Commit b191aa42 authored by Heinrich Schuchardt's avatar Heinrich Schuchardt Committed by Heinrich Schuchardt
Browse files

efi_loader: efi_auth_var_type for AuditMode, DeployedMode



Writing variables AuditMode and DeployedMode serves to switch between
Secure Boot modes. Provide a separate value for these in efi_auth_var_type.

With this patch the variables will not be read from from file even if they
are marked as non-volatile by mistake.
Signed-off-by: default avatarHeinrich Schuchardt <heinrich.schuchardt@canonical.com>
parent 9ef82e29
......@@ -12,6 +12,7 @@
enum efi_auth_var_type {
EFI_AUTH_VAR_NONE = 0,
EFI_AUTH_MODE,
EFI_AUTH_VAR_PK,
EFI_AUTH_VAR_KEK,
EFI_AUTH_VAR_DB,
......
......@@ -34,6 +34,8 @@ static const struct efi_auth_var_name_type name_type[] = {
{u"dbx", &efi_guid_image_security_database, EFI_AUTH_VAR_DBX},
{u"dbt", &efi_guid_image_security_database, EFI_AUTH_VAR_DBT},
{u"dbr", &efi_guid_image_security_database, EFI_AUTH_VAR_DBR},
{u"AuditMode", &efi_global_variable_guid, EFI_AUTH_MODE},
{u"DeployedMode", &efi_global_variable_guid, EFI_AUTH_MODE},
};
static bool efi_secure_boot;
......
......@@ -247,7 +247,7 @@ efi_status_t efi_set_variable_int(u16 *variable_name, const efi_guid_t *vendor,
return EFI_WRITE_PROTECTED;
if (IS_ENABLED(CONFIG_EFI_VARIABLES_PRESEED)) {
if (var_type != EFI_AUTH_VAR_NONE)
if (var_type >= EFI_AUTH_VAR_PK)
return EFI_WRITE_PROTECTED;
}
......@@ -268,7 +268,7 @@ efi_status_t efi_set_variable_int(u16 *variable_name, const efi_guid_t *vendor,
return EFI_NOT_FOUND;
}
if (var_type != EFI_AUTH_VAR_NONE) {
if (var_type >= EFI_AUTH_VAR_PK) {
/* authentication is mandatory */
if (!(attributes &
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)) {
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment