|
|
@@ -20,7 +20,7 @@
|
|
|
|
|
|
bool __nokaslr;
|
|
|
|
|
|
-static int efi_secureboot_enabled(efi_system_table_t *sys_table_arg)
|
|
|
+static int efi_get_secureboot(efi_system_table_t *sys_table_arg)
|
|
|
{
|
|
|
static efi_guid_t const var_guid = EFI_GLOBAL_VARIABLE_GUID;
|
|
|
static efi_char16_t const var_name[] = {
|
|
|
@@ -39,8 +39,12 @@ static int efi_secureboot_enabled(efi_system_table_t *sys_table_arg)
|
|
|
return val;
|
|
|
case EFI_NOT_FOUND:
|
|
|
return 0;
|
|
|
+ case EFI_DEVICE_ERROR:
|
|
|
+ return -EIO;
|
|
|
+ case EFI_SECURITY_VIOLATION:
|
|
|
+ return -EACCES;
|
|
|
default:
|
|
|
- return 1;
|
|
|
+ return -EINVAL;
|
|
|
}
|
|
|
}
|
|
|
|
|
|
@@ -185,6 +189,7 @@ unsigned long efi_entry(void *handle, efi_system_table_t *sys_table,
|
|
|
efi_guid_t loaded_image_proto = LOADED_IMAGE_PROTOCOL_GUID;
|
|
|
unsigned long reserve_addr = 0;
|
|
|
unsigned long reserve_size = 0;
|
|
|
+ int secure_boot = 0;
|
|
|
|
|
|
/* Check if we were booted by the EFI firmware */
|
|
|
if (sys_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE)
|
|
|
@@ -250,12 +255,21 @@ unsigned long efi_entry(void *handle, efi_system_table_t *sys_table,
|
|
|
if (status != EFI_SUCCESS)
|
|
|
pr_efi_err(sys_table, "Failed to parse EFI cmdline options\n");
|
|
|
|
|
|
+ secure_boot = efi_get_secureboot(sys_table);
|
|
|
+ if (secure_boot > 0)
|
|
|
+ pr_efi(sys_table, "UEFI Secure Boot is enabled.\n");
|
|
|
+
|
|
|
+ if (secure_boot < 0) {
|
|
|
+ pr_efi_err(sys_table,
|
|
|
+ "could not determine UEFI Secure Boot status.\n");
|
|
|
+ }
|
|
|
+
|
|
|
/*
|
|
|
* Unauthenticated device tree data is a security hazard, so
|
|
|
* ignore 'dtb=' unless UEFI Secure Boot is disabled.
|
|
|
*/
|
|
|
- if (efi_secureboot_enabled(sys_table)) {
|
|
|
- pr_efi(sys_table, "UEFI Secure Boot is enabled.\n");
|
|
|
+ if (secure_boot != 0 && strstr(cmdline_ptr, "dtb=")) {
|
|
|
+ pr_efi(sys_table, "Ignoring DTB from command line.\n");
|
|
|
} else {
|
|
|
status = handle_cmdline_files(sys_table, image, cmdline_ptr,
|
|
|
"dtb=",
|
Linn Crosetto