Commit 7219856d authored by Heinrich Schuchardt

efi_loader: correct determination of secure boot state



When U-Boot is started we have to use the existing variables to determine
in which secure boot state we are.

* If a platform key PK is present and DeployedMode=1, we are in deployed
  mode.
* If no platform key PK is present and AuditMode=1, we are in audit mode.
* Otherwise if a platform key is present, we are in user mode.
* Otherwise if no platform key is present, we are in setup mode.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
parent b191aa42
......@@ -314,17 +314,40 @@ err:
efi_status_t efi_init_secure_state(void)
{
enum efi_secure_mode mode = EFI_MODE_SETUP;
enum efi_secure_mode mode;
u8 efi_vendor_keys = 0;
efi_uintn_t size = 0;
efi_uintn_t size;
efi_status_t ret;
ret = efi_get_variable_int(L"PK", &efi_global_variable_guid,
NULL, &size, NULL, NULL);
if (ret == EFI_BUFFER_TOO_SMALL) {
if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT))
mode = EFI_MODE_USER;
u8 deployed_mode = 0;
u8 audit_mode = 0;
u8 setup_mode = 1;
if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT)) {
size = sizeof(deployed_mode);
ret = efi_get_variable_int(u"DeployedMode", &efi_global_variable_guid,
NULL, &size, &deployed_mode, NULL);
size = sizeof(audit_mode);
ret = efi_get_variable_int(u"AuditMode", &efi_global_variable_guid,
NULL, &size, &audit_mode, NULL);
size = 0;
ret = efi_get_variable_int(u"PK", &efi_global_variable_guid,
NULL, &size, NULL, NULL);
if (ret == EFI_BUFFER_TOO_SMALL) {
setup_mode = 0;
audit_mode = 0;
} else {
setup_mode = 1;
deployed_mode = 0;
}
}
if (deployed_mode)
mode = EFI_MODE_DEPLOYED;
else if (audit_mode)
mode = EFI_MODE_AUDIT;
else if (setup_mode)
mode = EFI_MODE_SETUP;
else
mode = EFI_MODE_USER;
ret = efi_transfer_secure_state(mode);
if (ret != EFI_SUCCESS)
......
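Review bot: In the PK lookup, every status other than EFI_BUFFER_TOO_SMALL takes the else branch, which sets setup_mode = 1 and clears deployed_mode, so a failed read of the variable store is indistinguishable from an absent platform key and the function then selects setup or audit mode. Consider taking that branch only when ret is EFI_NOT_FOUND and returning any other error to the caller. The ret values from the DeployedMode and AuditMode reads are overwritten without being checked; either drop the assignment or add a comment saying that a missing or wrongly sized variable is meant to read as 0. The setup_mode = 1 in the else branch repeats the initializer and can go.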