diff options
-rw-r--r-- | lib/efi_loader/efi_variable.c | 194 |
1 files changed, 64 insertions, 130 deletions
diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c index 0c6d1deb58..9a3f1f3d2e 100644 --- a/lib/efi_loader/efi_variable.c +++ b/lib/efi_loader/efi_variable.c @@ -177,6 +177,59 @@ static efi_status_t efi_set_variable_internal(u16 *variable_name, bool ro_check); /** + * efi_set_secure_state - modify secure boot state variables + * @sec_boot: value of SecureBoot + * @setup_mode: value of SetupMode + * @audit_mode: value of AuditMode + * @deployed_mode: value of DeployedMode + * + * Modify secure boot stat-related variables as indicated. + * + * Return: status code + */ +static efi_status_t efi_set_secure_state(int sec_boot, int setup_mode, + int audit_mode, int deployed_mode) +{ + u32 attributes; + efi_status_t ret; + + attributes = EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS | + READ_ONLY; + ret = efi_set_variable_internal(L"SecureBoot", + &efi_global_variable_guid, + attributes, + sizeof(sec_boot), &sec_boot, + false); + if (ret != EFI_SUCCESS) + goto err; + + ret = efi_set_variable_internal(L"SetupMode", + &efi_global_variable_guid, + attributes, + sizeof(setup_mode), &setup_mode, + false); + if (ret != EFI_SUCCESS) + goto err; + + ret = efi_set_variable_internal(L"AuditMode", + &efi_global_variable_guid, + attributes, + sizeof(audit_mode), &audit_mode, + false); + if (ret != EFI_SUCCESS) + goto err; + + ret = efi_set_variable_internal(L"DeployedMode", + &efi_global_variable_guid, + attributes, + sizeof(deployed_mode), &deployed_mode, + false); +err: + return ret; +} + +/** * efi_transfer_secure_state - handle a secure boot state transition * @mode: new state * @@ -188,157 +241,38 @@ static efi_status_t efi_set_variable_internal(u16 *variable_name, */ static efi_status_t efi_transfer_secure_state(enum efi_secure_mode mode) { - u32 attributes; - u8 val; efi_status_t ret; - debug("Secure state from %d to %d\n", efi_secure_mode, mode); + debug("Switching secure state from %d to %d\n", efi_secure_mode, mode); - attributes = EFI_VARIABLE_BOOTSERVICE_ACCESS | - EFI_VARIABLE_RUNTIME_ACCESS; if (mode == EFI_MODE_DEPLOYED) { - val = 1; - ret = efi_set_variable_internal(L"SecureBoot", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 0; - ret = efi_set_variable_internal(L"SetupMode", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 0; - ret = efi_set_variable_internal(L"AuditMode", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 1; - ret = efi_set_variable_internal(L"DeployedMode", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); + ret = efi_set_secure_state(1, 0, 0, 1); if (ret != EFI_SUCCESS) goto err; efi_secure_boot = true; } else if (mode == EFI_MODE_AUDIT) { - ret = efi_set_variable_internal(L"PK", - &efi_global_variable_guid, - attributes, - 0, NULL, - false); + ret = efi_set_variable_internal( + L"PK", &efi_global_variable_guid, + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS, + 0, NULL, false); if (ret != EFI_SUCCESS) goto err; - val = 0; - ret = efi_set_variable_internal(L"SecureBoot", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 1; - ret = efi_set_variable_internal(L"SetupMode", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 1; - ret = efi_set_variable_internal(L"AuditMode", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 0; - ret = efi_set_variable_internal(L"DeployedMode", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); + + ret = efi_set_secure_state(0, 1, 1, 0); if (ret != EFI_SUCCESS) goto err; efi_secure_boot = true; } else if (mode == EFI_MODE_USER) { - val = 1; - ret = efi_set_variable_internal(L"SecureBoot", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 0; - ret = efi_set_variable_internal(L"SetupMode", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 0; - ret = efi_set_variable_internal(L"AuditMode", - &efi_global_variable_guid, - attributes, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 0; - ret = efi_set_variable_internal(L"DeployedMode", - &efi_global_variable_guid, - attributes, - sizeof(val), &val, - false); + ret = efi_set_secure_state(1, 0, 0, 0); if (ret != EFI_SUCCESS) goto err; efi_secure_boot = true; } else if (mode == EFI_MODE_SETUP) { - val = 0; - ret = efi_set_variable_internal(L"SecureBoot", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 1; - ret = efi_set_variable_internal(L"SetupMode", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 0; - ret = efi_set_variable_internal(L"AuditMode", - &efi_global_variable_guid, - attributes, - sizeof(val), &val, - false); - if (ret != EFI_SUCCESS) - goto err; - val = 0; - ret = efi_set_variable_internal(L"DeployedMode", - &efi_global_variable_guid, - attributes | READ_ONLY, - sizeof(val), &val, - false); + ret = efi_set_secure_state(0, 1, 0, 0); if (ret != EFI_SUCCESS) goto err; } else { |