lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1456273509-25249-1-git-send-email-linn@hpe.com>
Date:	Tue, 23 Feb 2016 17:25:09 -0700
From:	Linn Crosetto <linn@....com>
To:	matt@...eblueprint.co.uk, ard.biesheuvel@...aro.org,
	roy.franz@...aro.org, mingo@...nel.org, mark.rutland@....com
Cc:	linux-kernel@...r.kernel.org, Linn Crosetto <linn@....com>
Subject: [PATCH] arm64/efi: check SetupMode when determining Secure Boot status

According to the UEFI specification, the platform is operating in secure
boot mode if SetupMode is 0 and SecureBoot is 1, and cannot operate in
secure boot mode if SetupMode is set to 1. Check the value of SetupMode
when determining the state of Secure Boot.

Signed-off-by: Linn Crosetto <linn@....com>
---
 drivers/firmware/efi/libstub/arm-stub.c | 34 +++++++++++++++++++++------------
 1 file changed, 22 insertions(+), 12 deletions(-)

diff --git a/drivers/firmware/efi/libstub/arm-stub.c b/drivers/firmware/efi/libstub/arm-stub.c
index 3397902..7ef2e20 100644
--- a/drivers/firmware/efi/libstub/arm-stub.c
+++ b/drivers/firmware/efi/libstub/arm-stub.c
@@ -20,26 +20,36 @@
 
 static int efi_secureboot_enabled(efi_system_table_t *sys_table_arg)
 {
-	static efi_guid_t const var_guid = EFI_GLOBAL_VARIABLE_GUID;
-	static efi_char16_t const var_name[] = {
+	static efi_char16_t const sb_var_name[] = {
 		'S', 'e', 'c', 'u', 'r', 'e', 'B', 'o', 'o', 't', 0 };
+	static efi_char16_t const sm_var_name[] = {
+		'S', 'e', 't', 'u', 'p', 'M', 'o', 'd', 'e', 0 };
 
+	efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
 	efi_get_variable_t *f_getvar = sys_table_arg->runtime->get_variable;
-	unsigned long size = sizeof(u8);
-	efi_status_t status;
 	u8 val;
+	unsigned long size = sizeof(val);
+	efi_status_t status;
 
-	status = f_getvar((efi_char16_t *)var_name, (efi_guid_t *)&var_guid,
+	status = f_getvar((efi_char16_t *)sb_var_name, (efi_guid_t *)&var_guid,
 			  NULL, &size, &val);
 
-	switch (status) {
-	case EFI_SUCCESS:
-		return val;
-	case EFI_NOT_FOUND:
+	if (status != EFI_SUCCESS)
 		return 0;
-	default:
-		return 1;
-	}
+
+	if (val == 0)
+		return 0;
+
+	status = f_getvar((efi_char16_t *)sm_var_name, (efi_guid_t *)&var_guid,
+			  NULL, &size, &val);
+
+	if (status != EFI_SUCCESS)
+		return 0;
+
+	if (val == 1)
+		return 0;
+
+	return 1;
 }
 
 efi_status_t efi_open_volume(efi_system_table_t *sys_table_arg,
-- 
2.1.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ