Re: [PATCH v2 0/6] efi_loader: fix secure boot mode transitions

[AKASHI Takahiro <takahiro.akashi@linaro.org>]

On Thu, Aug 26, 2021 at 03:47:59PM +0200, Heinrich Schuchardt wrote:
> The UEFI specification 2.9 defines the different modes that secure boot may
> be in. 
> 
> The patch series adds support for the "Deployed Mode" and the "Setup Mode".

This sentence seems to be wrong, or at least inaccurate.
"Setup Mode" has been supported from the beginning when I implemented
secure boot. In other word, I implemented only the transition between
"Setup Mode" and "User Mode" only.

-Takahiro Akashi


> Furthermore the secure boot signature database must only be loaded from
> tamper-resistant storage. So we must not load it from ubootefi.var on the
> EFI system partition but only from the preseed variables store or via the
> OP-TEE driver for the eMMC replay protected memory partition.
> 
> v2:
> 	correct variable name in lib/efi_loader/efi_variable_tee.c
> 
> Heinrich Schuchardt (6):
>   efi_loader: stop recursion in efi_init_secure_state
>   efi_loader: correct determination of secure boot state
>   efi_loader: don't load signature database from file
>   efi_loader: correct secure boot state transition
>   efi_loader: writing AuditMode, DeployedMode
>   efi_loader: always initialize the secure boot state
> 
>  include/efi_variable.h            |  6 ++-
>  lib/efi_loader/efi_var_common.c   | 66 +++++++++++++++++++++++--------
>  lib/efi_loader/efi_var_file.c     | 41 +++++++++++--------
>  lib/efi_loader/efi_variable.c     | 20 ++++++----
>  lib/efi_loader/efi_variable_tee.c |  4 +-
>  5 files changed, 95 insertions(+), 42 deletions(-)
> 
> -- 
> 2.30.2
>