[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [PATCH v3 4/4] efi: Do not use command line if secure boot is enabled.
On Mon, Sep 07, 2020 at 03:00:27PM -0400, Trammell Hudson wrote: > From: Trammell hudson <hudson@xxxxxxxx> > > If secure boot is enabled, the Xen command line arguments are ignored. > If a unified Xen image is used, then the bundled configuration, dom0 > kernel, and initrd are prefered over the ones listed in the config file. > > Unlike the shim based verification, the PE signature on a unified image > covers the all of the Xen+config+kernel+initrd modules linked into the > unified image. This also ensures that properly configured platforms > will measure the entire runtime into the TPM for unsealing secrets or > remote attestation. > > Signed-off-by: Trammell Hudson <hudson@xxxxxxxx> > --- > xen/common/efi/boot.c | 31 ++++++++++++++++++++++++++++--- > 1 file changed, 28 insertions(+), 3 deletions(-) > > diff --git a/xen/common/efi/boot.c b/xen/common/efi/boot.c > index 452b5f4362..5aaebd5f20 100644 > --- a/xen/common/efi/boot.c > +++ b/xen/common/efi/boot.c > @@ -947,6 +947,26 @@ static void __init setup_efi_pci(void) > efi_bs->FreePool(handles); > } > > +/* > + * Logic should remain sync'ed with linux/arch/x86/xen/efi.c > + * Secure Boot is enabled iff 'SecureBoot' is set and the system is > + * not in Setup Mode. > + */ > +static bool __init efi_secure_boot(void) > +{ > + static const __initconst EFI_GUID global_guid = EFI_GLOBAL_VARIABLE; > + uint8_t secboot, setupmode; > + UINTN secboot_size = sizeof(secboot); > + UINTN setupmode_size = sizeof(setupmode); > + > + if ( efi_rs->GetVariable(L"SecureBoot", (EFI_GUID *)&global_guid, NULL, > &secboot_size, &secboot) != EFI_SUCCESS ) I'm slightly worried about the dropping of the const here, and the fact that the variable is placed in initconst section. Isn't it dangerous that the EFI services will try to write to it? Line length also. > + return false; > + if ( efi_rs->GetVariable(L"SetupMode", (EFI_GUID *)&global_guid, NULL, > &setupmode_size, &setupmode) != EFI_SUCCESS ) > + return false; > + > + return secboot == 1 && setupmode == 0; I would print a message if secboot is > 1, since those should be reserved. Roger.
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |