From 0a5c52b9eb4918fb2bee43bacc3521b574334cff Mon Sep 17 00:00:00 2001

From: Josh Boyer <jwboyer@fedoraproject.org>

Date: Tue, 5 Feb 2013 19:25:05 -0500

Subject: [PATCH 1/9] efi: Disable secure boot if shim is in insecure mode

A user can manually tell the shim boot loader to disable validation of

images it loads.  When a user does this, it creates a UEFI variable called

MokSBState that does not have the runtime attribute set.  Given that the

user explicitly disabled validation, we can honor that and not enable

secure boot mode if that variable is set.

Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>

---

 arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++-

 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c

index 6b8b9a775b46..b3a5364d31c6 100644

--- a/arch/x86/boot/compressed/eboot.c

+++ b/arch/x86/boot/compressed/eboot.c

@@ -574,8 +574,9 @@ free_handle:

 static int get_secure_boot(void)

 {

-	u8 sb, setup;

+	u8 sb, setup, moksbstate;

 	unsigned long datasize = sizeof(sb);

+	u32 attr;

 	efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;

 	efi_status_t status;

@@ -599,6 +600,23 @@ static int get_secure_boot(void)

 	if (setup == 1)

 		return 0;

+	/* See if a user has put shim into insecure_mode.  If so, and the variable

+	 * doesn't have the runtime attribute set, we might as well honor that.

+	 */

+	var_guid = EFI_SHIM_LOCK_GUID;

+	status = efi_early->call((unsigned long)sys_table->runtime->get_variable,

+				L"MokSBState", &var_guid, &attr, &datasize,

+				&moksbstate);

+

+	/* If it fails, we don't care why.  Default to secure */

+	if (status != EFI_SUCCESS)

+		return 1;

+

+	if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {

+		if (moksbstate == 1)

+			return 0;

+	}

+

 	return 1;

 }

-- 

2.5.5