diff options
| author | Jeremy Cline <jeremy@jcline.org> | 2018-04-04 09:42:24 -0400 |
|---|---|---|
| committer | Jeremy Cline <jeremy@jcline.org> | 2018-04-06 13:39:04 -0400 |
| commit | 99d5108d7e29aa819daba0545d545c423bcef4cc (patch) | |
| tree | b01ad1792e6a6d54df723fbb5c6fc1aa816adf4d /efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch | |
| parent | e36a35763c91a2871199534b6e9686842eabfe2a (diff) | |
| download | kernel-99d5108d7e29aa819daba0545d545c423bcef4cc.tar.gz kernel-99d5108d7e29aa819daba0545d545c423bcef4cc.tar.xz kernel-99d5108d7e29aa819daba0545d545c423bcef4cc.zip | |
Linux v4.16
Diffstat (limited to 'efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch')
| -rw-r--r-- | efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch b/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch new file mode 100644 index 000000000..761a66ff7 --- /dev/null +++ b/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch @@ -0,0 +1,58 @@ +From d687d79620ea20511b2dbf77e74fdcf4d94981f9 Mon Sep 17 00:00:00 2001 +From: Josh Boyer <jwboyer@fedoraproject.org> +Date: Tue, 5 Feb 2013 19:25:05 -0500 +Subject: [PATCH 12/20] efi: Disable secure boot if shim is in insecure mode + +A user can manually tell the shim boot loader to disable validation of +images it loads. When a user does this, it creates a UEFI variable called +MokSBState that does not have the runtime attribute set. Given that the +user explicitly disabled validation, we can honor that and not enable +secure boot mode if that variable is set. + +Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> +--- + arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c +index ebc85c1eefd6..50e027f388d8 100644 +--- a/arch/x86/boot/compressed/eboot.c ++++ b/arch/x86/boot/compressed/eboot.c +@@ -540,8 +540,9 @@ static void setup_efi_pci(struct boot_params *params) + + static int get_secure_boot(void) + { +- u8 sb, setup; ++ u8 sb, setup, moksbstate; + unsigned long datasize = sizeof(sb); ++ u32 attr; + efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; + efi_status_t status; + +@@ -565,6 +566,23 @@ static int get_secure_boot(void) + if (setup == 1) + return 0; + ++ /* See if a user has put shim into insecure_mode. If so, and the variable ++ * doesn't have the runtime attribute set, we might as well honor that. ++ */ ++ var_guid = EFI_SHIM_LOCK_GUID; ++ status = efi_early->call((unsigned long)sys_table->runtime->get_variable, ++ L"MokSBState", &var_guid, &attr, &datasize, ++ &moksbstate); ++ ++ /* If it fails, we don't care why. Default to secure */ ++ if (status != EFI_SUCCESS) ++ return 1; ++ ++ if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) { ++ if (moksbstate == 1) ++ return 0; ++ } ++ + return 1; + } + +-- +2.9.3 + |