From patchwork Sat Jul 11 22:05:36 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Heinrich Schuchardt X-Patchwork-Id: 241377 List-Id: U-Boot discussion From: xypron.glpk at gmx.de (Heinrich Schuchardt) Date: Sun, 12 Jul 2020 00:05:36 +0200 Subject: [PATCH v4 09/17] efi_loader: secure boot flag In-Reply-To: <20200711220544.120976-1-xypron.glpk@gmx.de> References: <20200711220544.120976-1-xypron.glpk@gmx.de> Message-ID: <20200711220544.120976-10-xypron.glpk@gmx.de> In audit mode the UEFI variable SecureBoot is set to zero but the efi_secure_boot flag is set to true. The efi_secure_boot flag should match the UEFIvariable SecureBoot. Signed-off-by: Heinrich Schuchardt --- lib/efi_loader/efi_variable.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) -- 2.27.0 diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c index 4bd976e44a..0d6bafc76d 100644 --- a/lib/efi_loader/efi_variable.c +++ b/lib/efi_loader/efi_variable.c @@ -190,6 +190,8 @@ static efi_status_t efi_set_secure_state(u8 secure_boot, u8 setup_mode, const u32 attributes_rw = EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS; + efi_secure_boot = secure_boot; + ret = efi_set_variable_int(L"SecureBoot", &efi_global_variable_guid, attributes_ro, sizeof(secure_boot), &secure_boot, false); @@ -240,8 +242,6 @@ static efi_status_t efi_transfer_secure_state(enum efi_secure_mode mode) ret = efi_set_secure_state(1, 0, 0, 1); if (ret != EFI_SUCCESS) goto err; - - efi_secure_boot = true; } else if (mode == EFI_MODE_AUDIT) { ret = efi_set_variable_int(L"PK", &efi_global_variable_guid, EFI_VARIABLE_BOOTSERVICE_ACCESS | @@ -253,14 +253,10 @@ static efi_status_t efi_transfer_secure_state(enum efi_secure_mode mode) ret = efi_set_secure_state(0, 1, 1, 0); if (ret != EFI_SUCCESS) goto err; - - efi_secure_boot = true; } else if (mode == EFI_MODE_USER) { ret = efi_set_secure_state(1, 0, 0, 0); if (ret != EFI_SUCCESS) goto err; - - efi_secure_boot = true; } else if (mode == EFI_MODE_SETUP) { ret = efi_set_secure_state(0, 1, 0, 0); if (ret != EFI_SUCCESS)