aboutsummaryrefslogtreecommitdiff
path: root/libstb
diff options
context:
space:
mode:
authorNayna Jain <nayna@linux.ibm.com>2020-09-16 11:21:13 -0500
committerOliver O'Halloran <oohall@gmail.com>2020-10-01 13:44:06 +1000
commitf65d51cdfefec2efdcdd718137c097b4e8197753 (patch)
tree64dc6a30cdb22632949ebe6d36f32a5f79f4d1e9 /libstb
parent9cc5f24b72aba38e4e1bfb93806c4c2743fd9343 (diff)
downloadskiboot-f65d51cdfefec2efdcdd718137c097b4e8197753.zip
skiboot-f65d51cdfefec2efdcdd718137c097b4e8197753.tar.gz
skiboot-f65d51cdfefec2efdcdd718137c097b4e8197753.tar.bz2
libstb/secureboot: OS Secure Boot is enabled only if FW secureboot is enabled
OS Secure Boot establishes a chain of trust from firmware to the OS. However, OS Secure Boot can only be secure if the chain of trust beneath it - from hardware to firmware - has been established by Firmware Secure Boot. This patch ensures that OS Secure Boot is enabled only if Firmware Secure Boot is enabled. Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Signed-off-by: Eric Richter <erichte@linux.ibm.com> Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
Diffstat (limited to 'libstb')
-rw-r--r--libstb/secureboot.c5
-rw-r--r--libstb/secureboot.h1
2 files changed, 6 insertions, 0 deletions
diff --git a/libstb/secureboot.c b/libstb/secureboot.c
index 6032480..f8cce28 100644
--- a/libstb/secureboot.c
+++ b/libstb/secureboot.c
@@ -62,6 +62,11 @@ bool secureboot_is_compatible(struct dt_node *node, int *version, const char **c
return false;
}
+bool is_fw_secureboot(void)
+{
+ return secure_mode;
+}
+
void secureboot_init(void)
{
struct dt_node *node;
diff --git a/libstb/secureboot.h b/libstb/secureboot.h
index 721b28d..74e93c8 100644
--- a/libstb/secureboot.h
+++ b/libstb/secureboot.h
@@ -18,6 +18,7 @@ enum secureboot_version {
void secureboot_enforce(void);
bool secureboot_is_compatible(struct dt_node *node, int *version, const char **compat);
void secureboot_init(void);
+bool is_fw_secureboot(void);
/**
* secureboot_verify - verify a PNOR partition content