On Mon, 2020-11-02 at 23:37 +0100, Ard Biesheuvel wrote:
> From: Chester Lin <clin@xxxxxxxx>
>
> Generalize the efi_get_secureboot() function so not only efistub but also
> other subsystems can use it.
>
> Note that the MokSbState handling is not factored out: the variable is
> boot time only, and so it cannot be parameterized as easily. Also, the
> IMA code will switch to this version in a future patch, and it does not
> incorporate the MokSbState exception in the first place.
>
> Note that the new efi_get_secureboot_mode() helper treats any failures
> to read SetupMode as setup mode being disabled.
>
> Co-developed-by: Chester Lin <clin@xxxxxxxx>
> Signed-off-by: Chester Lin <clin@xxxxxxxx>
> Signed-off-by: Ard Biesheuvel <ardb@xxxxxxxxxx>
Thanks, Ard. Other than one minor thing inline below, the patch looks
good. I haven't done any testing yet.
> diff --git a/include/linux/efi.h b/include/linux/efi.h
> index bd9d83a94173..79b2d4de62e0 100644
> --- a/include/linux/efi.h
> +++ b/include/linux/efi.h
> @@ -1082,7 +1082,28 @@ enum efi_secureboot_mode {
> efi_secureboot_mode_disabled,
> efi_secureboot_mode_enabled,
> };
> -enum efi_secureboot_mode efi_get_secureboot(void);
> +
> +static inline
> +enum efi_secureboot_mode efi_get_secureboot_mode(efi_get_variable_t *get_var)
get_var() should be defined as "efi_status_t". If this is being
upstreamed via integrity, I can make the change.
thanks,
Mimi
