LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: linux-efi@vger.kernel.org, Ingo Molnar <mingo@kernel.org>,
	Thomas Gleixner <tglx@linutronix.de>
Cc: Daniel Kiper <daniel.kiper@oracle.com>,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>,
	linux-kernel@vger.kernel.org
Subject: [PATCH 01/17] x86/xen/efi: Initialize UEFI secure boot state during dom0 boot
Date: Fri,  4 May 2018 07:59:47 +0200	[thread overview]
Message-ID: <20180504060003.19618-2-ard.biesheuvel@linaro.org> (raw)
In-Reply-To: <20180504060003.19618-1-ard.biesheuvel@linaro.org>

From: Daniel Kiper <daniel.kiper@oracle.com>

Initialize UEFI secure boot state during dom0 boot. Otherwise the kernel
may not even know that it runs on secure boot enabled platform.

Note that part of drivers/firmware/efi/libstub/secureboot.c is duplicated
by this patch, only in this case, it runs in the context of the kernel
proper rather than UEFI boot context. The reason for the duplication is
that maintaining the original code to run correctly on ARM/arm64 as well
as on all the quirky x86 firmware we support is enough of a burden as it
is, and adding the x86/Xen execution context to that mix just so we can
reuse a single routine just isn't worth it.

Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
[ardb: explain rationale for code duplication]
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 arch/x86/xen/efi.c                        | 57 +++++++++++++++++++++++
 drivers/firmware/efi/libstub/secureboot.c |  3 ++
 2 files changed, 60 insertions(+)

diff --git a/arch/x86/xen/efi.c b/arch/x86/xen/efi.c
index a18703be9ead..1804b27f9632 100644
--- a/arch/x86/xen/efi.c
+++ b/arch/x86/xen/efi.c
@@ -115,6 +115,61 @@ static efi_system_table_t __init *xen_efi_probe(void)
 	return &efi_systab_xen;
 }
 
+/*
+ * Determine whether we're in secure boot mode.
+ *
+ * Please keep the logic in sync with
+ * drivers/firmware/efi/libstub/secureboot.c:efi_get_secureboot().
+ */
+static enum efi_secureboot_mode xen_efi_get_secureboot(void)
+{
+	static efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
+	static efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID;
+	efi_status_t status;
+	u8 moksbstate, secboot, setupmode;
+	unsigned long size;
+
+	size = sizeof(secboot);
+	status = efi.get_variable(L"SecureBoot", &efi_variable_guid,
+				  NULL, &size, &secboot);
+
+	if (status == EFI_NOT_FOUND)
+		return efi_secureboot_mode_disabled;
+
+	if (status != EFI_SUCCESS)
+		goto out_efi_err;
+
+	size = sizeof(setupmode);
+	status = efi.get_variable(L"SetupMode", &efi_variable_guid,
+				  NULL, &size, &setupmode);
+
+	if (status != EFI_SUCCESS)
+		goto out_efi_err;
+
+	if (secboot == 0 || setupmode == 1)
+		return efi_secureboot_mode_disabled;
+
+	/* See if a user has put the shim into insecure mode. */
+	size = sizeof(moksbstate);
+	status = efi.get_variable(L"MokSBStateRT", &shim_guid,
+				  NULL, &size, &moksbstate);
+
+	/* If it fails, we don't care why. Default to secure. */
+	if (status != EFI_SUCCESS)
+		goto secure_boot_enabled;
+
+	if (moksbstate == 1)
+		return efi_secureboot_mode_disabled;
+
+ secure_boot_enabled:
+	pr_info("UEFI Secure Boot is enabled.\n");
+	return efi_secureboot_mode_enabled;
+
+ out_efi_err:
+	pr_err("Could not determine UEFI Secure Boot status.\n");
+	return efi_secureboot_mode_unknown;
+}
+
 void __init xen_efi_init(void)
 {
 	efi_system_table_t *efi_systab_xen;
@@ -129,6 +184,8 @@ void __init xen_efi_init(void)
 	boot_params.efi_info.efi_systab = (__u32)__pa(efi_systab_xen);
 	boot_params.efi_info.efi_systab_hi = (__u32)(__pa(efi_systab_xen) >> 32);
 
+	boot_params.secure_boot = xen_efi_get_secureboot();
+
 	set_bit(EFI_BOOT, &efi.flags);
 	set_bit(EFI_PARAVIRT, &efi.flags);
 	set_bit(EFI_64BIT, &efi.flags);
diff --git a/drivers/firmware/efi/libstub/secureboot.c b/drivers/firmware/efi/libstub/secureboot.c
index 8f07eb414c00..72d9dfbebf08 100644
--- a/drivers/firmware/efi/libstub/secureboot.c
+++ b/drivers/firmware/efi/libstub/secureboot.c
@@ -30,6 +30,9 @@ static const efi_char16_t shim_MokSBState_name[] = L"MokSBState";
 
 /*
  * Determine whether we're in secure boot mode.
+ *
+ * Please keep the logic in sync with
+ * arch/x86/xen/efi.c:xen_efi_get_secureboot().
  */
 enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table_arg)
 {
-- 
2.17.0

  reply	other threads:[~2018-05-04  6:05 UTC|newest]

Thread overview: 47+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-05-04  5:59 [GIT PULL 00/17] EFI updates for v4.18 Ard Biesheuvel
2018-05-04  5:59 ` Ard Biesheuvel [this message]
2018-05-14  7:43   ` [tip:efi/core] x86/xen/efi: Initialize UEFI secure boot state during dom0 boot tip-bot for Daniel Kiper
2018-05-04  5:59 ` [PATCH 02/17] efi/cper: Remove the INDENT_SP silliness Ard Biesheuvel
2018-05-14  7:44   ` [tip:efi/core] " tip-bot for Borislav Petkov
2018-05-04  5:59 ` [PATCH 03/17] efi: Fix IA32/X64 Processor Error Record definition Ard Biesheuvel
2018-05-14  7:44   ` [tip:efi/core] " tip-bot for Yazen Ghannam
2018-05-04  5:59 ` [PATCH 04/17] efi: Decode IA32/X64 Processor Error Section Ard Biesheuvel
2018-05-14  7:45   ` [tip:efi/core] " tip-bot for Yazen Ghannam
2018-05-04  5:59 ` [PATCH 05/17] efi: Decode IA32/X64 Processor Error Info Structure Ard Biesheuvel
2018-05-14  7:45   ` [tip:efi/core] " tip-bot for Yazen Ghannam
2018-05-04  5:59 ` [PATCH 06/17] efi: Decode UEFI-defined IA32/X64 Error Structure GUIDs Ard Biesheuvel
2018-05-14  7:46   ` [tip:efi/core] " tip-bot for Yazen Ghannam
2018-05-04  5:59 ` [PATCH 07/17] efi: Decode IA32/X64 Cache, TLB, and Bus Check structures Ard Biesheuvel
2018-05-14  7:46   ` [tip:efi/core] " tip-bot for Yazen Ghannam
2018-05-04  5:59 ` [PATCH 08/17] efi: Decode additional IA32/X64 Bus Check fields Ard Biesheuvel
2018-05-14  7:47   ` [tip:efi/core] " tip-bot for Yazen Ghannam
2018-05-04  5:59 ` [PATCH 09/17] efi: Decode IA32/X64 MS Check structure Ard Biesheuvel
2018-05-14  7:47   ` [tip:efi/core] " tip-bot for Yazen Ghannam
2018-05-04  5:59 ` [PATCH 10/17] efi: Decode IA32/X64 Context Info structure Ard Biesheuvel
2018-05-14  7:48   ` [tip:efi/core] " tip-bot for Yazen Ghannam
2018-05-04  5:59 ` [PATCH 11/17] efi/libstub/tpm: Make function efi_retrieve_tpm2_eventlog_1_2() static Ard Biesheuvel
2018-05-14  7:48   ` [tip:efi/core] " tip-bot for Wei Yongjun
2018-05-04  5:59 ` [PATCH 12/17] efi: fix efi_pci_io_protocol32 prototype for mixed mode Ard Biesheuvel
2018-05-14  6:57   ` Ingo Molnar
2018-05-14  7:02     ` Ard Biesheuvel
2018-05-14  7:42   ` [tip:efi/core] efi: Avoid potential crashes, fix the 'struct efi_pci_io_protocol_32' definition " tip-bot for Ard Biesheuvel
2018-05-04  5:59 ` [PATCH 13/17] efi: align efi_pci_io_protocol typedefs to type naming convention Ard Biesheuvel
2018-05-14  7:49   ` [tip:efi/core] efi: Align " tip-bot for Ard Biesheuvel
2018-05-04  6:00 ` [PATCH 14/17] efi/x86: fold __setup_efi_pci32 and __setup_efi_pci64 into one Ard Biesheuvel
2018-05-14  7:49   ` [tip:efi/core] efi/x86: Fold __setup_efi_pci32() and __setup_efi_pci64() into one function tip-bot for Ard Biesheuvel
2018-05-04  6:00 ` [PATCH 15/17] efi/x86: Ignore unrealistically large option roms Ard Biesheuvel
2018-05-14  6:40   ` Ingo Molnar
2018-05-14  6:43   ` [PATCH] efi/x86: Clean up the eboot code a bit Ingo Molnar
2018-05-14  6:47     ` Ard Biesheuvel
2018-05-14  6:58       ` Ingo Molnar
2018-05-14  6:59         ` Ard Biesheuvel
2018-05-14  7:50   ` [tip:efi/core] efi/x86: Ignore unrealistically large option ROMs tip-bot for Hans de Goede
2018-05-15  9:18     ` Ard Biesheuvel
2018-06-21 15:13       ` Ingo Molnar
2018-05-04  6:00 ` [PATCH 16/17] efi/capsule-loader: Don't output reset log when reset flags are not set Ard Biesheuvel
2018-05-14  7:50   ` [tip:efi/core] " tip-bot for Shunyong Yang
2018-05-04  6:00 ` [PATCH 17/17] efi/libstub/arm64: handle randomized TEXT_OFFSET Ard Biesheuvel
2018-05-14  6:47   ` Ingo Molnar
2018-05-14  6:48     ` Ard Biesheuvel
2018-05-14  7:00       ` Ingo Molnar
2018-05-14  7:01         ` Ard Biesheuvel

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180504060003.19618-2-ard.biesheuvel@linaro.org \
    --to=ard.biesheuvel@linaro.org \
    --cc=daniel.kiper@oracle.com \
    --cc=linux-efi@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@kernel.org \
    --cc=tglx@linutronix.de \
    --subject='Re: [PATCH 01/17] x86/xen/efi: Initialize UEFI secure boot state during dom0 boot' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).