xref: /linux/security/integrity/efi_secureboot.c (revision 9cdca336677b4d15579ec462e33c8a330ab3a9de)
1 // SPDX-License-Identifier: GPL-1.0+
2 /*
3  * Copyright (C) 2018 IBM Corporation
4  */
5 #include <linux/efi.h>
6 #include <linux/secure_boot.h>
7 #include <asm/efi.h>
8 
/*
 * Fallback for when nothing included above has already defined
 * arch_efi_boot_mode. The "unset" value makes arch_get_secureboot() below
 * query the firmware through get_sb_mode() instead of trusting a
 * pre-supplied mode.
 */
#if !defined(arch_efi_boot_mode)
#define arch_efi_boot_mode efi_secureboot_mode_unset
#endif
12 
/*
 * Read the secure boot mode through the EFI runtime services and log it.
 *
 * Returns efi_secureboot_mode_unknown, without querying the firmware, when
 * the GetVariable runtime service is not supported. Otherwise returns the
 * value reported by efi_get_secureboot_mode() unchanged.
 */
static enum efi_secureboot_mode get_sb_mode(void)
{
	enum efi_secureboot_mode sb;

	/*
	 * efi_get_secureboot_mode() is handed efi.get_variable below, so give
	 * up early if that runtime service is not available.
	 */
	if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) {
		pr_info("integrity: secureboot mode unknown, no efi\n");
		return efi_secureboot_mode_unknown;
	}

	sb = efi_get_secureboot_mode(efi.get_variable);

	switch (sb) {
	case efi_secureboot_mode_disabled:
		pr_info("integrity: secureboot mode disabled\n");
		break;
	case efi_secureboot_mode_unknown:
		pr_info("integrity: secureboot mode unknown\n");
		break;
	default:
		/*
		 * Every value other than disabled/unknown is logged as
		 * "enabled". Only the log line is affected: the raw mode is
		 * returned and the caller compares it against
		 * efi_secureboot_mode_enabled itself.
		 * NOTE(review): confirm the helper can never return a fourth
		 * value such as efi_secureboot_mode_unset, or this message
		 * would overstate the state.
		 */
		pr_info("integrity: secureboot mode enabled\n");
		break;
	}

	return sb;
}
31 
/*
 * Report whether EFI secure boot is enabled.
 *
 * The mode is resolved once, on the first call made while
 * efi_enabled(EFI_BOOT) is true, and cached in function-local statics.
 * Later calls return the cached answer, so an "unknown" result obtained on
 * that first call is never retried. Only efi_secureboot_mode_enabled yields
 * true; unknown and disabled both yield false.
 *
 * When EFI_BOOT is not set the cached mode is never assigned.
 * NOTE(review): the false result in that case relies on the zero value of
 * enum efi_secureboot_mode not being efi_secureboot_mode_enabled - confirm
 * against the enum definition.
 * NOTE(review): no locking around the statics is visible in this file;
 * confirm callers are serialised.
 *
 * Do not call this function too early (e.g. from a __setup hook), otherwise
 * the kernel may hang when calling efi_get_secureboot_mode().
 */
bool arch_get_secureboot(void)
{
	static enum efi_secureboot_mode cached_mode;
	static bool cached;

	if (!cached && efi_enabled(EFI_BOOT)) {
		/* Prefer a mode supplied by the architecture, if any. */
		cached_mode = arch_efi_boot_mode;

		/* "unset" means nothing was supplied: ask the firmware. */
		if (cached_mode == efi_secureboot_mode_unset)
			cached_mode = get_sb_mode();

		cached = true;
	}

	return cached_mode == efi_secureboot_mode_enabled;
}
57