x86/ima: check EFI SetupMode too
Checking "SecureBoot" mode is not sufficient, also check "SetupMode".
Fixes: 399574c64e
("x86/ima: retry detecting secure boot mode")
Reported-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
parent
8cdc23a3d9
commit
980ef4d22a
@ -11,10 +11,11 @@ extern struct boot_params boot_params;
|
|||||||
static enum efi_secureboot_mode get_sb_mode(void)
|
static enum efi_secureboot_mode get_sb_mode(void)
|
||||||
{
|
{
|
||||||
efi_char16_t efi_SecureBoot_name[] = L"SecureBoot";
|
efi_char16_t efi_SecureBoot_name[] = L"SecureBoot";
|
||||||
|
efi_char16_t efi_SetupMode_name[] = L"SecureBoot";
|
||||||
efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
|
efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
|
||||||
efi_status_t status;
|
efi_status_t status;
|
||||||
unsigned long size;
|
unsigned long size;
|
||||||
u8 secboot;
|
u8 secboot, setupmode;
|
||||||
|
|
||||||
size = sizeof(secboot);
|
size = sizeof(secboot);
|
||||||
|
|
||||||
@ -36,7 +37,14 @@ static enum efi_secureboot_mode get_sb_mode(void)
|
|||||||
return efi_secureboot_mode_unknown;
|
return efi_secureboot_mode_unknown;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (secboot == 0) {
|
size = sizeof(setupmode);
|
||||||
|
status = efi.get_variable(efi_SetupMode_name, &efi_variable_guid,
|
||||||
|
NULL, &size, &setupmode);
|
||||||
|
|
||||||
|
if (status != EFI_SUCCESS) /* ignore unknown SetupMode */
|
||||||
|
setupmode = 0;
|
||||||
|
|
||||||
|
if (secboot == 0 || setupmode == 1) {
|
||||||
pr_info("ima: secureboot mode disabled\n");
|
pr_info("ima: secureboot mode disabled\n");
|
||||||
return efi_secureboot_mode_disabled;
|
return efi_secureboot_mode_disabled;
|
||||||
}
|
}
|
||||||
|
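Review bot: The new `efi_SetupMode_name` array in the first hunk is initialised with `L"SecureBoot"`, so the added `efi.get_variable()` call in the second hunk reads the SecureBoot variable again instead of SetupMode. As written, `setupmode` would receive the same value as `secboot`, so a platform with SecureBoot set to 1 would satisfy `setupmode == 1` and be reported as `efi_secureboot_mode_disabled`, which is the opposite of what the commit message intends. The declaration should read `efi_char16_t efi_SetupMode_name[] = L"SetupMode";`. The body of get_sb_mode() between the two hunks and after the second one is not shown, so the effect on the final return value is inferred from the visible condition only.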