diff options
author | David Howells <dhowells@redhat.com> | 2017-02-06 11:22:43 +0000 |
---|---|---|
committer | Ingo Molnar <mingo@kernel.org> | 2017-02-07 10:42:10 +0100 |
commit | de8cb458625c164bb3f93c4e415e479afce8fa9d (patch) | |
tree | 6da87e0a45c5d1e39bc5f46413123358734d8eba /include/linux/efi.h | |
parent | e58910cdc9f43cda2e52fcdf2fddbdc74e80b2f7 (diff) | |
download | linux-de8cb458625c164bb3f93c4e415e479afce8fa9d.tar.gz linux-de8cb458625c164bb3f93c4e415e479afce8fa9d.tar.bz2 linux-de8cb458625c164bb3f93c4e415e479afce8fa9d.zip |
efi: Get and store the secure boot status
Get the firmware's secure-boot status in the kernel boot wrapper and stash
it somewhere that the main kernel image can find.
The efi_get_secureboot() function is extracted from the ARM stub and (a)
generalised so that it can be called from x86 and (b) made to use
efi_call_runtime() so that it can be run in mixed-mode.
For x86, it is stored in boot_params and can be overridden by the boot
loader or kexec. This allows secure-boot mode to be passed on to a new
kernel.
Suggested-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Matt Fleming <matt@codeblueprint.co.uk>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Link: http://lkml.kernel.org/r/1486380166-31868-5-git-send-email-ard.biesheuvel@linaro.org
[ Small readability edits. ]
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Diffstat (limited to 'include/linux/efi.h')
-rw-r--r-- | include/linux/efi.h | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/include/linux/efi.h b/include/linux/efi.h index d00538a65899..94d34e0be24f 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -1480,6 +1480,14 @@ efi_status_t efi_setup_gop(efi_system_table_t *sys_table_arg, bool efi_runtime_disabled(void); extern void efi_call_virt_check_flags(unsigned long flags, const char *call); +enum efi_secureboot_mode { + efi_secureboot_mode_unset, + efi_secureboot_mode_unknown, + efi_secureboot_mode_disabled, + efi_secureboot_mode_enabled, +}; +enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table); + /* * Arch code can implement the following three template macros, avoiding * reptition for the void/non-void return cases of {__,}efi_call_virt(): |