[PATCH] efi_loader: variable: fix secure state initialization

Heinrich Schuchardt xypron.glpk at gmx.de
Thu Aug 13 10:21:20 CEST 2020


On 13.08.20 10:05, AKASHI Takahiro wrote:
> Under the new file-based variable implementation, the secure state
> is always and falsely set to 0 (hence, the secure boot gets disabled)
> after the reboot even if PK (and other signature database) has already
> been enrolled in the previous boot.
>
> This is because the secure state is set up *before* loading non-volatile
> variables' values from saved data.
>
> This patch fixes the order of variable initialization and secure state
> initialization.
>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
> Fixes: 5f7dcf079de8 ("efi_loader: UEFI variable persistence")

Thanks for the correction.

Reviewed-by: Heinrich Schuchardt <xypron.glpk at gmx.de>

> ---
>  lib/efi_loader/efi_variable.c | 10 +++++-----
>  1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c
> index 282d542a096c..a10b9caa8b03 100644
> --- a/lib/efi_loader/efi_variable.c
> +++ b/lib/efi_loader/efi_variable.c
> @@ -508,10 +508,6 @@ efi_status_t efi_init_variables(void)
>  	if (ret != EFI_SUCCESS)
>  		return ret;
>
> -	ret = efi_init_secure_state();
> -	if (ret != EFI_SUCCESS)
> -		return ret;
> -
>  	if (IS_ENABLED(CONFIG_EFI_VARIABLES_PRESEED)) {
>  		ret = efi_var_restore((struct efi_var_file *)
>  				      __efi_var_file_begin);
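Review bot: With the efi_init_secure_state() call removed from this position, the efi_var_restore() call in the CONFIG_EFI_VARIABLES_PRESEED block now runs before the secure state has been set up. It would help to state in the commit message that the restore path does not depend on the secure state, since the description only covers the ordering relative to loading the saved non-volatile variables.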
> @@ -519,5 +515,9 @@ efi_status_t efi_init_variables(void)
>  			log_err("Invalid EFI variable seed\n");
>  	}
>
> -	return efi_var_from_file();
> +	ret = efi_var_from_file();
> +	if (ret != EFI_SUCCESS)
> +		return ret;
> +
> +	return efi_init_secure_state();
>  }
>
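Review bot: The new early return after efi_var_from_file() means that when it returns anything other than EFI_SUCCESS, efi_init_variables() exits without ever calling efi_init_secure_state(), so variables restored from the preseed are not reflected in the secure state on that path. Please confirm that every caller treats a failure here as fatal, or initialize the secure state before returning the error. A one-line comment above "return efi_init_secure_state();" saying that it must run after all non-volatile variables are loaded would also keep the call from being moved back up later.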


