Commit 5f56a74

efi: libstub: check Shim mode using MokSBStateRT
We currently check the MokSBState variable to decide whether we should treat UEFI secure boot as being disabled, even if the firmware thinks otherwise. This is used by shim to indicate that it is not checking signatures on boot images. In the kernel, we use this to relax lockdown policies.

However, in cases where shim is not even being used, we don't want this variable to interfere with lockdown, given that the variable may be non-volatile and therefore persist across a reboot. This means setting it once will persistently disable lockdown checks on a given system.

So switch to the mirrored version of this variable, called MokSBStateRT, which is supposed to be volatile, and this is something we can check.

Cc: <[email protected]> # v4.19+
Signed-off-by: Ard Biesheuvel <[email protected]>
Reviewed-by: Ilias Apalodimas <[email protected]>
Reviewed-by: Peter Jones <[email protected]>
1 parent 63bf28c commit 5f56a74

1 file changed: +4 -4 lines changed


drivers/firmware/efi/libstub/secureboot.c

Lines changed: 4 additions & 4 deletions
@@ -14,7 +14,7 @@
1414

1515
/* SHIM variables */
1616
static const efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID;
17-
static const efi_char16_t shim_MokSBState_name[] = L"MokSBState";
17+
static const efi_char16_t shim_MokSBState_name[] = L"MokSBStateRT";
1818

1919
static efi_status_t get_var(efi_char16_t *name, efi_guid_t *vendor, u32 *attr,
2020
unsigned long *data_size, void *data)
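Review bot: the identifier `shim_MokSBState_name` now holds `L"MokSBStateRT"` but still reads as if it named the non-volatile `MokSBState` variable, which is exactly the variable this change stops trusting. Consider renaming it (for example to `shim_MokSBStateRT_name`) or adding a one-line comment next to the definition explaining that the RT suffix is the volatile mirror that shim sets at boot, so a later reader does not "fix" the string back to `MokSBState`.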
@@ -43,8 +43,8 @@ enum efi_secureboot_mode efi_get_secureboot(void)
4343

4444
/*
4545
* See if a user has put the shim into insecure mode. If so, and if the
46-
* variable doesn't have the runtime attribute set, we might as well
47-
* honor that.
46+
* variable doesn't have the non-volatile attribute set, we might as
47+
* well honor that.
4848
*/
4949
size = sizeof(moksbstate);
5050
status = get_efi_var(shim_MokSBState_name, &shim_guid,
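Review bot: the rewritten comment says "if the variable doesn't have the non-volatile attribute set" but does not say why that matters, and the rationale is the whole point of the change. Suggest extending it with the reasoning from the commit message, e.g. "shim's MokSBStateRT mirror is volatile; a non-volatile copy was not set by shim during this boot and must not be used to disable secure boot handling", so the attribute check is not mistaken for a leftover of the old `EFI_VARIABLE_RUNTIME_ACCESS` test.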
@@ -53,7 +53,7 @@ enum efi_secureboot_mode efi_get_secureboot(void)
5353
/* If it fails, we don't care why. Default to secure */
5454
if (status != EFI_SUCCESS)
5555
goto secure_boot_enabled;
56-
if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS) && moksbstate == 1)
56+
if (!(attr & EFI_VARIABLE_NON_VOLATILE) && moksbstate == 1)
5757
return efi_secureboot_mode_disabled;
5858

5959
secure_boot_enabled:
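Review bot: when `attr & EFI_VARIABLE_NON_VOLATILE` is set together with `moksbstate == 1`, the code silently falls through to `return efi_secureboot_mode_enabled` (via the code after the `secure_boot_enabled:` label). That is the safe default, but it is also the one case where a persisted or tampered MokSBStateRT is being deliberately ignored, so it is worth a diagnostic line on that path rather than indistinguishable silence; it would help whoever debugs a system where lockdown unexpectedly stays enforced despite shim being in insecure mode. Also note the `Cc: stable # v4.19+` tag: the surrounding comment in older branches still describes the runtime-attribute test, so the backport should carry both the comment hunk and the condition hunk together.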