[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAMj1kXEXvmO5mrTcKpqYUASBAQB-1=xLa0vg7KwmvOHMjaQ34w@mail.gmail.com>
Date: Fri, 11 Sep 2020 18:01:09 +0300
From: Ard Biesheuvel <ardb@...nel.org>
To: Chester Lin <clin@...e.com>
Cc: Catalin Marinas <catalin.marinas@....com>,
Will Deacon <will@...nel.org>, zohar@...ux.ibm.com,
dmitry.kasatkin@...il.com, Jonathan Corbet <corbet@....net>,
Mark Rutland <mark.rutland@....com>,
Vincenzo Frascino <vincenzo.frascino@....com>,
Sami Tolvanen <samitolvanen@...gle.com>,
Masahiro Yamada <masahiroy@...nel.org>,
Ingo Molnar <mingo@...nel.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
linux-efi <linux-efi@...r.kernel.org>,
Linux ARM <linux-arm-kernel@...ts.infradead.org>,
linux-integrity <linux-integrity@...r.kernel.org>,
Linux Doc Mailing List <linux-doc@...r.kernel.org>,
"Lee, Chun-Yi" <jlee@...e.com>
Subject: Re: [PATCH 1/6] efistub: pass uefi secureboot flag via fdt params
On Fri, 4 Sep 2020 at 10:29, Chester Lin <clin@...e.com> wrote:
>
> Add a new UEFI parameter: "linux,uefi-secure-boot" in fdt boot params
> as other architectures have done in their own boot data. For example,
> the boot_params->secure_boot in x86.
>
> Signed-off-by: Chester Lin <clin@...e.com>
Why do we need this flag? Can't the OS simply check the variable directly?
> ---
> drivers/firmware/efi/libstub/fdt.c | 39 +++++++++++++++++++++++++++++-
> 1 file changed, 38 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/firmware/efi/libstub/fdt.c b/drivers/firmware/efi/libstub/fdt.c
> index 11ecf3c4640e..c9a341e4715f 100644
> --- a/drivers/firmware/efi/libstub/fdt.c
> +++ b/drivers/firmware/efi/libstub/fdt.c
> @@ -136,6 +136,10 @@ static efi_status_t update_fdt(void *orig_fdt, unsigned long orig_fdt_size,
> if (status)
> goto fdt_set_fail;
>
> + status = fdt_setprop_var(fdt, node, "linux,uefi-secure-boot", fdt_val32);
> + if (status)
> + goto fdt_set_fail;
> +
> if (IS_ENABLED(CONFIG_RANDOMIZE_BASE)) {
> efi_status_t efi_status;
>
> @@ -199,6 +203,24 @@ static efi_status_t update_fdt_memmap(void *fdt, struct efi_boot_memmap *map)
> return EFI_SUCCESS;
> }
>
> +static efi_status_t update_fdt_secboot(void *fdt, u32 secboot)
> +{
> + int node = fdt_path_offset(fdt, "/chosen");
> + u32 fdt_val32;
> + int err;
> +
> + if (node < 0)
> + return EFI_LOAD_ERROR;
> +
> + fdt_val32 = cpu_to_fdt32(secboot);
> +
> + err = fdt_setprop_inplace_var(fdt, node, "linux,uefi-secure-boot", fdt_val32);
> + if (err)
> + return EFI_LOAD_ERROR;
> +
> + return EFI_SUCCESS;
> +}
> +
> struct exit_boot_struct {
> efi_memory_desc_t *runtime_map;
> int *runtime_entry_count;
> @@ -208,6 +230,9 @@ struct exit_boot_struct {
> static efi_status_t exit_boot_func(struct efi_boot_memmap *map,
> void *priv)
> {
> + efi_status_t status;
> + enum efi_secureboot_mode secboot_status;
> + u32 secboot_var = 0;
> struct exit_boot_struct *p = priv;
> /*
> * Update the memory map with virtual addresses. The function will also
> @@ -217,7 +242,19 @@ static efi_status_t exit_boot_func(struct efi_boot_memmap *map,
> efi_get_virtmap(*map->map, *map->map_size, *map->desc_size,
> p->runtime_map, p->runtime_entry_count);
>
> - return update_fdt_memmap(p->new_fdt_addr, map);
> + status = update_fdt_memmap(p->new_fdt_addr, map);
> +
> + if (status != EFI_SUCCESS)
> + return status;
> +
> + secboot_status = efi_get_secureboot();
> +
> + if (secboot_status == efi_secureboot_mode_enabled)
> + secboot_var = 1;
> +
> + status = update_fdt_secboot(p->new_fdt_addr, secboot_var);
> +
> + return status;
> }
>
> #ifndef MAX_FDT_SIZE
> --
> 2.26.1
>
Powered by blists - more mailing lists