drivers/firmware/efi/libstub/secureboot.c

   1 // SPDX-License-Identifier: GPL-2.0
   2 /*
   3  * Secure boot handling.
   4  *
   5  * Copyright (C) 2013,2014 Linaro Limited
   6  *     Roy Franz <roy.franz@linaro.org
   7  * Copyright (C) 2013 Red Hat, Inc.
   8  *     Mark Salter <msalter@redhat.com>
   9  */
  10 #include <linux/efi.h>
  11 #include <asm/efi.h>
  12
  13 #include "efistub.h"
  14
  15 /* BIOS variables */
  16 static const efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
  17 static const efi_char16_t efi_SecureBoot_name[] = L"SecureBoot";
  18 static const efi_char16_t efi_SetupMode_name[] = L"SetupMode";
  19
  20 /* SHIM variables */
  21 static const efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID;
  22 static const efi_char16_t shim_MokSBState_name[] = L"MokSBState";
  23
  24 #define get_efi_var(name, vendor, ...) \
  25         efi_call_runtime(get_variable, \
  26                          (efi_char16_t *)(name), (efi_guid_t *)(vendor), \
  27                          __VA_ARGS__);
  28
  29 /*
  30  * Determine whether we're in secure boot mode.
  31  *
  32  * Please keep the logic in sync with
  33  * arch/x86/xen/efi.c:xen_efi_get_secureboot().
  34  */
  35 enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table_arg)
  36 {
  37         u32 attr;
  38         u8 secboot, setupmode, moksbstate;
  39         unsigned long size;
  40         efi_status_t status;
  41
  42         size = sizeof(secboot);
  43         status = get_efi_var(efi_SecureBoot_name, &efi_variable_guid,
  44                              NULL, &size, &secboot);
  45         if (status == EFI_NOT_FOUND)
  46                 return efi_secureboot_mode_disabled;
  47         if (status != EFI_SUCCESS)
  48                 goto out_efi_err;
  49
  50         size = sizeof(setupmode);
  51         status = get_efi_var(efi_SetupMode_name, &efi_variable_guid,
  52                              NULL, &size, &setupmode);
  53         if (status != EFI_SUCCESS)
  54                 goto out_efi_err;
  55
  56         if (secboot == 0 || setupmode == 1)
  57                 return efi_secureboot_mode_disabled;
  58
  59         /*
  60          * See if a user has put the shim into insecure mode. If so, and if the
  61          * variable doesn't have the runtime attribute set, we might as well
  62          * honor that.
  63          */
  64         size = sizeof(moksbstate);
  65         status = get_efi_var(shim_MokSBState_name, &shim_guid,
  66                              &attr, &size, &moksbstate);
  67
  68         /* If it fails, we don't care why. Default to secure */
  69         if (status != EFI_SUCCESS)
  70                 goto secure_boot_enabled;
  71         if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS) && moksbstate == 1)
  72                 return efi_secureboot_mode_disabled;
  73
  74 secure_boot_enabled:
  75         pr_efi(sys_table_arg, "UEFI Secure Boot is enabled.\n");
  76         return efi_secureboot_mode_enabled;
  77
  78 out_efi_err:
  79         pr_efi_err(sys_table_arg, "Could not determine UEFI Secure Boot status.\n");
  80         return efi_secureboot_mode_unknown;
  81 }