authorHeinrich Schuchardt <xypron.glpk@gmx.de>2021-09-02 07:11:45 +0200
committerHeinrich Schuchardt <xypron.glpk@gmx.de>2021-09-04 12:03:57 +0200
commit7219856daee8cd28872d2f7ef7405704af07bd7d (patch)
treec4c7de1a34eae50090b872d09e763be7e4158bbf /lib/efi_loader
parentb191aa429e509ba6bf9eb446ae27b1a4fcd83276 (diff)
efi_loader: correct determination of secure boot state
When U-Boot is started we have to use the existing variables to determine which secure boot state we are in.

* If a platform key PK is present and DeployedMode=1, we are in deployed mode.
* If no platform key PK is present and AuditMode=1, we are in audit mode.
* Otherwise if a platform key is present, we are in user mode.
* Otherwise if no platform key is present, we are in setup mode.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Diffstat (limited to 'lib/efi_loader')
-rw-r--r--lib/efi_loader/efi_var_common.c39
1 files changed, 31 insertions, 8 deletions
diff --git a/lib/efi_loader/efi_var_common.c b/lib/efi_loader/efi_var_common.c
index c744e2f..a00bbf1 100644
--- a/lib/efi_loader/efi_var_common.c
+++ b/lib/efi_loader/efi_var_common.c
@@ -314,17 +314,40 @@ err:
efi_status_t efi_init_secure_state(void)
{
- enum efi_secure_mode mode = EFI_MODE_SETUP;
+ enum efi_secure_mode mode;
u8 efi_vendor_keys = 0;
- efi_uintn_t size = 0;
+ efi_uintn_t size;
efi_status_t ret;
-
- ret = efi_get_variable_int(L"PK", &efi_global_variable_guid,
- NULL, &size, NULL, NULL);
- if (ret == EFI_BUFFER_TOO_SMALL) {
- if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT))
- mode = EFI_MODE_USER;
+ u8 deployed_mode = 0;
+ u8 audit_mode = 0;
+ u8 setup_mode = 1;
+
+ if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT)) {
+ size = sizeof(deployed_mode);
+ ret = efi_get_variable_int(u"DeployedMode", &efi_global_variable_guid,
+ NULL, &size, &deployed_mode, NULL);
+ size = sizeof(audit_mode);
+ ret = efi_get_variable_int(u"AuditMode", &efi_global_variable_guid,
+ NULL, &size, &audit_mode, NULL);
+ size = 0;
+ ret = efi_get_variable_int(u"PK", &efi_global_variable_guid,
+ NULL, &size, NULL, NULL);
+ if (ret == EFI_BUFFER_TOO_SMALL) {
+ setup_mode = 0;
+ audit_mode = 0;
+ } else {
+ setup_mode = 1;
+ deployed_mode = 0;
+ }
}
+ if (deployed_mode)
+ mode = EFI_MODE_DEPLOYED;
+ else if (audit_mode)
+ mode = EFI_MODE_AUDIT;
+ else if (setup_mode)
+ mode = EFI_MODE_SETUP;
+ else
+ mode = EFI_MODE_USER;
ret = efi_transfer_secure_state(mode);
if (ret != EFI_SUCCESS)