/* * Determine whether we're in secure boot mode. */ enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table_arg) { u32 attr; u8 secboot, setupmode, moksbstate; unsigned long size; efi_status_t status; size = sizeof(secboot); status = get_efi_var(efi_SecureBoot_name, &efi_variable_guid, NULL, &size, &secboot); if (status != EFI_SUCCESS) goto out_efi_err; size = sizeof(setupmode); status = get_efi_var(efi_SetupMode_name, &efi_variable_guid, NULL, &size, &setupmode); if (status != EFI_SUCCESS) goto out_efi_err; if (secboot == 0 || setupmode == 1) return efi_secureboot_mode_disabled; /* * See if a user has put the shim into insecure mode. If so, and if the * variable doesn't have the runtime attribute set, we might as well * honor that. */ size = sizeof(moksbstate); status = get_efi_var(shim_MokSBState_name, &shim_guid, &attr, &size, &moksbstate); /* If it fails, we don't care why. Default to secure */ if (status != EFI_SUCCESS) goto secure_boot_enabled; if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS) && moksbstate == 1) return efi_secureboot_mode_disabled; secure_boot_enabled: pr_efi(sys_table_arg, "UEFI Secure Boot is enabled.\n"); return efi_secureboot_mode_enabled; out_efi_err: pr_efi_err(sys_table_arg, "Could not determine UEFI Secure Boot status.\n"); if (status == EFI_NOT_FOUND) return efi_secureboot_mode_disabled; return efi_secureboot_mode_unknown; }
/* * Enable reboot attack mitigation. This requests that the firmware clear the * RAM on next reboot before proceeding with boot, ensuring that any secrets * are cleared. If userland has ensured that all secrets have been removed * from RAM before reboot it can simply reset this variable. */ void efi_enable_reset_attack_mitigation(efi_system_table_t *sys_table_arg) { u8 val = 1; efi_guid_t var_guid = MEMORY_ONLY_RESET_CONTROL_GUID; efi_status_t status; unsigned long datasize = 0; status = get_efi_var(efi_MemoryOverWriteRequest_name, &var_guid, NULL, &datasize, NULL); if (status == EFI_NOT_FOUND) return; set_efi_var(efi_MemoryOverWriteRequest_name, &var_guid, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, sizeof(val), &val); }