diff --git a/src/basic/efivars.c b/src/basic/efivars.c index 99c47e8ce2..b5e12eda62 100644 --- a/src/basic/efivars.c +++ b/src/basic/efivars.c @@ -377,10 +377,11 @@ SecureBootMode efi_get_secure_boot_mode(void) { int audit = read_flag(EFI_GLOBAL_VARIABLE_STR("AuditMode")); int deployed = read_flag(EFI_GLOBAL_VARIABLE_STR("DeployedMode")); int setup = read_flag(EFI_GLOBAL_VARIABLE_STR("SetupMode")); - log_debug("Secure boot variables: SecureBoot=%d AuditMode=%d DeployedMode=%d SetupMode=%d", - secure, audit, deployed, setup); + int moksb = read_flag(EFI_SHIMLOCK_VARIABLE_STR("MokSBStateRT")); + log_debug("Secure boot variables: SecureBoot=%d AuditMode=%d DeployedMode=%d SetupMode=%d MokSBStateRT=%d", + secure, audit, deployed, setup, moksb); - return (cache = decode_secure_boot_mode(secure, audit > 0, deployed > 0, setup > 0)); + return (cache = decode_secure_boot_mode(secure, audit > 0, deployed > 0, setup > 0, moksb > 0)); } #endif diff --git a/src/basic/efivars.h b/src/basic/efivars.h index e4cbf53f55..93c918847a 100644 --- a/src/basic/efivars.h +++ b/src/basic/efivars.h @@ -15,6 +15,8 @@ #define EFI_VENDOR_DATABASE_STR SD_ID128_MAKE_UUID_STR(d7,19,b2,cb,3d,3a,45,96,a3,bc,da,d0,0e,67,65,6f) #define EFI_VENDOR_SYSTEMD SD_ID128_MAKE(8c,f2,64,4b,4b,0b,42,8f,93,87,6d,87,60,50,dc,67) #define EFI_VENDOR_SYSTEMD_STR SD_ID128_MAKE_UUID_STR(8c,f2,64,4b,4b,0b,42,8f,93,87,6d,87,60,50,dc,67) +#define EFI_VENDOR_SHIMLOCK SD_ID128_MAKE(60,5d,ab,50,e0,46,43,00,ab,b6,3d,d8,10,dd,8b,23) +#define EFI_VENDOR_SHIMLOCK_STR SD_ID128_MAKE_UUID_STR(60,5d,ab,50,e0,46,43,00,ab,b6,3d,d8,10,dd,8b,23) #define EFI_VARIABLE_NON_VOLATILE UINT32_C(0x00000001) #define EFI_VARIABLE_BOOTSERVICE_ACCESS UINT32_C(0x00000002) @@ -30,6 +32,7 @@ #define EFI_GLOBAL_VARIABLE_STR(name) EFI_VENDOR_VARIABLE_STR(EFI_VENDOR_GLOBAL_STR, name) #define EFI_LOADER_VARIABLE_STR(name) EFI_VENDOR_VARIABLE_STR(EFI_VENDOR_LOADER_STR, name) #define EFI_SYSTEMD_VARIABLE_STR(name) EFI_VENDOR_VARIABLE_STR(EFI_VENDOR_SYSTEMD_STR, name) +#define EFI_SHIMLOCK_VARIABLE_STR(name) EFI_VENDOR_VARIABLE_STR(EFI_VENDOR_SHIMLOCK_STR, name) #define EFIVAR_PATH(variable) "/sys/firmware/efi/efivars/" variable #define EFIVAR_CACHE_PATH(variable) "/run/systemd/efivars/" variable diff --git a/src/boot/secure-boot.c b/src/boot/secure-boot.c index 1c5f840507..7f599b0bcc 100644 --- a/src/boot/secure-boot.c +++ b/src/boot/secure-boot.c @@ -20,7 +20,7 @@ bool secure_boot_enabled(void) { } SecureBootMode secure_boot_mode(void) { - bool secure, audit = false, deployed = false, setup = false; + bool secure, audit = false, deployed = false, setup = false, moksb = false; EFI_STATUS err; err = efivar_get_boolean_u8(MAKE_GUID_PTR(EFI_GLOBAL_VARIABLE), u"SecureBoot", &secure); @@ -32,8 +32,9 @@ SecureBootMode secure_boot_mode(void) { (void) efivar_get_boolean_u8(MAKE_GUID_PTR(EFI_GLOBAL_VARIABLE), u"AuditMode", &audit); (void) efivar_get_boolean_u8(MAKE_GUID_PTR(EFI_GLOBAL_VARIABLE), u"DeployedMode", &deployed); (void) efivar_get_boolean_u8(MAKE_GUID_PTR(EFI_GLOBAL_VARIABLE), u"SetupMode", &setup); + (void) efivar_get_boolean_u8(MAKE_GUID_PTR(SHIM_LOCK), u"MokSBStateRT", &moksb); - return decode_secure_boot_mode(secure, audit, deployed, setup); + return decode_secure_boot_mode(secure, audit, deployed, setup, moksb); } /* diff --git a/src/boot/shim.c b/src/boot/shim.c index 0168bb424d..e50cac233a 100644 --- a/src/boot/shim.c +++ b/src/boot/shim.c @@ -30,9 +30,6 @@ struct ShimLock { EFI_STATUS __sysv_abi__ (*read_header) (void *data, uint32_t datasize, void *context); }; -#define SHIM_LOCK_GUID \ - { 0x605dab50, 0xe046, 0x4300, { 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 } } - #define SHIM_IMAGE_LOADER_GUID \ { 0x1f492041, 0xfadb, 0x4e59, { 0x9e, 0x57, 0x7c, 0xaf, 0xe7, 0x3a, 0x55, 0xab } } diff --git a/src/fundamental/efi-fundamental.h b/src/fundamental/efi-fundamental.h index f72290e1b3..967e92f599 100644 --- a/src/fundamental/efi-fundamental.h +++ b/src/fundamental/efi-fundamental.h @@ -80,3 +80,6 @@ typedef struct { GUID_DEF(0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72) #define EFI_CERT_TYPE_PKCS7_GUID \ GUID_DEF(0x4aafd29d, 0x68df, 0x49ee, 0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7) + +#define SHIM_LOCK_GUID \ + GUID_DEF(0x605dab50, 0xe046, 0x4300 ,0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23) diff --git a/src/fundamental/efivars-fundamental.c b/src/fundamental/efivars-fundamental.c index 2ec3bfb2f0..611b0b682d 100644 --- a/src/fundamental/efivars-fundamental.c +++ b/src/fundamental/efivars-fundamental.c @@ -10,13 +10,17 @@ static const sd_char * const table[_SECURE_BOOT_MAX] = { [SECURE_BOOT_DEPLOYED] = STR_C("deployed"), [SECURE_BOOT_SETUP] = STR_C("setup"), [SECURE_BOOT_USER] = STR_C("user"), + [SECURE_BOOT_TAINTED] = STR_C("tainted"), }; const sd_char *secure_boot_mode_to_string(SecureBootMode m) { return (m >= 0 && m < _SECURE_BOOT_MAX) ? table[m] : NULL; } -SecureBootMode decode_secure_boot_mode(bool secure, bool audit, bool deployed, bool setup) { +SecureBootMode decode_secure_boot_mode(bool secure, bool audit, bool deployed, bool setup, bool moksb) { + /* shim verification can be disabled by moksb, some OEMs set it */ + if (secure && moksb) + return SECURE_BOOT_TAINTED; /* See figure 32-4 Secure Boot Modes from UEFI Specification 2.9 */ if (secure && deployed && !audit && !setup) return SECURE_BOOT_DEPLOYED; diff --git a/src/fundamental/efivars-fundamental.h b/src/fundamental/efivars-fundamental.h index 0f4670a37f..df94a736e1 100644 --- a/src/fundamental/efivars-fundamental.h +++ b/src/fundamental/efivars-fundamental.h @@ -51,9 +51,10 @@ typedef enum SecureBootMode { SECURE_BOOT_DEPLOYED, SECURE_BOOT_SETUP, SECURE_BOOT_USER, + SECURE_BOOT_TAINTED, _SECURE_BOOT_MAX, _SECURE_BOOT_INVALID = -EINVAL, } SecureBootMode; const sd_char *secure_boot_mode_to_string(SecureBootMode m); -SecureBootMode decode_secure_boot_mode(bool secure, bool audit, bool deployed, bool setup); +SecureBootMode decode_secure_boot_mode(bool secure, bool audit, bool deployed, bool setup, bool moksb);