Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  1) // SPDX-License-Identifier: GPL-2.0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  2) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  3)  * Secure boot handling.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  4)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  5)  * Copyright (C) 2013,2014 Linaro Limited
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  6)  *     Roy Franz <roy.franz@linaro.org>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  7)  * Copyright (C) 2013 Red Hat, Inc.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  8)  *     Mark Salter <msalter@redhat.com>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  9)  */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) #include <linux/efi.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) #include <asm/efi.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) #include "efistub.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) 
/*
 * Variables published by the platform firmware. Both names are looked up
 * under EFI_GLOBAL_VARIABLE_GUID.
 */
static const efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
static const efi_char16_t efi_SecureBoot_name[] = L"SecureBoot";
static const efi_char16_t efi_SetupMode_name[] = L"SetupMode";

/*
 * Variable owned by the shim loader, looked up under EFI_SHIM_LOCK_GUID.
 * It lives in a different vendor namespace than the firmware variables
 * above, so it needs its own GUID.
 */
static const efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID;
static const efi_char16_t shim_MokSBState_name[] = L"MokSBState";
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) 
/*
 * Report whether UEFI Secure Boot is in effect for this boot.
 *
 * Up to three one-byte variables are read through get_efi_var(), in this
 * order: SecureBoot and SetupMode from the EFI global namespace, then
 * shim's MokSBState.
 *
 * Returns:
 *   efi_secureboot_mode_disabled - SecureBoot does not exist, SecureBoot is
 *                                  0, SetupMode is 1, or MokSBState is 1 and
 *                                  lacks EFI_VARIABLE_RUNTIME_ACCESS.
 *   efi_secureboot_mode_enabled  - none of the above applied; this includes
 *                                  the case where MokSBState cannot be read.
 *   efi_secureboot_mode_unknown  - reading SecureBoot failed for a reason
 *                                  other than EFI_NOT_FOUND, or reading
 *                                  SetupMode failed.
 *
 * Please keep the logic in sync with
 * arch/x86/xen/efi.c:xen_efi_get_secureboot().
 */
enum efi_secureboot_mode efi_get_secureboot(void)
{
	efi_status_t rc;
	unsigned long len;
	u32 mok_attr;
	u8 sb, setup, mok_sb;

	/* len is passed by address, so it is reset before every read. */
	len = sizeof(sb);
	rc = get_efi_var(efi_SecureBoot_name, &efi_variable_guid,
			 NULL, &len, &sb);
	if (rc != EFI_SUCCESS) {
		/*
		 * Only a missing variable is reported as "disabled". Every
		 * other failure is reported as "unknown" instead of being
		 * guessed either way.
		 */
		if (rc == EFI_NOT_FOUND)
			return efi_secureboot_mode_disabled;
		goto status_unknown;
	}

	len = sizeof(setup);
	rc = get_efi_var(efi_SetupMode_name, &efi_variable_guid,
			 NULL, &len, &setup);
	if (rc != EFI_SUCCESS)
		goto status_unknown;

	if (!sb || setup == 1)
		return efi_secureboot_mode_disabled;

	/*
	 * The firmware says secure boot is on. A user may still have put the
	 * shim into insecure mode, which shim records in MokSBState. That
	 * value is honored only when the variable does not carry the
	 * runtime-access attribute.
	 * NOTE(review): presumably a runtime-accessible copy is ignored
	 * because it could have been written from a running OS rather than
	 * by shim during boot - confirm against shim's documentation.
	 *
	 * A failed read is deliberately not inspected: the result then
	 * defaults to "enabled", the secure answer.
	 */
	len = sizeof(mok_sb);
	rc = get_efi_var(shim_MokSBState_name, &shim_guid,
			 &mok_attr, &len, &mok_sb);
	if (rc == EFI_SUCCESS && mok_sb == 1 &&
	    !(mok_attr & EFI_VARIABLE_RUNTIME_ACCESS))
		return efi_secureboot_mode_disabled;

	efi_info("UEFI Secure Boot is enabled.\n");
	return efi_secureboot_mode_enabled;

status_unknown:
	efi_err("Could not determine UEFI Secure Boot status.\n");
	return efi_secureboot_mode_unknown;
}