Re: [PATCH 1/6] efistub: pass uefi secureboot flag via fdt params

From: Ard Biesheuvel
Date: Fri Sep 11 2020 - 13:06:04 EST

Next message: Kirti Wankhede: "Re: [PATCH] vfio: Fix typo of the device_state"
Previous message: David Hildenbrand: "Re: [PATCH 1/3] mm: replace memmap_context by memplug_context"
Next in thread: Chester Lin: "Re: [PATCH 1/6] efistub: pass uefi secureboot flag via fdt params"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 4 Sep 2020 at 10:29, Chester Lin <clin@xxxxxxxx> wrote:
>
> Add a new UEFI parameter: "linux,uefi-secure-boot" in fdt boot params
> as other architectures have done in their own boot data. For example,
> the boot_params->secure_boot in x86.
>
> Signed-off-by: Chester Lin <clin@xxxxxxxx>

Why do we need this flag? Can't the OS simply check the variable directly?

> ---
> drivers/firmware/efi/libstub/fdt.c | 39 +++++++++++++++++++++++++++++-
> 1 file changed, 38 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/firmware/efi/libstub/fdt.c b/drivers/firmware/efi/libstub/fdt.c
> index 11ecf3c4640e..c9a341e4715f 100644
> --- a/drivers/firmware/efi/libstub/fdt.c
> +++ b/drivers/firmware/efi/libstub/fdt.c
> @@ -136,6 +136,10 @@ static efi_status_t update_fdt(void *orig_fdt, unsigned long orig_fdt_size,
> if (status)
> goto fdt_set_fail;
>
> + status = fdt_setprop_var(fdt, node, "linux,uefi-secure-boot", fdt_val32);
> + if (status)
> + goto fdt_set_fail;
> +
> if (IS_ENABLED(CONFIG_RANDOMIZE_BASE)) {
> efi_status_t efi_status;
>
> @@ -199,6 +203,24 @@ static efi_status_t update_fdt_memmap(void *fdt, struct efi_boot_memmap *map)
> return EFI_SUCCESS;
> }
>
> +static efi_status_t update_fdt_secboot(void *fdt, u32 secboot)
> +{
> + int node = fdt_path_offset(fdt, "/chosen");
> + u32 fdt_val32;
> + int err;
> +
> + if (node < 0)
> + return EFI_LOAD_ERROR;
> +
> + fdt_val32 = cpu_to_fdt32(secboot);
> +
> + err = fdt_setprop_inplace_var(fdt, node, "linux,uefi-secure-boot", fdt_val32);
> + if (err)
> + return EFI_LOAD_ERROR;
> +
> + return EFI_SUCCESS;
> +}
> +
> struct exit_boot_struct {
> efi_memory_desc_t *runtime_map;
> int *runtime_entry_count;
> @@ -208,6 +230,9 @@ struct exit_boot_struct {
> static efi_status_t exit_boot_func(struct efi_boot_memmap *map,
> void *priv)
> {
> + efi_status_t status;
> + enum efi_secureboot_mode secboot_status;
> + u32 secboot_var = 0;
> struct exit_boot_struct *p = priv;
> /*
> * Update the memory map with virtual addresses. The function will also
> @@ -217,7 +242,19 @@ static efi_status_t exit_boot_func(struct efi_boot_memmap *map,
> efi_get_virtmap(*map->map, *map->map_size, *map->desc_size,
> p->runtime_map, p->runtime_entry_count);
>
> - return update_fdt_memmap(p->new_fdt_addr, map);
> + status = update_fdt_memmap(p->new_fdt_addr, map);
> +
> + if (status != EFI_SUCCESS)
> + return status;
> +
> + secboot_status = efi_get_secureboot();
> +
> + if (secboot_status == efi_secureboot_mode_enabled)
> + secboot_var = 1;
> +
> + status = update_fdt_secboot(p->new_fdt_addr, secboot_var);
> +
> + return status;
> }
>
> #ifndef MAX_FDT_SIZE
> --
> 2.26.1
>

Next message: Kirti Wankhede: "Re: [PATCH] vfio: Fix typo of the device_state"
Previous message: David Hildenbrand: "Re: [PATCH 1/3] mm: replace memmap_context by memplug_context"
Next in thread: Chester Lin: "Re: [PATCH 1/6] efistub: pass uefi secureboot flag via fdt params"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]