From patchwork Wed Jul 8 16:29:27 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Heinrich Schuchardt X-Patchwork-Id: 241058 List-Id: U-Boot discussion From: xypron.glpk at gmx.de (Heinrich Schuchardt) Date: Wed, 8 Jul 2020 18:29:27 +0200 Subject: [PATCH v3 08/17] efi_loader: read-only AuditMode and DeployedMode In-Reply-To: <20200708162936.25802-1-xypron.glpk@gmx.de> References: <20200708162936.25802-1-xypron.glpk@gmx.de> Message-ID: <20200708162936.25802-9-xypron.glpk@gmx.de> Set the read only property of the UEFI variables AuditMode and DeployedMode conforming to the UEFI specification. Signed-off-by: Heinrich Schuchardt --- lib/efi_loader/efi_variable.c | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) -- 2.27.0 diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c index e3b29663a0..b84b86672a 100644 --- a/lib/efi_loader/efi_variable.c +++ b/lib/efi_loader/efi_variable.c @@ -183,32 +183,36 @@ static const char *parse_attr(const char *str, u32 *attrp, u64 *timep) static efi_status_t efi_set_secure_state(u8 secure_boot, u8 setup_mode, u8 audit_mode, u8 deployed_mode) { - u32 attributes; efi_status_t ret; + const u32 attributes_ro = EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS | + EFI_VARIABLE_READ_ONLY; + const u32 attributes_rw = EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS; - attributes = EFI_VARIABLE_BOOTSERVICE_ACCESS | - EFI_VARIABLE_RUNTIME_ACCESS | - EFI_VARIABLE_READ_ONLY; ret = efi_set_variable_int(L"SecureBoot", &efi_global_variable_guid, - attributes, sizeof(secure_boot), + attributes_ro, sizeof(secure_boot), &secure_boot, false); if (ret != EFI_SUCCESS) goto err; ret = efi_set_variable_int(L"SetupMode", &efi_global_variable_guid, - attributes, sizeof(setup_mode), + attributes_ro, sizeof(setup_mode), &setup_mode, false); if (ret != EFI_SUCCESS) goto err; ret = efi_set_variable_int(L"AuditMode", &efi_global_variable_guid, - attributes, sizeof(audit_mode), - &audit_mode, false); + audit_mode || setup_mode ? + attributes_ro : attributes_rw, + sizeof(audit_mode), &audit_mode, false); if (ret != EFI_SUCCESS) goto err; ret = efi_set_variable_int(L"DeployedMode", - &efi_global_variable_guid, attributes, + &efi_global_variable_guid, + audit_mode || deployed_mode || setup_mode ? + attributes_ro : attributes_rw, sizeof(deployed_mode), &deployed_mode, false); err: