From patchwork Tue Jul 7 03:11:52 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Heinrich Schuchardt X-Patchwork-Id: 240851 List-Id: U-Boot discussion From: xypron.glpk at gmx.de (Heinrich Schuchardt) Date: Tue, 7 Jul 2020 05:11:52 +0200 Subject: [PATCH v2 09/17] efi_loader: secure boot flag In-Reply-To: <20200707031200.65511-1-xypron.glpk@gmx.de> References: <20200707031200.65511-1-xypron.glpk@gmx.de> Message-ID: <20200707031200.65511-10-xypron.glpk@gmx.de> In audit mode the UEFI variable SecureBoot is set to zero but the efi_secure_boot flag is set to true. The efi_secure_boot flag should match the UEFIvariable SecureBoot. Signed-off-by: Heinrich Schuchardt --- lib/efi_loader/efi_variable.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) -- 2.27.0 diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c index b84b86672a..f8a50bb1be 100644 --- a/lib/efi_loader/efi_variable.c +++ b/lib/efi_loader/efi_variable.c @@ -190,6 +190,8 @@ static efi_status_t efi_set_secure_state(u8 secure_boot, u8 setup_mode, const u32 attributes_rw = EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS; + efi_secure_boot = secure_boot; + ret = efi_set_variable_int(L"SecureBoot", &efi_global_variable_guid, attributes_ro, sizeof(secure_boot), &secure_boot, false); @@ -240,8 +242,6 @@ static efi_status_t efi_transfer_secure_state(enum efi_secure_mode mode) ret = efi_set_secure_state(1, 0, 0, 1); if (ret != EFI_SUCCESS) goto err; - - efi_secure_boot = true; } else if (mode == EFI_MODE_AUDIT) { ret = efi_set_variable_int(L"PK", &efi_global_variable_guid, EFI_VARIABLE_BOOTSERVICE_ACCESS | @@ -253,14 +253,10 @@ static efi_status_t efi_transfer_secure_state(enum efi_secure_mode mode) ret = efi_set_secure_state(0, 1, 1, 0); if (ret != EFI_SUCCESS) goto err; - - efi_secure_boot = true; } else if (mode == EFI_MODE_USER) { ret = efi_set_secure_state(1, 0, 0, 0); if (ret != EFI_SUCCESS) goto err; - - efi_secure_boot = true; } else if (mode == EFI_MODE_SETUP) { ret = efi_set_secure_state(0, 1, 0, 0); if (ret != EFI_SUCCESS)