[v2,07/17] efi_loader: value of VendorKeys

Message ID 20200707031200.65511-8-xypron.glpk@gmx.de
State Superseded
Headers show
Series
  • efi_loader: non-volatile and runtime variables
Related show

Commit Message

Heinrich Schuchardt July 7, 2020, 3:11 a.m.
According to the UEFI specification the variable VendorKeys is 1 if the
"system is configured to use only vendor-provided keys".

As we do not supply any vendor keys yet the variable VendorKeys must be
zero.

Signed-off-by: Heinrich Schuchardt <xypron.glpk at gmx.de>
---
 lib/efi_loader/efi_variable.c | 75 +++++++----------------------------
 1 file changed, 15 insertions(+), 60 deletions(-)

--
2.27.0

Patch

diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c
index a7de0b4022..e3b29663a0 100644
--- a/lib/efi_loader/efi_variable.c
+++ b/lib/efi_loader/efi_variable.c
@@ -282,45 +282,29 @@  err:
  */
 static efi_status_t efi_init_secure_state(void)
 {
-	enum efi_secure_mode mode;
-	efi_uintn_t size;
+	enum efi_secure_mode mode = EFI_MODE_SETUP;
+	efi_uintn_t size = 0;
 	efi_status_t ret;

-	/*
-	 * TODO:
-	 * Since there is currently no "platform-specific" installation
-	 * method of Platform Key, we can't say if VendorKeys is 0 or 1
-	 * precisely.
-	 */
-
-	size = 0;
 	ret = efi_get_variable_int(L"PK", &efi_global_variable_guid,
 				   NULL, &size, NULL, NULL);
 	if (ret == EFI_BUFFER_TOO_SMALL) {
 		if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT))
 			mode = EFI_MODE_USER;
-		else
-			mode = EFI_MODE_SETUP;
-
-		efi_vendor_keys = 0;
-	} else if (ret == EFI_NOT_FOUND) {
-		mode = EFI_MODE_SETUP;
-		efi_vendor_keys = 1;
-	} else {
-		goto err;
 	}

 	ret = efi_transfer_secure_state(mode);
-	if (ret == EFI_SUCCESS)
-		ret = efi_set_variable_int(L"VendorKeys",
-					   &efi_global_variable_guid,
-					   EFI_VARIABLE_BOOTSERVICE_ACCESS |
-					   EFI_VARIABLE_RUNTIME_ACCESS |
-					   EFI_VARIABLE_READ_ONLY,
-					   sizeof(efi_vendor_keys),
-					   &efi_vendor_keys, false);
+	if (ret != EFI_SUCCESS)
+		return ret;

-err:
+	/* As we do not provide vendor keys this variable is always 0. */
+	ret = efi_set_variable_int(L"VendorKeys",
+				   &efi_global_variable_guid,
+				   EFI_VARIABLE_BOOTSERVICE_ACCESS |
+				   EFI_VARIABLE_RUNTIME_ACCESS |
+				   EFI_VARIABLE_READ_ONLY,
+				   sizeof(efi_vendor_keys),
+				   &efi_vendor_keys, false);
 	return ret;
 }

@@ -998,39 +982,10 @@  out:
 	if (env_set(native_name, val)) {
 		ret = EFI_DEVICE_ERROR;
 	} else {
-		bool vendor_keys_modified = false;
-
-		if ((u16_strcmp(variable_name, L"PK") == 0 &&
-		     guidcmp(vendor, &efi_global_variable_guid) == 0)) {
-			ret = efi_transfer_secure_state(
-					(delete ? EFI_MODE_SETUP :
-						  EFI_MODE_USER));
-			if (ret != EFI_SUCCESS)
-				goto err;
-
-			if (efi_secure_mode != EFI_MODE_SETUP)
-				vendor_keys_modified = true;
-		} else if ((u16_strcmp(variable_name, L"KEK") == 0 &&
-		     guidcmp(vendor, &efi_global_variable_guid) == 0)) {
-			if (efi_secure_mode != EFI_MODE_SETUP)
-				vendor_keys_modified = true;
-		}
-
-		/* update VendorKeys */
-		if (vendor_keys_modified & efi_vendor_keys) {
-			efi_vendor_keys = 0;
-			ret = efi_set_variable_int(
-						L"VendorKeys",
-						&efi_global_variable_guid,
-						EFI_VARIABLE_BOOTSERVICE_ACCESS
-						 | EFI_VARIABLE_RUNTIME_ACCESS
-						 | EFI_VARIABLE_READ_ONLY,
-						sizeof(efi_vendor_keys),
-						&efi_vendor_keys,
-						false);
-		} else {
+		if (!u16_strcmp(variable_name, L"PK"))
+			ret = efi_init_secure_state();
+		else
 			ret = EFI_SUCCESS;
-		}
 	}

 err: