From patchwork Fri May 4 05:59:47 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ard Biesheuvel X-Patchwork-Id: 134957 Delivered-To: patch@linaro.org Received: by 10.46.151.6 with SMTP id r6csp440384lji; Thu, 3 May 2018 23:05:06 -0700 (PDT) X-Google-Smtp-Source: AB8JxZpivsXi1Rm0KERwIRThwR4mfshcbXrdpiBv8nBfFCZnW5sSFK+ap+/PqnL8MqktNkm4tJ8S X-Received: by 10.98.74.136 with SMTP id c8mr25700629pfj.23.1525413906629; Thu, 03 May 2018 23:05:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525413906; cv=none; d=google.com; s=arc-20160816; b=DxUYXnhxh9RmDvl6pwpKSKGuGwLuT5T/bFUWl0xpbt8Uy10EV9Y901MvZc4JPsW0cs UjAIX/HvCWBj685Io766lAofRFBSW1/MimgwDWPHtsa9gkjeDxB6yuR6Fz0+6sJzgUWh aDUELbxJsOrgw+O+OLLhfopi7XYg9vXBgRQ7vlscjx4JUokz6PNUTKT/cfc98CoGe5ug JCoNra4E/ifz1C7yf7CAVRMCcU0wASzJrx7h3IvMsI9MtKCG4vllXxxPa2HJlyJjZXMa znUF4VjWOCQaoThlVSDE5GT2gBp+Qry5mDecxFzDIIK2luSMfWeyEq6npecqyYe2Aan0 UoXQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=Z4r2NQZwKVNvxrX5BnSLUF3DoIt5BmU8wuRSbOhkgYA=; b=bXZFiGX9DGIdO63hxD00nm2LfHNJlMxwmeVwkJYYFWYka3K5hNNyzMFR6Dra1olz07 mg1rNB9lyyV6s2uNSYjP/WZ6WsRLOUkoDJTere1zPxOB+RC4FJZFfPBZo2lNBDKrvmeg aEmy/b7JSIqSk1QP3otUCeqwBARkDIrG9bIFAPS/y5ooytt3DV9AbA4OfWAyaKeZ/ipf /+ZQgxs81R2jQxsTo2UrS34a5STl6MyEWo4J40s6vacOrbOQ5DaILx5NSUpW/crXuUho l4kuBPhO5Qnfl8qiNypZrBB8w/xp056akw3WsHsUSEvFJ37WLMItL3fsbORdhq42oowz dZRQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@linaro.org header.s=google header.b=T5Bde6ww; spf=pass (google.com: best guess record for domain of linux-efi-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-efi-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 202si15758960pfx.61.2018.05.03.23.05.06; Thu, 03 May 2018 23:05:06 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-efi-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@linaro.org header.s=google header.b=T5Bde6ww; spf=pass (google.com: best guess record for domain of linux-efi-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-efi-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1750774AbeEDGFF (ORCPT + 2 others); Fri, 4 May 2018 02:05:05 -0400 Received: from mail-wr0-f194.google.com ([209.85.128.194]:40725 "EHLO mail-wr0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751394AbeEDGBE (ORCPT ); Fri, 4 May 2018 02:01:04 -0400 Received: by mail-wr0-f194.google.com with SMTP id v60-v6so19766340wrc.7 for ; Thu, 03 May 2018 23:01:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=YSRxmjrrmzsG8nmkS9VVjgihVs6uFWq2LNl+IHpQ/ns=; b=T5Bde6wwDSmScsuHUH/9tjQtB78QxNm8QmVsCTlOarNFRR/zYgqH1Q2WS3lbOAYkdq IyfSpTmn6HBurEZFkISOEe1i4FgHH+aEyAdUoosK/6I+nahC01IktrZr5+CQ8XaPnED2 YCyCmwCXjQ/FiT9r6CzTbgLdxVAONIBY4xU1Q= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=YSRxmjrrmzsG8nmkS9VVjgihVs6uFWq2LNl+IHpQ/ns=; b=s3AsOdr/Mg8+Tl4Vx9a7pB/d8rtkLw5TMXgpLElrYJkKqJnnysBO/KLAQDFgEQlJ2q wDOTZ8QiGPTjNg3+Z+n3ODtfWVBvtZ6LntMLI6Y5JoZBswY+mNhFdQwnSeWnLIT4kY1p JIzH256L6qgQKn3Fpm+Q7GuqQauUGg/dqlcOi9QyTnhCCrQSONHqXwdUH6Pl3FYA3lCN 3GOckaYH+r+dTgjSfYr3sMcRveD7KSoV32xY0NALZhjiYTYeWUkF46dUDsNyFRYo1qHQ ZJROwrf03T73Fzq+kwcI56IKhPg2jSn5WfpFecKKh5UjZwDWYC4QyYIumDn85J6lwv6V 4kGQ== X-Gm-Message-State: ALQs6tB6IiQM1QKEto6Wxjl84cfxbIfAxcHzTzPSefskzFJ5m3ycSN3Z KBZFOca9bYJOC5wY0iJomdqU4yJoq1Y= X-Received: by 2002:adf:e943:: with SMTP id m3-v6mr18927816wrn.185.1525413662949; Thu, 03 May 2018 23:01:02 -0700 (PDT) Received: from localhost.localdomain ([2a01:e35:3995:5470:200:1aff:fe1b:b328]) by smtp.gmail.com with ESMTPSA id i30-v6sm32411863wra.38.2018.05.03.23.01.00 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 03 May 2018 23:01:02 -0700 (PDT) From: Ard Biesheuvel To: linux-efi@vger.kernel.org, Ingo Molnar , Thomas Gleixner Cc: Daniel Kiper , Ard Biesheuvel , linux-kernel@vger.kernel.org Subject: [PATCH 01/17] x86/xen/efi: Initialize UEFI secure boot state during dom0 boot Date: Fri, 4 May 2018 07:59:47 +0200 Message-Id: <20180504060003.19618-2-ard.biesheuvel@linaro.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180504060003.19618-1-ard.biesheuvel@linaro.org> References: <20180504060003.19618-1-ard.biesheuvel@linaro.org> Sender: linux-efi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-efi@vger.kernel.org From: Daniel Kiper Initialize UEFI secure boot state during dom0 boot. Otherwise the kernel may not even know that it runs on secure boot enabled platform. Note that part of drivers/firmware/efi/libstub/secureboot.c is duplicated by this patch, only in this case, it runs in the context of the kernel proper rather than UEFI boot context. The reason for the duplication is that maintaining the original code to run correctly on ARM/arm64 as well as on all the quirky x86 firmware we support is enough of a burden as it is, and adding the x86/Xen execution context to that mix just so we can reuse a single routine just isn't worth it. Signed-off-by: Daniel Kiper [ardb: explain rationale for code duplication] Signed-off-by: Ard Biesheuvel --- arch/x86/xen/efi.c | 57 +++++++++++++++++++++++ drivers/firmware/efi/libstub/secureboot.c | 3 ++ 2 files changed, 60 insertions(+) -- 2.17.0 -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/arch/x86/xen/efi.c b/arch/x86/xen/efi.c index a18703be9ead..1804b27f9632 100644 --- a/arch/x86/xen/efi.c +++ b/arch/x86/xen/efi.c @@ -115,6 +115,61 @@ static efi_system_table_t __init *xen_efi_probe(void) return &efi_systab_xen; } +/* + * Determine whether we're in secure boot mode. + * + * Please keep the logic in sync with + * drivers/firmware/efi/libstub/secureboot.c:efi_get_secureboot(). + */ +static enum efi_secureboot_mode xen_efi_get_secureboot(void) +{ + static efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID; + static efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID; + efi_status_t status; + u8 moksbstate, secboot, setupmode; + unsigned long size; + + size = sizeof(secboot); + status = efi.get_variable(L"SecureBoot", &efi_variable_guid, + NULL, &size, &secboot); + + if (status == EFI_NOT_FOUND) + return efi_secureboot_mode_disabled; + + if (status != EFI_SUCCESS) + goto out_efi_err; + + size = sizeof(setupmode); + status = efi.get_variable(L"SetupMode", &efi_variable_guid, + NULL, &size, &setupmode); + + if (status != EFI_SUCCESS) + goto out_efi_err; + + if (secboot == 0 || setupmode == 1) + return efi_secureboot_mode_disabled; + + /* See if a user has put the shim into insecure mode. */ + size = sizeof(moksbstate); + status = efi.get_variable(L"MokSBStateRT", &shim_guid, + NULL, &size, &moksbstate); + + /* If it fails, we don't care why. Default to secure. */ + if (status != EFI_SUCCESS) + goto secure_boot_enabled; + + if (moksbstate == 1) + return efi_secureboot_mode_disabled; + + secure_boot_enabled: + pr_info("UEFI Secure Boot is enabled.\n"); + return efi_secureboot_mode_enabled; + + out_efi_err: + pr_err("Could not determine UEFI Secure Boot status.\n"); + return efi_secureboot_mode_unknown; +} + void __init xen_efi_init(void) { efi_system_table_t *efi_systab_xen; @@ -129,6 +184,8 @@ void __init xen_efi_init(void) boot_params.efi_info.efi_systab = (__u32)__pa(efi_systab_xen); boot_params.efi_info.efi_systab_hi = (__u32)(__pa(efi_systab_xen) >> 32); + boot_params.secure_boot = xen_efi_get_secureboot(); + set_bit(EFI_BOOT, &efi.flags); set_bit(EFI_PARAVIRT, &efi.flags); set_bit(EFI_64BIT, &efi.flags); diff --git a/drivers/firmware/efi/libstub/secureboot.c b/drivers/firmware/efi/libstub/secureboot.c index 8f07eb414c00..72d9dfbebf08 100644 --- a/drivers/firmware/efi/libstub/secureboot.c +++ b/drivers/firmware/efi/libstub/secureboot.c @@ -30,6 +30,9 @@ static const efi_char16_t shim_MokSBState_name[] = L"MokSBState"; /* * Determine whether we're in secure boot mode. + * + * Please keep the logic in sync with + * arch/x86/xen/efi.c:xen_efi_get_secureboot(). */ enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table_arg) {