Message ID | 148120026820.5854.13036556358308461345.stgit@warthog.procyon.org.uk (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
On Thu, 08 Dec, at 12:31:08PM, David Howells wrote: > From: Josh Boyer <jwboyer@fedoraproject.org> > > UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit > that can be passed to efi_enabled() to find out whether secure boot is > enabled. > > This will be used by the SysRq+x handler, registered by the x86 arch, to find > out whether secure boot mode is enabled so that it can be disabled. > > Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> > Signed-off-by: David Howells <dhowells@redhat.com> > --- > > arch/x86/kernel/setup.c | 15 +++++++++++++++ > include/linux/efi.h | 1 + > 2 files changed, 16 insertions(+) Before we add more efi.flags bits I'd like this series to include the patch that makes use of EFI_SECURE_BOOT. Alternatively, you move this last patch to a new series.
Matt Fleming <matt@codeblueprint.co.uk> wrote: > Before we add more efi.flags bits I'd like this series to include the > patch that makes use of EFI_SECURE_BOOT. Alternatively, you move this > last patch to a new series. Are you willing to take the kernel lock-down patches also? David
On Wed, 11 Jan, at 03:29:24PM, David Howells wrote: > Matt Fleming <matt@codeblueprint.co.uk> wrote: > > > Before we add more efi.flags bits I'd like this series to include the > > patch that makes use of EFI_SECURE_BOOT. Alternatively, you move this > > last patch to a new series. > > Are you willing to take the kernel lock-down patches also? I'm happy to take them through the EFI tree provided that they've been Reviewed/Ack-ed by the security folks.
Matt Fleming <matt@codeblueprint.co.uk> wrote: > > > Before we add more efi.flags bits I'd like this series to include the > > > patch that makes use of EFI_SECURE_BOOT. Alternatively, you move this > > > last patch to a new series. > > > > Are you willing to take the kernel lock-down patches also? > > I'm happy to take them through the EFI tree provided that they've been > Reviewed/Ack-ed by the security folks. Thinking further about it, it might be best to push the EFI_SECURE_BOOT flag into a later series and exclude that patch from this one. David
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c index 9c337b0e8ba7..d8972ec6257d 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -1152,6 +1152,21 @@ void __init setup_arch(char **cmdline_p) /* Allocate bigger log buffer */ setup_log_buf(1); + if (IS_ENABLED(CONFIG_EFI)) { + switch (boot_params.secure_boot) { + case efi_secureboot_mode_disabled: + pr_info("Secure boot disabled\n"); + break; + case efi_secureboot_mode_enabled: + set_bit(EFI_SECURE_BOOT, &efi.flags); + pr_info("Secure boot enabled\n"); + break; + default: + pr_info("Secure boot could not be determined\n"); + break; + } + } + reserve_initrd(); acpi_table_upgrade(); diff --git a/include/linux/efi.h b/include/linux/efi.h index c894ed5bfa1c..e1893f5002c3 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -1070,6 +1070,7 @@ extern int __init efi_setup_pcdp_console(char *); #define EFI_ARCH_1 7 /* First arch-specific bit */ #define EFI_DBG 8 /* Print additional debug info at runtime */ #define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */ +#define EFI_SECURE_BOOT 10 /* Are we in Secure Boot mode? */ #ifdef CONFIG_EFI /*