2 * Secure boot handling.
4 * Copyright (C) 2013,2014 Linaro Limited
5 * Roy Franz <roy.franz@linaro.org>
6 * Copyright (C) 2013 Red Hat, Inc.
7 * Mark Salter <msalter@redhat.com>
9 * This file is part of the Linux kernel, and is made available under the
10 * terms of the GNU General Public License version 2.
12 #include <linux/efi.h>
/*
 * Firmware variables. SecureBoot and SetupMode both live in the EFI global
 * variable namespace, so they are read under the same vendor GUID. The
 * names are spelled out as 16-bit character arrays because get_variable()
 * is handed an efi_char16_t pointer (see get_efi_var() below).
 */
static const efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
static const efi_char16_t efi_SecureBoot_name[] = {
	'S', 'e', 'c', 'u', 'r', 'e', 'B', 'o', 'o', 't', 0
};
static const efi_char16_t efi_SetupMode_name[] = {
	'S', 'e', 't', 'u', 'p', 'M', 'o', 'd', 'e', 0
};
/*
 * Shim variable. MokSBState is looked up under the shim lock GUID; the
 * caller in this file only honours it when the variable does NOT carry
 * EFI_VARIABLE_RUNTIME_ACCESS, so a value that is writable at runtime is
 * never allowed to report Secure Boot as disabled.
 */
static const efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID;
static efi_char16_t const shim_MokSBState_name[] = {
	'M', 'o', 'k', 'S', 'B', 'S', 't', 'a', 't', 'e', 0
};
/*
 * Read an EFI variable via the runtime services table.
 *
 * @name:   efi_char16_t string naming the variable
 * @vendor: vendor GUID the variable is filed under
 * @...:    the remaining get_variable() arguments as used in this file:
 *          attributes pointer (may be NULL), size pointer, data pointer
 *
 * The const is cast away from name and vendor, presumably because the
 * get_variable() prototype is not const-qualified -- the tables above are
 * never written through these pointers. The expansion ends in ';', so use
 * the macro only in statement position ("status = get_efi_var(...);"),
 * never inside a larger expression.
 */
#define get_efi_var(name, vendor, ...) \
	efi_call_runtime(get_variable, \
			 (efi_char16_t *)(name), (efi_guid_t *)(vendor), \
			 __VA_ARGS__);
38 * Determine whether we're in secure boot mode.
/*
 * Report that the Secure Boot state could not be read. Used for every lookup
 * failure that must not be mistaken for "Secure Boot is disabled".
 */
static enum efi_secureboot_mode
secureboot_status_unknown(efi_system_table_t *sys_table_arg)
{
	pr_efi_err(sys_table_arg, "Could not determine UEFI Secure Boot status.\n");
	return efi_secureboot_mode_unknown;
}

/*
 * Determine whether we're in secure boot mode.
 *
 * Reads the firmware's SecureBoot and SetupMode variables and, if they say
 * Secure Boot is active, consults shim's MokSBState to see whether the user
 * has deliberately switched shim into insecure mode.
 *
 * @sys_table_arg: EFI system table, used only for the stub's log output
 *
 * Returns:
 *   efi_secureboot_mode_disabled  SecureBoot absent or 0, SetupMode 1, or a
 *                                 non-runtime-accessible MokSBState of 1
 *   efi_secureboot_mode_enabled   otherwise (also logged)
 *   efi_secureboot_mode_unknown   SecureBoot or SetupMode unreadable for a
 *                                 reason other than "not found" (logged)
 */
enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table_arg)
{
	u8 secure_boot, setup_mode, mok_sb_state;
	u32 mok_attr = 0;
	unsigned long len;
	efi_status_t status;

	/* Firmware without a SecureBoot variable is simply not doing Secure Boot. */
	len = sizeof(secure_boot);
	status = get_efi_var(efi_SecureBoot_name, &efi_variable_guid,
			     NULL, &len, &secure_boot);
	if (status == EFI_NOT_FOUND)
		return efi_secureboot_mode_disabled;
	if (status != EFI_SUCCESS)
		return secureboot_status_unknown(sys_table_arg);

	/* Unlike SecureBoot, any failure to read SetupMode is an error. */
	len = sizeof(setup_mode);
	status = get_efi_var(efi_SetupMode_name, &efi_variable_guid,
			     NULL, &len, &setup_mode);
	if (status != EFI_SUCCESS)
		return secureboot_status_unknown(sys_table_arg);

	/* Secure Boot switched off, or the platform is still in setup mode. */
	if (secure_boot == 0 || setup_mode == 1)
		return efi_secureboot_mode_disabled;

	/*
	 * See if a user has put the shim into insecure mode. The variable is
	 * only honoured when it lacks EFI_VARIABLE_RUNTIME_ACCESS (presumably
	 * so that a copy writable from the running OS cannot turn Secure Boot
	 * off -- confirm against shim's contract). If the lookup fails for any
	 * reason we don't care why: stay on the secure side.
	 */
	len = sizeof(mok_sb_state);
	status = get_efi_var(shim_MokSBState_name, &shim_guid,
			     &mok_attr, &len, &mok_sb_state);
	if (status == EFI_SUCCESS &&
	    !(mok_attr & EFI_VARIABLE_RUNTIME_ACCESS) && mok_sb_state == 1)
		return efi_secureboot_mode_disabled;

	pr_efi(sys_table_arg, "UEFI Secure Boot is enabled.\n");
	return efi_secureboot_mode_enabled;
}