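// SPDX-License-Identifier: GPL-2.0
/*
 * Secure boot handling.
 *
 * Copyright (C) 2013,2014 Linaro Limited
 *     Roy Franz <roy.franz@linaro.org>
 * Copyright (C) 2013 Red Hat, Inc.
 *     Mark Salter <msalter@redhat.com>
 */
#include <linux/efi.h>
#include <asm/efi.h>

#include "efistub.h"

/* BIOS variables */
static const efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
static const efi_char16_t efi_SecureBoot_name[] = L"SecureBoot";
static const efi_char16_t efi_SetupMode_name[] = L"SetupMode";

/* SHIM variables */
static const efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID;
static const efi_char16_t shim_MokSBState_name[] = L"MokSBState";

/*
 * Read an EFI variable through the runtime GetVariable service.
 *
 * The trailing arguments are GetVariable's attributes, size and data
 * pointers. No semicolon is part of the expansion: every use site supplies
 * its own, so the macro stays a plain expression (the old form produced an
 * empty statement after each call).
 */
#define get_efi_var(name, vendor, ...) \
	efi_call_runtime(get_variable, \
			 (efi_char16_t *)(name), (efi_guid_t *)(vendor), \
			 __VA_ARGS__)

/**
 * efi_get_secureboot() - Determine whether we're in secure boot mode.
 *
 * Please keep the logic in sync with
 * arch/x86/xen/efi.c:xen_efi_get_secureboot().
 *
 * Unexpected byte values in SecureBoot/SetupMode (anything other than the
 * 0/1 checks below) are treated as "enabled", so the function fails closed.
 *
 * Return: efi_secureboot_mode_disabled when Secure Boot is not enforced
 *         (SecureBoot is absent or 0, SetupMode is 1, or shim's MokSBState
 *         is 1 and the variable lacks EFI_VARIABLE_RUNTIME_ACCESS);
 *         efi_secureboot_mode_enabled otherwise;
 *         efi_secureboot_mode_unknown when SecureBoot or SetupMode cannot
 *         be read (any status other than EFI_SUCCESS, which the UEFI spec
 *         says includes EFI_BUFFER_TOO_SMALL for a variable larger than
 *         the one byte read here).
 */
enum efi_secureboot_mode efi_get_secureboot(void)
{
	u32 attr;
	u8 secboot, setupmode, moksbstate;
	unsigned long size;
	efi_status_t status;

	size = sizeof(secboot);
	status = get_efi_var(efi_SecureBoot_name, &efi_variable_guid,
			     NULL, &size, &secboot);
	/* No SecureBoot variable at all: the firmware is not enforcing it. */
	if (status == EFI_NOT_FOUND)
		return efi_secureboot_mode_disabled;
	if (status != EFI_SUCCESS)
		goto out_efi_err;

	size = sizeof(setupmode);
	status = get_efi_var(efi_SetupMode_name, &efi_variable_guid,
			     NULL, &size, &setupmode);
	if (status != EFI_SUCCESS)
		goto out_efi_err;

	if (secboot == 0 || setupmode == 1)
		return efi_secureboot_mode_disabled;

	/*
	 * See if a user has put the shim into insecure mode. If so, and if the
	 * variable doesn't have the runtime attribute set, we might as well
	 * honor that. A variable without EFI_VARIABLE_RUNTIME_ACCESS is not
	 * reachable once the OS is running, which is why the attribute is
	 * required before the value is trusted to relax the mode.
	 */
	size = sizeof(moksbstate);
	status = get_efi_var(shim_MokSBState_name, &shim_guid,
			     &attr, &size, &moksbstate);

	/* If it fails, we don't care why. Default to secure */
	if (status != EFI_SUCCESS)
		goto secure_boot_enabled;
	if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS) && moksbstate == 1)
		return efi_secureboot_mode_disabled;

secure_boot_enabled:
	pr_efi("UEFI Secure Boot is enabled.\n");
	return efi_secureboot_mode_enabled;

out_efi_err:
	pr_efi_err("Could not determine UEFI Secure Boot status.\n");
	return efi_secureboot_mode_unknown;
}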