From d95b24bd02cf41cca9adebd95f10609d6424d2b3 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Tue, 19 Nov 2013 10:09:13 -0500
Subject: [PATCH 10/19] Clarify meaning of insecure_mode
insecure_mode was intended to indicate that the user had explicitly disabled
checks with mokutil, which means it wasn't the opposite of secure_mode().
Change the names to clarify this and don't show the insecure mode message
unless the user has explicitly enabled that mode.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
replacements.c | 6 ------
shim.c | 12 ++++++------
2 files changed, 6 insertions(+), 12 deletions(-)
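diff --git a/replacements.c b/replacements.c
index bac5e5d..5ea5c32 100644
--- a/replacements.c
+++ b/replacements.c
@@ -64,13 +64,9 @@ static typeof(systab->BootServices->StartImage) system_start_image;
 static typeof(systab->BootServices->Exit) system_exit;
 static typeof(systab->BootServices->ExitBootServices) system_exit_boot_services;
 
-extern UINT8 insecure_mode;
-
 void
 unhook_system_services(void)
 {
- if (insecure_mode)
- return;
 systab->BootServices->Exit = system_exit;
 systab->BootServices->StartImage = system_start_image;
 systab->BootServices->ExitBootServices = system_exit_boot_services;
@@ -123,8 +119,6 @@ exit(EFI_HANDLE ImageHandle, EFI_STATUS ExitStatus,
 void
 hook_system_services(EFI_SYSTEM_TABLE *local_systab)
 {
- if (insecure_mode)
- return;
 systab = local_systab;
 
 /* We need to hook various calls to make this work... */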
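Review bot: With the `insecure_mode` early return removed, unhook_system_services() now writes `system_exit`, `system_start_image` and `system_exit_boot_services` back through `systab` unconditionally. As far as these hunks show, `systab` and those saved pointers are only filled in by hook_system_services(), which the shim.c part of this patch appears to call only when secure_mode() is true. The callers of the unhook path are not visible here, so this is inferred: if one can run when the hooks were never installed, it would dereference an unset `systab` or replace the firmware's boot-service pointers with zeroed statics. A guard that does not depend on the mode flag keeps the function safe on its own, e.g. `if (!systab) return;` as the first statement of unhook_system_services(). Both function bodies continue outside the hunks.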
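diff --git a/shim.c b/shim.c
index 9ae1936..524f5fc 100644
--- a/shim.c
+++ b/shim.c
@@ -85,7 +85,7 @@ int loader_is_participating;
 
 #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
 
-UINT8 insecure_mode;
+UINT8 user_insecure_mode;
 UINT8 ignore_db;
 
 typedef enum {
@@ -456,7 +456,7 @@ static BOOLEAN secure_mode (void)
 UINT8 *Data;
 UINT8 sb, setupmode;
 
- if (insecure_mode)
+ if (user_insecure_mode)
 return FALSE;
 
 status = get_variable(L"SecureBoot", &Data, &len, global_var);
@@ -1534,7 +1534,7 @@ static EFI_STATUS check_mok_sb (void)
 UINTN MokSBStateSize = 0;
 UINT32 attributes;
 
- insecure_mode = 0;
+ user_insecure_mode = 0;
 ignore_db = 0;
 
 status = get_variable_attr(L"MokSBState", &MokSBState, &MokSBStateSize,
@@ -1555,7 +1555,7 @@ static EFI_STATUS check_mok_sb (void)
 status = EFI_ACCESS_DENIED;
 } else {
 if (*(UINT8 *)MokSBState == 1) {
- insecure_mode = 1;
+ user_insecure_mode = 1;
 }
 }
 
@@ -1753,10 +1753,10 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
 /*
 * Tell the user that we're in insecure mode if necessary
 */
- if (!secure_mode()) {
+ if (user_insecure_mode) {
 Print(L"Booting in insecure mode\n");
 uefi_call_wrapper(BS->Stall, 1, 2000000);
- } else {
+ } else if (secure_mode()) {
 /*
 * Install our hooks for ExitBootServices() and StartImage()
 */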
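Review bot: The comment above the branch in efi_main still reads "Tell the user that we're in insecure mode if necessary", but the message is now printed only when `user_insecure_mode` was set from MokSBState. When secure_mode() is false for any other reason, neither branch runs, so there is no message and no hooks are installed. That third, silent state should be written down, e.g. `/* Warn only if validation was disabled through MokSBState; if secure_mode() is false for any other reason, boot silently and install no hooks */`. The declaration `UINT8 user_insecure_mode;` would also benefit from `/* set by check_mok_sb() when MokSBState == 1; not the inverse of secure_mode() */`. efi_main's body continues outside the hunk.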
--
1.8.5.3