UBUNTU: SAUCE: UEFI: efi: Disable secure boot if shim is in insecure mode

A user can manually tell the shim boot loader to disable validation of
images it loads.  When a user does this, it creates a UEFI variable called
MokSBState that does not have the runtime attribute set.  Given that the
user explicitly disabled validation, we can honor that and not enable
secure boot mode if that variable is set.

Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>

diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
index 43d31df4887c5d736d4e087310995d647ad77ef5..26eb06980bfa25632727f216da0279debba81fb0 100644 (file)
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -603,8 +603,9 @@ static void setup_quirks(struct boot_params *boot_params)
 
 static int get_secure_boot(void)
 {
-       u8 sb, setup;
+       u8 sb, setup, moksbstate;
        unsigned long datasize = sizeof(sb);
+       u32 attr;
        efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
        efi_status_t status;
 
@@ -628,6 +629,23 @@ static int get_secure_boot(void)
        if (setup == 1)
                return 0;
 
+       /* See if a user has put shim into insecure_mode.  If so, and the variable
+        * doesn't have the runtime attribute set, we might as well honor that.
+        */
+       var_guid = EFI_SHIM_LOCK_GUID;
+       status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
+                               L"MokSBState", &var_guid, &attr, &datasize,
+                               &moksbstate);
+
+       /* If it fails, we don't care why.  Default to secure */
+       if (status != EFI_SUCCESS)
+               return 1;
+
+       if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
+               if (moksbstate == 1)
+                       return 0;
+       }
+
        return 1;
 }