xref: /linux/security/integrity/efi_secureboot.c (revision 9cdca336677b4d15579ec462e33c8a330ab3a9de)
1*31a6a07eSCoiby Xu // SPDX-License-Identifier: GPL-1.0+
2*31a6a07eSCoiby Xu /*
3*31a6a07eSCoiby Xu  * Copyright (C) 2018 IBM Corporation
4*31a6a07eSCoiby Xu  */
5*31a6a07eSCoiby Xu #include <linux/efi.h>
6*31a6a07eSCoiby Xu #include <linux/secure_boot.h>
7*31a6a07eSCoiby Xu #include <asm/efi.h>
8*31a6a07eSCoiby Xu 
9*31a6a07eSCoiby Xu #ifndef arch_efi_boot_mode
10*31a6a07eSCoiby Xu #define arch_efi_boot_mode efi_secureboot_mode_unset
11*31a6a07eSCoiby Xu #endif
12*31a6a07eSCoiby Xu 
/*
 * Read the secure boot mode from firmware and log which mode was found.
 *
 * Returns efi_secureboot_mode_unknown, without querying firmware, when the
 * GetVariable runtime service is not supported. Otherwise returns the value
 * reported by efi_get_secureboot_mode() unchanged.
 */
static enum efi_secureboot_mode get_sb_mode(void)
{
	enum efi_secureboot_mode sb;

	if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) {
		pr_info("integrity: secureboot mode unknown, no efi\n");
		return efi_secureboot_mode_unknown;
	}

	sb = efi_get_secureboot_mode(efi.get_variable);

	switch (sb) {
	case efi_secureboot_mode_disabled:
		pr_info("integrity: secureboot mode disabled\n");
		break;
	case efi_secureboot_mode_unknown:
		pr_info("integrity: secureboot mode unknown\n");
		break;
	default:
		/*
		 * Every remaining value is logged as "enabled". The caller
		 * arch_get_secureboot() compares against
		 * efi_secureboot_mode_enabled explicitly, so this log line
		 * and the returned decision only agree for that exact value.
		 */
		pr_info("integrity: secureboot mode enabled\n");
		break;
	}

	return sb;
}
31*31a6a07eSCoiby Xu 
/*
 * Query secure boot status.
 *
 * Returns true only when the cached mode equals efi_secureboot_mode_enabled.
 * Every other state (unset, unknown, disabled, or a non-EFI boot) yields
 * false, so a caller that gates enforcement on this value gets "not enabled"
 * whenever the firmware state could not be determined.
 *
 * The mode is probed at most once, on the first call made while
 * efi_enabled(EFI_BOOT) is true, and is then served from function-local
 * statics.
 * NOTE(review): the statics are written without any locking visible here;
 * confirm that callers cannot race on the first call.
 *
 * Do not call this function too early, e.g. from a __setup hook; otherwise
 * the kernel may hang when calling efi_get_secureboot_mode.
 */
bool arch_get_secureboot(void)
{
	static enum efi_secureboot_mode cached_mode;
	static bool probed;

	if (!probed && efi_enabled(EFI_BOOT)) {
		/* Prefer the mode the architecture already recorded, if any. */
		cached_mode = arch_efi_boot_mode;

		/* Fall back to asking firmware when nothing was recorded. */
		if (cached_mode == efi_secureboot_mode_unset)
			cached_mode = get_sb_mode();

		probed = true;
	}

	return cached_mode == efi_secureboot_mode_enabled;
}