Diffstat (limited to 'efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch')
-rw-r--r--efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch58
1 files changed, 0 insertions, 58 deletions
diff --git a/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch b/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
deleted file mode 100644
index 761a66ff7..000000000
--- a/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From d687d79620ea20511b2dbf77e74fdcf4d94981f9 Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@fedoraproject.org>
-Date: Tue, 5 Feb 2013 19:25:05 -0500
-Subject: [PATCH 12/20] efi: Disable secure boot if shim is in insecure mode
-
-A user can manually tell the shim boot loader to disable validation of
-images it loads. When a user does this, it creates a UEFI variable called
-MokSBState that does not have the runtime attribute set. Given that the
-user explicitly disabled validation, we can honor that and not enable
-secure boot mode if that variable is set.
-
-Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
----
- arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++-
- 1 file changed, 19 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index ebc85c1eefd6..50e027f388d8 100644
---- a/arch/x86/boot/compressed/eboot.c
-+++ b/arch/x86/boot/compressed/eboot.c
-@@ -540,8 +540,9 @@ static void setup_efi_pci(struct boot_params *params)
-
- static int get_secure_boot(void)
- {
-- u8 sb, setup;
-+ u8 sb, setup, moksbstate;
- unsigned long datasize = sizeof(sb);
-+ u32 attr;
- efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
- efi_status_t status;
-
-@@ -565,6 +566,23 @@ static int get_secure_boot(void)
- if (setup == 1)
- return 0;
-
-+ /* See if a user has put shim into insecure_mode. If so, and the variable
-+ * doesn't have the runtime attribute set, we might as well honor that.
-+ */
-+ var_guid = EFI_SHIM_LOCK_GUID;
-+ status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
-+ L"MokSBState", &var_guid, &attr, &datasize,
-+ &moksbstate);
-+
-+ /* If it fails, we don't care why. Default to secure */
-+ if (status != EFI_SUCCESS)
-+ return 1;
-+
-+ if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
-+ if (moksbstate == 1)
-+ return 0;
-+ }
-+
- return 1;
- }
-
---
-2.9.3
-