Here's a set of patches that can determine the secure boot state of the UEFI BIOS and pass that along to the main kernel image. This involves generalising ARM's efi_get_secureboot() function and making it mixed-mode safe. The patches can be found here also: http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=efi-secure-boot at tag: efi-secure-boot-20161123 Note that the patches are not terminal on the branch. David --- David Howells (4): x86/efi: Allow invocation of arbitrary runtime services arm/efi: Allow invocation of arbitrary runtime services efi: Add SHIM and image security database GUID definitions efi: Get the secure boot status Josh Boyer (2): efi: Disable secure boot if shim is in insecure mode efi: Add EFI_SECURE_BOOT bit Documentation/x86/zero-page.txt | 2 + arch/arm/include/asm/efi.h | 1 arch/arm64/include/asm/efi.h | 1 arch/x86/boot/compressed/eboot.c | 3 + arch/x86/boot/compressed/head_32.S | 6 +- arch/x86/boot/compressed/head_64.S | 8 +- arch/x86/include/asm/efi.h | 5 ++ arch/x86/include/uapi/asm/bootparam.h | 3 + arch/x86/kernel/setup.c | 7 ++ drivers/firmware/efi/libstub/Makefile | 2 - drivers/firmware/efi/libstub/arm-stub.c | 46 -------------- drivers/firmware/efi/libstub/secureboot.c | 93 +++++++++++++++++++++++++++++ include/linux/efi.h | 6 ++ 13 files changed, 128 insertions(+), 55 deletions(-) create mode 100644 drivers/firmware/efi/libstub/secureboot.c -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html