summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMimi Zohar <zohar@linux.ibm.com>2019-04-24 19:05:46 +0200
committerMimi Zohar <zohar@linux.ibm.com>2019-05-30 05:20:46 +0200
commit980ef4d22a95a3cd84a9b8ffaa7b81b391d173c6 (patch)
tree8ee36877dade494ef48deb2a1cfc894300576a14
parentima: show rules with IMA_INMASK correctly (diff)
downloadlinux-980ef4d22a95a3cd84a9b8ffaa7b81b391d173c6.tar.xz
linux-980ef4d22a95a3cd84a9b8ffaa7b81b391d173c6.zip
x86/ima: check EFI SetupMode too
Checking "SecureBoot" mode is not sufficient, also check "SetupMode". Fixes: 399574c64eaf ("x86/ima: retry detecting secure boot mode") Reported-by: Matthew Garrett <mjg59@google.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
-rw-r--r--arch/x86/kernel/ima_arch.c12
1 files changed, 10 insertions, 2 deletions
diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c
index 64b973f0e985..4c407833faca 100644
--- a/arch/x86/kernel/ima_arch.c
+++ b/arch/x86/kernel/ima_arch.c
@@ -11,10 +11,11 @@ extern struct boot_params boot_params;
static enum efi_secureboot_mode get_sb_mode(void)
{
efi_char16_t efi_SecureBoot_name[] = L"SecureBoot";
+ efi_char16_t efi_SetupMode_name[] = L"SecureBoot";
efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
efi_status_t status;
unsigned long size;
- u8 secboot;
+ u8 secboot, setupmode;
size = sizeof(secboot);
@@ -36,7 +37,14 @@ static enum efi_secureboot_mode get_sb_mode(void)
return efi_secureboot_mode_unknown;
}
- if (secboot == 0) {
+ size = sizeof(setupmode);
+ status = efi.get_variable(efi_SetupMode_name, &efi_variable_guid,
+ NULL, &size, &setupmode);
+
+ if (status != EFI_SUCCESS) /* ignore unknown SetupMode */
+ setupmode = 0;
+
+ if (secboot == 0 || setupmode == 1) {
pr_info("ima: secureboot mode disabled\n");
return efi_secureboot_mode_disabled;
}