From: Chester Lin <clin@suse.com>
To: zohar@linux.ibm.com, ardb@kernel.org, catalin.marinas@arm.com,
will@kernel.org, tglx@linutronix.de, mingo@redhat.com,
bp@alien8.de, hpa@zytor.com, vincenzo.frascino@arm.com,
mark.rutland@arm.com, samitolvanen@google.com,
masahiroy@kernel.org
Cc: linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, x86@kernel.org,
linux-integrity@vger.kernel.org, linux-efi@vger.kernel.org,
jlee@suse.com, clin@suse.com
Subject: Re: [PATCH v2 1/2] efi: add secure boot get helper
Date: Wed, 14 Oct 2020 18:51:02 +0800 [thread overview]
Message-ID: <20201014105102.GA9912@linux-8mug> (raw)
In-Reply-To: <20201014104032.9776-2-clin@suse.com>
Hi Ard and Mimi,
On Wed, Oct 14, 2020 at 06:40:31PM +0800, Chester Lin wrote:
> Separate the get_sb_mode() from arch/x86 and treat it as a common function
> [rename to efi_get_secureboot_mode] so all EFI-based architectures can
> reuse the same logic.
>
> Signed-off-by: Chester Lin <clin@suse.com>
> ---
> arch/x86/kernel/ima_arch.c | 47 ++------------------------------------
> drivers/firmware/efi/efi.c | 43 ++++++++++++++++++++++++++++++++++
> include/linux/efi.h | 5 ++++
> 3 files changed, 50 insertions(+), 45 deletions(-)
>
> diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c
> index 7dfb1e808928..ed4623ecda6e 100644
> --- a/arch/x86/kernel/ima_arch.c
> +++ b/arch/x86/kernel/ima_arch.c
> @@ -8,49 +8,6 @@
>
> extern struct boot_params boot_params;
>
> -static enum efi_secureboot_mode get_sb_mode(void)
> -{
> - efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
> - efi_status_t status;
> - unsigned long size;
> - u8 secboot, setupmode;
> -
> - size = sizeof(secboot);
> -
> - if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) {
> - pr_info("ima: secureboot mode unknown, no efi\n");
> - return efi_secureboot_mode_unknown;
> - }
> -
> - /* Get variable contents into buffer */
> - status = efi.get_variable(L"SecureBoot", &efi_variable_guid,
> - NULL, &size, &secboot);
> - if (status == EFI_NOT_FOUND) {
> - pr_info("ima: secureboot mode disabled\n");
> - return efi_secureboot_mode_disabled;
> - }
> -
> - if (status != EFI_SUCCESS) {
> - pr_info("ima: secureboot mode unknown\n");
> - return efi_secureboot_mode_unknown;
> - }
> -
> - size = sizeof(setupmode);
> - status = efi.get_variable(L"SetupMode", &efi_variable_guid,
> - NULL, &size, &setupmode);
> -
> - if (status != EFI_SUCCESS) /* ignore unknown SetupMode */
> - setupmode = 0;
> -
> - if (secboot == 0 || setupmode == 1) {
> - pr_info("ima: secureboot mode disabled\n");
> - return efi_secureboot_mode_disabled;
> - }
> -
> - pr_info("ima: secureboot mode enabled\n");
> - return efi_secureboot_mode_enabled;
> -}
> -
> bool arch_ima_get_secureboot(void)
> {
> static enum efi_secureboot_mode sb_mode;
> @@ -60,7 +17,7 @@ bool arch_ima_get_secureboot(void)
> sb_mode = boot_params.secure_boot;
>
> if (sb_mode == efi_secureboot_mode_unset)
> - sb_mode = get_sb_mode();
> + sb_mode = efi_get_secureboot_mode();
> initialized = true;
> }
>
> @@ -70,7 +27,7 @@ bool arch_ima_get_secureboot(void)
> return false;
> }
>
> -/* secureboot arch rules */
> +/* secure and trusted boot arch rules */
> static const char * const sb_arch_rules[] = {
> #if !IS_ENABLED(CONFIG_KEXEC_SIG)
> "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig",
> diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
> index 5e5480a0a32d..68ffa6a069c0 100644
> --- a/drivers/firmware/efi/efi.c
> +++ b/drivers/firmware/efi/efi.c
I hope you don't mind that I temporarily move the get_sb_mode() to efi
since I'm not sure which place is better. Please let me know if any
suggestions.
Thanks,
Chester
> @@ -1022,3 +1022,46 @@ static int __init register_update_efi_random_seed(void)
> }
> late_initcall(register_update_efi_random_seed);
> #endif
> +
> +enum efi_secureboot_mode efi_get_secureboot_mode(void)
> +{
> + efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
> + efi_status_t status;
> + unsigned long size;
> + u8 secboot, setupmode;
> +
> + size = sizeof(secboot);
> +
> + if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) {
> + pr_info("ima: secureboot mode unknown, no efi\n");
> + return efi_secureboot_mode_unknown;
> + }
> +
> + /* Get variable contents into buffer */
> + status = efi.get_variable(L"SecureBoot", &efi_variable_guid,
> + NULL, &size, &secboot);
> + if (status == EFI_NOT_FOUND) {
> + pr_info("ima: secureboot mode disabled\n");
> + return efi_secureboot_mode_disabled;
> + }
> +
> + if (status != EFI_SUCCESS) {
> + pr_info("ima: secureboot mode unknown\n");
> + return efi_secureboot_mode_unknown;
> + }
> +
> + size = sizeof(setupmode);
> + status = efi.get_variable(L"SetupMode", &efi_variable_guid,
> + NULL, &size, &setupmode);
> +
> + if (status != EFI_SUCCESS) /* ignore unknown SetupMode */
> + setupmode = 0;
> +
> + if (secboot == 0 || setupmode == 1) {
> + pr_info("ima: secureboot mode disabled\n");
> + return efi_secureboot_mode_disabled;
> + }
> +
> + pr_info("ima: secureboot mode enabled\n");
> + return efi_secureboot_mode_enabled;
> +}
> diff --git a/include/linux/efi.h b/include/linux/efi.h
> index d7c0e73af2b9..a73e5ae04672 100644
> --- a/include/linux/efi.h
> +++ b/include/linux/efi.h
> @@ -1076,8 +1076,13 @@ static inline int efi_runtime_map_copy(void *buf, size_t bufsz)
>
> #ifdef CONFIG_EFI
> extern bool efi_runtime_disabled(void);
> +extern enum efi_secureboot_mode efi_get_secureboot_mode(void);
> #else
> static inline bool efi_runtime_disabled(void) { return true; }
> +static inline enum efi_secureboot_mode efi_get_secureboot_mode(void)
> +{
> + return efi_secureboot_mode_disabled;
> +}
> #endif
>
> extern void efi_call_virt_check_flags(unsigned long flags, const char *call);
> --
> 2.26.1
>
WARNING: multiple messages have this Message-ID (diff)
From: Chester Lin <clin@suse.com>
To: zohar@linux.ibm.com, ardb@kernel.org, catalin.marinas@arm.com,
will@kernel.org, tglx@linutronix.de, mingo@redhat.com,
bp@alien8.de, hpa@zytor.com, vincenzo.frascino@arm.com,
mark.rutland@arm.com, samitolvanen@google.com,
masahiroy@kernel.org
Cc: clin@suse.com, linux-efi@vger.kernel.org, x86@kernel.org,
linux-kernel@vger.kernel.org, jlee@suse.com,
linux-integrity@vger.kernel.org,
linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH v2 1/2] efi: add secure boot get helper
Date: Wed, 14 Oct 2020 18:51:02 +0800 [thread overview]
Message-ID: <20201014105102.GA9912@linux-8mug> (raw)
In-Reply-To: <20201014104032.9776-2-clin@suse.com>
Hi Ard and Mimi,
On Wed, Oct 14, 2020 at 06:40:31PM +0800, Chester Lin wrote:
> Separate the get_sb_mode() from arch/x86 and treat it as a common function
> [rename to efi_get_secureboot_mode] so all EFI-based architectures can
> reuse the same logic.
>
> Signed-off-by: Chester Lin <clin@suse.com>
> ---
> arch/x86/kernel/ima_arch.c | 47 ++------------------------------------
> drivers/firmware/efi/efi.c | 43 ++++++++++++++++++++++++++++++++++
> include/linux/efi.h | 5 ++++
> 3 files changed, 50 insertions(+), 45 deletions(-)
>
> diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c
> index 7dfb1e808928..ed4623ecda6e 100644
> --- a/arch/x86/kernel/ima_arch.c
> +++ b/arch/x86/kernel/ima_arch.c
> @@ -8,49 +8,6 @@
>
> extern struct boot_params boot_params;
>
> -static enum efi_secureboot_mode get_sb_mode(void)
> -{
> - efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
> - efi_status_t status;
> - unsigned long size;
> - u8 secboot, setupmode;
> -
> - size = sizeof(secboot);
> -
> - if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) {
> - pr_info("ima: secureboot mode unknown, no efi\n");
> - return efi_secureboot_mode_unknown;
> - }
> -
> - /* Get variable contents into buffer */
> - status = efi.get_variable(L"SecureBoot", &efi_variable_guid,
> - NULL, &size, &secboot);
> - if (status == EFI_NOT_FOUND) {
> - pr_info("ima: secureboot mode disabled\n");
> - return efi_secureboot_mode_disabled;
> - }
> -
> - if (status != EFI_SUCCESS) {
> - pr_info("ima: secureboot mode unknown\n");
> - return efi_secureboot_mode_unknown;
> - }
> -
> - size = sizeof(setupmode);
> - status = efi.get_variable(L"SetupMode", &efi_variable_guid,
> - NULL, &size, &setupmode);
> -
> - if (status != EFI_SUCCESS) /* ignore unknown SetupMode */
> - setupmode = 0;
> -
> - if (secboot == 0 || setupmode == 1) {
> - pr_info("ima: secureboot mode disabled\n");
> - return efi_secureboot_mode_disabled;
> - }
> -
> - pr_info("ima: secureboot mode enabled\n");
> - return efi_secureboot_mode_enabled;
> -}
> -
> bool arch_ima_get_secureboot(void)
> {
> static enum efi_secureboot_mode sb_mode;
> @@ -60,7 +17,7 @@ bool arch_ima_get_secureboot(void)
> sb_mode = boot_params.secure_boot;
>
> if (sb_mode == efi_secureboot_mode_unset)
> - sb_mode = get_sb_mode();
> + sb_mode = efi_get_secureboot_mode();
> initialized = true;
> }
>
> @@ -70,7 +27,7 @@ bool arch_ima_get_secureboot(void)
> return false;
> }
>
> -/* secureboot arch rules */
> +/* secure and trusted boot arch rules */
> static const char * const sb_arch_rules[] = {
> #if !IS_ENABLED(CONFIG_KEXEC_SIG)
> "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig",
> diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
> index 5e5480a0a32d..68ffa6a069c0 100644
> --- a/drivers/firmware/efi/efi.c
> +++ b/drivers/firmware/efi/efi.c
I hope you don't mind that I temporarily move the get_sb_mode() to efi
since I'm not sure which place is better. Please let me know if any
suggestions.
Thanks,
Chester
> @@ -1022,3 +1022,46 @@ static int __init register_update_efi_random_seed(void)
> }
> late_initcall(register_update_efi_random_seed);
> #endif
> +
> +enum efi_secureboot_mode efi_get_secureboot_mode(void)
> +{
> + efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
> + efi_status_t status;
> + unsigned long size;
> + u8 secboot, setupmode;
> +
> + size = sizeof(secboot);
> +
> + if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) {
> + pr_info("ima: secureboot mode unknown, no efi\n");
> + return efi_secureboot_mode_unknown;
> + }
> +
> + /* Get variable contents into buffer */
> + status = efi.get_variable(L"SecureBoot", &efi_variable_guid,
> + NULL, &size, &secboot);
> + if (status == EFI_NOT_FOUND) {
> + pr_info("ima: secureboot mode disabled\n");
> + return efi_secureboot_mode_disabled;
> + }
> +
> + if (status != EFI_SUCCESS) {
> + pr_info("ima: secureboot mode unknown\n");
> + return efi_secureboot_mode_unknown;
> + }
> +
> + size = sizeof(setupmode);
> + status = efi.get_variable(L"SetupMode", &efi_variable_guid,
> + NULL, &size, &setupmode);
> +
> + if (status != EFI_SUCCESS) /* ignore unknown SetupMode */
> + setupmode = 0;
> +
> + if (secboot == 0 || setupmode == 1) {
> + pr_info("ima: secureboot mode disabled\n");
> + return efi_secureboot_mode_disabled;
> + }
> +
> + pr_info("ima: secureboot mode enabled\n");
> + return efi_secureboot_mode_enabled;
> +}
> diff --git a/include/linux/efi.h b/include/linux/efi.h
> index d7c0e73af2b9..a73e5ae04672 100644
> --- a/include/linux/efi.h
> +++ b/include/linux/efi.h
> @@ -1076,8 +1076,13 @@ static inline int efi_runtime_map_copy(void *buf, size_t bufsz)
>
> #ifdef CONFIG_EFI
> extern bool efi_runtime_disabled(void);
> +extern enum efi_secureboot_mode efi_get_secureboot_mode(void);
> #else
> static inline bool efi_runtime_disabled(void) { return true; }
> +static inline enum efi_secureboot_mode efi_get_secureboot_mode(void)
> +{
> + return efi_secureboot_mode_disabled;
> +}
> #endif
>
> extern void efi_call_virt_check_flags(unsigned long flags, const char *call);
> --
> 2.26.1
>
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2020-10-14 10:51 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-14 10:40 [PATCH v2 0/2] add ima_arch support for ARM64 Chester Lin
2020-10-14 10:40 ` Chester Lin
2020-10-14 10:40 ` [PATCH v2 1/2] efi: add secure boot get helper Chester Lin
2020-10-14 10:40 ` Chester Lin
2020-10-14 10:51 ` Chester Lin [this message]
2020-10-14 10:51 ` Chester Lin
2020-10-14 11:00 ` Ard Biesheuvel
2020-10-14 11:00 ` Ard Biesheuvel
2020-10-14 11:56 ` Mimi Zohar
2020-10-14 11:56 ` Mimi Zohar
2020-10-15 12:21 ` Chester Lin
2020-10-15 12:21 ` Chester Lin
2020-10-14 13:08 ` kernel test robot
2020-10-14 16:04 ` kernel test robot
2020-10-14 10:40 ` [PATCH v2 2/2] arm64/ima: add ima_arch support Chester Lin
2020-10-14 10:40 ` Chester Lin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201014105102.GA9912@linux-8mug \
--to=clin@suse.com \
--cc=ardb@kernel.org \
--cc=bp@alien8.de \
--cc=catalin.marinas@arm.com \
--cc=hpa@zytor.com \
--cc=jlee@suse.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=masahiroy@kernel.org \
--cc=mingo@redhat.com \
--cc=samitolvanen@google.com \
--cc=tglx@linutronix.de \
--cc=vincenzo.frascino@arm.com \
--cc=will@kernel.org \
--cc=x86@kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.