Commit 9ea3d9b4 authored by Peter Jones's avatar Peter Jones

Make sure we default to assuming we're locked down.

If "SecureBoot" exists but "SetupMode" does not, assume "SetupMode" says
we're not in Setup Mode.
Signed-off-by: default avatarPeter Jones <pjones@redhat.com>
parent 7a72592b
......@@ -50,7 +50,7 @@ SETOSIndicationsAndReboot(UINT64 indications);
int
variable_is_secureboot(void);
int
variable_is_setupmode(void);
variable_is_setupmode(int default_return);
EFI_STATUS
variable_enroll_hash(CHAR16 *var, EFI_GUID owner,
UINT8 hash[SHA256_DIGEST_SIZE]);
......
......@@ -139,7 +139,7 @@ SetSecureVariable(CHAR16 *var, UINT8 *Data, UINTN len, EFI_GUID owner,
/* Microsoft request: Bugs in some UEFI platforms mean that PK or any
* other secure variable can be updated or deleted programmatically,
* so prevent */
if (!variable_is_setupmode())
if (!variable_is_setupmode(1))
return EFI_SECURITY_VIOLATION;
if (createtimebased) {
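Review bot: The guard in SetSecureVariable still passes 1, `if (!variable_is_setupmode(1))`, so when "SetupMode" is missing or cannot be read the platform is treated as being in setup mode and the secure-variable write goes ahead. This is the one call site that keeps the old fail-open default, which sits oddly with the commit title. As defined later on this page, variable_is_setupmode() returns default_return on every EFI_ERROR, not only when the variable does not exist. If the 1 is deliberate (presumably to keep enrollment working on firmware that lacks "SetupMode"), say so next to the call, e.g. `/* default 1: without SetupMode we assume setup mode here; this check fails open */`; otherwise pass 0 so it fails closed like the secure_mode() check. SetSecureVariable's body starts and ends outside the hunk.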
......@@ -279,17 +279,17 @@ find_in_variable_esl(CHAR16* var, EFI_GUID owner, UINT8 *key, UINTN keylen)
}
int
variable_is_setupmode(void)
variable_is_setupmode(int default_return)
{
/* set to 1 because we return true if SetupMode doesn't exist */
UINT8 SetupMode = 1;
UINT8 SetupMode = default_return;
UINTN DataSize = sizeof(SetupMode);
EFI_STATUS status;
status = uefi_call_wrapper(RT->GetVariable, 5, L"SetupMode", &GV_GUID, NULL,
&DataSize, &SetupMode);
if (EFI_ERROR(status))
return 1;
return default_return;
return SetupMode;
}
......
......@@ -484,7 +484,13 @@ static BOOLEAN secure_mode (void)
return FALSE;
}
if (variable_is_setupmode() == 1) {
/* If we /do/ have "SecureBoot", but /don't/ have "SetupMode",
* then the implementation is bad, but we assume that secure boot is
* enabled according to the status of "SecureBoot". If we have both
* of them, then "SetupMode" may tell us additional data, and we need
* to consider it.
*/
if (variable_is_setupmode(0) == 1) {
if (verbose && !in_protocol)
console_notify(L"Platform is in setup mode");
return FALSE;
......