diff options
| author | Peter Jones <pjones@redhat.com> | 2014-06-25 10:55:56 -0400 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2014-06-25 10:55:56 -0400 |
| commit | eb4cb6a50981f9ef4698b3847bd32e70081ab71d (patch) | |
| tree | 9a6c818be0a99eb80d7ce165cb31b90ecae4eb04 | |
| parent | 868b3721159ee615a1b774645d610a13b5827e5e (diff) | |
| download | efi-boot-shim-eb4cb6a50981f9ef4698b3847bd32e70081ab71d.tar.gz efi-boot-shim-eb4cb6a50981f9ef4698b3847bd32e70081ab71d.zip | |
Make sure we default to assuming we're locked down.
If "SecureBoot" exists but "SetupMode" does not, assume "SetupMode" says
we're not in Setup Mode.
Signed-off-by: Peter Jones <pjones@redhat.com>
| -rw-r--r-- | include/variables.h | 2 | ||||
| -rw-r--r-- | lib/variables.c | 8 | ||||
| -rw-r--r-- | shim.c | 8 |
3 files changed, 12 insertions, 6 deletions
diff --git a/include/variables.h b/include/variables.h index b207dbf3..deed269c 100644 --- a/include/variables.h +++ b/include/variables.h @@ -50,7 +50,7 @@ SETOSIndicationsAndReboot(UINT64 indications); int variable_is_secureboot(void); int -variable_is_setupmode(void); +variable_is_setupmode(int default_return); EFI_STATUS variable_enroll_hash(CHAR16 *var, EFI_GUID owner, UINT8 hash[SHA256_DIGEST_SIZE]); diff --git a/lib/variables.c b/lib/variables.c index 4c64d7e4..59d7d054 100644 --- a/lib/variables.c +++ b/lib/variables.c @@ -139,7 +139,7 @@ SetSecureVariable(CHAR16 *var, UINT8 *Data, UINTN len, EFI_GUID owner, /* Microsoft request: Bugs in some UEFI platforms mean that PK or any * other secure variable can be updated or deleted programmatically, * so prevent */ - if (!variable_is_setupmode()) + if (!variable_is_setupmode(1)) return EFI_SECURITY_VIOLATION; if (createtimebased) { @@ -279,17 +279,17 @@ find_in_variable_esl(CHAR16* var, EFI_GUID owner, UINT8 *key, UINTN keylen) } int -variable_is_setupmode(void) +variable_is_setupmode(int default_return) { /* set to 1 because we return true if SetupMode doesn't exist */ - UINT8 SetupMode = 1; + UINT8 SetupMode = default_return; UINTN DataSize = sizeof(SetupMode); EFI_STATUS status; status = uefi_call_wrapper(RT->GetVariable, 5, L"SetupMode", &GV_GUID, NULL, &DataSize, &SetupMode); if (EFI_ERROR(status)) - return 1; + return default_return; return SetupMode; } @@ -484,7 +484,13 @@ static BOOLEAN secure_mode (void) return FALSE; } - if (variable_is_setupmode() == 1) { + /* If we /do/ have "SecureBoot", but /don't/ have "SetupMode", + * then the implementation is bad, but we assume that secure boot is + * enabled according to the status of "SecureBoot". If we have both + * of them, then "SetupMode" may tell us additional data, and we need + * to consider it. + */ + if (variable_is_setupmode(0) == 1) { if (verbose && !in_protocol) console_notify(L"Platform is in setup mode"); return FALSE; |