mirror of
				git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
				synced 2025-09-04 20:19:47 +08:00 
			
		
		
		
	x86/ima: check EFI SetupMode too
Checking "SecureBoot" mode is not sufficient, also check "SetupMode".
Fixes: 399574c64e ("x86/ima: retry detecting secure boot mode")
Reported-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
			
			
This commit is contained in:
		
							parent
							
								
									8cdc23a3d9
								
							
						
					
					
						commit
						980ef4d22a
					
				| @ -11,10 +11,11 @@ extern struct boot_params boot_params; | |||||||
| static enum efi_secureboot_mode get_sb_mode(void) | static enum efi_secureboot_mode get_sb_mode(void) | ||||||
| { | { | ||||||
| 	efi_char16_t efi_SecureBoot_name[] = L"SecureBoot"; | 	efi_char16_t efi_SecureBoot_name[] = L"SecureBoot"; | ||||||
|  | 	efi_char16_t efi_SetupMode_name[] = L"SecureBoot"; | ||||||
| 	efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID; | 	efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID; | ||||||
| 	efi_status_t status; | 	efi_status_t status; | ||||||
| 	unsigned long size; | 	unsigned long size; | ||||||
| 	u8 secboot; | 	u8 secboot, setupmode; | ||||||
| 
 | 
 | ||||||
| 	size = sizeof(secboot); | 	size = sizeof(secboot); | ||||||
| 
 | 
 | ||||||
| @ -36,7 +37,14 @@ static enum efi_secureboot_mode get_sb_mode(void) | |||||||
| 		return efi_secureboot_mode_unknown; | 		return efi_secureboot_mode_unknown; | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
| 	if (secboot == 0) { | 	size = sizeof(setupmode); | ||||||
|  | 	status = efi.get_variable(efi_SetupMode_name, &efi_variable_guid, | ||||||
|  | 				  NULL, &size, &setupmode); | ||||||
|  | 
 | ||||||
|  | 	if (status != EFI_SUCCESS)	/* ignore unknown SetupMode */ | ||||||
|  | 		setupmode = 0; | ||||||
|  | 
 | ||||||
|  | 	if (secboot == 0 || setupmode == 1) { | ||||||
| 		pr_info("ima: secureboot mode disabled\n"); | 		pr_info("ima: secureboot mode disabled\n"); | ||||||
| 		return efi_secureboot_mode_disabled; | 		return efi_secureboot_mode_disabled; | ||||||
| 	} | 	} | ||||||
|  | |||||||
		Loading…
	
		Reference in New Issue
	
	Block a user
	 Mimi Zohar
						Mimi Zohar