From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 5 Feb 2013 19:25:05 -0500
Subject: [PATCH] efi: Disable secure boot if shim is in insecure mode
A user can manually tell the shim boot loader to disable validation of
images it loads.  When a user does this, it creates a UEFI variable called
MokSBState that does not have the runtime attribute set.  Given that the
user explicitly disabled validation, we can honor that and not enable
secure boot mode if that variable is set.
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
---
 arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
index 1ef8ea7f8ed9..d82dc9c1c19e 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -830,8 +830,9 @@ out:
 
 static int get_secure_boot(void)
 {
-	u8 sb, setup;
+	u8 sb, setup, moksbstate;
 	unsigned long datasize = sizeof(sb);
+	u32 attr;
 	efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
 	efi_status_t status;
 
@@ -855,6 +856,23 @@ static int get_secure_boot(void)
 	if (setup == 1)
 		return 0;
 
+	/* See if a user has put shim into insecure_mode.  If so, and the variable
+	 * doesn't have the runtime attribute set, we might as well honor that.
+	 */
+	var_guid = EFI_SHIM_LOCK_GUID;
+	status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
+				L"MokSBState", &var_guid, &attr, &datasize,
+				&moksbstate);
+
+	/* If it fails, we don't care why.  Default to secure */
+	if (status != EFI_SUCCESS)
+		return 1;
+
+	if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
+		if (moksbstate == 1)
+			return 0;
+	}
+
 	return 1;
 }
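Review bot: `datasize` is not reset before the MokSBState lookup; it still holds whatever the earlier get_variable calls in get_secure_boot (outside this hunk) left in it, so the new call only matches the one-byte `moksbstate` buffer because those earlier variables happen to be u8 as well. Set it explicitly ahead of the call, `datasize = sizeof(moksbstate);`, so the size stays correct if the earlier lookups change. The attribute test on the new side is the security-relevant line and deserves a why-comment, since the first comment only says "we might as well honor that": presumably the point is that a MokSBState carrying EFI_VARIABLE_RUNTIME_ACCESS could have been written after boot services ended rather than by shim's boot-time path, so only a variable without that attribute is trusted — something like `/* Only honor MokSBState when it lacks runtime access; a runtime-writable copy is not proof that shim itself was put into insecure mode. */`. Note also that the variable's value is read whatever size the firmware reports back in `datasize`; a check that it returned exactly `sizeof(moksbstate)` would make the `moksbstate == 1` comparison explicit about what it accepts. The enclosing function starts outside the hunk.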