[PATCH v2 2/6] efi_loader: correct determination of secure boot state

Thu, 26 Aug 2021 06:49:11 -0700 

When U-Boot is started we have to use the existing variables to determine
in which secure boot state we are.

* If a platform key PK is present and DeployedMode=1, we are in deployed
  mode.
* If no platform key PK is present and AuditMode=1, we are in audit mode.
* Otherwise if a platform key is present, we are in user mode.
* Otherwise if no platform key is present, we are in setup mode.

Signed-off-by: Heinrich Schuchardt <heinrich.schucha...@canonical.com>
---
v2:
        no change
---
 lib/efi_loader/efi_var_common.c | 39 ++++++++++++++++++++++++++-------
 1 file changed, 31 insertions(+), 8 deletions(-)

diff --git a/lib/efi_loader/efi_var_common.c b/lib/efi_loader/efi_var_common.c
index 654ce81f9d..cf7afecd60 100644
--- a/lib/efi_loader/efi_var_common.c
+++ b/lib/efi_loader/efi_var_common.c
@@ -315,20 +315,43 @@ err:
 efi_status_t efi_init_secure_state(void)
 {
        static bool lock;
-       enum efi_secure_mode mode = EFI_MODE_SETUP;
+       enum efi_secure_mode mode;
        u8 efi_vendor_keys = 0;
-       efi_uintn_t size = 0;
+       efi_uintn_t size;
        efi_status_t ret;
 
        if (lock)
                return EFI_SUCCESS;
-
-       ret = efi_get_variable_int(L"PK", &efi_global_variable_guid,
-                                  NULL, &size, NULL, NULL);
-       if (ret == EFI_BUFFER_TOO_SMALL) {
-               if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT))
-                       mode = EFI_MODE_USER;
+       u8 deployed_mode = 0;
+       u8 audit_mode = 0;
+       u8 setup_mode = 1;
+
+       if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT)) {
+               size = sizeof(deployed_mode);
+               ret = efi_get_variable_int(u"DeployedMode", 
&efi_global_variable_guid,
+                                          NULL, &size, &deployed_mode, NULL);
+               size = sizeof(audit_mode);
+               ret = efi_get_variable_int(u"AuditMode", 
&efi_global_variable_guid,
+                                          NULL, &size, &audit_mode, NULL);
+               size = 0;
+               ret = efi_get_variable_int(u"PK", &efi_global_variable_guid,
+                                          NULL, &size, NULL, NULL);
+               if (ret == EFI_BUFFER_TOO_SMALL) {
+                       setup_mode = 0;
+                       audit_mode = 0;
+               } else {
+                       setup_mode = 1;
+                       deployed_mode = 0;
+               }
        }
+       if (deployed_mode)
+               mode = EFI_MODE_DEPLOYED;
+       else if (audit_mode)
+               mode = EFI_MODE_AUDIT;
+       else if (setup_mode)
+               mode = EFI_MODE_SETUP;
+       else
+               mode = EFI_MODE_USER;
 
        lock = true;
        ret = efi_transfer_secure_state(mode);
-- 
2.30.2

Reply via email to