[PATCH] efi_loader: variable: fix secure state initialization
Heinrich Schuchardt
xypron.glpk at gmx.de
Thu Aug 13 10:21:20 CEST 2020
On 13.08.20 10:05, AKASHI Takahiro wrote:
> Under the new file-based variable implementation, the secure state
> is always and falsely set to 0 (hence, the secure boot gets disabled)
> after the reboot even if PK (and other signature database) has already
> been enrolled in the previous boot.
>
> This is because the secure state is set up *before* loading non-volatile
> variables' values from saved data.
>
> This patch fixes the order of variable initialization and secure state
> initialization.
>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
> Fixes: 5f7dcf079de8 ("efi_loader: UEFI variable persistence")
Thanks for the correction.
Reviewed-by: Heinrich Schuchardt <xypron.glpk at gmx.de>
> ---
> lib/efi_loader/efi_variable.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c
> index 282d542a096c..a10b9caa8b03 100644
> --- a/lib/efi_loader/efi_variable.c
> +++ b/lib/efi_loader/efi_variable.c
> @@ -508,10 +508,6 @@ efi_status_t efi_init_variables(void)
> if (ret != EFI_SUCCESS)
> return ret;
>
> - ret = efi_init_secure_state();
> - if (ret != EFI_SUCCESS)
> - return ret;
> -
> if (IS_ENABLED(CONFIG_EFI_VARIABLES_PRESEED)) {
> ret = efi_var_restore((struct efi_var_file *)
> __efi_var_file_begin);
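Review bot: Removing the efi_init_secure_state() call from above the IS_ENABLED(CONFIG_EFI_VARIABLES_PRESEED) block also moves the preseed restore ahead of secure state setup, which the commit message does not mention. It only talks about non-volatile variables loaded from saved data. After this change, whatever efi_var_restore() loads from __efi_var_file_begin is also present when the secure state is computed. Please state in the commit message or in a comment whether that is intended, so the preseed case is a documented part of the ordering and not a side effect.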
> @@ -519,5 +515,9 @@ efi_status_t efi_init_variables(void)
> log_err("Invalid EFI variable seed\n");
> }
>
> - return efi_var_from_file();
> + ret = efi_var_from_file();
> + if (ret != EFI_SUCCESS)
> + return ret;
> +
> + return efi_init_secure_state();
> }
>
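Review bot: The new early return after "ret = efi_var_from_file();" means efi_init_secure_state() is never called when loading the file fails, whereas before this patch the secure state was always set up before the file was read. Please confirm which status efi_var_from_file() returns when no variable file exists yet (for example on first boot), and that leaving the secure state uninitialized on an error return is the intended outcome. A one-line comment above "return efi_init_secure_state();" saying that it must run after all variables are loaded would also keep the order from being swapped back later.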