author | Chester Lin <clin@suse.com> | 2020-10-30 14:08:38 +0800 |
---|---|---|
committer | Ard Biesheuvel <ardb@kernel.org> | 2020-11-04 23:05:40 +0100 |
commit | e1ac4b2406d94eddce8ac2c5ab4235f6075a9602 (patch) | |
tree | 668816181cf8a034e3af08297f94a0e1e33c1350 /include/linux/efi.h | |
parent | 6edcf9dc2e1aff3aa1f5a69ee420fb30dd0e968a (diff) |
efi: generalize efi_get_secureboot
Generalize the efi_get_secureboot() function so not only efistub but also
other subsystems can use it.
Note that the MokSbState handling is not factored out: the variable is
boot time only, and so it cannot be parameterized as easily. Also, the
IMA code will switch to this version in a future patch, and it does not
incorporate the MokSbState exception in the first place.
Note that the new efi_get_secureboot_mode() helper treats any failures
to read SetupMode as setup mode being disabled.
Co-developed-by: Chester Lin <clin@suse.com>
Signed-off-by: Chester Lin <clin@suse.com>
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Diffstat (limited to 'include/linux/efi.h')
-rw-r--r-- | include/linux/efi.h | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/include/linux/efi.h b/include/linux/efi.h
index d7c0e73af2b9..1cd5d91d8ca1 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -1089,7 +1089,28 @@ enum efi_secureboot_mode {
 efi_secureboot_mode_disabled,
 efi_secureboot_mode_enabled,
 };
-enum efi_secureboot_mode efi_get_secureboot(void);
+
+static inline
+enum efi_secureboot_mode efi_get_secureboot_mode(efi_get_variable_t *get_var)
+{
+ u8 secboot, setupmode = 0;
+ efi_status_t status;
+ unsigned long size;
+
+ size = sizeof(secboot);
+ status = get_var(L"SecureBoot", &EFI_GLOBAL_VARIABLE_GUID, NULL, &size,
+ &secboot);
+ if (status == EFI_NOT_FOUND)
+ return efi_secureboot_mode_disabled;
+ if (status != EFI_SUCCESS)
+ return efi_secureboot_mode_unknown;
+
+ size = sizeof(setupmode);
+ get_var(L"SetupMode", &EFI_GLOBAL_VARIABLE_GUID, NULL, &size, &setupmode);
+ if (secboot == 0 || setupmode == 1)
+ return efi_secureboot_mode_disabled;
+ return efi_secureboot_mode_enabled;
+}
 #ifdef CONFIG_RESET_ATTACK_MITIGATION
 void efi_enable_reset_attack_mitigation(void); |
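Review bot: The `get_var(L"SetupMode", ...)` call discards its status, so a failed read leaves `setupmode` at its initial 0 and the helper can still return `efi_secureboot_mode_enabled`; the commit message says this is intended, but nothing in the header records it. Because this inline is now shared and its result will feed policy decisions in other subsystems, a comment above that call such as `/* A failed SetupMode read is deliberately treated as SetupMode == 0 */` would stop a later reader from taking the unchecked call for an oversight. A short kernel-doc block on `efi_get_secureboot_mode()` should also state that it does not apply the MokSbState exception handled elsewhere, and that `get_var` is called unconditionally, so callers must pass a usable, non-NULL accessor. The whole function is inside this hunk.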