diff options
author | AKASHI Takahiro <takahiro.akashi@linaro.org> | 2020-04-14 11:51:45 +0900 |
---|---|---|
committer | Heinrich Schuchardt <xypron.glpk@gmx.de> | 2020-04-16 08:12:46 +0200 |
commit | d0f07949cc390b06e6ee36a0b5e5a9f70ea3dae1 (patch) | |
tree | 35cbc3660c1829b223b5c3feb04f208c9ba7ff5f /lib/efi_loader/efi_setup.c | |
parent | 4540dabdcacaea50bf874115f28adc103966d25a (diff) |
efi_loader: set up secure boot
The following variable is exported as UEFI specification defines:
SignatureSupport: array of GUIDs representing the type of signatures
supported by the platform firmware
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Diffstat (limited to 'lib/efi_loader/efi_setup.c')
-rw-r--r-- | lib/efi_loader/efi_setup.c | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/lib/efi_loader/efi_setup.c b/lib/efi_loader/efi_setup.c index b458093dfb..1b648c8467 100644 --- a/lib/efi_loader/efi_setup.c +++ b/lib/efi_loader/efi_setup.c @@ -82,6 +82,39 @@ out: return ret; } +#ifdef CONFIG_EFI_SECURE_BOOT +/** + * efi_init_secure_boot - initialize secure boot state + * + * Return: EFI_SUCCESS on success, status code (negative) on error + */ +static efi_status_t efi_init_secure_boot(void) +{ + efi_guid_t signature_types[] = { + EFI_CERT_SHA256_GUID, + EFI_CERT_X509_GUID, + }; + efi_status_t ret; + + /* TODO: read-only */ + ret = EFI_CALL(efi_set_variable(L"SignatureSupport", + &efi_global_variable_guid, + EFI_VARIABLE_BOOTSERVICE_ACCESS + | EFI_VARIABLE_RUNTIME_ACCESS, + sizeof(signature_types), + &signature_types)); + if (ret != EFI_SUCCESS) + printf("EFI: cannot initialize SignatureSupport variable\n"); + + return ret; +} +#else +static efi_status_t efi_init_secure_boot(void) +{ + return EFI_SUCCESS; +} +#endif /* CONFIG_EFI_SECURE_BOOT */ + /** * efi_init_obj_list() - Initialize and populate EFI object list * @@ -127,6 +160,11 @@ efi_status_t efi_init_obj_list(void) if (ret != EFI_SUCCESS) goto out; + /* Secure boot */ + ret = efi_init_secure_boot(); + if (ret != EFI_SUCCESS) + goto out; + /* Indicate supported runtime services */ ret = efi_init_runtime_supported(); if (ret != EFI_SUCCESS) |