	Clarify meaning of insecure_mode
insecure_mode was intended to indicate that the user had explicitly disabled checks with mokutil, which means it wasn't the opposite of secure_mode(). Change the names to clarify this and don't show the insecure mode message unless the user has explicitly enabled that mode. Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
		
							parent
							
								
									2f09d0ab29
								
							
						
					
					
						commit
						d95b24bd02
					
				| @ -64,13 +64,9 @@ static typeof(systab->BootServices->StartImage) system_start_image; | |||||||
| static typeof(systab->BootServices->Exit) system_exit; | static typeof(systab->BootServices->Exit) system_exit; | ||||||
| static typeof(systab->BootServices->ExitBootServices) system_exit_boot_services; | static typeof(systab->BootServices->ExitBootServices) system_exit_boot_services; | ||||||
| 
 | 
 | ||||||
| extern UINT8 insecure_mode; |  | ||||||
| 
 |  | ||||||
| void | void | ||||||
| unhook_system_services(void) | unhook_system_services(void) | ||||||
| { | { | ||||||
| 	if (insecure_mode) |  | ||||||
| 		return; |  | ||||||
| 	systab->BootServices->Exit = system_exit; | 	systab->BootServices->Exit = system_exit; | ||||||
| 	systab->BootServices->StartImage = system_start_image; | 	systab->BootServices->StartImage = system_start_image; | ||||||
| 	systab->BootServices->ExitBootServices = system_exit_boot_services; | 	systab->BootServices->ExitBootServices = system_exit_boot_services; | ||||||
| @ -123,8 +119,6 @@ exit(EFI_HANDLE ImageHandle, EFI_STATUS ExitStatus, | |||||||
| void | void | ||||||
| hook_system_services(EFI_SYSTEM_TABLE *local_systab) | hook_system_services(EFI_SYSTEM_TABLE *local_systab) | ||||||
| { | { | ||||||
| 	if (insecure_mode) |  | ||||||
| 		return; |  | ||||||
| 	systab = local_systab; | 	systab = local_systab; | ||||||
| 
 | 
 | ||||||
| 	/* We need to hook various calls to make this work... */ | 	/* We need to hook various calls to make this work... */ | ||||||
|  | |||||||
							
								
								
									
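--- a/shim.c
+++ b/shim.c
@@ -85,7 +85,7 @@ int loader_is_participating;
 
 #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
 
-UINT8 insecure_mode;
+UINT8 user_insecure_mode;
 UINT8 ignore_db;
 
 typedef enum {
@@ -456,7 +456,7 @@ static BOOLEAN secure_mode (void)
 	UINT8 *Data;
 	UINT8 sb, setupmode;
 
-	if (insecure_mode)
+	if (user_insecure_mode)
 		return FALSE;
 
 	status = get_variable(L"SecureBoot", &Data, &len, global_var);
@@ -1534,7 +1534,7 @@ static EFI_STATUS check_mok_sb (void)
 	UINTN MokSBStateSize = 0;
 	UINT32 attributes;
 
-	insecure_mode = 0;
+	user_insecure_mode = 0;
 	ignore_db = 0;
 
 	status = get_variable_attr(L"MokSBState", &MokSBState, &MokSBStateSize,
@@ -1555,7 +1555,7 @@ static EFI_STATUS check_mok_sb (void)
 		status = EFI_ACCESS_DENIED;
 	} else {
 		if (*(UINT8 *)MokSBState == 1) {
-			insecure_mode = 1;
+			user_insecure_mode = 1;
 		}
 	}
 
@@ -1753,10 +1753,10 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
 	/*
 	 * Tell the user that we're in insecure mode if necessary
 	 */
-	if (!secure_mode()) {
+	if (user_insecure_mode) {
 		Print(L"Booting in insecure mode\n");
 		uefi_call_wrapper(BS->Stall, 1, 2000000);
-	} else {
+	} else if (secure_mode()) {
 		/*
 		 * Install our hooks for ExitBootServices() and StartImage()
 		 */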
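Review bot: The `else if (secure_mode())` branch in efi_main is now the only condition deciding whether the Exit/StartImage/ExitBootServices hooks get installed, and nothing visible pairs it with a matching condition on the teardown side. The other file in this commit drops the `if (insecure_mode) return;` guard from unhook_system_services, so if that function is still called unconditionally (its callers are not shown on this page), it would dereference an unset `systab` and copy never-saved pointers into BootServices whenever firmware Secure Boot is off or the user has opted out via MokSBState. A guard at the top of unhook_system_services, `if (!systab) return;`, would make the teardown safe whichever branch ran. efi_main continues past the end of this hunk, so the hook_system_services call itself is outside the visible lines.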
	 Matthew Garrett
						Matthew Garrett