From patchwork Thu Aug 13 08:05:29 2020
X-Patchwork-Submitter: AKASHI Takahiro
X-Patchwork-Id: 247673
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de
Cc: u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH] efi_loader: variable: fix secure state initialization
Date: Thu, 13 Aug 2020 17:05:29 +0900
Message-Id: <20200813080529.178153-1-takahiro.akashi@linaro.org>

Under the new file-based variable implementation, the secure state
is always and falsely set to 0 (hence, the secure boot gets disabled)
after the reboot even if PK (and other signature database) has already
been enrolled in the previous boot.

This is because the secure state is set up *before* loading non-volatile
variables' values from saved data.

This patch fixes the order of variable initialization and secure state
initialization.

Signed-off-by: AKASHI Takahiro
Fixes: 5f7dcf079de8 ("efi_loader: UEFI variable persistence")
---
 lib/efi_loader/efi_variable.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

-- 
2.28.0

Reviewed-by: Heinrich Schuchardt

diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c index 282d542a096c..a10b9caa8b03 100644 --- a/lib/efi_loader/efi_variable.c +++ b/lib/efi_loader/efi_variable.c @@ -508,10 +508,6 @@ efi_status_t efi_init_variables(void) if (ret != EFI_SUCCESS) return ret; - ret = efi_init_secure_state(); - if (ret != EFI_SUCCESS) - return ret; - if (IS_ENABLED(CONFIG_EFI_VARIABLES_PRESEED)) { ret = efi_var_restore((struct efi_var_file *) __efi_var_file_begin); 
@@ -519,5 +515,9 @@ efi_status_t efi_init_variables(void) log_err("Invalid EFI variable seed\n"); } - return efi_var_from_file(); + ret = efi_var_from_file(); + if (ret != EFI_SUCCESS) + return ret; + + return efi_init_secure_state(); }
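
Review bot: in the first hunk (@@ -508,10 +508,6 @@), removing the efi_init_secure_state() call ahead of the IS_ENABLED(CONFIG_EFI_VARIABLES_PRESEED) block means efi_var_restore() now runs before any secure state has been set up, so please confirm, and state in the commit message, that the restore path does not consult the secure state when it accepts the seed's variables. If it does, for instance when deciding how PK or the signature databases from the seed are handled, the seed would be processed under an unset state rather than the one this patch is meant to establish.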
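
Review bot: in the second hunk (@@ -519,5 +515,9 @@), the early "return ret;" after efi_var_from_file() means efi_init_secure_state() is never called when loading the file fails, whereas before this change the secure state had always been initialized by that point. Please confirm that efi_var_from_file() returns EFI_SUCCESS when no variable file exists yet (first boot) and that callers treat a failure of efi_init_variables() as fatal, so that boot cannot continue with an uninitialized secure state. The context lines also show that an invalid seed is only reported through log_err() and execution continues, so the secure state is then derived from whatever subset of variables was loaded; a short comment above the final return saying that the secure state must be computed only after all non-volatile variables are loaded would keep this ordering from being undone later.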