[PATCH 3/3 Xenial SRU] UBUNTU: SAUCE: Display MOKSBState when disabled

tim.gardner at canonical.com tim.gardner at canonical.com
Mon Apr 18 17:41:56 UTC 2016 

From: Tim Gardner <tim.gardner at canonical.com>

BugLink: http://bugs.launchpad.net/bugs/1571691

It would be much simpler if one could pass MOKSBState via a global variable,
but the the EFI bits appear to be managed and linked a bit differently then
a normal text section. Hence the shennanigans with boot_params.secure_boot.

Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
---
 arch/x86/boot/compressed/eboot.c | 9 +++++----
 arch/x86/kernel/setup.c          | 6 +++++-
 include/linux/efi.h              | 1 +
 3 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
index 665b202..47914c5 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -886,14 +886,15 @@ static int get_secure_boot(void)
 
 	/* If it fails, we don't care why.  Default to secure */
 	if (status != EFI_SUCCESS)
-		return 1;
+		return EFI_SECURE_BOOT;
 
 	if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
-		if (moksbstate == 1)
-			return 0;
+		if (moksbstate == 1) {
+			return EFI_MOKSBSTATE_DISABLED;
+		}
 	}
 
-	return 1;
+	return EFI_SECURE_BOOT;
 }
 
 
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index e96398f..be173c2 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1144,11 +1144,15 @@ void __init setup_arch(char **cmdline_p)
 	io_delay_init();
 
 #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
-	if (boot_params.secure_boot) {
+	if (boot_params.secure_boot == EFI_SECURE_BOOT) {
 		set_bit(EFI_SECURE_BOOT, &efi.flags);
 		enforce_signed_modules();
 		pr_info("Secure boot enabled\n");
 	}
+	else if (boot_params.secure_boot == EFI_MOKSBSTATE_DISABLED) {
+		boot_params.secure_boot = 0;
+		pr_info("Secure boot MOKSBState disabled\n");
+    }
 #endif
 
 	/*
diff --git a/include/linux/efi.h b/include/linux/efi.h
index 3d29fd1..f2d3f54 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -987,6 +987,7 @@ extern int __init efi_setup_pcdp_console(char *);
 #define EFI_DBG			8	/* Print additional debug info at runtime */
 #define EFI_NX_PE_DATA		9	/* Can runtime data regions be mapped non-executable? */
 #define EFI_SECURE_BOOT		10	/* Are we in Secure Boot mode? */
+#define EFI_MOKSBSTATE_DISABLED	11	/* Secure boot mode disabled in the MOK */
 
 #ifdef CONFIG_EFI
 /*
-- 
1.9.1

More information about the kernel-team mailing list