From patchwork Fri Nov 25 12:03:12 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Howells X-Patchwork-Id: 9447419 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 9BC3F60235 for ; Fri, 25 Nov 2016 12:04:07 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 886B727E3E for ; Fri, 25 Nov 2016 12:04:07 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 7C8F727FA8; Fri, 25 Nov 2016 12:04:07 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5656727E3E for ; Fri, 25 Nov 2016 12:04:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753242AbcKYMEB convert rfc822-to-8bit (ORCPT ); Fri, 25 Nov 2016 07:04:01 -0500 Received: from mx1.redhat.com ([209.132.183.28]:59156 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751367AbcKYMEA (ORCPT ); Fri, 25 Nov 2016 07:04:00 -0500 Received: from int-mx14.intmail.prod.int.phx2.redhat.com (int-mx14.intmail.prod.int.phx2.redhat.com [10.5.11.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 79E6315561; Fri, 25 Nov 2016 12:03:15 +0000 (UTC) Received: from warthog.procyon.org.uk (ovpn-116-110.phx2.redhat.com [10.3.116.110]) by int-mx14.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id uAPC3DYI025498; Fri, 25 Nov 2016 07:03:13 -0500 Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 From: David Howells In-Reply-To: References: <147990561294.7576.6464430479448167484.stgit@warthog.procyon.org.uk> <147990565051.7576.9673287945782426886.stgit@warthog.procyon.org.uk> <1480016487.2444.18.camel@HansenPartnership.com> <15173.1480066220@warthog.procyon.org.uk> To: Ard Biesheuvel Cc: dhowells@redhat.com, James Bottomley , "linux-efi@vger.kernel.org" , "linux-kernel@vger.kernel.org" , linux-security-module , Lukas Wunner , keyrings@vger.kernel.org, "linux-arm-kernel@lists.infradead.org" Subject: Re: [PATCH 5/7] efi: Get the secure boot status [ver #3] MIME-Version: 1.0 Content-ID: <16660.1480075392.1@warthog.procyon.org.uk> Date: Fri, 25 Nov 2016 12:03:12 +0000 Message-ID: <16661.1480075392@warthog.procyon.org.uk> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.27 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Fri, 25 Nov 2016 12:03:15 +0000 (UTC) Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP How about the attached additional patch? Should I be checking the UEFI version number if such is available? David --- commit 981110f45ba73798875af7639d0328dc2d6f9919 Author: David Howells Date: Fri Nov 25 11:52:05 2016 +0000 efi: Handle secure boot from UEFI-2.6 UEFI-2.6 adds a new variable, DeployedMode. If it exists, this must be 1 to engage lockdown mode. Reported-by: James Bottomley Signed-off-by: David Howells -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/drivers/firmware/efi/libstub/secureboot.c b/drivers/firmware/efi/libstub/secureboot.c index ca643eba5a4b..4c3bddef4fb3 100644 --- a/drivers/firmware/efi/libstub/secureboot.c +++ b/drivers/firmware/efi/libstub/secureboot.c @@ -22,6 +22,9 @@ static const efi_char16_t const efi_SecureBoot_name[] = { static const efi_char16_t const efi_SetupMode_name[] = { 'S', 'e', 't', 'u', 'p', 'M', 'o', 'd', 'e', 0 }; +static const efi_char16_t const efi_DeployedMode_name[] = { + 'D', 'e', 'p', 'l', 'o', 'y', 'e', 'd', 'M', 'o', 'd', 'e', 0 +}; /* SHIM variables */ static const efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID; @@ -62,6 +65,16 @@ int efi_get_secureboot(efi_system_table_t *sys_table_arg) if (val == 1) return 0; + status = get_efi_var(efi_DeployedMode_name, &efi_variable_guid, + NULL, &size, &val); + if (status != EFI_NOT_FOUND) { + if (status != EFI_SUCCESS) + goto out_efi_err; + + if (val == 1) + return 0; + } + /* See if a user has put shim into insecure mode. If so, and if the * variable doesn't have the runtime attribute set, we might as well * honor that.