From: Matthew Garrett
Date: Fri, 8 Mar 2019 09:51:57 -0800
Subject: Re: [PATCH 3/3] x86/ima: retry detecting secure boot mode
To: Mimi Zohar
Cc: Justin Forbes, linux-integrity, LSM List, linux-efi, Linux Kernel Mailing List, David Howells, Seth Forshee, kexec@lists.infradead.org, Nayna Jain

On Fri, Mar 8, 2019 at 5:40 AM Mimi Zohar wrote:
>
> On Thu, 2019-03-07 at 14:50 -0800, Matthew Garrett wrote:
> > Is the issue that it gives incorrect results on the first read, or is
> > the issue that it gives incorrect results before ExitBootServices() is
> > called? If the former then we should read twice in the boot stub, if
> > the latter then we should figure out a way to do this immediately
> > after ExitBootServices() instead.
>
> Detecting the secure boot mode isn't the problem. On boot, I am
> seeing "EFI stub: UEFI Secure Boot is enabled", but setup_arch() emits
> "Secure boot could not be determined".
>
> In efi_main() the secure_boot mode is initially unset, so
> efi_get_secureboot() is called. efi_get_secureboot() returns the
> secure_boot mode correctly as enabled. The problem seems to be in
> saving the secure_boot mode for later use.

Hm. And this only happens on certain firmware versions? If something's
stepping on boot_params then we have bigger problems.