From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 27 Feb 2018 10:04:55 +0000
Subject: [PATCH] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode
UEFI machines can be booted in Secure Boot mode.  Add an EFI_SECURE_BOOT
flag that can be passed to efi_enabled() to find out whether secure boot is
enabled.
Move the switch-statement in x86's setup_arch() that interprets the
secure_boot boot parameter to generic code and set the bit there.
Upstream Status: RHEL only
Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
cc: linux-efi@vger.kernel.org
[Rebased for context; efi_is_table_address was moved to arch/x86]
Signed-off-by: Jeremy Cline <jcline@redhat.com>
---
 arch/x86/kernel/setup.c           | 14 +-----------
 drivers/firmware/efi/Makefile     |  1 +
 drivers/firmware/efi/secureboot.c | 38 +++++++++++++++++++++++++++++++
 include/linux/efi.h               | 18 ++++++++++-----
 4 files changed, 52 insertions(+), 19 deletions(-)
 create mode 100644 drivers/firmware/efi/secureboot.c
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index 112efbef3414..c9de4b36ca51 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1255,19 +1255,7 @@ void __init setup_arch(char **cmdline_p)
 	/* Allocate bigger log buffer */
 	setup_log_buf(1);
-	if (efi_enabled(EFI_BOOT)) {
-		switch (boot_params.secure_boot) {
-		case efi_secureboot_mode_disabled:
-			pr_info("Secure boot disabled\n");
-			break;
-		case efi_secureboot_mode_enabled:
-			pr_info("Secure boot enabled\n");
-			break;
-		default:
-			pr_info("Secure boot could not be determined\n");
-			break;
-		}
-	}
+	efi_set_secure_boot(boot_params.secure_boot);
 	reserve_initrd();
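Review bot: This call in setup_arch() is the only place the patch sets EFI_SECURE_BOOT, while the Makefile hunk builds secureboot.o for every CONFIG_EFI architecture, so on any other EFI-booted architecture efi_enabled(EFI_SECURE_BOOT) will read false regardless of what the firmware reported. If that is intended for now, the commit message or the new file's header should say the flag is wired up for x86 only until other architectures call efi_set_secure_boot(), otherwise a consumer gating policy on the flag would presumably fail open there without any diagnostic. The call is now made unconditionally rather than under the removed efi_enabled(EFI_BOOT) test, but the callee re-checks that bit, so the observable behaviour on x86 is unchanged. setup_arch() continues outside this hunk.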
diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile
index 7a216984552b..f0ef02d733af 100644
--- a/drivers/firmware/efi/Makefile
+++ b/drivers/firmware/efi/Makefile
@@ -25,6 +25,7 @@ obj-$(CONFIG_EFI_FAKE_MEMMAP)		+= fake_map.o
 obj-$(CONFIG_EFI_BOOTLOADER_CONTROL)	+= efibc.o
 obj-$(CONFIG_EFI_TEST)			+= test/
 obj-$(CONFIG_EFI_DEV_PATH_PARSER)	+= dev-path-parser.o
+obj-$(CONFIG_EFI)			+= secureboot.o
 obj-$(CONFIG_APPLE_PROPERTIES)		+= apple-properties.o
 obj-$(CONFIG_EFI_RCI2_TABLE)		+= rci2-table.o
 obj-$(CONFIG_EFI_EMBEDDED_FIRMWARE)	+= embedded-firmware.o
diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c
new file mode 100644
index 000000000000..de0a3714a5d4
--- /dev/null
+++ b/drivers/firmware/efi/secureboot.c
@@ -0,0 +1,38 @@
+/* Core kernel secure boot support.
+ *
+ * Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <linux/efi.h>
+#include <linux/kernel.h>
+#include <linux/printk.h>
+
+/*
+ * Decide what to do when UEFI secure boot mode is enabled.
+ */
+void __init efi_set_secure_boot(enum efi_secureboot_mode mode)
+{
+	if (efi_enabled(EFI_BOOT)) {
+		switch (mode) {
+		case efi_secureboot_mode_disabled:
+			pr_info("Secure boot disabled\n");
+			break;
+		case efi_secureboot_mode_enabled:
+			set_bit(EFI_SECURE_BOOT, &efi.flags);
+			pr_info("Secure boot enabled\n");
+			break;
+		default:
+			pr_warn("Secure boot could not be determined (mode %u)\n",
+				   mode);
+			break;
+		}
+	}
+}
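Review bot: The default branch leaves EFI_SECURE_BOOT clear for both efi_secureboot_mode_unset and efi_secureboot_mode_unknown, so a missing or failed determination is indistinguishable from "disabled" to every efi_enabled(EFI_SECURE_BOOT) caller — a fail-open choice that the header comment "Decide what to do when UEFI secure boot mode is enabled." does not state. I would replace that header with a comment that spells out the contract: `mode` is the value reported by the boot stub or boot loader (boot_params.secure_boot on x86), the bit is set only on an affirmative efi_secureboot_mode_enabled, and unset/unknown are logged with pr_warn and treated as not secure-booted, so a caller that wants a fail-closed policy must not rely on this flag alone. It would also help to note there that the function is __init and must run before anything that queries the flag, and that in this patch only x86's setup_arch() calls it.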
diff --git a/include/linux/efi.h b/include/linux/efi.h
index 92aa4697f558..1cdc5d8b6ac3 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -785,6 +785,14 @@ extern int __init efi_setup_pcdp_console(char *);
 #define EFI_MEM_ATTR		10	/* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */
 #define EFI_MEM_NO_SOFT_RESERVE	11	/* Is the kernel configured to ignore soft reservations? */
 #define EFI_PRESERVE_BS_REGIONS	12	/* Are EFI boot-services memory segments available? */
+#define EFI_SECURE_BOOT		13	/* Are we in Secure Boot mode? */
+
+enum efi_secureboot_mode {
+	efi_secureboot_mode_unset,
+	efi_secureboot_mode_unknown,
+	efi_secureboot_mode_disabled,
+	efi_secureboot_mode_enabled,
+};
 #ifdef CONFIG_EFI
 /*
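Review bot: The comment on the new flag, `/* Are we in Secure Boot mode? */`, reads as a definitive yes/no, but the setter in secureboot.c only sets the bit on an affirmative efi_secureboot_mode_enabled and leaves it clear when the mode is unset or unknown, so a clear bit does not mean Secure Boot is off. I would make the definition say so: `#define EFI_SECURE_BOOT		13	/* Firmware reported Secure Boot enabled (clear = disabled or undetermined) */`.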
@@ -796,6 +804,8 @@ static inline bool efi_enabled(int feature)
 }
 extern void efi_reboot(enum reboot_mode reboot_mode, const char *__unused);
+extern void __init efi_set_secure_boot(enum efi_secureboot_mode mode);
+
 bool __pure __efi_soft_reserve_enabled(void);
 static inline bool __pure efi_soft_reserve_enabled(void)
@@ -822,6 +832,8 @@ efi_capsule_pending(int *reset_type)
 	return false;
 }
+static inline void efi_set_secure_boot(enum efi_secureboot_mode mode) {}
+
 static inline bool efi_soft_reserve_enabled(void)
 {
 	return false;
@@ -1094,12 +1106,6 @@ static inline bool efi_runtime_disabled(void) { return true; }
 extern void efi_call_virt_check_flags(unsigned long flags, const char *call);
 extern unsigned long efi_call_virt_save_flags(void);
-enum efi_secureboot_mode {
-	efi_secureboot_mode_unset,
-	efi_secureboot_mode_unknown,
-	efi_secureboot_mode_disabled,
-	efi_secureboot_mode_enabled,
-};
 enum efi_secureboot_mode efi_get_secureboot(void);
 #ifdef CONFIG_RESET_ATTACK_MITIGATION
-- 
2.28.0