efi_loader: correct determination of secure boot state

When U-Boot is started we have to use the existing variables to determine
in which secure boot state we are.

* If a platform key PK is present and DeployedMode=1, we are in deployed
  mode.
* If no platform key PK is present and AuditMode=1, we are in audit mode.
* Otherwise if a platform key is present, we are in user mode.
* Otherwise if no platform key is present, we are in setup mode.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>

diff --git a/lib/efi_loader/efi_var_common.c b/lib/efi_loader/efi_var_common.c
index c744e2f..a00bbf1 100644 (file)
--- a/lib/efi_loader/efi_var_common.c
+++ b/lib/efi_loader/efi_var_common.c
@@ -314,17 +314,40 @@ err:
 
 efi_status_t efi_init_secure_state(void)
 {
-       enum efi_secure_mode mode = EFI_MODE_SETUP;
+       enum efi_secure_mode mode;
        u8 efi_vendor_keys = 0;
-       efi_uintn_t size = 0;
+       efi_uintn_t size;
        efi_status_t ret;
-
-       ret = efi_get_variable_int(L"PK", &efi_global_variable_guid,
-                                  NULL, &size, NULL, NULL);
-       if (ret == EFI_BUFFER_TOO_SMALL) {
-               if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT))
-                       mode = EFI_MODE_USER;
+       u8 deployed_mode = 0;
+       u8 audit_mode = 0;
+       u8 setup_mode = 1;
+
+       if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT)) {
+               size = sizeof(deployed_mode);
+               ret = efi_get_variable_int(u"DeployedMode", &efi_global_variable_guid,
+                                          NULL, &size, &deployed_mode, NULL);
+               size = sizeof(audit_mode);
+               ret = efi_get_variable_int(u"AuditMode", &efi_global_variable_guid,
+                                          NULL, &size, &audit_mode, NULL);
+               size = 0;
+               ret = efi_get_variable_int(u"PK", &efi_global_variable_guid,
+                                          NULL, &size, NULL, NULL);
+               if (ret == EFI_BUFFER_TOO_SMALL) {
+                       setup_mode = 0;
+                       audit_mode = 0;
+               } else {
+                       setup_mode = 1;
+                       deployed_mode = 0;
+               }
        }
+       if (deployed_mode)
+               mode = EFI_MODE_DEPLOYED;
+       else if (audit_mode)
+               mode = EFI_MODE_AUDIT;
+       else if (setup_mode)
+               mode = EFI_MODE_SETUP;
+       else
+               mode = EFI_MODE_USER;
 
        ret = efi_transfer_secure_state(mode);
        if (ret != EFI_SUCCESS)