x86/ima: use correct identifier for SetupMode variable (ff5ac61e) · Commits · 戴 / test

The IMA arch code attempts to inspect the "SetupMode" EFI variable by populating a variable called efi_SetupMode_name with the string "SecureBoot" and passing that to the EFI GetVariable service, which obviously does not yield the expected result. Given that the string is only referenced a single time, let's get rid of the intermediate variable, and pass the correct string as an immediate argument. While at it, do the same for "SecureBoot". Fixes: ("x86/ima: retry detecting secure boot mode") Fixes: ("x86/ima: check EFI SetupMode too") Cc: Matthew Garrett <mjg59@google.com> Signed-off-by:

Ard Biesheuvel <ardb@kernel.org> Cc: stable@vger.kernel.org # v5.3 Signed-off-by:

Mimi Zohar <zohar@linux.ibm.com>

arch/x86/kernel/ima_arch.c

+2 −4

Original line number	Diff line number	Diff line
		@@ -10,8 +10,6 @@ extern struct boot_params boot_params;

		static enum efi_secureboot_mode get_sb_mode(void)
		{
		efi_char16_t efi_SecureBoot_name[] = L"SecureBoot";
		efi_char16_t efi_SetupMode_name[] = L"SecureBoot";
		efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
		efi_status_t status;
		unsigned long size;
		@@ -25,7 +23,7 @@ static enum efi_secureboot_mode get_sb_mode(void)
		}

		/* Get variable contents into buffer */
		status = efi.get_variable(efi_SecureBoot_name, &efi_variable_guid,
		status = efi.get_variable(L"SecureBoot", &efi_variable_guid,
		NULL, &size, &secboot);
		if (status == EFI_NOT_FOUND) {
		pr_info("ima: secureboot mode disabled\n");
		@@ -38,7 +36,7 @@ static enum efi_secureboot_mode get_sb_mode(void)
		}

		size = sizeof(setupmode);
		status = efi.get_variable(efi_SetupMode_name, &efi_variable_guid,
		status = efi.get_variable(L"SetupMode", &efi_variable_guid,
		NULL, &size, &setupmode);

		if (status != EFI_SUCCESS) /* ignore unknown SetupMode */

Admin message