
Commit de8cb458 authored by David Howells's avatar David Howells Committed by Ingo Molnar

efi: Get and store the secure boot status



Get the firmware's secure-boot status in the kernel boot wrapper and stash
it where the main kernel image can find it.

The efi_get_secureboot() function is extracted from the ARM stub and (a)
generalised so that it can be called from x86 and (b) made to use
efi_call_runtime() so that it can be run in mixed-mode.

For x86, it is stored in boot_params and can be overridden by the boot
loader or kexec.  This allows secure-boot mode to be passed on to a new
kernel.

Suggested-by: default avatarLukas Wunner <lukas@wunner.de>
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Matt Fleming <matt@codeblueprint.co.uk>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Link: http://lkml.kernel.org/r/1486380166-31868-5-git-send-email-ard.biesheuvel@linaro.org


[ Small readability edits. ]
Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
parent e58910cd
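--- a/PATH_NOT_SHOWN_ON_PAGE_1
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
@@ -31,6 +31,8 @@ Offset Proto Name Meaning
 1E9/001	ALL	eddbuf_entries	Number of entries in eddbuf (below)
 1EA/001	ALL	edd_mbr_sig_buf_entries	Number of entries in edd_mbr_sig_buffer
 				(below)
+1EB/001	ALL     kbd_status      Numlock is enabled
+1EC/001	ALL     secure_boot	Secure boot is enabled in the firmware
 1EF/001	ALL	sentinel	Used to detect broken bootloaders
 290/040	ALL	edd_mbr_sig_buffer EDD MBR signatures
 2D0/A00	ALL	e820_map	E820 memory map table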
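--- a/PATH_NOT_SHOWN_ON_PAGE_2
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
@@ -988,6 +988,13 @@ struct boot_params *efi_main(struct efi_config *c,
 	else
 		setup_boot_services32(efi_early);
 
+	/*
+	 * If the boot loader gave us a value for secure_boot then we use that,
+	 * otherwise we ask the BIOS.
+	 */
+	if (boot_params->secure_boot == efi_secureboot_mode_unset)
+		boot_params->secure_boot = efi_get_secureboot(sys_table);
+
 	setup_graphics(boot_params);
 
 	setup_efi_pci(boot_params);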
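Review bot: The new comment says "otherwise we ask the BIOS", but the fallback calls `efi_get_secureboot(sys_table)`, which per the commit description goes through efi_call_runtime, i.e. the UEFI firmware, so "BIOS" is misleading here. The comment also leaves unstated the trust decision the condition encodes: any value other than `efi_secureboot_mode_unset` already present in boot_params — written by a boot loader, by kexec, or simply an out-of-range byte — is left as-is in this hunk and is not compared against what the firmware reports. I would reword it as `/* A boot loader or kexec may preset secure_boot; it is used as-is, and only efi_secureboot_mode_unset makes us query the firmware. */`. If pass-through of values outside the efi_secureboot_mode_* set is not intended, this condition is the place to reject them. efi_main begins and ends outside this hunk.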
+2 −1
@@ -135,7 +135,8 @@ struct boot_params {
	__u8  eddbuf_entries;				/* 0x1e9 */
	__u8  eddbuf_entries;				/* 0x1e9 */
	__u8  edd_mbr_sig_buf_entries;			/* 0x1ea */
	__u8  edd_mbr_sig_buf_entries;			/* 0x1ea */
	__u8  kbd_status;				/* 0x1eb */
	__u8  kbd_status;				/* 0x1eb */
	__u8  _pad5[3];					/* 0x1ec */
	__u8  secure_boot;				/* 0x1ec */
	__u8  _pad5[2];					/* 0x1ed */
	/*
	/*
	 * The sentinel is set to a nonzero value (0xff) in header.S.
	 * The sentinel is set to a nonzero value (0xff) in header.S.
	 *
	 *
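Review bot: The new `secure_boot` byte at 0x1ec carries no comment about which values a boot loader may write, even though it is consumed by the EFI stub (`if (boot_params->secure_boot == efi_secureboot_mode_unset)` in efi_main) and, per the description, may be preset by a boot loader or kexec. Since struct boot_params is boot-protocol ABI, the sentinel comment right below is the model to follow; I would annotate the field as `__u8  secure_boot;  /* 0x1ec: efi_secureboot_mode_*; efi_secureboot_mode_unset lets the EFI stub query the firmware */`. The zero-page documentation line added in the first file ("Secure boot is enabled in the firmware") should say the same, since as written it reads as a plain boolean. struct boot_params begins and ends outside this hunk.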
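--- a/PATH_NOT_SHOWN_ON_PAGE_4
+++ b/PATH_NOT_SHOWN_ON_PAGE_4
@@ -81,6 +81,7 @@ void common(void) {
 
 	BLANK();
 	OFFSET(BP_scratch, boot_params, scratch);
+	OFFSET(BP_secure_boot, boot_params, secure_boot);
 	OFFSET(BP_loadflags, boot_params, hdr.loadflags);
 	OFFSET(BP_hardware_subarch, boot_params, hdr.hardware_subarch);
 	OFFSET(BP_version, boot_params, hdr.version);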
+1 −1
@@ -28,7 +28,7 @@ OBJECT_FILES_NON_STANDARD := y
# Prevents link failures: __sanitizer_cov_trace_pc() is not linked in.
# Prevents link failures: __sanitizer_cov_trace_pc() is not linked in.
KCOV_INSTRUMENT			:= n
KCOV_INSTRUMENT			:= n


lib-y				:= efi-stub-helper.o gop.o
lib-y				:= efi-stub-helper.o gop.o secureboot.o


# include the stub's generic dependencies from lib/ when building for ARM/arm64
# include the stub's generic dependencies from lib/ when building for ARM/arm64
arm-deps := fdt_rw.c fdt_ro.c fdt_wip.c fdt.c fdt_empty_tree.c fdt_sw.c sort.c
arm-deps := fdt_rw.c fdt_ro.c fdt_wip.c fdt.c fdt_empty_tree.c fdt_sw.c sort.c