[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v2] x86/xen/efi: Initialize UEFI secure boot state during dom0 boot



On Tue, 2018-04-03 at 18:07 +0200, Daniel Kiper wrote:
> On Tue, Apr 03, 2018 at 08:44:41AM -0700, James Bottomley wrote:
> > 
> > On Tue, 2018-04-03 at 16:39 +0200, Daniel Kiper wrote:
> > > 
> > > Initialize UEFI secure boot state during dom0 boot. Otherwise the
> > > kernel may not even know that it runs on secure boot enabled
> > > platform.
> > > 
> > > Signed-off-by: Daniel Kiper <daniel.kiper@xxxxxxxxxx>
> > > ---
> > >  arch/x86/xen/efi.c                        |   57
> > > +++++++++++++++++++++++++++++
> > >  drivers/firmware/efi/libstub/secureboot.c |    3 ++
> > >  2 files changed, 60 insertions(+)
> > > 
> > > diff --git a/arch/x86/xen/efi.c b/arch/x86/xen/efi.c
> > > index a18703b..1804b27 100644
> > > --- a/arch/x86/xen/efi.c
> > > +++ b/arch/x86/xen/efi.c
> > > @@ -115,6 +115,61 @@ static efi_system_table_t __init
> > > *xen_efi_probe(void)
> > >   return &efi_systab_xen;
> > >  }
> > >  
> > > +/*
> > > + * Determine whether we're in secure boot mode.
> > > + *
> > > + * Please keep the logic in sync with
> > > + *
> > > drivers/firmware/efi/libstub/secureboot.c:efi_get_secureboot().
> > > + */
> > > +static enum efi_secureboot_mode xen_efi_get_secureboot(void)
> > > +{
> > > + static efi_guid_t efi_variable_guid =
> > > EFI_GLOBAL_VARIABLE_GUID;
> > > + static efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID;
> > > + efi_status_t status;
> > > + u8 moksbstate, secboot, setupmode;
> > > + unsigned long size;
> > > +
> > > + size = sizeof(secboot);
> > > + status = efi.get_variable(L"SecureBoot",
> > > &efi_variable_guid,
> > > +                           NULL, &size, &secboot);
> > > +
> > > + if (status == EFI_NOT_FOUND)
> > > +         return efi_secureboot_mode_disabled;
> > > +
> > > + if (status != EFI_SUCCESS)
> > > +         goto out_efi_err;
> > > +
> > > + size = sizeof(setupmode);
> > > + status = efi.get_variable(L"SetupMode",
> > > &efi_variable_guid,
> > > +                           NULL, &size, &setupmode);
> > > +
> > > + if (status != EFI_SUCCESS)
> > > +         goto out_efi_err;
> > > +
> > > + if (secboot == 0 || setupmode == 1)
> > > +         return efi_secureboot_mode_disabled;
> > > +
> > > + /* See if a user has put the shim into insecure mode. */
> > > + size = sizeof(moksbstate);
> > > + status = efi.get_variable(L"MokSBStateRT", &shim_guid,
> > > +                           NULL, &size, &moksbstate);
> > > +
> > > + /* If it fails, we don't care why. Default to secure. */
> > > + if (status != EFI_SUCCESS)
> > > +         goto secure_boot_enabled;
> > > +
> > > + if (moksbstate == 1)
> > > +         return efi_secureboot_mode_disabled;
> > > +
> > > + secure_boot_enabled:
> > > + pr_info("UEFI Secure Boot is enabled.\n");
> > > + return efi_secureboot_mode_enabled;
> > > +
> > > + out_efi_err:
> > > + pr_err("Could not determine UEFI Secure Boot
> > > status.\n");
> > > + return efi_secureboot_mode_unknown;
> > > +}
> > > +
> > 
> > This looks like a bad idea: you're duplicating the secure boot
> > check in
> > 
> > drivers/firmware/efi/libstub/secureboot.c
> > 
> > Which is an implementation of policy.  If we have to have policy in
> > the kernel, it should really only be in one place to prevent drift;
> > why can't you simply use the libstub efi_get_secureboot() so we're
> > not duplicating the implementation of policy?
> 
> Well, here is the first version of this patch:
> https://lkml.org/lkml/2018/1/9/496 Ard did not like it. I was not
> happy too. In general both approaches are not perfect. More you can
> find in the discussion around this patchset. If you have better idea
> how to do that I am happy to implement it.

One way might be simply to have the pre exit-boot-services code lay
down a variable containing the state which you pick up, rather than you
calling efi code separately and trying to use the insecure RT
variables.  That way there's a uniform view of the internal kernel
secure boot state that everyone can use.

James


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.