diff options
Diffstat (limited to 'libstb/stb.c')
-rw-r--r-- | libstb/stb.c | 24 |
1 files changed, 21 insertions, 3 deletions
diff --git a/libstb/stb.c b/libstb/stb.c index 8c8f380..4dc28a9 100644 --- a/libstb/stb.c +++ b/libstb/stb.c @@ -19,6 +19,7 @@ #include <platform.h> #include <string.h> #include <stdio.h> +#include <nvram.h> #include "stb.h" #include "status_codes.h" #include "container.h" @@ -100,7 +101,7 @@ static void sb_enforce(void) void stb_init(void) { - const struct dt_node *ibm_secureboot; + struct dt_node *ibm_secureboot; /* * The ibm,secureboot device tree properties are documented in * 'doc/device-tree/ibm,secureboot.rst' @@ -117,8 +118,21 @@ void stb_init(void) #else secure_mode = dt_has_node_property(ibm_secureboot, "secure-enabled", NULL); - prlog(PR_NOTICE, "STB: secure mode %s\n", - secure_mode ? "on" : "off"); + + if (nvram_query_eq("force-secure-mode", "always")) { + prlog(PR_NOTICE, "STB: secure mode on (FORCED by nvram)\n"); + secure_mode = true; + } else if (nvram_query_eq("force-secure-mode", "true")) { + prlog(PR_NOTICE, "STB: secure mode %s\n", + (secure_mode) ? "on, *not* partial" : "off"); + } else if (secure_mode) { + prlog(PR_NOTICE, "STB: secure mode on (but not enforced, core secure mode only)\n"); + dt_check_del_prop(ibm_secureboot, "secure-enabled"); + dt_add_property(ibm_secureboot, "partial-secure-enabled", NULL, 0); + secure_mode = false; + } else { + prlog(PR_NOTICE, "STB: secure mode off\n"); + } #endif #ifdef STB_FORCE_TRUSTED_MODE @@ -127,6 +141,10 @@ void stb_init(void) #else trusted_mode = dt_has_node_property(ibm_secureboot, "trusted-enabled", NULL); + if (nvram_query_eq("force-trusted-mode", "true")) { + prlog(PR_NOTICE, "STB: trusted mode ON (from NVRAM)\n"); + trusted_mode = true; + } prlog(PR_NOTICE, "STB: trusted mode %s\n", trusted_mode ? "on" : "off"); #endif |