// SPDX-License-Identifier: GPL-2.0
/*
 * Secure boot handling.
 *
 * Copyright (C) 2013,2014 Linaro Limited
 * Roy Franz <roy.franz@linaro.org>
 * Copyright (C) 2013 Red Hat, Inc.
 * Mark Salter <msalter@redhat.com>
 */
10 #include <linux/efi.h>
/*
 * Vendor GUID under which the firmware publishes the SecureBoot and
 * SetupMode variables; passed as the vendor argument of both lookups in
 * efi_get_secureboot().
 */
static const efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;

/* Wide-character (efi_char16_t) names of the two firmware-owned variables. */
static const efi_char16_t efi_SecureBoot_name[] = L"SecureBoot";
static const efi_char16_t efi_SetupMode_name[] = L"SetupMode";

/*
 * Shim's vendor GUID and the name of its MokSBState variable.  The lookup in
 * efi_get_secureboot() only honours MokSBState when the variable does not
 * carry EFI_VARIABLE_RUNTIME_ACCESS, i.e. when it cannot have been written
 * from the running OS.
 */
static const efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID;
static const efi_char16_t shim_MokSBState_name[] = L"MokSBState";
/*
 * Determine whether we're in secure boot mode.
 *
 * Please keep the logic in sync with
 * arch/x86/xen/efi.c:xen_efi_get_secureboot().
 */
30 enum efi_secureboot_mode
efi_get_secureboot(void)
33 u8 secboot
, setupmode
, moksbstate
;
37 size
= sizeof(secboot
);
38 status
= get_efi_var(efi_SecureBoot_name
, &efi_variable_guid
,
39 NULL
, &size
, &secboot
);
40 if (status
== EFI_NOT_FOUND
)
41 return efi_secureboot_mode_disabled
;
42 if (status
!= EFI_SUCCESS
)
45 size
= sizeof(setupmode
);
46 status
= get_efi_var(efi_SetupMode_name
, &efi_variable_guid
,
47 NULL
, &size
, &setupmode
);
48 if (status
!= EFI_SUCCESS
)
51 if (secboot
== 0 || setupmode
== 1)
52 return efi_secureboot_mode_disabled
;
55 * See if a user has put the shim into insecure mode. If so, and if the
56 * variable doesn't have the runtime attribute set, we might as well
59 size
= sizeof(moksbstate
);
60 status
= get_efi_var(shim_MokSBState_name
, &shim_guid
,
61 &attr
, &size
, &moksbstate
);
63 /* If it fails, we don't care why. Default to secure */
64 if (status
!= EFI_SUCCESS
)
65 goto secure_boot_enabled
;
66 if (!(attr
& EFI_VARIABLE_RUNTIME_ACCESS
) && moksbstate
== 1)
67 return efi_secureboot_mode_disabled
;
70 efi_info("UEFI Secure Boot is enabled.\n");
71 return efi_secureboot_mode_enabled
;
74 efi_err("Could not determine UEFI Secure Boot status.\n");
75 return efi_secureboot_mode_unknown
;