[GIT PULL] efi: Pass secure boot mode to kernel

From: David Howells
Date: Thu Dec 08 2016 - 06:45:25 EST


Hi Matt, Ard,

Is it too late to request this for the upcoming merge window? Also, I've made
Lukas's requested changes and reposted just that patch in my reply to him. Do
you want me to repost the lot?

Here's a set of patches that can determine the secure boot state of the
UEFI BIOS and pass that along to the main kernel image. This involves
generalising ARM's efi_get_secureboot() function and making it mixed-mode
safe.

Changes:

Ver 6:
- Removed unnecessary variable init and trimmed comment.
- Return efi_secureboot_mode_disabled directly rather than going to a
place that just returns it.
- Switched the last two patches.

Ver 5:
- Fix i386 compilation error (rsi should've been changed to esi).
- Fix arm64 compilation error ('sys_table_arg' is a hidden macro parameter).

Ver 4:
- Use an enum to tell the kernel whether secure boot mode is enabled,
disabled, couldn't be determined or wasn't even tried due to not being
in EFI mode.
- Support the UEFI-2.6 DeployedMode flag.
- Don't clear boot_params->secure_boot in x86 sanitize_boot_params().
- Preclear the boot_params->secure_boot on x86 head_*.S entry if we may
not go through efi_main().
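As an added illustration (not code from this series or from the kernel tree), here is a small C model of the decision the boot stub makes from the firmware variables: the four-state enum from the Ver 4 note, the "not tried because we never ran through EFI" case, the "couldn't be determined" case when a variable read fails, and the shim insecure-mode override from Josh Boyer's patch. The variable store, the status codes and the scenario names are constructed stand-ins for the real GetVariable() calls; the UEFI-2.6 DeployedMode handling is not modelled because its exact policy is not spelled out in this mail.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome passed up to the kernel: mirrors the four states in the changelog. */
enum efi_secureboot_mode {
	efi_secureboot_mode_unset,     /* never checked: did not boot via EFI */
	efi_secureboot_mode_unknown,   /* a variable read failed unexpectedly */
	efi_secureboot_mode_disabled,
	efi_secureboot_mode_enabled,
};

/* Constructed stand-in for EFI_STATUS (hypothetical subset). */
enum efi_status { EFI_SUCCESS, EFI_NOT_FOUND, EFI_DEVICE_ERROR };

/* Constructed stand-in for one firmware variable and its GetVariable() result. */
struct fake_var {
	const char *name;        /* "SecureBoot", "SetupMode" or shim's "MokSBState" */
	enum efi_status status;  /* what GetVariable() would have returned */
	uint8_t value;
};

struct fake_store {
	int booted_via_efi;            /* 0 models the non-EFI head_*.S entry path */
	const struct fake_var *vars;
	size_t nvars;
};

static enum efi_status get_var(const struct fake_store *s, const char *name, uint8_t *out)
{
	for (size_t i = 0; i < s->nvars; i++) {
		if (strcmp(s->vars[i].name, name) == 0) {
			if (s->vars[i].status == EFI_SUCCESS)
				*out = s->vars[i].value;
			return s->vars[i].status;
		}
	}
	return EFI_NOT_FOUND;
}

/* Hypothetical counterpart of the generalised efi_get_secureboot(). */
enum efi_secureboot_mode efi_get_secureboot(const struct fake_store *s)
{
	uint8_t secboot = 0, setupmode = 0, moksbstate = 0;
	enum efi_status st;

	if (!s->booted_via_efi)
		return efi_secureboot_mode_unset;

	st = get_var(s, "SecureBoot", &secboot);
	if (st == EFI_NOT_FOUND)
		return efi_secureboot_mode_disabled; /* firmware has no secure boot at all */
	if (st != EFI_SUCCESS)
		return efi_secureboot_mode_unknown;

	st = get_var(s, "SetupMode", &setupmode);
	if (st != EFI_SUCCESS)
		return efi_secureboot_mode_unknown;

	if (secboot == 0 || setupmode == 1)
		return efi_secureboot_mode_disabled;

	/* MokSBState == 1 means the user switched shim into its insecure mode,
	 * so nothing after shim is verified even though the firmware enforces. */
	st = get_var(s, "MokSBState", &moksbstate);
	if (st == EFI_SUCCESS && moksbstate == 1)
		return efi_secureboot_mode_disabled;

	return efi_secureboot_mode_enabled;
}

/* Constructed scenarios, one per branch of the logic above. */
static const struct fake_var v_enabled[]  = { {"SecureBoot", EFI_SUCCESS, 1}, {"SetupMode", EFI_SUCCESS, 0} };
static const struct fake_var v_setup[]    = { {"SecureBoot", EFI_SUCCESS, 1}, {"SetupMode", EFI_SUCCESS, 1} };
static const struct fake_var v_shim[]     = { {"SecureBoot", EFI_SUCCESS, 1}, {"SetupMode", EFI_SUCCESS, 0},
					      {"MokSBState", EFI_SUCCESS, 1} };
static const struct fake_var v_error[]    = { {"SecureBoot", EFI_DEVICE_ERROR, 0} };

const struct fake_store scenario_enabled      = { 1, v_enabled, 2 };
const struct fake_store scenario_setup_mode   = { 1, v_setup, 2 };
const struct fake_store scenario_shim_insecure = { 1, v_shim, 3 };
const struct fake_store scenario_read_error   = { 1, v_error, 1 };
const struct fake_store scenario_no_variable  = { 1, NULL, 0 };   /* legacy firmware */
const struct fake_store scenario_bios_boot    = { 0, NULL, 0 };   /* never went through efi_main() */

int main(void)
{
	printf("enabled=%d setup=%d shim=%d error=%d novar=%d bios=%d\n",
	       efi_get_secureboot(&scenario_enabled), efi_get_secureboot(&scenario_setup_mode),
	       efi_get_secureboot(&scenario_shim_insecure), efi_get_secureboot(&scenario_read_error),
	       efi_get_secureboot(&scenario_no_variable), efi_get_secureboot(&scenario_bios_boot));
	return 0;
}
```

The point of the four-way enum rather than a boolean is visible in the last two scenarios: a kernel that only sees "disabled" cannot tell a deliberately unlocked platform from one where the stub never ran or the firmware refused the read, and anything that keys lockdown policy off that flag needs to treat those cases differently.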

David
---
The following changes since commit 018edcfac4c3b140366ad51b0907f3becb5bb624:

efi/libstub: Make efi_random_alloc() allocate below 4 GB on 32-bit (2016-11-25 07:15:23 +0100)

are available in the git repository at:

git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git tags/efi-secure-boot-20161208

for you to fetch changes up to e71dd6bffca41faf7b4458c230e5c3d3c2b16d3e:

efi: Add EFI_SECURE_BOOT bit (2016-12-08 08:19:04 +0000)

----------------------------------------------------------------
EFI secure boot

----------------------------------------------------------------
Ard Biesheuvel (1):
efi: use typed function pointers for runtime services table

David Howells (5):
x86/efi: Allow invocation of arbitrary runtime services
arm/efi: Allow invocation of arbitrary runtime services
efi: Add SHIM and image security database GUID definitions
efi: Get the secure boot status
efi: Handle secure boot from UEFI-2.6

Josh Boyer (2):
efi: Disable secure boot if shim is in insecure mode
efi: Add EFI_SECURE_BOOT bit

Documentation/x86/zero-page.txt | 2 +
arch/arm/include/asm/efi.h | 1 +
arch/arm64/include/asm/efi.h | 1 +
arch/x86/boot/compressed/eboot.c | 3 +
arch/x86/boot/compressed/head_32.S | 7 ++-
arch/x86/boot/compressed/head_64.S | 9 +--
arch/x86/include/asm/bootparam_utils.h | 5 +-
arch/x86/include/asm/efi.h | 5 ++
arch/x86/include/uapi/asm/bootparam.h | 3 +-
arch/x86/kernel/asm-offsets.c | 1 +
arch/x86/kernel/setup.c | 15 +++++
drivers/firmware/efi/libstub/Makefile | 2 +-
drivers/firmware/efi/libstub/arm-stub.c | 63 ++------------------
drivers/firmware/efi/libstub/secureboot.c | 99 +++++++++++++++++++++++++++++++
include/linux/efi.h | 52 ++++++++++------
15 files changed, 182 insertions(+), 86 deletions(-)
create mode 100644 drivers/firmware/efi/libstub/secureboot.c