x86/ima: check EFI SetupMode too

Checking "SecureBoot" mode is not sufficient, also check "SetupMode". Fixes: 399574c6 ("x86/ima: retry detecting secure boot mode") Reported-by: Matthew Garrett <mjg59@google.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

x86/ima: check EFI SetupMode too
Checking "SecureBoot" mode is not sufficient, also check "SetupMode". Fixes: 399574c6 ("x86/ima: retry detecting secure boot mode") Reported-by: Matthew Garrett <mjg59@google.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
980ef4d2 · Mimi Zohar · 8cdc23a3 · 980ef4d2
Commit 980ef4d2 authored Apr 24, 2019 by Mimi Zohar
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 2 deletions

arch/x86/kernel/ima_arch.c arch/x86/kernel/ima_arch.c +10 -2

No files found.
--- a/arch/x86/kernel/ima_arch.c
+++ b/arch/x86/kernel/ima_arch.c
@@ -11,10 +11,11 @@ extern struct boot_params boot_params;
 static enum efi_secureboot_mode get_sb_mode(void)
 {
 	efi_char16_t efi_SecureBoot_name[] = L"SecureBoot";
+	efi_char16_t efi_SetupMode_name[] = L"SecureBoot";
 	efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
 	efi_status_t status;
 	unsigned long size;
-	u8 secboot;
+	u8 secboot, setupmode;
 	size = sizeof(secboot);
@@ -36,7 +37,14 @@ static enum efi_secureboot_mode get_sb_mode(void)
 		return efi_secureboot_mode_unknown;
 	}
-	if (secboot == 0) {
+	size = sizeof(setupmode);
+	status = efi.get_variable(efi_SetupMode_name, &efi_variable_guid,
+				  NULL, &size, &setupmode);
+	if (status != EFI_SUCCESS)	/* ignore unknown SetupMode */
+		setupmode = 0;
+	if (secboot == 0 || setupmode == 1) {
 		pr_info("ima: secureboot mode disabled\n");
 		return efi_secureboot_mode_disabled;
 	}