Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934757AbcKWJ07 (ORCPT ); Wed, 23 Nov 2016 04:26:59 -0500 Received: from mailout2.hostsharing.net ([83.223.90.233]:33073 "EHLO mailout2.hostsharing.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933360AbcKWJ0F (ORCPT ); Wed, 23 Nov 2016 04:26:05 -0500 Date: Wed, 23 Nov 2016 10:27:35 +0100 From: Lukas Wunner To: David Howells Cc: linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Josh Boyer , keyrings@vger.kernel.org Subject: Re: [PATCH 6/6] efi: Add EFI_SECURE_BOOT bit [ver #2] Message-ID: <20161123092735.GA2071@wunner.de> References: <147986054870.13790.8640536414645705863.stgit@warthog.procyon.org.uk> <147986059202.13790.3471243422582131819.stgit@warthog.procyon.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <147986059202.13790.3471243422582131819.stgit@warthog.procyon.org.uk> User-Agent: Mutt/1.6.1 (2016-04-27) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1872 Lines: 58 On Wed, Nov 23, 2016 at 12:23:12AM +0000, David Howells wrote: > From: Josh Boyer > > UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit > that can be passed to efi_enabled() to find out whether secure boot is > enabled. > > This will be used by the SysRq+x handler, registered by the x86 arch, to find > out whether secure boot mode is enabled so that it can be disabled. > > Signed-off-by: Josh Boyer > Signed-off-by: David Howells > --- > > arch/x86/kernel/setup.c | 7 +++++++ > include/linux/efi.h | 1 + > 2 files changed, 8 insertions(+) > > diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c > index 9c337b0e8ba7..522915d6de1f 100644 > --- a/arch/x86/kernel/setup.c > +++ b/arch/x86/kernel/setup.c > @@ -1160,6 +1160,13 @@ void __init setup_arch(char **cmdline_p) > > io_delay_init(); > > +#ifdef CONFIG_EFI > + if (boot_params.secure_boot) { > + set_bit(EFI_SECURE_BOOT, &efi.flags); > + pr_info("Secure boot enabled\n"); > + } > +#endif > + Section 20 of Documentation/CodingStyle recommends IS_ENABLED() instead of #ifdef. Also, CONFIG_EFI_STUB might be more apt than CONFIG_EFI. Thanks, Lukas > /* > * Parse the ACPI tables for possible boot-time SMP configuration. > */ > diff --git a/include/linux/efi.h b/include/linux/efi.h > index ff01ad6f2823..d95bb9e69974 100644 > --- a/include/linux/efi.h > +++ b/include/linux/efi.h > @@ -1066,6 +1066,7 @@ extern int __init efi_setup_pcdp_console(char *); > #define EFI_ARCH_1 7 /* First arch-specific bit */ > #define EFI_DBG 8 /* Print additional debug info at runtime */ > #define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */ > +#define EFI_SECURE_BOOT 10 /* Are we in Secure Boot mode? */ > > #ifdef CONFIG_EFI > /* >