Re: [PATCH 3/3] x86/ima: retry detecting secure boot mode
From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2019-03-08 13:40:00
Also in:
kexec, linux-efi, linux-integrity, lkml
On Thu, 2019-03-07 at 14:50 -0800, Matthew Garrett wrote:
> On Thu, Mar 7, 2019 at 2:48 PM Mimi Zohar [off-list ref] wrote:
> > I added this last attempt because I'm seeing this on my laptop, with some older, buggy firmware.
>
> Is the issue that it gives incorrect results on the first read, or is the issue that it gives incorrect results before ExitBootServices() is called? If the former then we should read twice in the boot stub, if the latter then we should figure out a way to do this immediately after ExitBootServices() instead.

Detecting the secure boot mode isn't the problem. On boot, I am seeing "EFI stub: UEFI Secure Boot is enabled", but setup_arch() emits "Secure boot could not be determined".

In efi_main() the secure_boot mode is initially unset, so efi_get_secureboot() is called. efi_get_secureboot() returns the secure_boot mode correctly as enabled. The problem seems to be in saving the secure_boot mode for later use.

Mimi