From patchwork Thu Aug 13 08:05:29 2020
X-Patchwork-Submitter: AKASHI Takahiro
X-Patchwork-Id: 1344111
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de
Cc: u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH] efi_loader: variable: fix secure state initialization
Date: Thu, 13 Aug 2020 17:05:29 +0900
Message-Id: <20200813080529.178153-1-takahiro.akashi@linaro.org>

Under the new file-based variable implementation, the secure state is
always and falsely set to 0 (hence, secure boot gets disabled) after
the reboot even if PK (and other signature databases) has already been
enrolled in the previous boot. This is because the secure state is set
up *before* loading non-volatile variables' values from saved data.

This patch fixes the order of variable initialization and secure state
initialization.

Signed-off-by: AKASHI Takahiro
Fixes: 5f7dcf079de8 ("efi_loader: UEFI variable persistence")
Reviewed-by: Heinrich Schuchardt
---
 lib/efi_loader/efi_variable.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c
index 282d542a096c..a10b9caa8b03 100644
--- a/lib/efi_loader/efi_variable.c
+++ b/lib/efi_loader/efi_variable.c
@@ -508,10 +508,6 @@ efi_status_t efi_init_variables(void) if (ret != EFI_SUCCESS) return ret; - ret = efi_init_secure_state(); - if (ret != EFI_SUCCESS) - return ret; - if (IS_ENABLED(CONFIG_EFI_VARIABLES_PRESEED)) { ret = efi_var_restore((struct efi_var_file *) __efi_var_file_begin); @@ -519,5 +515,9 @@ efi_status_t efi_init_variables(void) log_err("Invalid EFI variable seed\n"); } - return efi_var_from_file(); + ret = efi_var_from_file(); + if (ret != EFI_SUCCESS) + return ret; + + return efi_init_secure_state(); }
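Review bot: The first hunk (`@@ -508,10 +508,6 @@`) drops the early `efi_init_secure_state()` call without leaving any hint at that point that the call now lives at the end of the function, and the ordering constraint that motivates the move (the secure state is derived from PK and the other signature databases, which only exist once the variable store has been loaded) is stated in the commit message but not in the code. A one-line comment at the new call site, e.g. `/* must run after variables are loaded: secure state depends on PK/db */`, would keep a later refactor from reintroducing the bug this patch fixes.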
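Review bot: In the second hunk (`@@ -519,5 +515,9 @@`), the new `ret = efi_var_from_file(); if (ret != EFI_SUCCESS) return ret;` means that when the variable file cannot be read, `efi_init_secure_state()` is never reached and the secure state is left at whatever value it holds before initialization. That is the right fail-closed shape as long as every caller of `efi_init_variables()` treats a non-`EFI_SUCCESS` return as fatal rather than continuing to boot with an unset secure state; worth confirming the callers and noting it in the commit message. The neighbouring `log_err("Invalid EFI variable seed\n");` path, which only logs and carries on after a bad preseed, is unchanged here and so keeps its pre-existing behaviour.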