1de8cb458SDavid Howells /* 2de8cb458SDavid Howells * Secure boot handling. 3de8cb458SDavid Howells * 4de8cb458SDavid Howells * Copyright (C) 2013,2014 Linaro Limited 5de8cb458SDavid Howells * Roy Franz <roy.franz@linaro.org 6de8cb458SDavid Howells * Copyright (C) 2013 Red Hat, Inc. 7de8cb458SDavid Howells * Mark Salter <msalter@redhat.com> 8de8cb458SDavid Howells * 9de8cb458SDavid Howells * This file is part of the Linux kernel, and is made available under the 10de8cb458SDavid Howells * terms of the GNU General Public License version 2. 11de8cb458SDavid Howells */ 12de8cb458SDavid Howells #include <linux/efi.h> 13de8cb458SDavid Howells #include <asm/efi.h> 14de8cb458SDavid Howells 15de8cb458SDavid Howells /* BIOS variables */ 16de8cb458SDavid Howells static const efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID; 17de8cb458SDavid Howells static const efi_char16_t const efi_SecureBoot_name[] = { 18de8cb458SDavid Howells 'S', 'e', 'c', 'u', 'r', 'e', 'B', 'o', 'o', 't', 0 19de8cb458SDavid Howells }; 20de8cb458SDavid Howells static const efi_char16_t const efi_SetupMode_name[] = { 21de8cb458SDavid Howells 'S', 'e', 't', 'u', 'p', 'M', 'o', 'd', 'e', 0 22de8cb458SDavid Howells }; 23de8cb458SDavid Howells 24f3cf6f74SJosh Boyer /* SHIM variables */ 25f3cf6f74SJosh Boyer static const efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID; 26f3cf6f74SJosh Boyer static efi_char16_t const shim_MokSBState_name[] = { 27f3cf6f74SJosh Boyer 'M', 'o', 'k', 'S', 'B', 'S', 't', 'a', 't', 'e', 0 28f3cf6f74SJosh Boyer }; 29f3cf6f74SJosh Boyer 30de8cb458SDavid Howells #define get_efi_var(name, vendor, ...) \ 31de8cb458SDavid Howells efi_call_runtime(get_variable, \ 32de8cb458SDavid Howells (efi_char16_t *)(name), (efi_guid_t *)(vendor), \ 33de8cb458SDavid Howells __VA_ARGS__); 34de8cb458SDavid Howells 35de8cb458SDavid Howells /* 36de8cb458SDavid Howells * Determine whether we're in secure boot mode. 37de8cb458SDavid Howells */ 38de8cb458SDavid Howells enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table_arg) 39de8cb458SDavid Howells { 40f3cf6f74SJosh Boyer u32 attr; 41f3cf6f74SJosh Boyer u8 secboot, setupmode, moksbstate; 42de8cb458SDavid Howells unsigned long size; 43de8cb458SDavid Howells efi_status_t status; 44de8cb458SDavid Howells 45de8cb458SDavid Howells size = sizeof(secboot); 46de8cb458SDavid Howells status = get_efi_var(efi_SecureBoot_name, &efi_variable_guid, 47de8cb458SDavid Howells NULL, &size, &secboot); 48de8cb458SDavid Howells if (status != EFI_SUCCESS) 49de8cb458SDavid Howells goto out_efi_err; 50de8cb458SDavid Howells 51de8cb458SDavid Howells size = sizeof(setupmode); 52de8cb458SDavid Howells status = get_efi_var(efi_SetupMode_name, &efi_variable_guid, 53de8cb458SDavid Howells NULL, &size, &setupmode); 54de8cb458SDavid Howells if (status != EFI_SUCCESS) 55de8cb458SDavid Howells goto out_efi_err; 56de8cb458SDavid Howells 57de8cb458SDavid Howells if (secboot == 0 || setupmode == 1) 58de8cb458SDavid Howells return efi_secureboot_mode_disabled; 59de8cb458SDavid Howells 60f3cf6f74SJosh Boyer /* 61f3cf6f74SJosh Boyer * See if a user has put the shim into insecure mode. If so, and if the 62f3cf6f74SJosh Boyer * variable doesn't have the runtime attribute set, we might as well 63f3cf6f74SJosh Boyer * honor that. 64f3cf6f74SJosh Boyer */ 65f3cf6f74SJosh Boyer size = sizeof(moksbstate); 66f3cf6f74SJosh Boyer status = get_efi_var(shim_MokSBState_name, &shim_guid, 67f3cf6f74SJosh Boyer &attr, &size, &moksbstate); 68f3cf6f74SJosh Boyer 69f3cf6f74SJosh Boyer /* If it fails, we don't care why. Default to secure */ 70f3cf6f74SJosh Boyer if (status != EFI_SUCCESS) 71f3cf6f74SJosh Boyer goto secure_boot_enabled; 72f3cf6f74SJosh Boyer if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS) && moksbstate == 1) 73f3cf6f74SJosh Boyer return efi_secureboot_mode_disabled; 74f3cf6f74SJosh Boyer 75f3cf6f74SJosh Boyer secure_boot_enabled: 76de8cb458SDavid Howells pr_efi(sys_table_arg, "UEFI Secure Boot is enabled.\n"); 77de8cb458SDavid Howells return efi_secureboot_mode_enabled; 78de8cb458SDavid Howells 79de8cb458SDavid Howells out_efi_err: 80de8cb458SDavid Howells pr_efi_err(sys_table_arg, "Could not determine UEFI Secure Boot status.\n"); 81de8cb458SDavid Howells if (status == EFI_NOT_FOUND) 82de8cb458SDavid Howells return efi_secureboot_mode_disabled; 83de8cb458SDavid Howells return efi_secureboot_mode_unknown; 84de8cb458SDavid Howells } 85