Re: [PATCH] efi: libstub: treat missing SecureBoot/SetupMode vars as SB disabled

Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx> · Thu, 16 Feb 2017 17:59:42 +0000

On 16 February 2017 at 17:56, Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx> wrote:
> The newly refactored code that infers the firmware's Secure Boot state
> prints the following error when the variables 'SecureBoot' or 'SetupMode'
> are missing.
>
>   EFI stub: ERROR: Could not determine UEFI Secure Boot status.
>
> However, these variables are only guaranteed to be defined on a system
> that is Secure Boot capable to begin with, and so it is not an error if
> they are missing. So report Secure Boot as disabled in this case, without
> printing any error messages.
>
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>
> ---
>  drivers/firmware/efi/libstub/secureboot.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/firmware/efi/libstub/secureboot.c b/drivers/firmware/efi/libstub/secureboot.c
> index 766ac06dac84..1987410e8242 100644
> --- a/drivers/firmware/efi/libstub/secureboot.c
> +++ b/drivers/firmware/efi/libstub/secureboot.c
> @@ -47,12 +47,16 @@ enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table_arg)
>         size = sizeof(secboot);
>         status = get_efi_var(efi_SecureBoot_name, &efi_variable_guid,
>                              NULL, &size, &secboot);
> +       if (status == EFI_NOT_FOUND)
> +               return efi_secureboot_mode_disabled;
>         if (status != EFI_SUCCESS)
>                 goto out_efi_err;
>
>         size = sizeof(setupmode);
>         status = get_efi_var(efi_SetupMode_name, &efi_variable_guid,
>                              NULL, &size, &setupmode);
> +       if (status == EFI_NOT_FOUND)
> +               return efi_secureboot_mode_disabled;

Hmm, I hit 'send' a little quick: if SecureBoot exists and SetupMode
doesn't, I think we are in a situation where we should report
'unknown' rather than disabled.

>         if (status != EFI_SUCCESS)
>                 goto out_efi_err;
>
> @@ -80,7 +84,5 @@ enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table_arg)
>
>  out_efi_err:
>         pr_efi_err(sys_table_arg, "Could not determine UEFI Secure Boot status.\n");
> -       if (status == EFI_NOT_FOUND)
> -               return efi_secureboot_mode_disabled;
>         return efi_secureboot_mode_unknown;
>  }
> --
> 2.7.4
>
--
To unsubscribe from this list: send the line "unsubscribe linux-efi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html