1*4882a593Smuzhiyun // SPDX-License-Identifier: GPL-2.0
2*4882a593Smuzhiyun /*
3*4882a593Smuzhiyun  * Secure boot handling.
4*4882a593Smuzhiyun  *
5*4882a593Smuzhiyun  * Copyright (C) 2013,2014 Linaro Limited
6*4882a593Smuzhiyun  *     Roy Franz <roy.franz@linaro.org>
7*4882a593Smuzhiyun  * Copyright (C) 2013 Red Hat, Inc.
8*4882a593Smuzhiyun  *     Mark Salter <msalter@redhat.com>
9*4882a593Smuzhiyun  */
10*4882a593Smuzhiyun #include <linux/efi.h>
11*4882a593Smuzhiyun #include <asm/efi.h>
12*4882a593Smuzhiyun 
13*4882a593Smuzhiyun #include "efistub.h"
14*4882a593Smuzhiyun 
15*4882a593Smuzhiyun /* BIOS variables */
16*4882a593Smuzhiyun static const efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
17*4882a593Smuzhiyun static const efi_char16_t efi_SecureBoot_name[] = L"SecureBoot";
18*4882a593Smuzhiyun static const efi_char16_t efi_SetupMode_name[] = L"SetupMode";
19*4882a593Smuzhiyun 
20*4882a593Smuzhiyun /* SHIM variables */
21*4882a593Smuzhiyun static const efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID;
22*4882a593Smuzhiyun static const efi_char16_t shim_MokSBState_name[] = L"MokSBStateRT";
23*4882a593Smuzhiyun 
/*
 * Read a single-byte EFI variable into *val.
 *
 * Thin wrapper around get_efi_var() with the buffer size fixed to one byte;
 * @attr may be NULL when the caller does not need the variable's attributes.
 * Returns the EFI status of the underlying GetVariable() call unchanged.
 */
static efi_status_t get_u8_var(const efi_char16_t *name, const efi_guid_t *guid,
			       u32 *attr, u8 *val)
{
	unsigned long size = sizeof(*val);

	return get_efi_var(name, guid, attr, &size, val);
}

/*
 * Determine whether we're in secure boot mode.
 *
 * Returns efi_secureboot_mode_disabled when the firmware has no SecureBoot
 * variable, reports SecureBoot == 0 or SetupMode == 1, or when shim's
 * volatile MokSBStateRT variable reads as 1; efi_secureboot_mode_unknown
 * (with an error message) when SecureBoot or SetupMode exists but cannot be
 * read; efi_secureboot_mode_enabled otherwise.
 *
 * Please keep the logic in sync with
 * arch/x86/xen/efi.c:xen_efi_get_secureboot().
 */
enum efi_secureboot_mode efi_get_secureboot(void)
{
	u8 secboot = 0, setupmode = 0, moksbstate = 0;
	u32 attr = 0;
	efi_status_t status;

	/*
	 * A missing SecureBoot variable means the firmware does not implement
	 * Secure Boot at all; that is "disabled", not an error. Any other
	 * failure leaves the state undetermined.
	 */
	status = get_u8_var(efi_SecureBoot_name, &efi_variable_guid, NULL,
			    &secboot);
	if (status == EFI_NOT_FOUND)
		return efi_secureboot_mode_disabled;
	if (status != EFI_SUCCESS) {
		efi_err("Could not determine UEFI Secure Boot status.\n");
		return efi_secureboot_mode_unknown;
	}

	/* Unlike SecureBoot, an absent SetupMode is treated as an error. */
	status = get_u8_var(efi_SetupMode_name, &efi_variable_guid, NULL,
			    &setupmode);
	if (status != EFI_SUCCESS) {
		efi_err("Could not determine UEFI Secure Boot status.\n");
		return efi_secureboot_mode_unknown;
	}

	/*
	 * SetupMode == 1 means the platform is in setup mode (per the UEFI
	 * spec, no Platform Key is enrolled), so nothing is being enforced
	 * even if SecureBoot happens to read as 1.
	 */
	if (!secboot || setupmode == 1)
		return efi_secureboot_mode_disabled;

	/*
	 * See if a user has put the shim into insecure mode via MokSBStateRT.
	 * Only a copy WITHOUT EFI_VARIABLE_NON_VOLATILE is honored: a variable
	 * written from the running OS after ExitBootServices() has to be
	 * non-volatile, so a persisted MokSBStateRT could have been created
	 * without shim's involvement and is deliberately ignored. Presumably
	 * shim itself publishes the variable as volatile each boot - confirm
	 * against the shim sources if this check is ever revisited.
	 *
	 * If the read fails we don't care why: default to secure.
	 */
	status = get_u8_var(shim_MokSBState_name, &shim_guid, &attr,
			    &moksbstate);
	if (status == EFI_SUCCESS && !(attr & EFI_VARIABLE_NON_VOLATILE) &&
	    moksbstate == 1)
		return efi_secureboot_mode_disabled;

	efi_info("UEFI Secure Boot is enabled.\n");
	return efi_secureboot_mode_enabled;
}