efi: Disable secure boot if shim is in insecure mode

A user can manually tell the shim boot loader to disable validation of
images it loads.  When a user does this, it creates a UEFI variable called
MokSBState that does not have the runtime attribute set.  Given that the
user explicitly disabled validation, we can honor that and not enable
secure boot mode if that variable is set.

Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>

diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
index 03bfc83cfd2da226f87b1f9a9e9866e37e9d2736..1e80f3a361cae46530d95d0bf5f517c33639cfd9 100644 (file)
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -830,8 +830,9 @@ out:
 
 static int get_secure_boot(void)
 {
-       u8 sb, setup;
+       u8 sb, setup, moksbstate;
        unsigned long datasize = sizeof(sb);
+       u32 attr;
        efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
        efi_status_t status;
 
@@ -855,6 +856,23 @@ static int get_secure_boot(void)
        if (setup == 1)
                return 0;
 
+       /* See if a user has put shim into insecure_mode.  If so, and the variable
+        * doesn't have the runtime attribute set, we might as well honor that.
+        */
+       var_guid = EFI_SHIM_LOCK_GUID;
+       status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
+                               L"MokSBState", &var_guid, &attr, &datasize,
+                               &moksbstate);
+
+       /* If it fails, we don't care why.  Default to secure */
+       if (status != EFI_SUCCESS)
+               return 1;
+
+       if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
+               if (moksbstate == 1)
+                       return 0;
+       }
+
        return 1;
 }