From: Kate Hsuan
Date: Mon, 4 Jul 2022 08:13:58 +0000 (+0800)
Subject: libply: ply-utils: Add ply_is_secure_boot_enabled () helper
X-Git-Tag: 23.51.283~82^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=25f0932cba0d69dbc5e8dc4ef12a2555139e1dc1;p=thirdparty%2Fplymouth.git

libply: ply-utils: Add ply_is_secure_boot_enabled () helper

This checks the secure boot status. If the secure boot are enabled, return true. Otherwise, return false. The system secure boot settings is at /sys/firmware/efi/efivars/SecureBoot* and the fifth byte should be 0x1 which means the system secure boot is enabled.

Signed-off-by: Kate Hsuan
---

diff --git a/src/libply/ply-utils.c b/src/libply/ply-utils.c
index 219e2e77..ed6b054a 100644
--- a/src/libply/ply-utils.c
+++ b/src/libply/ply-utils.c
@@ -76,6 +76,11 @@
 #define PLY_MAX_COMMAND_LINE_SIZE 4096
 #endif
+#define EFI_VARIABLES_PATH "/sys/firmware/efi/efivars/"
+#define EFI_GLOBAL_VARIABLES_GUID "8be4df61-93ca-11d2-aa0d-00e098032b8c"
+#define SECURE_BOOT_GLOBAL_VARIABLES_FILE EFI_VARIABLES_PATH "SecureBoot-" EFI_GLOBAL_VARIABLES_GUID
+#define IS_SECURE_BOOT_ENABLED(sb_config) ((sb_config) == 0x1)
+
 static int errno_stack[PLY_ERRNO_STACK_SIZE];
 static int errno_stack_position = 0;
@@ -1021,3 +1026,43 @@ double ply_strtod (const char *str)
 return ret;
 }
+static bool
+check_secure_boot_settings (const char *filename)
+{
+ int fd;
+ int len;
+ uint8_t buf[5];
+
+ fd = open (filename, O_RDONLY);
+ len = read (fd, buf, 5);
+ close (fd);
+
+ /* /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
+ * is in a binary format. The file is exactly 5 bytes long and the last byte
+ * is the secure boot configuration. If it is 0x1, the secure boot is
+ * enabled.
+ */
+ if (len == 5)
+ if (IS_SECURE_BOOT_ENABLED (buf[4]))
+ return true;
+
+ return false;
+}
+
+bool
+ply_is_secure_boot_enabled (void)
+{
+ static int is_secure_boot_enabled = -1;
+
+ if (is_secure_boot_enabled != -1)
+ return is_secure_boot_enabled;
+
+ if (check_secure_boot_settings (SECURE_BOOT_GLOBAL_VARIABLES_FILE))
+ is_secure_boot_enabled = true;
+ else
+ is_secure_boot_enabled = false;
+
+ return is_secure_boot_enabled;
+}
+
+/* vim: set ts=4 sw=4 expandtab autoindent cindent cino={.5s,(0: */
diff --git a/src/libply/ply-utils.h b/src/libply/ply-utils.h
index 62425048..09507e09 100644
--- a/src/libply/ply-utils.h
+++ b/src/libply/ply-utils.h
@@ -134,6 +134,8 @@ char *ply_kernel_command_line_get_key_value (const char *key);
 double ply_strtod (const char *str);
+bool ply_is_secure_boot_enabled (void);
+
 #endif
 #endif /* PLY_UTILS_H */
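Review bot: The result of `open ()` in check_secure_boot_settings (the ply-utils.c hunk at -1021) is never checked, so when the SecureBoot variable file cannot be opened the code still calls `read ()` and `close ()` on fd -1. The function returns false in that case only because `len` ends up as -1, and errno is overwritten along the way. The rewrite below returns early when `fd < 0`, keeps the `read ()` result in a `ssize_t`, and uses `sizeof (buf)` in place of the repeated literal 5. The layout comment could also state that the first four bytes of an efivarfs file hold the variable's attributes, which is why the value is read from `buf[4]`. Because ply_is_secure_boot_enabled caches the answer in a static, a read failure is reported as "disabled" for the rest of the process, which callers making a security-relevant decision on the result should be aware of.

```c
static bool
check_secure_boot_settings (const char *filename)
{
        int fd;
        ssize_t len;
        uint8_t buf[5];

        fd = open (filename, O_RDONLY);
        if (fd < 0)
                return false;

        len = read (fd, buf, sizeof (buf));
        close (fd);

        /* … unchanged: comment describing the 5-byte variable file … */
        if (len != (ssize_t) sizeof (buf))
                return false;

        return IS_SECURE_BOOT_ENABLED (buf[4]);
}
```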