Thread (9 messages) 9 messages, 2 authors, 2019-03-11

Re: [PATCH 3/3] x86/ima: retry detecting secure boot mode

From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2019-03-08 13:40:00
Also in: kexec, linux-efi, linux-integrity, lkml

On Thu, 2019-03-07 at 14:50 -0800, Matthew Garrett wrote:
On Thu, Mar 7, 2019 at 2:48 PM Mimi Zohar [off-list ref] wrote:
quoted
I added this last attempt because I'm seeing this on my laptop, with
some older, buggy firmware.
Is the issue that it gives incorrect results on the first read, or is
the issue that it gives incorrect results before ExitBootServices() is
called? If the former then we should read twice in the boot stub, if
the latter then we should figure out a way to do this immediately
after ExitBootServices() instead.
Detecting the secure boot mode isn't the problem.  On boot, I am
seeing "EFI stub: UEFI Secure Boot is enabled", but setup_arch() emits
"Secure boot could not be determined".

In efi_main() the secure_boot mode is initially unset, so
efi_get_secureboot() is called.  efi_get_secureboot() returns the
secure_boot mode correctly as enabled.  The problem seems to be in
saving the secure_boot mode for later use.

Mimi
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help