-rw-r--r--include/variables.h2
-rw-r--r--lib/variables.c8
-rw-r--r--shim.c8
3 files changed, 12 insertions, 6 deletions
diff --git a/include/variables.h b/include/variables.h
index b207dbf3..deed269c 100644
--- a/include/variables.h
+++ b/include/variables.h
@@ -50,7 +50,7 @@ SETOSIndicationsAndReboot(UINT64 indications);
int
variable_is_secureboot(void);
int
-variable_is_setupmode(void);
+variable_is_setupmode(int default_return);
EFI_STATUS
variable_enroll_hash(CHAR16 *var, EFI_GUID owner,
UINT8 hash[SHA256_DIGEST_SIZE]);
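Review bot: The new `default_return` parameter is undocumented in the header, and its meaning is not obvious from the name alone: it is the value the function yields when the SetupMode variable cannot be read, which decides whether each caller fails open or closed. A one-line comment above the prototype would fix that, e.g. `/* Returns the UEFI SetupMode value (0 or 1); returns default_return when the variable cannot be read. */`. Callers should pass only 0 or 1, since the implementation stores the value in a UINT8.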
diff --git a/lib/variables.c b/lib/variables.c
index 4c64d7e4..59d7d054 100644
--- a/lib/variables.c
+++ b/lib/variables.c
@@ -139,7 +139,7 @@ SetSecureVariable(CHAR16 *var, UINT8 *Data, UINTN len, EFI_GUID owner,
/* Microsoft request: Bugs in some UEFI platforms mean that PK or any
* other secure variable can be updated or deleted programmatically,
* so prevent */
- if (!variable_is_setupmode())
+ if (!variable_is_setupmode(1))
return EFI_SECURITY_VIOLATION;
if (createtimebased) {
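Review bot: Passing `1` here keeps this guard fail-open: when GetVariable for SetupMode fails, `variable_is_setupmode(1)` returns 1, the EFI_SECURITY_VIOLATION path is skipped, and the protection the comment above attributes to the Microsoft request is not enforced on a platform whose SetupMode is unreadable. That appears to preserve the pre-commit behaviour rather than introduce it, but now that the default is an explicit argument the choice deserves a comment at the call site, e.g. `/* default 1: an unreadable SetupMode is treated as setup mode, so this check is fail-open */`. SetSecureVariable's body begins and continues outside the hunk.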
@@ -279,17 +279,17 @@ find_in_variable_esl(CHAR16* var, EFI_GUID owner, UINT8 *key, UINTN keylen)
}
int
-variable_is_setupmode(void)
+variable_is_setupmode(int default_return)
{
/* set to 1 because we return true if SetupMode doesn't exist */
- UINT8 SetupMode = 1;
+ UINT8 SetupMode = default_return;
UINTN DataSize = sizeof(SetupMode);
EFI_STATUS status;
status = uefi_call_wrapper(RT->GetVariable, 5, L"SetupMode", &GV_GUID, NULL,
&DataSize, &SetupMode);
if (EFI_ERROR(status))
- return 1;
+ return default_return;
return SetupMode;
}
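Review bot: The comment `/* set to 1 because we return true if SetupMode doesn't exist */` is now stale, since the initial value is whatever the caller passed in `default_return`; it should read `/* seed with default_return so a missing or unreadable SetupMode yields the caller's fallback */`. The assignment `UINT8 SetupMode = default_return;` also narrows an int to a byte silently, so a value outside 0..255 would be truncated before being returned; either document that the parameter must be 0 or 1 or make it a BOOLEAN-style type. Note the function returns `default_return` directly on error but returns the truncated `SetupMode` on success, so the two return paths have different ranges.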
diff --git a/shim.c b/shim.c
index 14fb601c..fe73ec1a 100644
--- a/shim.c
+++ b/shim.c
@@ -484,7 +484,13 @@ static BOOLEAN secure_mode (void)
return FALSE;
}
- if (variable_is_setupmode() == 1) {
+ /* If we /do/ have "SecureBoot", but /don't/ have "SetupMode",
+ * then the implementation is bad, but we assume that secure boot is
+ * enabled according to the status of "SecureBoot". If we have both
+ * of them, then "SetupMode" may tell us additional data, and we need
+ * to consider it.
+ */
+ if (variable_is_setupmode(0) == 1) {
if (verbose && !in_protocol)
console_notify(L"Platform is in setup mode");
return FALSE;
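Review bot: The new comment explains the "SecureBoot present, SetupMode absent" assumption, but not that the bare `0` argument is what makes the branch fail-closed: an unreadable SetupMode returns 0, the `== 1` test is false, and secure_mode() does not fall through to the setup-mode early return. Since the other call site in lib/variables.c passes `1` for the opposite effect, a reader has to consult both to understand either; appending one sentence to the comment, e.g. `* Passing 0 means an unreadable SetupMode is treated as "not setup mode".`, would make the intent local. secure_mode() begins outside the hunk.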