fc077423b8
UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT flag that can be passed to efi_enabled() to find out whether secure boot is enabled. Move the switch-statement in x86's setup_arch() that interprets the secure_boot boot parameter to generic code and set the bit there. Upstream Status: RHEL only Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> cc: linux-efi@vger.kernel.org [Rebased for context; efi_is_table_address was moved to arch/x86] Signed-off-by: Jeremy Cline <jcline@redhat.com> (cherry picked from commit 53250b991f841be025fa4d264850dadc0fae2861 from https://gitlab.com/cki-project/kernel-ark) Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
/* Core kernel secure boot support.
 *
 * Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public Licence
 * as published by the Free Software Foundation; either version
 * 2 of the Licence, or (at your option) any later version.
 */
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/efi.h>
#include <linux/kernel.h>
#include <linux/printk.h>
/*
 * Record the UEFI secure boot state in efi.flags and log it.
 *
 * @mode: secure boot state to record.
 *
 * Nothing is done unless efi_enabled(EFI_BOOT) is true.  The
 * EFI_SECURE_BOOT bit is set only for efi_secureboot_mode_enabled; the
 * disabled case and every other value leave it untouched, and this
 * function never clears it.
 *
 * Security note: a state that could not be determined is therefore
 * indistinguishable from "disabled" to anything that later tests
 * efi_enabled(EFI_SECURE_BOOT).  The pr_warn() below is the only trace of
 * that condition, so code that gates policy on the flag should not read a
 * clear bit as proof that secure boot is off.
 */
void __init efi_set_secure_boot(enum efi_secureboot_mode mode)
{
	/* Guard: the secure boot state is only recorded on an EFI boot. */
	if (!efi_enabled(EFI_BOOT))
		return;

	if (mode == efi_secureboot_mode_enabled) {
		set_bit(EFI_SECURE_BOOT, &efi.flags);
		pr_info("Secure boot enabled\n");
	} else if (mode == efi_secureboot_mode_disabled) {
		pr_info("Secure boot disabled\n");
	} else {
		/* Any other value: flag stays as it was, only a warning. */
		pr_warn("Secure boot could not be determined (mode %u)\n",
			mode);
	}
}