// SPDX-License-Identifier: GPL-2.0
/*
 * Secure boot handling.
 *
 * Copyright (C) 2013,2014 Linaro Limited
 *     Roy Franz <roy.franz@linaro.org>
 * Copyright (C) 2013 Red Hat, Inc.
 *     Mark Salter <msalter@redhat.com>
 */
#include <linux/efi.h>
#include <asm/efi.h>

#include "efistub.h"

/* SHIM variables */
static const efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID;
static const efi_char16_t shim_MokSBState_name[] = L"MokSBState";

/*
 * Adapter with the callback signature efi_get_secureboot_mode() expects.
 * It does nothing beyond forwarding to the stub's get_efi_var(); the
 * return value is the EFI status of that variable read.
 */
static efi_status_t get_var(efi_char16_t *name, efi_guid_t *vendor, u32 *attr,
			    unsigned long *data_size, void *data)
{
	efi_status_t status;

	status = get_efi_var(name, vendor, attr, data_size, data);
	return status;
}

/*
 * Determine whether we're in secure boot mode.
 *
 * The firmware's answer (via efi_get_secureboot_mode()) is taken as-is
 * unless it reports "enabled", in which case shim's MokSBState variable is
 * consulted to see whether the user deliberately put shim into insecure
 * mode. That override is only honoured when the variable lacks
 * EFI_VARIABLE_RUNTIME_ACCESS: per the UEFI spec a boot-services-only
 * variable cannot be created or modified from the OS after
 * ExitBootServices(), so such a variable must have been written by pre-OS
 * code (i.e. shim itself), whereas a runtime-accessible MokSBState could
 * have been planted by anything with SetVariable access and is not trusted.
 *
 * Please keep the logic in sync with
 * arch/x86/xen/efi.c:xen_efi_get_secureboot().
 *
 * Return: efi_secureboot_mode_unknown if the status could not be read (an
 * error is logged), efi_secureboot_mode_disabled if the firmware reports
 * enabled but a boot-services-only MokSBState == 1 says otherwise,
 * efi_secureboot_mode_enabled when secure boot is in force, or whatever
 * other mode efi_get_secureboot_mode() reported.
 */
enum efi_secureboot_mode efi_get_secureboot(void)
{
	enum efi_secureboot_mode mode = efi_get_secureboot_mode(get_var);
	u8 shim_state;
	unsigned long len = sizeof(shim_state);
	u32 attr;

	switch (mode) {
	case efi_secureboot_mode_unknown:
		efi_err("Could not determine UEFI Secure Boot status.\n");
		return efi_secureboot_mode_unknown;
	case efi_secureboot_mode_enabled:
		/* Firmware says enabled; let shim's MokSBState override below. */
		break;
	default:
		/* Unset or disabled: the firmware's answer is final. */
		return mode;
	}

	/*
	 * Honour shim's insecure mode only if the variable is boot-services
	 * only (no EFI_VARIABLE_RUNTIME_ACCESS) and set to 1. A read failure,
	 * whatever its cause, falls through to the secure default.
	 */
	if (get_efi_var(shim_MokSBState_name, &shim_guid, &attr, &len,
			&shim_state) == EFI_SUCCESS &&
	    !(attr & EFI_VARIABLE_RUNTIME_ACCESS) && shim_state == 1)
		return efi_secureboot_mode_disabled;

	efi_info("UEFI Secure Boot is enabled.\n");
	return efi_secureboot_mode_enabled;
}