[PATCH 0/6] efi_loader: fix secure boot mode transitions
Heinrich Schuchardt
heinrich.schuchardt at canonical.com
Thu Aug 26 13:41:59 CEST 2021
The UEFI specification 2.9 defines the different modes that secure boot may
be in.
The patch series adds support for the "Deployed Mode" and the "Setup Mode".
Furthermore the secure boot signature database must only be loaded from
tamper-resistant storage. So we must not load it from ubootefi.var on the
EFI system partition but only from the preseed variables store or via the
OP-TEE driver for the eMMC replay protected memory partition.
Heinrich Schuchardt (6):
efi_loader: stop recursion in efi_init_secure_state
efi_loader: correct determination of secure boot state
efi_loader: don't load signature database from file
efi_loader: correct secure boot state transition
efi_loader: writing AuditMode, DeployedMode
efi_loader: always initialize the secure boot state
include/efi_variable.h | 6 ++-
lib/efi_loader/efi_var_common.c | 66 +++++++++++++++++++++++--------
lib/efi_loader/efi_var_file.c | 41 +++++++++++--------
lib/efi_loader/efi_variable.c | 20 ++++++----
lib/efi_loader/efi_variable_tee.c | 4 +-
5 files changed, 95 insertions(+), 42 deletions(-)
--
2.30.2
More information about the U-Boot
mailing list