From patchwork Wed Jul 8 16:29:27 2020
X-Patchwork-Submitter: Heinrich Schuchardt
X-Patchwork-Id: 1325322
X-Patchwork-Delegate: xypron.glpk@gmx.de

From: Heinrich Schuchardt
To: Alexander Graf
Cc: Ilias Apalodimas, AKASHI Takahiro, u-boot@lists.denx.de, Heinrich Schuchardt
Subject: [PATCH v3 08/17] efi_loader: read-only AuditMode and DeployedMode
Date: Wed, 8 Jul 2020 18:29:27 +0200
Message-Id: <20200708162936.25802-9-xypron.glpk@gmx.de>
In-Reply-To: <20200708162936.25802-1-xypron.glpk@gmx.de>
References: <20200708162936.25802-1-xypron.glpk@gmx.de>
X-Mailer: git-send-email 2.27.0
List-Id: U-Boot discussion <u-boot@lists.denx.de>

Set the read only property of the UEFI variables AuditMode and DeployedMode conforming to the UEFI specification.

Signed-off-by: Heinrich Schuchardt
---
 lib/efi_loader/efi_variable.c | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

-- 
2.27.0

diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c
index e3b29663a0..b84b86672a 100644
--- a/lib/efi_loader/efi_variable.c
+++ b/lib/efi_loader/efi_variable.c
@@ -183,32 +183,36 @@ static const char *parse_attr(const char *str, u32 *attrp, u64 *timep) static efi_status_t efi_set_secure_state(u8 secure_boot, u8 setup_mode, u8 audit_mode, u8 deployed_mode) { - u32 attributes; efi_status_t ret; + const u32 attributes_ro = EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS | + EFI_VARIABLE_READ_ONLY; + const u32 attributes_rw = EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS; - attributes = EFI_VARIABLE_BOOTSERVICE_ACCESS | - EFI_VARIABLE_RUNTIME_ACCESS | - EFI_VARIABLE_READ_ONLY; ret = efi_set_variable_int(L"SecureBoot", &efi_global_variable_guid, - attributes, sizeof(secure_boot), + attributes_ro, sizeof(secure_boot), &secure_boot, false); if (ret != EFI_SUCCESS) goto err; ret = efi_set_variable_int(L"SetupMode", &efi_global_variable_guid, - attributes, sizeof(setup_mode), + attributes_ro, sizeof(setup_mode), &setup_mode, false); if (ret != EFI_SUCCESS) goto err; ret = efi_set_variable_int(L"AuditMode", &efi_global_variable_guid, - attributes, sizeof(audit_mode), - &audit_mode, false); + audit_mode || setup_mode ? + attributes_ro : attributes_rw, + sizeof(audit_mode), &audit_mode, false); if (ret != EFI_SUCCESS) goto err; ret = efi_set_variable_int(L"DeployedMode", - &efi_global_variable_guid, attributes, + &efi_global_variable_guid, + audit_mode || deployed_mode || setup_mode ? + attributes_ro : attributes_rw, sizeof(deployed_mode), &deployed_mode, false); err:
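Review bot: the read-only rule for AuditMode and DeployedMode is encoded only in the two inline ternaries (`audit_mode || setup_mode ? attributes_ro : attributes_rw` and `audit_mode || deployed_mode || setup_mode ? attributes_ro : attributes_rw`) without a comment stating which secure boot mode leaves each variable writable, and the commit message says only "conforming to the UEFI specification" without naming the section; please add a short comment above efi_set_secure_state() spelling out the mode table these conditions implement and cite the spec section so a later reader can check the two conditions against it. Readability would also improve by computing the attribute set into a local before each call, e.g. `u32 attr = audit_mode || setup_mode ? attributes_ro : attributes_rw;`, instead of splitting the ternary across argument lines in the middle of the efi_set_variable_int() call. Since this change makes both variables writable in some modes, it would also help to say in the commit message where the SetVariable path validates the written value and the permitted transition, as that check is not visible in this hunk.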