1 /* SPDX-License-Identifier: GPL-2.0+ */
3 * Copyright (C) 2018 IBM Corporation
8 extern struct boot_params boot_params
;
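/*
 * get_sb_mode - probe UEFI Secure Boot state via the SecureBoot variable.
 *
 * Fallback used when boot_params.secure_boot was left unset. Reads the
 * one-byte "SecureBoot" variable under EFI_GLOBAL_VARIABLE_GUID through
 * the EFI runtime services and maps the result onto enum
 * efi_secureboot_mode:
 *
 *   EFI_NOT_FOUND          -> efi_secureboot_mode_disabled
 *   any other EFI error    -> efi_secureboot_mode_unknown
 *   read OK, value == 0    -> efi_secureboot_mode_disabled
 *   read OK, value != 0    -> efi_secureboot_mode_enabled
 *
 * "unknown" is kept distinct from "disabled" so the caller can tell a
 * firmware read failure from a genuine "off". Note that the caller only
 * treats "enabled" as secure boot, so a read failure means the arch
 * secure-boot IMA rules are NOT applied; this is a best-effort fallback,
 * not the primary source of truth.
 *
 * Return: the detected efi_secureboot_mode.
 */
static enum efi_secureboot_mode get_sb_mode(void)
{
	efi_char16_t efi_SecureBoot_name[] = L"SecureBoot";
	efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
	/*
	 * NOTE(review): these three declarations were not visible in the
	 * extract; the types follow the efi.get_variable() prototype
	 * (status out, size in/out, 1-byte data buffer) - confirm against
	 * the tree.
	 */
	efi_status_t status;
	unsigned long size;
	u8 secboot;

	size = sizeof(secboot);

	/* Get variable contents into buffer; 'size' is updated by firmware. */
	status = efi.get_variable(efi_SecureBoot_name, &efi_variable_guid,
				  NULL, &size, &secboot);
	if (status == EFI_NOT_FOUND) {
		/* No variable at all: firmware has no Secure Boot concept. */
		pr_info("ima: secureboot mode disabled\n");
		return efi_secureboot_mode_disabled;
	}

	if (status != EFI_SUCCESS) {
		/* Variable exists (or state unclear) but could not be read. */
		pr_info("ima: secureboot mode unknown\n");
		return efi_secureboot_mode_unknown;
	}

	/*
	 * Only the value of the byte matters; the returned 'size' is not
	 * checked against sizeof(secboot) here, matching the original code.
	 */
	if (secboot == 0) {
		pr_info("ima: secureboot mode disabled\n");
		return efi_secureboot_mode_disabled;
	}

	pr_info("ima: secureboot mode enabled\n");
	return efi_secureboot_mode_enabled;
}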
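/*
 * arch_ima_get_secureboot - report whether the platform booted with UEFI
 * Secure Boot enabled.
 *
 * The result is computed once and cached in function-local statics. The
 * primary source is boot_params.secure_boot (populated earlier in boot;
 * presumably by the EFI stub - confirm against the x86 boot protocol).
 * Only when that field is efi_secureboot_mode_unset do we fall back to
 * querying the firmware variable via get_sb_mode().
 *
 * If the kernel was not booted via EFI (efi_enabled(EFI_BOOT) is false)
 * the cache is never populated and the zero-initialised static is
 * compared against "enabled", yielding false.
 *
 * No locking protects the cache: concurrent first callers would simply
 * recompute the same value. NOTE(review): assumes callers are on
 * single-threaded init paths - confirm.
 *
 * Return: true only for efi_secureboot_mode_enabled. Both "disabled" and
 * "unknown" return false, so a failed firmware probe does not turn on the
 * secure-boot IMA arch rules.
 */
bool arch_ima_get_secureboot(void)
{
	static enum efi_secureboot_mode sb_mode;
	static bool initialized;

	if (!initialized && efi_enabled(EFI_BOOT)) {
		sb_mode = boot_params.secure_boot;

		if (sb_mode == efi_secureboot_mode_unset)
			sb_mode = get_sb_mode();
		/*
		 * NOTE(review): this assignment was not visible in the
		 * extract; without it the 'initialized' guard is dead and the
		 * firmware would be re-queried on every call.
		 */
		initialized = true;
	}

	return sb_mode == efi_secureboot_mode_enabled;
}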
61 /* secureboot arch rules */
62 static const char * const sb_arch_rules
[] = {
63 #if !IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG)
64 "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig",
65 #endif /* CONFIG_KEXEC_VERIFY_SIG */
66 "measure func=KEXEC_KERNEL_CHECK",
70 const char * const *arch_get_ima_policy(void)
72 if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY
) && arch_ima_get_secureboot())