efi: libstub: check Shim mode using MokSBStateRT

stable inclusion from stable-v5.10.146 commit 85f9a2d51e72f558c9bbf94cd1ae7c73f80034de category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6D0VX Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=85f9a2d51e72f558c9bbf94cd1ae7c73f80034de -------------------------------- commit 5f56a74c upstream. We currently check the MokSBState variable to decide whether we should treat UEFI secure boot as being disabled, even if the firmware thinks otherwise. This is used by shim to indicate that it is not checking signatures on boot images. In the kernel, we use this to relax lockdown policies. However, in cases where shim is not even being used, we don't want this variable to interfere with lockdown, given that the variable may be non-volatile and therefore persist across a reboot. This means setting it once will persistently disable lockdown checks on a given system. So switch to the mirrored version of this variable, called MokSBStateRT, which is supposed to be volatile, and this is something we can check. Cc: <stable@vger.kernel.org> # v4.19+ Signed-off-by: N Ard Biesheuvel <ardb@kernel.org> Reviewed-by: N Ilias Apalodimas <ilias.apalodimas@linaro.org> Reviewed-by: N Peter Jones <pjones@redhat.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Jialin Zhang <zhangjialin11@huawei.com> Reviewed-by: N Zheng Zengkai <zhengzengkai@huawei.com>

efi: libstub: check Shim mode using MokSBStateRT
stable inclusion from stable-v5.10.146 commit 85f9a2d51e72f558c9bbf94cd1ae7c73f80034de category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6D0VX Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=85f9a2d51e72f558c9bbf94cd1ae7c73f80034de -------------------------------- commit 5f56a74c upstream. We currently check the MokSBState variable to decide whether we should treat UEFI secure boot as being disabled, even if the firmware thinks otherwise. This is used by shim to indicate that it is not checking signatures on boot images. In the kernel, we use this to relax lockdown policies. However, in cases where shim is not even being used, we don't want this variable to interfere with lockdown, given that the variable may be non-volatile and therefore persist across a reboot. This means setting it once will persistently disable lockdown checks on a given system. So switch to the mirrored version of this variable, called MokSBStateRT, which is supposed to be volatile, and this is something we can check. Cc: <stable@vger.kernel.org> # v4.19+ Signed-off-by: N Ard Biesheuvel <ardb@kernel.org> Reviewed-by: N Ilias Apalodimas <ilias.apalodimas@linaro.org> Reviewed-by: N Peter Jones <pjones@redhat.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Jialin Zhang <zhangjialin11@huawei.com> Reviewed-by: N Zheng Zengkai <zhengzengkai@huawei.com>
4f56b634 · Ard Biesheuvel · Jialin Zhang · 5a0243e1 · 4f56b634
显示空白变更内容
内联并排

Showing with 4 addition and 4 deletion

drivers/firmware/efi/libstub/secureboot.c drivers/firmware/efi/libstub/secureboot.c +4 -4

未找到文件。
--- a/drivers/firmware/efi/libstub/secureboot.c
+++ b/drivers/firmware/efi/libstub/secureboot.c
@@ -19,7 +19,7 @@ static const efi_char16_t efi_SetupMode_name[] = L"SetupMode";
 /* SHIM variables */
 static const efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID;
-static const efi_char16_t shim_MokSBState_name[] = L"MokSBState";
+static const efi_char16_t shim_MokSBState_name[] = L"MokSBStateRT";
 /*
 * Determine whether we're in secure boot mode.
@@ -53,8 +53,8 @@ enum efi_secureboot_mode efi_get_secureboot(void)
 	/*
 	 * See if a user has put the shim into insecure mode. If so, and if the
-	 * variable doesn't have the runtime attribute set, we might as well
+	 * variable doesn't have the non-volatile attribute set, we might as
-	 * honor that.
+	 * well honor that.
 	 */
 	size = sizeof(moksbstate);
 	status = get_efi_var(shim_MokSBState_name, &shim_guid,
@@ -63,7 +63,7 @@ enum efi_secureboot_mode efi_get_secureboot(void)
 	/* If it fails, we don't care why. Default to secure */
 	if (status != EFI_SUCCESS)
 		goto secure_boot_enabled;
-	if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS) && moksbstate == 1)
+	if (!(attr & EFI_VARIABLE_NON_VOLATILE) && moksbstate == 1)
 		return efi_secureboot_mode_disabled;
 secure_boot_enabled: