proxmox-mirrors/efi-boot-shim
1
0
Fork 0
mirror of https://git.proxmox.com/git/efi-boot-shim synced 2025-07-25 22:02:18 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Make sure we default to assuming we're locked down.

Browse Source 
If "SecureBoot" exists but "SetupMode" does not, assume "SetupMode" says
we're not in Setup Mode.

Signed-off-by: Peter Jones <pjones@redhat.com>
This commit is contained in:
Peter Jones 2014-06-25 10:55:56 -04:00
parent 868b372115
commit eb4cb6a509
3 changed files with 12 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/variables.h
View File

@ -50,7 +50,7 @@ SETOSIndicationsAndReboot(UINT64 indications);
int int
variable_is_secureboot(void); variable_is_secureboot(void);
int int
variable_is_setupmode(void); variable_is_setupmode(int default_return);
EFI_STATUS EFI_STATUS
variable_enroll_hash(CHAR16 *var, EFI_GUID owner, variable_enroll_hash(CHAR16 *var, EFI_GUID owner,
UINT8 hash[SHA256_DIGEST_SIZE]); UINT8 hash[SHA256_DIGEST_SIZE]);

8
lib/variables.c
View File

@ -139,7 +139,7 @@ SetSecureVariable(CHAR16 *var, UINT8 *Data, UINTN len, EFI_GUID owner,
/* Microsoft request: Bugs in some UEFI platforms mean that PK or any /* Microsoft request: Bugs in some UEFI platforms mean that PK or any
* other secure variable can be updated or deleted programmatically, * other secure variable can be updated or deleted programmatically,
* so prevent */ * so prevent */
if (!variable_is_setupmode()) if (!variable_is_setupmode(1))
return EFI_SECURITY_VIOLATION; return EFI_SECURITY_VIOLATION;
if (createtimebased) { if (createtimebased) {
@ -279,17 +279,17 @@ find_in_variable_esl(CHAR16* var, EFI_GUID owner, UINT8 *key, UINTN keylen)
} }
int int
variable_is_setupmode(void) variable_is_setupmode(int default_return)
{ {
/* set to 1 because we return true if SetupMode doesn't exist */ /* set to 1 because we return true if SetupMode doesn't exist */
UINT8 SetupMode = 1; UINT8 SetupMode = default_return;
UINTN DataSize = sizeof(SetupMode); UINTN DataSize = sizeof(SetupMode);
EFI_STATUS status; EFI_STATUS status;
status = uefi_call_wrapper(RT->GetVariable, 5, L"SetupMode", &GV_GUID, NULL, status = uefi_call_wrapper(RT->GetVariable, 5, L"SetupMode", &GV_GUID, NULL,
&DataSize, &SetupMode); &DataSize, &SetupMode);
if (EFI_ERROR(status)) if (EFI_ERROR(status))
return 1; return default_return;
return SetupMode; return SetupMode;
} }

8
shim.c
View File

@ -484,7 +484,13 @@ static BOOLEAN secure_mode (void)
return FALSE; return FALSE;
} }
if (variable_is_setupmode() == 1) { /* If we /do/ have "SecureBoot", but /don't/ have "SetupMode",
* then the implementation is bad, but we assume that secure boot is
* enabled according to the status of "SecureBoot". If we have both
* of them, then "SetupMode" may tell us additional data, and we need
* to consider it.
*/
if (variable_is_setupmode(0) == 1) {
if (verbose && !in_protocol) if (verbose && !in_protocol)
console_notify(L"Platform is in setup mode"); console_notify(L"Platform is in setup mode");
return FALSE; return FALSE;