From: Josh Boyer <jwboyer@fedoraproject.org>

Date: Tue, 5 Feb 2013 19:25:05 -0500

Subject: [PATCH] efi: Disable secure boot if shim is in insecure mode

A user can manually tell the shim boot loader to disable validation of

images it loads.  When a user does this, it creates a UEFI variable called

MokSBState that does not have the runtime attribute set.  Given that the

user explicitly disabled validation, we can honor that and not enable

secure boot mode if that variable is set.

Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>

---

 arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++-

 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c

index 975d11bfaf5b..94bf7819857a 100644

--- a/arch/x86/boot/compressed/eboot.c

+++ b/arch/x86/boot/compressed/eboot.c

@@ -817,8 +817,9 @@ out:

 static int get_secure_boot(void)

 {

-	u8 sb, setup;

+	u8 sb, setup, moksbstate;

 	unsigned long datasize = sizeof(sb);

+	u32 attr;

 	efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;

 	efi_status_t status;

@@ -842,6 +843,23 @@ static int get_secure_boot(void)

 	if (setup == 1)

 		return 0;

+	/* See if a user has put shim into insecure_mode.  If so, and the variable

+	 * doesn't have the runtime attribute set, we might as well honor that.

+	 */

+	var_guid = EFI_SHIM_LOCK_GUID;

+	status = efi_early->call((unsigned long)sys_table->runtime->get_variable,

+				L"MokSBState", &var_guid, &attr, &datasize,

+				&moksbstate);

+

+	/* If it fails, we don't care why.  Default to secure */

+	if (status != EFI_SUCCESS)

+		return 1;

+

+	if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {

+		if (moksbstate == 1)

+			return 0;

+	}

+

 	return 1;

 }

-- 

1.9.3