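/*
 * Secure boot handling.
 *
 * Copyright (C) 2013,2014 Linaro Limited
 *     Roy Franz <roy.franz@linaro.org>
 * Copyright (C) 2013 Red Hat, Inc.
 *     Mark Salter <msalter@redhat.com>
 *
 * This file is part of the Linux kernel, and is made available under the
 * terms of the GNU General Public License version 2.
 */
#include <linux/efi.h>
#include <asm/efi.h>

/* BIOS variables */
static const efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
/* NUL-terminated UCS-2 names; a single const is enough for the array. */
static const efi_char16_t efi_SecureBoot_name[] = {
	'S', 'e', 'c', 'u', 'r', 'e', 'B', 'o', 'o', 't', 0
};
static const efi_char16_t efi_SetupMode_name[] = {
	'S', 'e', 't', 'u', 'p', 'M', 'o', 'd', 'e', 0
};

/*
 * Read an EFI variable via the get_variable runtime service.
 *
 * The name and vendor GUID are cast to non-const pointers because the
 * tables above are declared const.  The remaining arguments are passed
 * through unchanged.  The expansion has no trailing semicolon, so the
 * macro can be used as an ordinary expression.
 */
#define get_efi_var(name, vendor, ...) \
	efi_call_runtime(get_variable, \
			 (efi_char16_t *)(name), (efi_guid_t *)(vendor), \
			 __VA_ARGS__)

/*
 * Determine whether we're in secure boot mode.
 *
 * @sys_table_arg: EFI system table, passed to pr_efi()/pr_efi_err().
 *                 NOTE(review): efi_call_runtime() is defined elsewhere and
 *                 presumably reaches the runtime services through this
 *                 argument - confirm against its definition.
 *
 * Reads the one-byte SecureBoot and SetupMode global variables.
 *
 * Returns:
 *   efi_secureboot_mode_enabled  - both reads succeeded, SecureBoot is
 *                                  non-zero and SetupMode is not 1;
 *   efi_secureboot_mode_disabled - SecureBoot is 0, SetupMode is 1, or
 *                                  either read returned EFI_NOT_FOUND;
 *   efi_secureboot_mode_unknown  - either read failed with any other status.
 *
 * Security notes:
 *   - Any non-zero SecureBoot value counts as enabled, so an unexpected
 *     value fails closed.
 *   - EFI_NOT_FOUND is reported as "disabled", not "unknown".  Callers that
 *     gate policy on the result should be aware of that mapping.
 *   - The attributes out-parameter is NULL and the returned size is not
 *     examined, so the result rests entirely on the status code and the
 *     single byte read.
 */
enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table_arg)
{
	u8 secboot, setupmode;
	unsigned long size;
	efi_status_t status;

	/* size is in/out: buffer capacity on entry. */
	size = sizeof(secboot);
	status = get_efi_var(efi_SecureBoot_name, &efi_variable_guid,
			     NULL, &size, &secboot);
	if (status != EFI_SUCCESS)
		goto out_efi_err;

	size = sizeof(setupmode);
	status = get_efi_var(efi_SetupMode_name, &efi_variable_guid,
			     NULL, &size, &setupmode);
	if (status != EFI_SUCCESS)
		goto out_efi_err;

	/* Secure boot is only in force when enabled and out of setup mode. */
	if (secboot == 0 || setupmode == 1)
		return efi_secureboot_mode_disabled;

	pr_efi(sys_table_arg, "UEFI Secure Boot is enabled.\n");
	return efi_secureboot_mode_enabled;

out_efi_err:
	/* The message is printed for every failure, EFI_NOT_FOUND included. */
	pr_efi_err(sys_table_arg, "Could not determine UEFI Secure Boot status.\n");
	if (status == EFI_NOT_FOUND)
		return efi_secureboot_mode_disabled;
	return efi_secureboot_mode_unknown;
}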