6 +23,12 @@ static const efi_char16_t const efi_SetupMode_name[] = {
'S', 'e', 't', 'u', 'p', 'M', 'o', 'd', 'e', 0
};
+/* SHIM variables */
+static const efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID;
+static efi_char16_t const shim_MokSBState_name[] = {
+ 'M', 'o', 'k', 'S', 'B', 'S', 't', 'a', 't', 'e', 0
+};
+
#define get_efi_var(name, vendor, ...) \
efi_call_runtime(get_variable, \
(efi_char16_t *)(name), (efi_guid_t *)(vendor), \
@@ -33,7 +39,8 @@ static const efi_char16_t const efi_SetupMode_name[] = {
*/
enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table_arg)
{
- u8 secboot, setupmode;
+ u32 attr;
+ u8 secboot, setupmode, moksbstate;
unsigned long size;
efi_status_t status;
@@ -52,6 +59,22 @@ enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table_arg)
if (secboot == 0 || setupmode == 1)
return efi_secureboot_mode_disabled;
+ /*
+ * See if a user has put shim into insecure mode. If so, and if the
+ * variable doesn't have the runtime attribute set, we might as well
+ * honor that.
+ */
+ size = sizeof(moksbstate);
+ status = get_efi_var(shim_MokSBState_name, &shim_guid,
+ &attr, &size, &moksbstate);
+
+ /* If it fails, we don't care why. Default to secure */
+ if (status != EFI_SUCCESS)
+ goto secure_boot_enabled;
+ if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS) && moksbstate == 1)
+ return efi_secureboot_mode_disabled;
+
+secure_boot_enabled:
pr_efi(sys_table_arg, "UEFI Secure Boot is enabled.\n");
return efi_secureboot_mode_enabled;
--
2.7.4
next prev parent reply other threads:[~2017-02-06 11:23 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-06 11:22 [GIT PULL 0/7] EFI updates for v4.11 part 2 Ard Biesheuvel
2017-02-06 11:22 ` [PATCH 1/7] x86/efi: Allow invocation of arbitrary runtime services Ard Biesheuvel
2017-02-07 9:45 ` [tip:efi/core] " tip-bot for David Howells
2017-02-06 11:22 ` [PATCH 2/7] arm/efi: " Ard Biesheuvel
2017-02-07 9:46 ` [tip:efi/core] " tip-bot for David Howells
2017-02-06 11:22 ` [PATCH 3/7] efi: Add SHIM and image security database GUID definitions Ard Biesheuvel
2017-02-07 7:52 ` Ingo Molnar
2017-02-07 8:07 ` Ard Biesheuvel
2017-02-07 9:23 ` David Howells
2017-02-07 9:42 ` Ingo Molnar
2017-02-07 9:46 ` [tip:efi/core] " tip-bot for Josh Boyer
2017-02-06 11:22 ` [PATCH 4/7] efi: Get the secure boot status Ard Biesheuvel
2017-02-07 9:47 ` [tip:efi/core] efi: Get and store " tip-bot for David Howells
2017-02-06 11:22 ` Ard Biesheuvel [this message]
2017-02-07 9:48 ` [tip:efi/core] efi: Disable secure boot if shim is in insecure mode tip-bot for Josh Boyer
2017-02-06 11:22 ` [PATCH 6/7] efi: Print the secure boot status in x86 setup_arch() Ard Biesheuvel
2017-02-07 9:48 ` [tip:efi/core] " tip-bot for David Howells
2017-02-06 11:22 ` [PATCH 7/7] efi: libstub: Make file I/O chunking x86-specific Ard Biesheuvel
2017-02-07 9:49 ` [tip:efi/core] efi/libstub: " tip-bot for Ard Biesheuvel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1486380166-31868-6-git-send-email-ard.biesheuvel@linaro.org \
--to=ard.biesheuvel@linaro.org \
--cc=dhowells@redhat.com \
--cc=hpa@zytor.com \
--cc=jwboyer@fedoraproject.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=matt@codeblueprint.co.uk \
--cc=mingo@kernel.org \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).