| From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
| From: David Howells <dhowells@redhat.com> |
| Date: Tue, 27 Feb 2018 10:04:55 +0000 |
| Subject: [PATCH] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode |
| |
| UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT |
| flag that can be passed to efi_enabled() to find out whether secure boot is |
| enabled. |
| |
| Move the switch-statement in x86's setup_arch() that inteprets the |
| secure_boot boot parameter to generic code and set the bit there. |
| |
| Upstream Status: RHEL only |
| Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> |
| Signed-off-by: David Howells <dhowells@redhat.com> |
| Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> |
| cc: linux-efi@vger.kernel.org |
| [Rebased for context; efi_is_table_address was moved to arch/x86] |
| Signed-off-by: Jeremy Cline <jcline@redhat.com> |
| |
| arch/x86/kernel/setup.c | 14 +----------- |
| drivers/firmware/efi/Makefile | 1 + |
| drivers/firmware/efi/secureboot.c | 38 +++++++++++++++++++++++++++++++ |
| include/linux/efi.h | 18 ++++++++++----- |
| 4 files changed, 52 insertions(+), 19 deletions(-) |
| create mode 100644 drivers/firmware/efi/secureboot.c |
| |
| diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c |
| index 112efbef3414..c9de4b36ca51 100644 |
| |
| |
| @@ -1255,19 +1255,7 @@ void __init setup_arch(char **cmdline_p) |
| /* Allocate bigger log buffer */ |
| setup_log_buf(1); |
| |
| - if (efi_enabled(EFI_BOOT)) { |
| - switch (boot_params.secure_boot) { |
| - case efi_secureboot_mode_disabled: |
| - pr_info("Secure boot disabled\n"); |
| - break; |
| - case efi_secureboot_mode_enabled: |
| - pr_info("Secure boot enabled\n"); |
| - break; |
| - default: |
| - pr_info("Secure boot could not be determined\n"); |
| - break; |
| - } |
| - } |
| + efi_set_secure_boot(boot_params.secure_boot); |
| |
| reserve_initrd(); |
| |
| diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile |
| index 7a216984552b..f0ef02d733af 100644 |
| |
| |
| @@ -25,6 +25,7 @@ obj-$(CONFIG_EFI_FAKE_MEMMAP) += fake_map.o |
| obj-$(CONFIG_EFI_BOOTLOADER_CONTROL) += efibc.o |
| obj-$(CONFIG_EFI_TEST) += test/ |
| obj-$(CONFIG_EFI_DEV_PATH_PARSER) += dev-path-parser.o |
| +obj-$(CONFIG_EFI) += secureboot.o |
| obj-$(CONFIG_APPLE_PROPERTIES) += apple-properties.o |
| obj-$(CONFIG_EFI_RCI2_TABLE) += rci2-table.o |
| obj-$(CONFIG_EFI_EMBEDDED_FIRMWARE) += embedded-firmware.o |
| diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c |
| new file mode 100644 |
| index 000000000000..de0a3714a5d4 |
| |
| |
| @@ -0,0 +1,38 @@ |
| +/* Core kernel secure boot support. |
| + * |
| + * Copyright (C) 2017 Red Hat, Inc. All Rights Reserved. |
| + * Written by David Howells (dhowells@redhat.com) |
| + * |
| + * This program is free software; you can redistribute it and/or |
| + * modify it under the terms of the GNU General Public Licence |
| + * as published by the Free Software Foundation; either version |
| + * 2 of the Licence, or (at your option) any later version. |
| + */ |
| + |
| +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt |
| + |
| +#include <linux/efi.h> |
| +#include <linux/kernel.h> |
| +#include <linux/printk.h> |
| + |
| +/* |
| + * Decide what to do when UEFI secure boot mode is enabled. |
| + */ |
| +void __init efi_set_secure_boot(enum efi_secureboot_mode mode) |
| +{ |
| + if (efi_enabled(EFI_BOOT)) { |
| + switch (mode) { |
| + case efi_secureboot_mode_disabled: |
| + pr_info("Secure boot disabled\n"); |
| + break; |
| + case efi_secureboot_mode_enabled: |
| + set_bit(EFI_SECURE_BOOT, &efi.flags); |
| + pr_info("Secure boot enabled\n"); |
| + break; |
| + default: |
| + pr_warn("Secure boot could not be determined (mode %u)\n", |
| + mode); |
| + break; |
| + } |
| + } |
| +} |
| diff --git a/include/linux/efi.h b/include/linux/efi.h |
| index 92aa4697f558..1cdc5d8b6ac3 100644 |
| |
| |
| @@ -785,6 +785,14 @@ extern int __init efi_setup_pcdp_console(char *); |
| #define EFI_MEM_ATTR 10 /* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */ |
| #define EFI_MEM_NO_SOFT_RESERVE 11 /* Is the kernel configured to ignore soft reservations? */ |
| #define EFI_PRESERVE_BS_REGIONS 12 /* Are EFI boot-services memory segments available? */ |
| +#define EFI_SECURE_BOOT 13 /* Are we in Secure Boot mode? */ |
| + |
| +enum efi_secureboot_mode { |
| + efi_secureboot_mode_unset, |
| + efi_secureboot_mode_unknown, |
| + efi_secureboot_mode_disabled, |
| + efi_secureboot_mode_enabled, |
| +}; |
| |
| #ifdef CONFIG_EFI |
| /* |
| @@ -796,6 +804,8 @@ static inline bool efi_enabled(int feature) |
| } |
| extern void efi_reboot(enum reboot_mode reboot_mode, const char *__unused); |
| |
| +extern void __init efi_set_secure_boot(enum efi_secureboot_mode mode); |
| + |
| bool __pure __efi_soft_reserve_enabled(void); |
| |
| static inline bool __pure efi_soft_reserve_enabled(void) |
| @@ -822,6 +832,8 @@ efi_capsule_pending(int *reset_type) |
| return false; |
| } |
| |
| +static inline void efi_set_secure_boot(enum efi_secureboot_mode mode) {} |
| + |
| static inline bool efi_soft_reserve_enabled(void) |
| { |
| return false; |
| @@ -1094,12 +1106,6 @@ static inline bool efi_runtime_disabled(void) { return true; } |
| extern void efi_call_virt_check_flags(unsigned long flags, const char *call); |
| extern unsigned long efi_call_virt_save_flags(void); |
| |
| -enum efi_secureboot_mode { |
| - efi_secureboot_mode_unset, |
| - efi_secureboot_mode_unknown, |
| - efi_secureboot_mode_disabled, |
| - efi_secureboot_mode_enabled, |
| -}; |
| enum efi_secureboot_mode efi_get_secureboot(void); |
| |
| #ifdef CONFIG_RESET_ATTACK_MITIGATION |
| -- |
| 2.28.0 |
| |