| From: Josh Boyer <jwboyer@fedoraproject.org> |
| Date: Tue, 5 Feb 2013 19:25:05 -0500 |
| Subject: [PATCH] efi: Disable secure boot if shim is in insecure mode |
| |
| A user can manually tell the shim boot loader to disable validation of |
| images it loads. When a user does this, it creates a UEFI variable called |
| MokSBState that does not have the runtime attribute set. Given that the |
| user explicitly disabled validation, we can honor that and not enable |
| secure boot mode if that variable is set. |
| |
| Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> |
| |
| arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++- |
| 1 file changed, 19 insertions(+), 1 deletion(-) |
| |
| diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c |
| index 975d11bfaf5b..94bf7819857a 100644 |
| |
| |
| @@ -817,8 +817,9 @@ out: |
| |
| static int get_secure_boot(void) |
| { |
| - u8 sb, setup; |
| + u8 sb, setup, moksbstate; |
| unsigned long datasize = sizeof(sb); |
| + u32 attr; |
| efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; |
| efi_status_t status; |
| |
| @@ -842,6 +843,23 @@ static int get_secure_boot(void) |
| if (setup == 1) |
| return 0; |
| |
| + /* See if a user has put shim into insecure_mode. If so, and the variable |
| + * doesn't have the runtime attribute set, we might as well honor that. |
| + */ |
| + var_guid = EFI_SHIM_LOCK_GUID; |
| + status = efi_early->call((unsigned long)sys_table->runtime->get_variable, |
| + L"MokSBState", &var_guid, &attr, &datasize, |
| + &moksbstate); |
| + |
| + /* If it fails, we don't care why. Default to secure */ |
| + if (status != EFI_SUCCESS) |
| + return 1; |
| + |
| + if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) { |
| + if (moksbstate == 1) |
| + return 0; |
| + } |
| + |
| return 1; |
| } |
| |
| -- |
| 1.9.3 |
| |