Re: [PATCH 5/8] efi: Get the secure boot status [ver #6]

From: David Howells
Date: Wed Jan 11 2017 - 10:31:26 EST

Next message: Linus Walleij: "Re: [PATCH 1/5] pinctrl: core: Use delayed work for hogs"
Previous message: David Howells: "Re: [PATCH 8/8] efi: Add EFI_SECURE_BOOT bit [ver #6]"
In reply to: Matt Fleming: "Re: [PATCH 5/8] efi: Get the secure boot status [ver #6]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Matt Fleming <matt@xxxxxxxxxxxxxxxxxxx> wrote:

> > + movb $0, BP_secure_boot(%rsi)
> > #ifdef CONFIG_EFI_STUB
> > /*
> > * The entry point for the PE/COFF executable is efi_pe_entry, so
>
> Is clearing ::secure_boot really necessary? Any code path that goes
> via efi_main() will set it correctly and all other code paths should
> get it cleared in sanitize_boot_params(), no?

No.

The boot_params->secure_boot parameter exists whether or not efi_main() is
traversed (ie. if EFI isn't enabled or CONFIG_EFI_STUB=n) and, if not cleared,
is of uncertain value.

Further, sanitize_boot_params() has to be modified by this patch so as not to
clobber the secure_boot flag.

> What's the distinction between the unset and unknown enums?

unset -> The flag was cleared by head.S and efi_get_secureboot() was never
called.

unknown -> efi_get_secureboot() tried and failed to access the EFI variables
that should give the state.

David

Next message: Linus Walleij: "Re: [PATCH 1/5] pinctrl: core: Use delayed work for hogs"
Previous message: David Howells: "Re: [PATCH 8/8] efi: Add EFI_SECURE_BOOT bit [ver #6]"
In reply to: Matt Fleming: "Re: [PATCH 5/8] efi: Get the secure boot status [ver #6]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]