diff options
author | Daan De Meyer <daan.j.demeyer@gmail.com> | 2021-01-30 22:18:01 +0000 |
---|---|---|
committer | Daan De Meyer <daan.j.demeyer@gmail.com> | 2021-01-31 21:46:05 +0000 |
commit | ce0f078f4d23690e3b5d870e062e35aeaf581e7e (patch) | |
tree | 39d5fd305508e890141199e2baf97bce8fc29c7f | |
parent | a3c5d7e95ba3cf6557c7b23e900e37c066fba392 (diff) | |
download | systemd-ce0f078f4d23690e3b5d870e062e35aeaf581e7e.tar.gz |
boot: Move Secure Boot logic to new file
-rw-r--r-- | src/boot/efi/boot.c | 6 | ||||
-rw-r--r-- | src/boot/efi/meson.build | 1 | ||||
-rw-r--r-- | src/boot/efi/random-seed.c | 2 | ||||
-rw-r--r-- | src/boot/efi/secure-boot.c | 16 | ||||
-rw-r--r-- | src/boot/efi/secure-boot.h | 6 | ||||
-rw-r--r-- | src/boot/efi/shim.c | 11 | ||||
-rw-r--r-- | src/boot/efi/shim.h | 2 | ||||
-rw-r--r-- | src/boot/efi/stub.c | 13 |
8 files changed, 30 insertions, 27 deletions
diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c index e1a7dd1f32..0d516e00dc 100644 --- a/src/boot/efi/boot.c +++ b/src/boot/efi/boot.c @@ -13,6 +13,7 @@ #include "measure.h" #include "pe.h" #include "random-seed.h" +#include "secure-boot.h" #include "shim.h" #include "util.h" @@ -359,7 +360,7 @@ static UINTN entry_lookup_key(Config *config, UINTN start, CHAR16 key) { static VOID print_status(Config *config, CHAR16 *loaded_image_path) { UINT64 key; UINTN i; - _cleanup_freepool_ CHAR8 *bootvar = NULL, *modevar = NULL, *indvar = NULL; + _cleanup_freepool_ CHAR8 *modevar = NULL, *indvar = NULL; _cleanup_freepool_ CHAR16 *partstr = NULL, *defaultstr = NULL; UINTN x, y, size; @@ -376,8 +377,7 @@ static VOID print_status(Config *config, CHAR16 *loaded_image_path) { if (uefi_call_wrapper(ST->ConOut->QueryMode, 4, ST->ConOut, ST->ConOut->Mode->Mode, &x, &y) == EFI_SUCCESS) Print(L"console size: %d x %d\n", x, y); - if (efivar_get_raw(&global_guid, L"SecureBoot", &bootvar, &size) == EFI_SUCCESS) - Print(L"SecureBoot: %s\n", yes_no(*bootvar > 0)); + Print(L"SecureBoot: %s\n", yes_no(secure_boot_enabled())); if (efivar_get_raw(&global_guid, L"SetupMode", &modevar, &size) == EFI_SUCCESS) Print(L"SetupMode: %s\n", *modevar > 0 ? L"setup" : L"user"); diff --git a/src/boot/efi/meson.build b/src/boot/efi/meson.build index 24177f9384..875a501b30 100644 --- a/src/boot/efi/meson.build +++ b/src/boot/efi/meson.build @@ -21,6 +21,7 @@ common_sources = ''' graphics.c measure.c pe.c + secure-boot.c util.c '''.split() diff --git a/src/boot/efi/random-seed.c b/src/boot/efi/random-seed.c index 895c85445e..18e686b3a8 100644 --- a/src/boot/efi/random-seed.c +++ b/src/boot/efi/random-seed.c @@ -5,9 +5,9 @@ #include "missing_efi.h" #include "random-seed.h" +#include "secure-boot.h" #include "sha256.h" #include "util.h" -#include "shim.h" #define RANDOM_MAX_SIZE_MIN (32U) #define RANDOM_MAX_SIZE_MAX (32U*1024U) diff --git a/src/boot/efi/secure-boot.c b/src/boot/efi/secure-boot.c new file mode 100644 index 0000000000..cea7e28828 --- /dev/null +++ b/src/boot/efi/secure-boot.c @@ -0,0 +1,16 @@ +/* SPDX-License-Identifier: LGPL-2.1-or-later */ + +#include "secure-boot.h" +#include "util.h" + +static const EFI_GUID global_guid = EFI_GLOBAL_VARIABLE; + +BOOLEAN secure_boot_enabled(void) { + _cleanup_freepool_ CHAR8 *b = NULL; + UINTN size; + + if (efivar_get_raw(&global_guid, L"SecureBoot", &b, &size) == EFI_SUCCESS) + return *b > 0; + + return FALSE; +} diff --git a/src/boot/efi/secure-boot.h b/src/boot/efi/secure-boot.h new file mode 100644 index 0000000000..d06a7deaaa --- /dev/null +++ b/src/boot/efi/secure-boot.h @@ -0,0 +1,6 @@ +/* SPDX-License-Identifier: LGPL-2.1-or-later */ +#pragma once + +#include <efi.h> + +BOOLEAN secure_boot_enabled(void); diff --git a/src/boot/efi/shim.c b/src/boot/efi/shim.c index 3dc10089c6..2039603260 100644 --- a/src/boot/efi/shim.c +++ b/src/boot/efi/shim.c @@ -31,7 +31,6 @@ struct ShimLock { }; static const EFI_GUID simple_fs_guid = SIMPLE_FILE_SYSTEM_PROTOCOL; -static const EFI_GUID global_guid = EFI_GLOBAL_VARIABLE; static const EFI_GUID security_protocol_guid = { 0xa46423e3, 0x4617, 0x49f1, {0xb9, 0xff, 0xd1, 0xbf, 0xa9, 0x11, 0x58, 0x39 } }; static const EFI_GUID security2_protocol_guid = { 0x94ab2f58, 0x1438, 0x4ef1, {0x91, 0x52, 0x18, 0x94, 0x1a, 0x3a, 0x0e, 0x68 } }; @@ -58,16 +57,6 @@ static BOOLEAN shim_validate(VOID *data, UINT32 size) { return shim_lock->shim_verify(data, size) == EFI_SUCCESS; } -BOOLEAN secure_boot_enabled(void) { - _cleanup_freepool_ CHAR8 *b = NULL; - UINTN size; - - if (efivar_get_raw(&global_guid, L"SecureBoot", &b, &size) == EFI_SUCCESS) - return *b > 0; - - return FALSE; -} - /* * See the UEFI Platform Initialization manual (Vol2: DXE) for this */ diff --git a/src/boot/efi/shim.h b/src/boot/efi/shim.h index e24fcdac54..d682994b9e 100644 --- a/src/boot/efi/shim.h +++ b/src/boot/efi/shim.h @@ -13,6 +13,4 @@ BOOLEAN shim_loaded(void); -BOOLEAN secure_boot_enabled(void); - EFI_STATUS security_policy_install(void); diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c index a09f47c711..eb6ce61bb9 100644 --- a/src/boot/efi/stub.c +++ b/src/boot/efi/stub.c @@ -8,19 +8,15 @@ #include "linux.h" #include "measure.h" #include "pe.h" +#include "secure-boot.h" #include "splash.h" #include "util.h" /* magic string to find in the binary image */ static const char __attribute__((used)) magic[] = "#### LoaderInfo: systemd-stub " GIT_VERSION " ####"; -static const EFI_GUID global_guid = EFI_GLOBAL_VARIABLE; - EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) { EFI_LOADED_IMAGE *loaded_image; - _cleanup_freepool_ CHAR8 *b = NULL; - UINTN size; - BOOLEAN secure = FALSE; CHAR8 *sections[] = { (CHAR8 *)".cmdline", (CHAR8 *)".linux", @@ -46,10 +42,6 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) { return err; } - if (efivar_get_raw(&global_guid, L"SecureBoot", &b, &size) == EFI_SUCCESS) - if (*b > 0) - secure = TRUE; - err = pe_memory_locate_sections(loaded_image->ImageBase, sections, addrs, offs, szs); if (EFI_ERROR(err)) { Print(L"Unable to locate embedded .linux section: %r ", err); @@ -63,7 +55,8 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) { cmdline_len = szs[0]; /* if we are not in secure boot mode, or none was provided, accept a custom command line and replace the built-in one */ - if ((!secure || cmdline_len == 0) && loaded_image->LoadOptionsSize > 0 && *(CHAR16 *)loaded_image->LoadOptions > 0x1F) { + if ((!secure_boot_enabled() || cmdline_len == 0) && loaded_image->LoadOptionsSize > 0 && + *(CHAR16 *) loaded_image->LoadOptions > 0x1F) { CHAR16 *options; CHAR8 *line; UINTN i; |