[PATCH v2 6/6] efi_loader: always initialize the secure boot state

Heinrich Schuchardt heinrich.schuchardt at canonical.com
Thu Aug 26 15:48:05 CEST 2021


Even if we cannot read the variable store from disk we still need to
initialize the secure boot state.

Don't continue to boot if the variable preseed is invalid as this indicates
that the variable store has been tampered with.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt at canonical.com>
---
v2:
	no change
---
 lib/efi_loader/efi_variable.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c
index 80996d0f47..6d92229e2a 100644
--- a/lib/efi_loader/efi_variable.c
+++ b/lib/efi_loader/efi_variable.c
@@ -427,13 +427,17 @@ efi_status_t efi_init_variables(void)
 	if (IS_ENABLED(CONFIG_EFI_VARIABLES_PRESEED)) {
 		ret = efi_var_restore((struct efi_var_file *)
 				      __efi_var_file_begin, true);
-		if (ret != EFI_SUCCESS)
+		if (ret != EFI_SUCCESS) {
 			log_err("Invalid EFI variable seed\n");
+			return ret;
+		}
 	}
-
-	ret = efi_var_from_file();
+	ret = efi_init_secure_state();
 	if (ret != EFI_SUCCESS)
 		return ret;
 
-	return efi_init_secure_state();
+	/* Don't stop booting if variable store is not available */
+	efi_var_from_file();
+
+	return EFI_SUCCESS;
 }
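
Review bot: The return value of efi_var_from_file() at the end of the hunk is now dropped without a trace, so a variable store that is simply unavailable and one that failed to load for some other reason look identical to anyone debugging the boot. Consider keeping the status and emitting a log message (for example with log_warning()) when it is not EFI_SUCCESS, while still returning EFI_SUCCESS as the comment intends. Separately, efi_init_secure_state() now runs before efi_var_from_file(), so the secure boot state is computed without anything the file would contribute; a one-line comment stating that this ordering is deliberate would help later readers, as would a note in the commit message.
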
-- 
2.30.2


