From d687d79620ea20511b2dbf77e74fdcf4d94981f9 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 5 Feb 2013 19:25:05 -0500
Subject: [PATCH 12/20] efi: Disable secure boot if shim is in insecure mode
A user can manually tell the shim boot loader to disable validation of
images it loads.  When a user does this, it creates a UEFI variable called
MokSBState that does not have the runtime attribute set.  Given that the
user explicitly disabled validation, we can honor that and not enable
secure boot mode if that variable is set.
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
---
 arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
index ebc85c1eefd6..50e027f388d8 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -540,8 +540,9 @@ static void setup_efi_pci(struct boot_params *params)
 
 static int get_secure_boot(void)
 {
-	u8 sb, setup;
+	u8 sb, setup, moksbstate;
 	unsigned long datasize = sizeof(sb);
+	u32 attr;
 	efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
 	efi_status_t status;
 
@@ -565,6 +566,23 @@ static int get_secure_boot(void)
 	if (setup == 1)
 		return 0;
 
+	/* See if a user has put shim into insecure_mode.  If so, and the variable
+	 * doesn't have the runtime attribute set, we might as well honor that.
+	 */
+	var_guid = EFI_SHIM_LOCK_GUID;
+	status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
+				L"MokSBState", &var_guid, &attr, &datasize,
+				&moksbstate);
+
+	/* If it fails, we don't care why.  Default to secure */
+	if (status != EFI_SUCCESS)
+		return 1;
+
+	if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
+		if (moksbstate == 1)
+			return 0;
+	}
+
 	return 1;
 }
 
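Review bot: The MokSBState read on the new get_variable call reuses whatever `datasize` the earlier SetupMode read wrote back instead of being set to the size of the buffer actually passed, so the length handed to the firmware depends on the previous call rather than on `moksbstate`; the unconditional `return 1` on any non-success status keeps this fail-secure, but an explicit `datasize = sizeof(moksbstate);` before the call would state the intent and decouple the two reads. The trust decision at `if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS))` rests on the firmware not letting a caller create or modify a variable lacking the runtime-access attribute after boot services have exited, which is why the attribute rather than the value carries the provenance; a comment saying so, e.g. `/* A variable without RUNTIME_ACCESS can only have been written before ExitBootServices, i.e. by shim, not by the running OS */`, would spare the next reader from re-deriving it. Requiring the variable to be volatile as well (no EFI_VARIABLE_NON_VOLATILE set) may be a tighter match for how shim publishes this flag, but that depends on the shim version in use and should be confirmed against it. get_secure_boot's header and the SecureBoot/SetupMode reads it depends on are outside this hunk.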
-- 
2.9.3