drivers/firmware/efi/libstub/secureboot.c

   1 // SPDX-License-Identifier: GPL-2.0
   2 /*
   3  * Secure boot handling.
   4  *
   5  * Copyright (C) 2013,2014 Linaro Limited
   6  *     Roy Franz <roy.franz@linaro.org
   7  * Copyright (C) 2013 Red Hat, Inc.
   8  *     Mark Salter <msalter@redhat.com>
   9  */
  10 #include <linux/efi.h>
  11 #include <asm/efi.h>
  12
  13 #include "efistub.h"
  14
  15 /* BIOS variables */
  16 static const efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
  17 static const efi_char16_t efi_SecureBoot_name[] = L"SecureBoot";
  18 static const efi_char16_t efi_SetupMode_name[] = L"SetupMode";
  19
  20 /* SHIM variables */
  21 static const efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID;
  22 static const efi_char16_t shim_MokSBState_name[] = L"MokSBState";
  23
  24 /*
  25  * Determine whether we're in secure boot mode.
  26  *
  27  * Please keep the logic in sync with
  28  * arch/x86/xen/efi.c:xen_efi_get_secureboot().
  29  */
  30 enum efi_secureboot_mode efi_get_secureboot(void)
  31 {
  32         u32 attr;
  33         u8 secboot, setupmode, moksbstate;
  34         unsigned long size;
  35         efi_status_t status;
  36
  37         size = sizeof(secboot);
  38         status = get_efi_var(efi_SecureBoot_name, &efi_variable_guid,
  39                              NULL, &size, &secboot);
  40         if (status == EFI_NOT_FOUND)
  41                 return efi_secureboot_mode_disabled;
  42         if (status != EFI_SUCCESS)
  43                 goto out_efi_err;
  44
  45         size = sizeof(setupmode);
  46         status = get_efi_var(efi_SetupMode_name, &efi_variable_guid,
  47                              NULL, &size, &setupmode);
  48         if (status != EFI_SUCCESS)
  49                 goto out_efi_err;
  50
  51         if (secboot == 0 || setupmode == 1)
  52                 return efi_secureboot_mode_disabled;
  53
  54         /*
  55          * See if a user has put the shim into insecure mode. If so, and if the
  56          * variable doesn't have the runtime attribute set, we might as well
  57          * honor that.
  58          */
  59         size = sizeof(moksbstate);
  60         status = get_efi_var(shim_MokSBState_name, &shim_guid,
  61                              &attr, &size, &moksbstate);
  62
  63         /* If it fails, we don't care why. Default to secure */
  64         if (status != EFI_SUCCESS)
  65                 goto secure_boot_enabled;
  66         if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS) && moksbstate == 1)
  67                 return efi_secureboot_mode_disabled;
  68
  69 secure_boot_enabled:
  70         efi_info("UEFI Secure Boot is enabled.\n");
  71         return efi_secureboot_mode_enabled;
  72
  73 out_efi_err:
  74         efi_err("Could not determine UEFI Secure Boot status.\n");
  75         return efi_secureboot_mode_unknown;
  76 }