This will ensure that we just start secured binary without user confirmation But for now on we only support EFI correctly signed image to start Later will allow both.
Signed-off-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@xxxxxxxxxxxx>
---
 arch/x86/Kconfig | 1 +
 common/efi/efi-image.c | 1 +
 drivers/efi/efi-device.c | 9 +++++++++
 3 files changed, 11 insertions(+)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 52ccf4894..65e4c8b7c 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -78,6 +78,7 @@ choice
 select EFI_DEVICEPATH
 select PRINTF_UUID
 select CLOCKSOURCE_EFI_X86
+ select HAS_SECURE_BOOT
 
 config X86_BIOS_BRINGUP
 bool "16 bit BIOS"
diff --git a/common/efi/efi-image.c b/common/efi/efi-image.c
index 885348da4..6552d803d 100644
--- a/common/efi/efi-image.c
+++ b/common/efi/efi-image.c
@@ -270,6 +270,7 @@ static int do_bootm_efi(struct image_data *data)
 static struct image_handler efi_handle_tr = {
 .name = "EFI Application",
 .bootm = do_bootm_efi,
+ .is_secure_supported = 1,
 .filetype = filetype_exe,
 };
 
diff --git a/drivers/efi/efi-device.c b/drivers/efi/efi-device.c
index 7029bfb31..959878e7f 100644
--- a/drivers/efi/efi-device.c
+++ b/drivers/efi/efi-device.c
@@ -26,6 +26,7 @@
 #include <linux/sizes.h>
 #include <wchar.h>
 #include <init.h>
+#include <secure_boot.h>
 #include <efi.h>
 #include <efi/efi.h>
 #include <efi/efi-device.h>
@@ -382,6 +383,14 @@ static int efi_is_setup_mode(void)
 return ret != 0;
 }
 
+int is_secure_mode(void)
+{
+ int secure_boot = efi_is_secure_boot();
+ int setup_mode = efi_is_setup_mode();
+
+ return secure_boot & !setup_mode;
+}
+
 static int efi_init_devices(void)
 {
 char *fw_vendor = NULL;
-- 
2.11.0
_______________________________________________
barebox mailing list
barebox@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/barebox
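Review bot: Setting `.is_secure_supported = 1` on `efi_handle_tr` asserts that this handler only starts verified images, but nothing visible in this hunk shows where that verification happens. `do_bootm_efi` lies outside the hunk; presumably signature checking is delegated to the firmware's image loader, which should be confirmed. I would record that trust assumption next to the flag, for example `/* signature verification is performed by the EFI firmware when the image is loaded; barebox does not check it itself */`, adjusted to whatever `do_bootm_efi` really does. Without it, a later change to the load path could silently keep the flag while dropping the check.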
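Review bot: In `is_secure_mode()` the result is built with bitwise `&`, which is only correct if `efi_is_secure_boot()` returns exactly 0 or 1. That function is not visible in this hunk; if it can return a negative error code or another non-zero value, only bit 0 is tested, and a failed variable read could be reported as "not secure", which would fail open. I would make the intent explicit with `return secure_boot > 0 && !setup_mode;` if errors are negative, or plain `&&` if the helper is strictly boolean. It is also worth deciding deliberately whether an unreadable state should count as secure. Because this is a new global symbol with a generic name, a short comment such as `/* true only when firmware reports Secure Boot enabled and Setup Mode cleared */` would help callers.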