| Message ID | 148587565838.4026.2835771993519594392.stgit@warthog.procyon.org.uk (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On 31 January 2017 at 15:14, David Howells <dhowells@redhat.com> wrote: > Print the secure boot status in the x86 setup_arch() but otherwise do > nothing more for now. More functionality will be added later, but this at > least allows for testing. > > Signed-off-by: David Howells <dhowells@redhat.com> > --- > > arch/x86/kernel/setup.c | 14 ++++++++++++++ > 1 file changed, 14 insertions(+) > > diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c > index 4cfba947d774..22e4b47a5c14 100644 > --- a/arch/x86/kernel/setup.c > +++ b/arch/x86/kernel/setup.c > @@ -1176,6 +1176,20 @@ void __init setup_arch(char **cmdline_p) > /* Allocate bigger log buffer */ > setup_log_buf(1); > > + if (IS_ENABLED(CONFIG_EFI)) { Shouldn't this be a runtime check? > + switch (boot_params.secure_boot) { > + case efi_secureboot_mode_disabled: > + pr_info("Secure boot disabled\n"); > + break; > + case efi_secureboot_mode_enabled: > + pr_info("Secure boot enabled\n"); > + break; > + default: > + pr_info("Secure boot could not be determined\n"); > + break; > + } > + } > + > reserve_initrd(); > > acpi_table_upgrade(); > -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote: > > + if (IS_ENABLED(CONFIG_EFI)) { > > Shouldn't this be a runtime check? Interesting question. The original patch I was working from had a #ifdef here. Possibly it doesn't need to be there at all. We could rely entirely on the value of boot_params.secure_boot. David -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 3 February 2017 at 16:21, David Howells <dhowells@redhat.com> wrote: > Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote: > >> > + if (IS_ENABLED(CONFIG_EFI)) { >> >> Shouldn't this be a runtime check? > > Interesting question. The original patch I was working from had a #ifdef > here. Possibly it doesn't need to be there at all. We could rely entirely on > the value of boot_params.secure_boot. > Yes, but only if you are booting via UEFI, no? So perhaps use efi_enabled(EFI_BOOT) instead? -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote: > Yes, but only if you are booting via UEFI, no? Why limit it so? Even if you don't boot via UEFI, the bootloader/kexec can always set the secure-boot state on. > So perhaps use efi_enabled(EFI_BOOT) instead? I've no objection to that, given it incorporates a test of CONFIG_EFI. David -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
David Howells <dhowells@redhat.com> wrote: > Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote: > > > Yes, but only if you are booting via UEFI, no? > > Why limit it so? Even if you don't boot via UEFI, the bootloader/kexec can > always set the secure-boot state on. > > > So perhaps use efi_enabled(EFI_BOOT) instead? > > I've no objection to that, given it incorporates a test of CONFIG_EFI. Feel free to just go ahead and change it in the patch. We can always take the check out later. David -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 3 February 2017 at 16:29, David Howells <dhowells@redhat.com> wrote: > David Howells <dhowells@redhat.com> wrote: > >> Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote: >> >> > Yes, but only if you are booting via UEFI, no? >> >> Why limit it so? Even if you don't boot via UEFI, the bootloader/kexec can >> always set the secure-boot state on. >> >> > So perhaps use efi_enabled(EFI_BOOT) instead? >> >> I've no objection to that, given it incorporates a test of CONFIG_EFI. > > Feel free to just go ahead and change it in the patch. We can always take the > check out later. > Sure -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 3 February 2017 at 16:29, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote: > On 3 February 2017 at 16:29, David Howells <dhowells@redhat.com> wrote: >> David Howells <dhowells@redhat.com> wrote: >> >>> Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote: >>> >>> > Yes, but only if you are booting via UEFI, no? >>> >>> Why limit it so? Even if you don't boot via UEFI, the bootloader/kexec can >>> always set the secure-boot state on. >>> >>> > So perhaps use efi_enabled(EFI_BOOT) instead? >>> >>> I've no objection to that, given it incorporates a test of CONFIG_EFI. >> >> Feel free to just go ahead and change it in the patch. We can always take the >> check out later. >> > > Sure OK, I have queued these patches (minus the DeployedMode one) in the next branch on efi.git. Please double check, I will send out a pull request to tip shortly (once the autobuilder gives me the green light) Thanks, Ard. -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote: > OK, I have queued these patches (minus the DeployedMode one) in the > next branch on efi.git. Please double check, I will send out a pull > request to tip shortly (once the autobuilder gives me the green light) Looks okay. Now if I can just squeeze a fixed grub2 out of Peter Jones... David -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c index 4cfba947d774..22e4b47a5c14 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -1176,6 +1176,20 @@ void __init setup_arch(char **cmdline_p) /* Allocate bigger log buffer */ setup_log_buf(1); + if (IS_ENABLED(CONFIG_EFI)) { + switch (boot_params.secure_boot) { + case efi_secureboot_mode_disabled: + pr_info("Secure boot disabled\n"); + break; + case efi_secureboot_mode_enabled: + pr_info("Secure boot enabled\n"); + break; + default: + pr_info("Secure boot could not be determined\n"); + break; + } + } + reserve_initrd(); acpi_table_upgrade();
Print the secure boot status in the x86 setup_arch() but otherwise do nothing more for now. More functionality will be added later, but this at least allows for testing. Signed-off-by: David Howells <dhowells@redhat.com> --- arch/x86/kernel/setup.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html