This will ensure that we just start secured binary without user confirmation But for now on we only support EFI correctly signed image to start Later will allow both.
Signed-off-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@xxxxxxxxxxxx>
---
 arch/x86/Kconfig | 1 +
 common/efi/efi-image.c | 1 +
 drivers/efi/efi-device.c | 13 +++++++++++--
 3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 52ccf4894..65e4c8b7c 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -78,6 +78,7 @@ choice
 select EFI_DEVICEPATH
 select PRINTF_UUID
 select CLOCKSOURCE_EFI_X86
+ select HAS_SECURE_BOOT
 config X86_BIOS_BRINGUP
 bool "16 bit BIOS"
diff --git a/common/efi/efi-image.c b/common/efi/efi-image.c
index 885348da4..6552d803d 100644
--- a/common/efi/efi-image.c
+++ b/common/efi/efi-image.c
@@ -270,6 +270,7 @@ static int do_bootm_efi(struct image_data *data)
 static struct image_handler efi_handle_tr = {
 .name = "EFI Application",
 .bootm = do_bootm_efi,
+ .is_secure_supported = 1,
 .filetype = filetype_exe,
 };
diff --git a/drivers/efi/efi-device.c b/drivers/efi/efi-device.c
index 998bda7c6..0a6d7ca4e 100644
--- a/drivers/efi/efi-device.c
+++ b/drivers/efi/efi-device.c
@@ -26,6 +26,7 @@
 #include <linux/sizes.h>
 #include <wchar.h>
 #include <init.h>
+#include <boot_verify.h>
 #include <efi.h>
 #include <efi/efi.h>
 #include <efi/efi-device.h>
@@ -382,13 +383,20 @@ static int efi_is_setup_mode(void)
 return ret != 0;
 }
+static int efi_is_secure_mode(void)
+{
+ int secure_boot = efi_is_secure_boot();
+ int setup_mode = efi_is_setup_mode();
+
+ return secure_boot && !setup_mode;
+}
+
 static int efi_init_devices(void)
 {
 char *fw_vendor = NULL;
 u16 sys_major = efi_sys_table->hdr.revision >> 16;
 u16 sys_minor = efi_sys_table->hdr.revision & 0xffff;
 int secure_boot = efi_is_secure_boot();
- int setup_mode = efi_is_setup_mode();
 fw_vendor = strdup_wchar_to_char((const wchar_t *)efi_sys_table->fw_vendor);
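Review bot: efi_is_secure_mode() is the predicate that, through boot_set_is_secure_mode() in the following hunk, decides whether an unsigned image may be started, yet it carries no comment stating the policy; add `/* Secure mode: SecureBoot asserted and SetupMode clear. Registered as the boot-verification policy hook, so it must fail closed. */` above the definition. Whether it actually fails closed depends on what efi_is_secure_boot() returns when the SecureBoot variable cannot be read, which is outside this hunk and worth confirming: an error path that yields 0 would presumably report "not secure" and let unsigned images through. The two locals are only used once, so `return efi_is_secure_boot() && !efi_is_setup_mode();` says the same thing in one line and skips the second variable read when secure boot is off. The body of efi_init_devices continues past the end of the hunk.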
@@ -406,9 +414,10 @@ static int efi_init_devices(void)
 dev_add_param_int_ro(efi_bus.dev, "fw_revision", efi_sys_table->fw_revision, "%u");
 dev_add_param_int_ro(efi_bus.dev, "secure_boot", secure_boot, "%d");
 dev_add_param_int_ro(efi_bus.dev, "secure_mode",
- secure_boot && !setup_mode, "%u");
+ efi_is_secure_mode(), "%u");
 efi_bus.dev->info = efi_businfo;
+ boot_set_is_secure_mode(efi_is_secure_mode);
 efi_register_devices();
--
2.11.0
_______________________________________________
barebox mailing list
barebox@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/barebox
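Review bot: The `secure_mode` parameter is filled once here by calling efi_is_secure_mode(), while `boot_set_is_secure_mode(efi_is_secure_mode)` hands the boot code a function pointer that is presumably re-evaluated at each boot decision, so a reader may take the device parameter for the authoritative value. A comment on the new line would make the split explicit: `/* Live policy hook for image verification; the "secure_mode" param above is only an init-time snapshot. */`. The return value of boot_set_is_secure_mode() is discarded; its declaration in boot_verify.h is not part of the patch, so if it can fail, a failed registration here would silently leave the verification policy unset and should at least be logged.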