]> git.dujemihanovic.xyz Git - u-boot.git/commitdiff
projects / u-boot.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 9ef82e2)
efi_loader: efi_auth_var_type for AuditMode, DeployedMode
authorHeinrich Schuchardt <heinrich.schuchardt@canonical.com>
Thu, 26 Aug 2021 02:30:24 +0000 (04:30 +0200)
committerHeinrich Schuchardt <xypron.glpk@gmx.de>
Sat, 4 Sep 2021 10:03:57 +0000 (12:03 +0200)
Writing variables AuditMode and DeployedMode serves to switch between
Secure Boot modes. Provide a separate value for these in efi_auth_var_type.

With this patch the variables will not be read from from file even if they
are marked as non-volatile by mistake.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
include/efi_variable.h patch | blob | history
lib/efi_loader/efi_var_common.c patch | blob | history
lib/efi_loader/efi_variable.c patch | blob | history

diff --git a/include/efi_variable.h b/include/efi_variable.h
index 2d97655e1f1d0ce9a14586ad08ccfa34efdaabdd..0440d356bc896ce463fa8829eec1ca47d4aafa3e 100644 (file)
--- a/include/efi_variable.h
+++ b/include/efi_variable.h
@@ -12,6 +12,7 @@
 
 enum efi_auth_var_type {
        EFI_AUTH_VAR_NONE = 0,
+       EFI_AUTH_MODE,
        EFI_AUTH_VAR_PK,
        EFI_AUTH_VAR_KEK,
        EFI_AUTH_VAR_DB,
diff --git a/lib/efi_loader/efi_var_common.c b/lib/efi_loader/efi_var_common.c
index 005c03ea5f862611b8f0c2cfce9cdcce718b67af..c744e2fd910ff88df4f3a855d7745bc0665d4f22 100644 (file)
--- a/lib/efi_loader/efi_var_common.c
+++ b/lib/efi_loader/efi_var_common.c
@@ -34,6 +34,8 @@ static const struct efi_auth_var_name_type name_type[] = {
        {u"dbx",  &efi_guid_image_security_database, EFI_AUTH_VAR_DBX},
        {u"dbt",  &efi_guid_image_security_database, EFI_AUTH_VAR_DBT},
        {u"dbr",  &efi_guid_image_security_database, EFI_AUTH_VAR_DBR},
+       {u"AuditMode", &efi_global_variable_guid, EFI_AUTH_MODE},
+       {u"DeployedMode", &efi_global_variable_guid, EFI_AUTH_MODE},
 };
 
 static bool efi_secure_boot;
diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c
index a7d305ffbc78e2efba2a2d0f4f20d5a05ea76d6f..fa2b6bc7a8697670f0163026b8eb88d73122cfa8 100644 (file)
--- a/lib/efi_loader/efi_variable.c
+++ b/lib/efi_loader/efi_variable.c
@@ -247,7 +247,7 @@ efi_status_t efi_set_variable_int(u16 *variable_name, const efi_guid_t *vendor,
                        return EFI_WRITE_PROTECTED;
 
                if (IS_ENABLED(CONFIG_EFI_VARIABLES_PRESEED)) {
-                       if (var_type != EFI_AUTH_VAR_NONE)
+                       if (var_type >= EFI_AUTH_VAR_PK)
                                return EFI_WRITE_PROTECTED;
                }
 
@@ -268,7 +268,7 @@ efi_status_t efi_set_variable_int(u16 *variable_name, const efi_guid_t *vendor,
                        return EFI_NOT_FOUND;
        }
 
-       if (var_type != EFI_AUTH_VAR_NONE) {
+       if (var_type >= EFI_AUTH_VAR_PK) {
                /* authentication is mandatory */
                if (!(attributes &
                      EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)) {
My U-Boot fork