On Wed, 2016-11-23 at 12:54 +0000, David Howells wrote: > Get the firmware's secure-boot status in the kernel boot wrapper and > stash it somewhere that the main kernel image can find. > > The efi_get_secureboot() function is extracted from the arm stub and > (a) generalised so that it can be called from x86 and (b) made to use > efi_call_runtime() so that it can be run in mixed-mode. > > Suggested-by: Lukas Wunner <lukas@xxxxxxxxx> > Signed-off-by: David Howells <dhowells@xxxxxxxxxx> Since you seem to be using this to mean "is the platform locked down?", this looks to be no longer complete in the UEFI 2.6 world. If DeployedMode == 0, even if SecureBoot == 1 and SetupMode == 0, you can remove the platform key by writing 1 to AuditMode and gain control of the secure variables. The lock down state becomes DeployedMode == 1, SecureBoot == 1 and SetupMode == 0 See the diagram on page 1817 http://www.uefi.org/sites/default/files/resources/UEFI%20Spec%202_6.pdf James -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
