UBUNTU: SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl
authorTim Gardner <tim.gardner@canonical.com>
Thu, 16 Jun 2016 06:41:35 +0000 (09:41 +0300)
committerTim Gardner <tim.gardner@canonical.com>
Mon, 20 Feb 2017 03:57:58 +0000 (20:57 -0700)
BugLink: http://bugs.launchpad.net/bugs/1593075
This is a better method for detecting the state of secure boot and
the MOKSBState override, as opposed to grepping status from the kernel log.
Both variables return 0 or 1. If secure_boot==0 then signed module
enforcement is not enabled. Likewise, if moksbstate_disabled==1 then
signed module enforcement is not enabled. The only condition under which
signed module enforcement is enabled is when secure_boot==1 and
moksbstate_disabled==0.

/proc/sys/kernel/secure_boot
/proc/sys/kernel/moksbstate_disabled

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
arch/x86/kernel/setup.c
kernel/sysctl.c

index 299497aa36697750bbbd36109b146ac522c2cca7..7e49d380759f950e90041047a25cb6efea52209f 100644 (file)
@@ -1191,6 +1191,7 @@ void __init setup_arch(char **cmdline_p)
                pr_info("Secure boot enabled\n");
        }
        else if (boot_params.secure_boot == EFI_MOKSBSTATE_DISABLED) {
+               set_bit(EFI_MOKSBSTATE_DISABLED, &efi.flags);
                boot_params.secure_boot = 0;
                pr_info("Secure boot MOKSBState disabled\n");
     }
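Review bot: The added set_bit() reuses EFI_MOKSBSTATE_DISABLED, the value compared against boot_params.secure_boot on the line just above it, as a bit number in efi.flags; unless that constant is also a member of the EFI_* flag enumeration that efi_enabled() indexes (its definition is not visible here), the bit may alias an existing feature flag, so the value should be checked against include/linux/efi.h before this lands. Because boot_params.secure_boot is cleared to 0 on the next line, efi.flags becomes the only place the override survives, and the kernel/sysctl.c hunk reads it back with efi_enabled(EFI_MOKSBSTATE_DISABLED); a why-comment on the new line would make that dependency explicit: `/* Record the MOKSBState override in efi.flags so sysctl can report it; secure_boot itself is cleared below. */`. The enclosing if/else chain in setup_arch() starts before this hunk.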
index 9d5c1f34df8ed371b1f49a7db739ed63b5069661..8adb223c9652a664799011dac18ab972010aa384 100644 (file)
@@ -66,6 +66,7 @@
 #include <linux/kexec.h>
 #include <linux/bpf.h>
 #include <linux/mount.h>
+#include <linux/efi.h>
 
 #include <linux/uaccess.h>
 #include <asm/processor.h>
@@ -283,7 +284,37 @@ static int min_extfrag_threshold;
 static int max_extfrag_threshold = 1000;
 #endif
 
+static unsigned int secure_boot_enabled;
+int secure_boot_proc_handler(struct ctl_table *table, int write,
+       void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+       secure_boot_enabled = efi_enabled(EFI_SECURE_BOOT);
+       return proc_dointvec(table, write, buffer, lenp, ppos);
+}
+
+static unsigned int moksbstate_disabled;
+int moksbstate_disabled_proc_handler(struct ctl_table *table, int write,
+       void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+       moksbstate_disabled = efi_enabled(EFI_MOKSBSTATE_DISABLED);
+       return proc_dointvec(table, write, buffer, lenp, ppos);
+}
+
 static struct ctl_table kern_table[] = {
+       {
+               .procname   = "secure_boot",
+               .data       = &secure_boot_enabled,
+               .maxlen     = sizeof(unsigned int),
+               .mode       = 0444,
+               .proc_handler   = secure_boot_proc_handler,
+       },
+       {
+               .procname   = "moksbstate_disabled",
+               .data       = &moksbstate_disabled,
+               .maxlen     = sizeof(unsigned int),
+               .mode       = 0444,
+               .proc_handler   = moksbstate_disabled_proc_handler,
+       },
        {
                .procname       = "sched_child_runs_first",
                .data           = &sysctl_sched_child_runs_first,