In-Reply-To: <1457041550-15736-3-git-send-email-linn@hpe.com>
References: <1456445895-97647-1-git-send-email-linn@hpe.com> <1457041550-15736-1-git-send-email-linn@hpe.com> <1457041550-15736-3-git-send-email-linn@hpe.com>
Date: Fri, 4 Mar 2016 09:01:14 +0100
Subject: Re: [PATCH v3 2/2] arm64/efi: check SetupMode when determining Secure Boot status
From: Ard Biesheuvel
To: Linn Crosetto
Cc: Matt Fleming, Roy Franz, Ingo Molnar, Mark Rutland, "linux-kernel@vger.kernel.org"
X-Mailing-List: linux-kernel@vger.kernel.org

On 3 March 2016 at 22:45, Linn Crosetto wrote:
> According to the UEFI specification (version 2.5 Errata A, page 87):
>
> The platform firmware is operating in secure boot mode if the value of
> the SetupMode variable is 0 and the SecureBoot variable is set to 1. A
> platform cannot operate in secure boot mode if the SetupMode variable
> is set to 1.
>
> Check the value of the SetupMode variable when determining the state of
> Secure Boot. Minor cleanup, change sizeof to match kernel style guidelines.
>
> Signed-off-by: Linn Crosetto

Reviewed-by: Ard Biesheuvel

> ---
> v2:
> - Reformat quote from UEFI specification and note cleanup (Mark Rutland)
> - Restructure code on top of changes in patch 1/2
>
> drivers/firmware/efi/libstub/arm-stub.c | 32 +++++++++++++++++++++++++-------
> 1 file changed, 25 insertions(+), 7 deletions(-)
> > diff --git a/drivers/firmware/efi/libstub/arm-stub.c b/drivers/firmware/efi/libstub/arm-stub.c > index 1e98fb7..c049d41 100644 > --- a/drivers/firmware/efi/libstub/arm-stub.c > +++ b/drivers/firmware/efi/libstub/arm-stub.c > @@ -20,21 +20,39 @@ > > static int efi_get_secureboot(efi_system_table_t *sys_table_arg) > { > - static efi_guid_t const var_guid = EFI_GLOBAL_VARIABLE_GUID; > - static efi_char16_t const var_name[] = { > + static efi_char16_t const sb_var_name[] = { > 'S', 'e', 'c', 'u', 'r', 'e', 'B', 'o', 'o', 't', 0 }; > + static efi_char16_t const sm_var_name[] = { > + 'S', 'e', 't', 'u', 'p', 'M', 'o', 'd', 'e', 0 }; > > + efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; > efi_get_variable_t *f_getvar = sys_table_arg->runtime->get_variable; > - unsigned long size = sizeof(u8); > - efi_status_t status; > u8 val; > + unsigned long size = sizeof(val); > + efi_status_t status; > > - status = f_getvar((efi_char16_t *)var_name, (efi_guid_t *)&var_guid, > + status = f_getvar((efi_char16_t *)sb_var_name, (efi_guid_t *)&var_guid, > NULL, &size, &val); > > + if (status != EFI_SUCCESS) > + goto out_efi_err; > + > + if (val == 0) > + return 0; > + > + status = f_getvar((efi_char16_t *)sm_var_name, (efi_guid_t *)&var_guid, > + NULL, &size, &val); > + > + if (status != EFI_SUCCESS) > + goto out_efi_err; > + > + if (val == 1) > + return 0; > + > + return 1; > + > +out_efi_err: > switch (status) { > - case EFI_SUCCESS: > - return val; > case EFI_NOT_FOUND: > return 0; > case EFI_DEVICE_ERROR: > -- > 2.1.4 >
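Review bot: the second f_getvar() call, the one reading sm_var_name, reuses size without resetting it. GetVariable treats DataSize as an in/out parameter and overwrites it with the length it returned for SecureBoot, so the SetupMode read depends on whatever the first call left there. Assigning size = sizeof(val); again just before the second call keeps the two reads independent. Separately, both calls now share the out_efi_err path, so an EFI_NOT_FOUND on SetupMode returns 0 even though SecureBoot has already been read as non-zero; if reporting Secure Boot as disabled in that case is intended, a short comment at the label saying so would help, otherwise the SetupMode failure deserves its own handling. Since var_guid is no longer const, the (efi_guid_t *) casts on &var_guid can also be dropped.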