From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 5 Feb 2013 19:25:05 -0500
Subject: [PATCH] efi: Disable secure boot if shim is in insecure mode
A user can manually tell the shim boot loader to disable validation of
images it loads.  When a user does this, it creates a UEFI variable called
MokSBState that does not have the runtime attribute set.  Given that the
user explicitly disabled validation, we can honor that and not enable
secure boot mode if that variable is set.
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
---
 arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
f1193f2
index 105e7360d747..83fc4e9888ee 100644
6a91557
--- a/arch/x86/boot/compressed/eboot.c
6a91557
+++ b/arch/x86/boot/compressed/eboot.c
f1193f2
@@ -830,8 +830,9 @@ out:
6a91557
 
6a91557
 static int get_secure_boot(void)
6a91557
 {
6a91557
-	u8 sb, setup;
6a91557
+	u8 sb, setup, moksbstate;
6a91557
 	unsigned long datasize = sizeof(sb);
6a91557
+	u32 attr;
6a91557
 	efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
6a91557
 	efi_status_t status;
6a91557
 
f1193f2
@@ -855,6 +856,23 @@ static int get_secure_boot(void)
6a91557
 	if (setup == 1)
6a91557
 		return 0;
6a91557
 
6a91557
+	/* See if a user has put shim into insecure_mode.  If so, and the variable
6a91557
+	 * doesn't have the runtime attribute set, we might as well honor that.
6a91557
+	 */
6a91557
+	var_guid = EFI_SHIM_LOCK_GUID;
6a91557
+	status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
6a91557
+				L"MokSBState", &var_guid, &attr, &datasize,
6a91557
+				&moksbstate);
6a91557
+
6a91557
+	/* If it fails, we don't care why.  Default to secure */
6a91557
+	if (status != EFI_SUCCESS)
6a91557
+		return 1;
6a91557
+
6a91557
+	if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
6a91557
+		if (moksbstate == 1)
6a91557
+			return 0;
6a91557
+	}
6a91557
+
6a91557
 	return 1;
6a91557
 }
6a91557
 
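Review bot: `datasize` is handed to the new MokSBState get_variable call without being reset, but it is an in/out argument that the earlier SecureBoot/SetupMode lookups (outside this hunk) will have overwritten with whatever size the firmware reported; add `datasize = sizeof(moksbstate);` immediately before the `efi_early->call(...)` so the buffer bound does not silently depend on the outcome of the previous calls. The comment heading the added block should also say why the attribute test is the trust boundary instead of "we might as well honor that": per the UEFI spec a variable without EFI_VARIABLE_RUNTIME_ACCESS cannot be created or changed through SetVariable after ExitBootServices, so a MokSBState lacking that attribute can only have been written during boot services (i.e. by shim), whereas a runtime-accessible copy could have been planted from the running OS and is correctly ignored, e.g. `/* Trust MokSBState only when it lacks RUNTIME_ACCESS: such a variable can only have been set during boot services (by shim), never from the OS. */`. The two nested ifs can be folded into `if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS) && moksbstate == 1) return 0;` without changing behaviour. get_secure_boot() begins before this hunk, so the earlier lookups that leave `datasize` modified are not visible here.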
6a91557
-- 
2.1.0