1de8cb458SDavid Howells /*
2de8cb458SDavid Howells  * Secure boot handling.
3de8cb458SDavid Howells  *
4de8cb458SDavid Howells  * Copyright (C) 2013,2014 Linaro Limited
5de8cb458SDavid Howells  *     Roy Franz <roy.franz@linaro.org
6de8cb458SDavid Howells  * Copyright (C) 2013 Red Hat, Inc.
7de8cb458SDavid Howells  *     Mark Salter <msalter@redhat.com>
8de8cb458SDavid Howells  *
9de8cb458SDavid Howells  * This file is part of the Linux kernel, and is made available under the
10de8cb458SDavid Howells  * terms of the GNU General Public License version 2.
11de8cb458SDavid Howells  */
12de8cb458SDavid Howells #include <linux/efi.h>
13de8cb458SDavid Howells #include <asm/efi.h>
14de8cb458SDavid Howells 
15de8cb458SDavid Howells /* BIOS variables */
16de8cb458SDavid Howells static const efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
17de8cb458SDavid Howells static const efi_char16_t const efi_SecureBoot_name[] = {
18de8cb458SDavid Howells 	'S', 'e', 'c', 'u', 'r', 'e', 'B', 'o', 'o', 't', 0
19de8cb458SDavid Howells };
20de8cb458SDavid Howells static const efi_char16_t const efi_SetupMode_name[] = {
21de8cb458SDavid Howells 	'S', 'e', 't', 'u', 'p', 'M', 'o', 'd', 'e', 0
22de8cb458SDavid Howells };
23de8cb458SDavid Howells 
24f3cf6f74SJosh Boyer /* SHIM variables */
25f3cf6f74SJosh Boyer static const efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID;
26f3cf6f74SJosh Boyer static efi_char16_t const shim_MokSBState_name[] = {
27f3cf6f74SJosh Boyer 	'M', 'o', 'k', 'S', 'B', 'S', 't', 'a', 't', 'e', 0
28f3cf6f74SJosh Boyer };
29f3cf6f74SJosh Boyer 
30de8cb458SDavid Howells #define get_efi_var(name, vendor, ...) \
31de8cb458SDavid Howells 	efi_call_runtime(get_variable, \
32de8cb458SDavid Howells 			 (efi_char16_t *)(name), (efi_guid_t *)(vendor), \
33de8cb458SDavid Howells 			 __VA_ARGS__);
34de8cb458SDavid Howells 
35de8cb458SDavid Howells /*
36de8cb458SDavid Howells  * Determine whether we're in secure boot mode.
37de8cb458SDavid Howells  */
38de8cb458SDavid Howells enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table_arg)
39de8cb458SDavid Howells {
40f3cf6f74SJosh Boyer 	u32 attr;
41f3cf6f74SJosh Boyer 	u8 secboot, setupmode, moksbstate;
42de8cb458SDavid Howells 	unsigned long size;
43de8cb458SDavid Howells 	efi_status_t status;
44de8cb458SDavid Howells 
45de8cb458SDavid Howells 	size = sizeof(secboot);
46de8cb458SDavid Howells 	status = get_efi_var(efi_SecureBoot_name, &efi_variable_guid,
47de8cb458SDavid Howells 			     NULL, &size, &secboot);
48de8cb458SDavid Howells 	if (status != EFI_SUCCESS)
49de8cb458SDavid Howells 		goto out_efi_err;
50de8cb458SDavid Howells 
51de8cb458SDavid Howells 	size = sizeof(setupmode);
52de8cb458SDavid Howells 	status = get_efi_var(efi_SetupMode_name, &efi_variable_guid,
53de8cb458SDavid Howells 			     NULL, &size, &setupmode);
54de8cb458SDavid Howells 	if (status != EFI_SUCCESS)
55de8cb458SDavid Howells 		goto out_efi_err;
56de8cb458SDavid Howells 
57de8cb458SDavid Howells 	if (secboot == 0 || setupmode == 1)
58de8cb458SDavid Howells 		return efi_secureboot_mode_disabled;
59de8cb458SDavid Howells 
60f3cf6f74SJosh Boyer 	/*
61f3cf6f74SJosh Boyer 	 * See if a user has put the shim into insecure mode. If so, and if the
62f3cf6f74SJosh Boyer 	 * variable doesn't have the runtime attribute set, we might as well
63f3cf6f74SJosh Boyer 	 * honor that.
64f3cf6f74SJosh Boyer 	 */
65f3cf6f74SJosh Boyer 	size = sizeof(moksbstate);
66f3cf6f74SJosh Boyer 	status = get_efi_var(shim_MokSBState_name, &shim_guid,
67f3cf6f74SJosh Boyer 			     &attr, &size, &moksbstate);
68f3cf6f74SJosh Boyer 
69f3cf6f74SJosh Boyer 	/* If it fails, we don't care why. Default to secure */
70f3cf6f74SJosh Boyer 	if (status != EFI_SUCCESS)
71f3cf6f74SJosh Boyer 		goto secure_boot_enabled;
72f3cf6f74SJosh Boyer 	if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS) && moksbstate == 1)
73f3cf6f74SJosh Boyer 		return efi_secureboot_mode_disabled;
74f3cf6f74SJosh Boyer 
75f3cf6f74SJosh Boyer secure_boot_enabled:
76de8cb458SDavid Howells 	pr_efi(sys_table_arg, "UEFI Secure Boot is enabled.\n");
77de8cb458SDavid Howells 	return efi_secureboot_mode_enabled;
78de8cb458SDavid Howells 
79de8cb458SDavid Howells out_efi_err:
80de8cb458SDavid Howells 	pr_efi_err(sys_table_arg, "Could not determine UEFI Secure Boot status.\n");
81de8cb458SDavid Howells 	if (status == EFI_NOT_FOUND)
82de8cb458SDavid Howells 		return efi_secureboot_mode_disabled;
83de8cb458SDavid Howells 	return efi_secureboot_mode_unknown;
84de8cb458SDavid Howells }
85