From patchwork Sat Jul 11 22:05:34 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Heinrich Schuchardt X-Patchwork-Id: 241375 List-Id: U-Boot discussion From: xypron.glpk at gmx.de (Heinrich Schuchardt) Date: Sun, 12 Jul 2020 00:05:34 +0200 Subject: [PATCH v4 07/17] efi_loader: value of VendorKeys In-Reply-To: <20200711220544.120976-1-xypron.glpk@gmx.de> References: <20200711220544.120976-1-xypron.glpk@gmx.de> Message-ID: <20200711220544.120976-8-xypron.glpk@gmx.de> According to the UEFI specification the variable VendorKeys is 1 if the "system is configured to use only vendor-provided keys". As we do not supply any vendor keys yet the variable VendorKeys must be zero. Signed-off-by: Heinrich Schuchardt
--- lib/efi_loader/efi_variable.c | 75 +++++++---------------------------- 1 file changed, 15 insertions(+), 60 deletions(-) -- 2.27.0
diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c
index c9980ca692..2f8005bd95 100644
--- a/lib/efi_loader/efi_variable.c
+++ b/lib/efi_loader/efi_variable.c
@@ -282,45 +282,29 @@ err:
 */
 static efi_status_t efi_init_secure_state(void)
 {
- enum efi_secure_mode mode;
- efi_uintn_t size;
+ enum efi_secure_mode mode = EFI_MODE_SETUP;
+ efi_uintn_t size = 0;
 efi_status_t ret;
- /*
- * TODO:
- * Since there is currently no "platform-specific" installation
- * method of Platform Key, we can't say if VendorKeys is 0 or 1
- * precisely.
- */
-
- size = 0;
 ret = efi_get_variable_int(L"PK", &efi_global_variable_guid, NULL, &size, NULL, NULL);
 if (ret == EFI_BUFFER_TOO_SMALL) {
 if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT))
 mode = EFI_MODE_USER;
- else
- mode = EFI_MODE_SETUP;
-
- efi_vendor_keys = 0;
- } else if (ret == EFI_NOT_FOUND) {
- mode = EFI_MODE_SETUP;
- efi_vendor_keys = 1;
- } else {
- goto err;
 }
 ret = efi_transfer_secure_state(mode);
- if (ret == EFI_SUCCESS)
- ret = efi_set_variable_int(L"VendorKeys",
- &efi_global_variable_guid,
- EFI_VARIABLE_BOOTSERVICE_ACCESS |
- EFI_VARIABLE_RUNTIME_ACCESS |
- EFI_VARIABLE_READ_ONLY,
- sizeof(efi_vendor_keys),
- &efi_vendor_keys, false);
+ if (ret != EFI_SUCCESS)
+ return ret;
-err:
+ /* As we do not provide vendor keys this variable is always 0. */
+ ret = efi_set_variable_int(L"VendorKeys",
+ &efi_global_variable_guid,
+ EFI_VARIABLE_BOOTSERVICE_ACCESS |
+ EFI_VARIABLE_RUNTIME_ACCESS |
+ EFI_VARIABLE_READ_ONLY,
+ sizeof(efi_vendor_keys),
+ &efi_vendor_keys, false);
 return ret;
 }
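Review bot: The error path of the efi_get_variable_int() lookup is dropped in efi_init_secure_state(): any return other than EFI_BUFFER_TOO_SMALL, including a storage or device error, now falls through with mode still at EFI_MODE_SETUP, whereas the removed code only treated EFI_NOT_FOUND that way and returned every other status via `goto err`. An unreadable PK is thereby handled like an absent PK, so a read failure silently leaves the platform in setup mode instead of surfacing the error. The distinction is cheap to keep after the EFI_BUFFER_TOO_SMALL branch: `} else if (ret != EFI_NOT_FOUND) {` / `return ret;`. With size 0 and a NULL data pointer, EFI_BUFFER_TOO_SMALL and EFI_NOT_FOUND are the only two results that mean "PK present" and "PK absent"; everything else is a failure.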
@@ -998,39 +982,10 @@ out:
 if (env_set(native_name, val)) {
 ret = EFI_DEVICE_ERROR;
 } else {
- bool vendor_keys_modified = false;
-
- if ((u16_strcmp(variable_name, L"PK") == 0 &&
- guidcmp(vendor, &efi_global_variable_guid) == 0)) {
- ret = efi_transfer_secure_state(
- (delete ? EFI_MODE_SETUP :
- EFI_MODE_USER));
- if (ret != EFI_SUCCESS)
- goto err;
-
- if (efi_secure_mode != EFI_MODE_SETUP)
- vendor_keys_modified = true;
- } else if ((u16_strcmp(variable_name, L"KEK") == 0 &&
- guidcmp(vendor, &efi_global_variable_guid) == 0)) {
- if (efi_secure_mode != EFI_MODE_SETUP)
- vendor_keys_modified = true;
- }
-
- /* update VendorKeys */
- if (vendor_keys_modified & efi_vendor_keys) {
- efi_vendor_keys = 0;
- ret = efi_set_variable_int(
- L"VendorKeys",
- &efi_global_variable_guid,
- EFI_VARIABLE_BOOTSERVICE_ACCESS
- | EFI_VARIABLE_RUNTIME_ACCESS
- | EFI_VARIABLE_READ_ONLY,
- sizeof(efi_vendor_keys),
- &efi_vendor_keys,
- false);
- } else {
+ if (!u16_strcmp(variable_name, L"PK"))
+ ret = efi_init_secure_state();
+ else
 ret = EFI_SUCCESS;
- }
 }
 err:
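Review bot: The new PK check at the end of the hunk drops the `guidcmp(vendor, &efi_global_variable_guid) == 0` test that the removed code paired with the name comparison, so setting a variable named PK under any vendor GUID now re-runs efi_init_secure_state(). That is probably harmless, since efi_init_secure_state() looks up the global-GUID PK itself, but `if (!u16_strcmp(variable_name, L"PK") && !guidcmp(vendor, &efi_global_variable_guid))` keeps the trigger as precise as before. Separately, efi_init_secure_state() rewrites VendorKeys with EFI_VARIABLE_READ_ONLY on every PK update; if efi_set_variable_int() rejects writes to a variable already flagged read-only, this path would now return an error after the mode has already been transferred, which is worth confirming. The enclosing function starts and ends outside the hunk.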