Re: [PATCH v3 2/2] arm64/efi: check SetupMode when determining Secure Boot status

From: Ard Biesheuvel
Date: Fri Mar 04 2016 - 03:01:21 EST

Next message: Yong Wu: "Re: [PATCH] arm64/dma-mapping: Add DMA_ATTR_ALLOC_SINGLE_PAGES support"
Previous message: Michael Ellerman: "Re: [PATCH][v4] livepatch/ppc: Enable livepatching on powerpc"
In reply to: Linn Crosetto: "[PATCH v3 2/2] arm64/efi: check SetupMode when determining Secure Boot status"
Next in thread: Linn Crosetto: "[PATCH v3 1/2] arm64/efi: report unexpected errors when determining Secure Boot status"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 3 March 2016 at 22:45, Linn Crosetto <linn@xxxxxxx> wrote:
> According to the UEFI specification (version 2.5 Errata A, page 87):
>
> The platform firmware is operating in secure boot mode if the value of
> the SetupMode variable is 0 and the SecureBoot variable is set to 1. A
> platform cannot operate in secure boot mode if the SetupMode variable
> is set to 1.
>
> Check the value of the SetupMode variable when determining the state of
> Secure Boot. Minor cleanup, change sizeof to match kernel style guidelines.
>
> Signed-off-by: Linn Crosetto <linn@xxxxxxx>

Reviewed-by: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>

> ---
> v2:
> - Reformat quote from UEFI specification and note cleanup (Mark Rutland)
> - Restructure code on top of changes in patch 1/2
>
> drivers/firmware/efi/libstub/arm-stub.c | 32 +++++++++++++++++++++++++-------
> 1 file changed, 25 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/firmware/efi/libstub/arm-stub.c b/drivers/firmware/efi/libstub/arm-stub.c
> index 1e98fb7..c049d41 100644
> --- a/drivers/firmware/efi/libstub/arm-stub.c
> +++ b/drivers/firmware/efi/libstub/arm-stub.c
> @@ -20,21 +20,39 @@
>
> static int efi_get_secureboot(efi_system_table_t *sys_table_arg)
> {
> - static efi_guid_t const var_guid = EFI_GLOBAL_VARIABLE_GUID;
> - static efi_char16_t const var_name[] = {
> + static efi_char16_t const sb_var_name[] = {
> 'S', 'e', 'c', 'u', 'r', 'e', 'B', 'o', 'o', 't', 0 };
> + static efi_char16_t const sm_var_name[] = {
> + 'S', 'e', 't', 'u', 'p', 'M', 'o', 'd', 'e', 0 };
>
> + efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
> efi_get_variable_t *f_getvar = sys_table_arg->runtime->get_variable;
> - unsigned long size = sizeof(u8);
> - efi_status_t status;
> u8 val;
> + unsigned long size = sizeof(val);
> + efi_status_t status;
>
> - status = f_getvar((efi_char16_t *)var_name, (efi_guid_t *)&var_guid,
> + status = f_getvar((efi_char16_t *)sb_var_name, (efi_guid_t *)&var_guid,
> NULL, &size, &val);
>
> + if (status != EFI_SUCCESS)
> + goto out_efi_err;
> +
> + if (val == 0)
> + return 0;
> +
> + status = f_getvar((efi_char16_t *)sm_var_name, (efi_guid_t *)&var_guid,
> + NULL, &size, &val);
> +
> + if (status != EFI_SUCCESS)
> + goto out_efi_err;
> +
> + if (val == 1)
> + return 0;
> +
> + return 1;
> +
> +out_efi_err:
> switch (status) {
> - case EFI_SUCCESS:
> - return val;
> case EFI_NOT_FOUND:
> return 0;
> case EFI_DEVICE_ERROR:
> --
> 2.1.4
>

Next message: Yong Wu: "Re: [PATCH] arm64/dma-mapping: Add DMA_ATTR_ALLOC_SINGLE_PAGES support"
Previous message: Michael Ellerman: "Re: [PATCH][v4] livepatch/ppc: Enable livepatching on powerpc"
In reply to: Linn Crosetto: "[PATCH v3 2/2] arm64/efi: check SetupMode when determining Secure Boot status"
Next in thread: Linn Crosetto: "[PATCH v3 1/2] arm64/efi: report unexpected errors when determining Secure Boot status"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]