authorDaan De Meyer <daan.j.demeyer@gmail.com>2021-01-30 22:18:01 +0000
committerDaan De Meyer <daan.j.demeyer@gmail.com>2021-01-31 21:46:05 +0000
commitce0f078f4d23690e3b5d870e062e35aeaf581e7e (patch)
tree39d5fd305508e890141199e2baf97bce8fc29c7f
parenta3c5d7e95ba3cf6557c7b23e900e37c066fba392 (diff)
downloadsystemd-ce0f078f4d23690e3b5d870e062e35aeaf581e7e.tar.gz
boot: Move Secure Boot logic to new file
-rw-r--r--src/boot/efi/boot.c6
-rw-r--r--src/boot/efi/meson.build1
-rw-r--r--src/boot/efi/random-seed.c2
-rw-r--r--src/boot/efi/secure-boot.c16
-rw-r--r--src/boot/efi/secure-boot.h6
-rw-r--r--src/boot/efi/shim.c11
-rw-r--r--src/boot/efi/shim.h2
-rw-r--r--src/boot/efi/stub.c13
8 files changed, 30 insertions, 27 deletions
diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c
index e1a7dd1f32..0d516e00dc 100644
--- a/src/boot/efi/boot.c
+++ b/src/boot/efi/boot.c
@@ -13,6 +13,7 @@
#include "measure.h"
#include "pe.h"
#include "random-seed.h"
+#include "secure-boot.h"
#include "shim.h"
#include "util.h"
@@ -359,7 +360,7 @@ static UINTN entry_lookup_key(Config *config, UINTN start, CHAR16 key) {
static VOID print_status(Config *config, CHAR16 *loaded_image_path) {
UINT64 key;
UINTN i;
- _cleanup_freepool_ CHAR8 *bootvar = NULL, *modevar = NULL, *indvar = NULL;
+ _cleanup_freepool_ CHAR8 *modevar = NULL, *indvar = NULL;
_cleanup_freepool_ CHAR16 *partstr = NULL, *defaultstr = NULL;
UINTN x, y, size;
@@ -376,8 +377,7 @@ static VOID print_status(Config *config, CHAR16 *loaded_image_path) {
if (uefi_call_wrapper(ST->ConOut->QueryMode, 4, ST->ConOut, ST->ConOut->Mode->Mode, &x, &y) == EFI_SUCCESS)
Print(L"console size: %d x %d\n", x, y);
- if (efivar_get_raw(&global_guid, L"SecureBoot", &bootvar, &size) == EFI_SUCCESS)
- Print(L"SecureBoot: %s\n", yes_no(*bootvar > 0));
+ Print(L"SecureBoot: %s\n", yes_no(secure_boot_enabled()));
if (efivar_get_raw(&global_guid, L"SetupMode", &modevar, &size) == EFI_SUCCESS)
Print(L"SetupMode: %s\n", *modevar > 0 ? L"setup" : L"user");
diff --git a/src/boot/efi/meson.build b/src/boot/efi/meson.build
index 24177f9384..875a501b30 100644
--- a/src/boot/efi/meson.build
+++ b/src/boot/efi/meson.build
@@ -21,6 +21,7 @@ common_sources = '''
graphics.c
measure.c
pe.c
+ secure-boot.c
util.c
'''.split()
diff --git a/src/boot/efi/random-seed.c b/src/boot/efi/random-seed.c
index 895c85445e..18e686b3a8 100644
--- a/src/boot/efi/random-seed.c
+++ b/src/boot/efi/random-seed.c
@@ -5,9 +5,9 @@
#include "missing_efi.h"
#include "random-seed.h"
+#include "secure-boot.h"
#include "sha256.h"
#include "util.h"
-#include "shim.h"
#define RANDOM_MAX_SIZE_MIN (32U)
#define RANDOM_MAX_SIZE_MAX (32U*1024U)
diff --git a/src/boot/efi/secure-boot.c b/src/boot/efi/secure-boot.c
new file mode 100644
index 0000000000..cea7e28828
--- /dev/null
+++ b/src/boot/efi/secure-boot.c
@@ -0,0 +1,16 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "secure-boot.h"
+#include "util.h"
+
+static const EFI_GUID global_guid = EFI_GLOBAL_VARIABLE;
+
+BOOLEAN secure_boot_enabled(void) {
+ _cleanup_freepool_ CHAR8 *b = NULL;
+ UINTN size;
+
+ if (efivar_get_raw(&global_guid, L"SecureBoot", &b, &size) == EFI_SUCCESS)
+ return *b > 0;
+
+ return FALSE;
+}
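Review bot: `return *b > 0;` dereferences the buffer without looking at `size`; `efivar_get_raw()` is not visible here, but if it can return `EFI_SUCCESS` for a zero-length variable this reads past the allocation. The UEFI spec defines `SecureBoot` as a single UINT8, so tightening the condition to `if (efivar_get_raw(&global_guid, L"SecureBoot", &b, &size) == EFI_SUCCESS && size >= 1)` costs nothing and makes the read safe regardless of what the helper guarantees. It is also worth stating the failure semantics in a comment above the function, since `stub.c` gates a security decision on this result: `/* Returns TRUE only if the SecureBoot variable reads as non-zero; a missing or unreadable variable counts as "not enabled". */`.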
diff --git a/src/boot/efi/secure-boot.h b/src/boot/efi/secure-boot.h
new file mode 100644
index 0000000000..d06a7deaaa
--- /dev/null
+++ b/src/boot/efi/secure-boot.h
@@ -0,0 +1,6 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+#include <efi.h>
+
+BOOLEAN secure_boot_enabled(void);
diff --git a/src/boot/efi/shim.c b/src/boot/efi/shim.c
index 3dc10089c6..2039603260 100644
--- a/src/boot/efi/shim.c
+++ b/src/boot/efi/shim.c
@@ -31,7 +31,6 @@ struct ShimLock {
};
static const EFI_GUID simple_fs_guid = SIMPLE_FILE_SYSTEM_PROTOCOL;
-static const EFI_GUID global_guid = EFI_GLOBAL_VARIABLE;
static const EFI_GUID security_protocol_guid = { 0xa46423e3, 0x4617, 0x49f1, {0xb9, 0xff, 0xd1, 0xbf, 0xa9, 0x11, 0x58, 0x39 } };
static const EFI_GUID security2_protocol_guid = { 0x94ab2f58, 0x1438, 0x4ef1, {0x91, 0x52, 0x18, 0x94, 0x1a, 0x3a, 0x0e, 0x68 } };
@@ -58,16 +57,6 @@ static BOOLEAN shim_validate(VOID *data, UINT32 size) {
return shim_lock->shim_verify(data, size) == EFI_SUCCESS;
}
-BOOLEAN secure_boot_enabled(void) {
- _cleanup_freepool_ CHAR8 *b = NULL;
- UINTN size;
-
- if (efivar_get_raw(&global_guid, L"SecureBoot", &b, &size) == EFI_SUCCESS)
- return *b > 0;
-
- return FALSE;
-}
-
/*
* See the UEFI Platform Initialization manual (Vol2: DXE) for this
*/
diff --git a/src/boot/efi/shim.h b/src/boot/efi/shim.h
index e24fcdac54..d682994b9e 100644
--- a/src/boot/efi/shim.h
+++ b/src/boot/efi/shim.h
@@ -13,6 +13,4 @@
BOOLEAN shim_loaded(void);
-BOOLEAN secure_boot_enabled(void);
-
EFI_STATUS security_policy_install(void);
diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c
index a09f47c711..eb6ce61bb9 100644
--- a/src/boot/efi/stub.c
+++ b/src/boot/efi/stub.c
@@ -8,19 +8,15 @@
#include "linux.h"
#include "measure.h"
#include "pe.h"
+#include "secure-boot.h"
#include "splash.h"
#include "util.h"
/* magic string to find in the binary image */
static const char __attribute__((used)) magic[] = "#### LoaderInfo: systemd-stub " GIT_VERSION " ####";
-static const EFI_GUID global_guid = EFI_GLOBAL_VARIABLE;
-
EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
EFI_LOADED_IMAGE *loaded_image;
- _cleanup_freepool_ CHAR8 *b = NULL;
- UINTN size;
- BOOLEAN secure = FALSE;
CHAR8 *sections[] = {
(CHAR8 *)".cmdline",
(CHAR8 *)".linux",
@@ -46,10 +42,6 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
return err;
}
- if (efivar_get_raw(&global_guid, L"SecureBoot", &b, &size) == EFI_SUCCESS)
- if (*b > 0)
- secure = TRUE;
-
err = pe_memory_locate_sections(loaded_image->ImageBase, sections, addrs, offs, szs);
if (EFI_ERROR(err)) {
Print(L"Unable to locate embedded .linux section: %r ", err);
@@ -63,7 +55,8 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
cmdline_len = szs[0];
/* if we are not in secure boot mode, or none was provided, accept a custom command line and replace the built-in one */
- if ((!secure || cmdline_len == 0) && loaded_image->LoadOptionsSize > 0 && *(CHAR16 *)loaded_image->LoadOptions > 0x1F) {
+ if ((!secure_boot_enabled() || cmdline_len == 0) && loaded_image->LoadOptionsSize > 0 &&
+ *(CHAR16 *) loaded_image->LoadOptions > 0x1F) {
CHAR16 *options;
CHAR8 *line;
UINTN i;
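Review bot: The new condition still reads a full `CHAR16` from `LoadOptions` while only checking `LoadOptionsSize > 0`, and `LoadOptionsSize` is a byte count, so a one-byte option block would be read past its end; `loaded_image->LoadOptionsSize >= sizeof(CHAR16)` is the check that matches the dereference. Separately, because `secure_boot_enabled()` reports FALSE when the variable cannot be read, a failed read here silently permits an externally supplied command line to replace the built-in one; if that fail-open is intended, the existing comment should say so, e.g. extend it with `/* (a missing/unreadable SecureBoot variable is treated as "not enabled") */`. `efi_main` continues past the end of this hunk.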