diff --git a/drivers/firmware/efi/efi-init.c b/drivers/firmware/efi/efi-init.c index a00e07b853f2..2f05aab95640 100644 --- a/drivers/firmware/efi/efi-init.c +++ b/drivers/firmware/efi/efi-init.c @@ -19,6 +19,7 @@ #include #include #include +#include #include @@ -237,6 +238,13 @@ void __init efi_init(void) return; } + efi_set_secure_boot(efi_get__secure_boot()); + +#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT + if (efi_enabled(EFI_SECURE_BOOT)) + security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX); +#endif + reserve_regions(); /* * For memblock manipulation, the cap should come after the memblock_add(). diff --git a/drivers/firmware/efi/fdtparams.c b/drivers/firmware/efi/fdtparams.c index 0ec83ba58097..562cf610447a 100644 --- a/drivers/firmware/efi/fdtparams.c +++ b/drivers/firmware/efi/fdtparams.c @@ -16,16 +16,24 @@ enum { MMSIZE, DCSIZE, DCVERS, + SCBOOT, PARAMCOUNT }; +static u32 __secure_boot __initdata = efi_secureboot_mode_unset; +u32 __init efi_get__secure_boot(void) +{ + return __secure_boot; +} + static __initconst const char name[][22] = { [SYSTAB] = "System Table ", [MMBASE] = "MemMap Address ", [MMSIZE] = "MemMap Size ", [DCSIZE] = "MemMap Desc. Size ", [DCVERS] = "MemMap Desc. Version ", + [SCBOOT] = "Secure Boot Enabled ", }; static __initconst const struct { @@ -53,6 +61,7 @@ static __initconst const struct { [MMSIZE] = "linux,uefi-mmap-size", [DCSIZE] = "linux,uefi-mmap-desc-size", [DCVERS] = "linux,uefi-mmap-desc-ver", + [SCBOOT] = "linux,uefi-secure-boot", } } }; @@ -95,6 +104,7 @@ u64 __init efi_get_fdt_params(struct efi_memory_map_data *mm) [MMSIZE] = { &mm->size, sizeof(mm->size) }, [DCSIZE] = { &mm->desc_size, sizeof(mm->desc_size) }, [DCVERS] = { &mm->desc_version, sizeof(mm->desc_version) }, + [SCBOOT] = { &__secure_boot, sizeof(__secure_boot) }, }; BUILD_BUG_ON(ARRAY_SIZE(target) != ARRAY_SIZE(name)); diff --git a/drivers/firmware/efi/libstub/fdt.c b/drivers/firmware/efi/libstub/fdt.c index 70e9789ff9de..ce8d64d7f549 100644 --- a/drivers/firmware/efi/libstub/fdt.c +++ b/drivers/firmware/efi/libstub/fdt.c @@ -132,6 +132,12 @@ static efi_status_t update_fdt(void *orig_fdt, unsigned long orig_fdt_size, } } + fdt_val32 = cpu_to_fdt32(efi_get_secureboot()); + status = fdt_setprop(fdt, node, "linux,uefi-secure-boot", + &fdt_val32, sizeof(fdt_val32)); + if (status) + goto fdt_set_fail; + /* Shrink the FDT back to its minimum size: */ fdt_pack(fdt); diff --git a/include/linux/efi.h b/include/linux/efi.h index e7bbf3b7a938..cedde46f5a2f 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -876,6 +876,15 @@ enum efi_secureboot_mode { efi_secureboot_mode_enabled, }; +#ifdef CONFIG_EFI_PARAMS_FROM_FDT +u32 __init efi_get__secure_boot(void); +#else +static inline u32 efi_get__secure_boot(void) +{ + return efi_secureboot_mode_unset; +}; +#endif + #ifdef CONFIG_EFI /* * Test whether the above EFI_* bits are enabled.