[PATCH 0/6] efi_loader: fix secure boot mode transitions

Heinrich Schuchardt heinrich.schuchardt at canonical.com
Thu Aug 26 13:41:59 CEST 2021


The UEFI specification 2.9 defines the different modes that secure boot may
be in. 

The patch series adds support for the "Deployed Mode" and the "Setup Mode".

Furthermore the secure boot signature database must only be loaded from
tamper-resistant storage. So we must not load it from ubootefi.var on the
EFI system partition but only from the preseed variables store or via the
OP-TEE driver for the eMMC replay protected memory partition.

Heinrich Schuchardt (6):
  efi_loader: stop recursion in efi_init_secure_state
  efi_loader: correct determination of secure boot state
  efi_loader: don't load signature database from file
  efi_loader: correct secure boot state transition
  efi_loader: writing AuditMode, DeployedMode
  efi_loader: always initialize the secure boot state

 include/efi_variable.h            |  6 ++-
 lib/efi_loader/efi_var_common.c   | 66 +++++++++++++++++++++++--------
 lib/efi_loader/efi_var_file.c     | 41 +++++++++++--------
 lib/efi_loader/efi_variable.c     | 20 ++++++----
 lib/efi_loader/efi_variable_tee.c |  4 +-
 5 files changed, 95 insertions(+), 42 deletions(-)

-- 
2.30.2



More information about the U-Boot mailing list