summaryrefslogtreecommitdiffstats
path: root/include/linux/efi.h
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2017-02-06 11:22:43 +0000
committerIngo Molnar <mingo@kernel.org>2017-02-07 10:42:10 +0100
commitde8cb458625c164bb3f93c4e415e479afce8fa9d (patch)
tree6da87e0a45c5d1e39bc5f46413123358734d8eba /include/linux/efi.h
parente58910cdc9f43cda2e52fcdf2fddbdc74e80b2f7 (diff)
downloadlinux-de8cb458625c164bb3f93c4e415e479afce8fa9d.tar.gz
linux-de8cb458625c164bb3f93c4e415e479afce8fa9d.tar.bz2
linux-de8cb458625c164bb3f93c4e415e479afce8fa9d.zip
efi: Get and store the secure boot status
Get the firmware's secure-boot status in the kernel boot wrapper and stash it somewhere that the main kernel image can find. The efi_get_secureboot() function is extracted from the ARM stub and (a) generalised so that it can be called from x86 and (b) made to use efi_call_runtime() so that it can be run in mixed-mode. For x86, it is stored in boot_params and can be overridden by the boot loader or kexec. This allows secure-boot mode to be passed on to a new kernel. Suggested-by: Lukas Wunner <lukas@wunner.de> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Matt Fleming <matt@codeblueprint.co.uk> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: linux-efi@vger.kernel.org Link: http://lkml.kernel.org/r/1486380166-31868-5-git-send-email-ard.biesheuvel@linaro.org [ Small readability edits. ] Signed-off-by: Ingo Molnar <mingo@kernel.org>
Diffstat (limited to 'include/linux/efi.h')
-rw-r--r--include/linux/efi.h8
1 files changed, 8 insertions, 0 deletions
diff --git a/include/linux/efi.h b/include/linux/efi.h
index d00538a65899..94d34e0be24f 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -1480,6 +1480,14 @@ efi_status_t efi_setup_gop(efi_system_table_t *sys_table_arg,
bool efi_runtime_disabled(void);
extern void efi_call_virt_check_flags(unsigned long flags, const char *call);
+enum efi_secureboot_mode {
+ efi_secureboot_mode_unset,
+ efi_secureboot_mode_unknown,
+ efi_secureboot_mode_disabled,
+ efi_secureboot_mode_enabled,
+};
+enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table);
+
/*
* Arch code can implement the following three template macros, avoiding
* reptition for the void/non-void return cases of {__,}efi_call_virt():