From nobody Wed Sep 10 05:18:53 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=pass(p=reject dis=none) header.from=cloud.com ARC-Seal: i=1; a=rsa-sha256; t=1757429589; cv=none; d=zohomail.com; s=zohoarc; b=Hhz/36Le7BFlEZa0a/R5YYJYqzL7R0nef2a82iZooEn0LqlPEhu52WnPLUSbUycmUCQTThBr2cRtuua3uuO5ZmilwZAtqnNN9D3X7O7vKnkTNboHNcw1RONhwtRSe45nbXZzJFFSF00xW4HaNTjA5nxsqq3cjIpJOSCHRvXN3Cw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1757429589; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=1eEqARqC+B2G8bL7TcbwWKgsOMAevlPlBxP4QFC8iu8=; b=ea+ZvTFkYhYmbH/NoLOG/TKVebI0yIh8XVqsv+a6CdxGxKZfSVQEpzdWgER+U+j6R1mNsSJ9S2YVDMU1fghQtsoaXqEfHQN7M3oQGjfxsnEuIDCYKtDwiFfIr08skciWRQ2a7ATSb2sF2ZUJ3/h4hN5PE7fPHOXS2aabxB559Os= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1757429589408608.374382086772; Tue, 9 Sep 2025 07:53:09 -0700 (PDT) Received: from list by lists.xenproject.org with outflank-mailman.1117089.1463301 (Exim 4.92) (envelope-from ) id 1uvzi8-0001xJ-Ps; Tue, 09 Sep 2025 14:52:44 +0000 Received: by outflank-mailman (output) from mailman id 1117089.1463301; Tue, 09 Sep 2025 14:52:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1uvzi8-0001xB-NO; Tue, 09 Sep 2025 14:52:44 +0000 Received: by outflank-mailman (input) for mailman id 1117089; Tue, 09 Sep 2025 14:52:44 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1uvzi7-0001x1-Ua for xen-devel@lists.xenproject.org; Tue, 09 Sep 2025 14:52:43 +0000 Received: from mail-ed1-x536.google.com (mail-ed1-x536.google.com [2a00:1450:4864:20::536]) by se1-gles-sth1.inumbo.com (Halon) with ESMTPS id a368f53f-8d8c-11f0-9d13-b5c5bf9af7f9; Tue, 09 Sep 2025 16:52:42 +0200 (CEST) Received: by mail-ed1-x536.google.com with SMTP id 4fb4d7f45d1cf-627b85e4c0fso4009962a12.1 for ; Tue, 09 Sep 2025 07:52:42 -0700 (PDT) Received: from eddie5.eng.citrite.net ([185.25.67.249]) by smtp.gmail.com with ESMTPSA id 4fb4d7f45d1cf-62c018f663asm1414898a12.43.2025.09.09.07.52.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 09 Sep 2025 07:52:41 -0700 (PDT) X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: a368f53f-8d8c-11f0-9d13-b5c5bf9af7f9 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloud.com; s=cloud; t=1757429562; x=1758034362; darn=lists.xenproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=1eEqARqC+B2G8bL7TcbwWKgsOMAevlPlBxP4QFC8iu8=; b=Ctvoi2jDK/w2HDN+dlQDS0T1eYZBiIdsEFqUAb33/r4u1g35I6HFT6FMPtEKvczCjG fDHvBIsAF6O7ooVkBxOuYAoT90yy2ue0Mlq7nEYMVZDxCDpIaHPFJdYEx5oYAgLPqz+z LB+zxbIOjA+Wt+0Se1LZwPfoFwKNpgBy651Vw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1757429562; x=1758034362; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=1eEqARqC+B2G8bL7TcbwWKgsOMAevlPlBxP4QFC8iu8=; b=Y28s9KuWgL7k4KTWypGSg/OfgxxOO2Eh59WGSfi449mnspw3vODyv3oOqFA3lxwo7E 61/NMoivG/SifJRRLk3bObn32XpD9VN57iY2adPl3braqnlXUgjPXBQrC1CAZw0054V5 i3cV/HKJVXKZzZQT3No+zSTMITjSK2MSsvPuNGJq8BhMuj79TI6hRpHWmvysIyUDQ/Eg LqxmyTCpT1EYsKEIT7drq65z+QR0dS+SGBG4mqBuEavN4FNFy105Uqz3jVINhU3xfepO Pvr5Fs+PWryV/VeY0yQfTiBcf+sZD7mGYUmi+R9D7iloq448RlWwRM8Cxkc8BdWhv+lF Fl7w== X-Gm-Message-State: AOJu0YwjM/Iba6RNN3eXArgh5veLsOGbJaVzuyv80kYHHBxAxEZ5KQYJ ydCX/KFh52V/WKJtKxlKG+HgjMu7TWAdvmJveb0owwu/Ye+hfV8s+8E5697Sf5VB82KGtQyK55T Bi9bmDmE= X-Gm-Gg: ASbGncuIWqKkEWDNdsgDrPzej+T8vDVtevVYbEYD6dsMDeqRv4rSzhbABRK5Xw/4hzT StYa8tVAANbDULcuaxXhLEw0ol4UUEv7JshekBIJoKLarMthb504D0WksjM58nkMJQznIipX/im IZDJQi7bqpa8tSx1EH6bRQiWSpXjFJ3zCmyRkia2GsbWmLyl6DmoiJWr5uSc8A2iw7F1hf9U3k4 iAzENJGnUKKBLn5SiWCQlU0iXr8460q5JOAWSitniMn0bZ4Vxx569OmPbz8pe7/whVKrsVpzN/b 2eGGTiiVMuO/hJM/rEx5RWOb1kLKgexlcorLQ0CW7EqZI4F8PK2Vb58OcDQxHLoN86r60OyUFBn DR0+XbYW2j+ETYdKGPU+6AfyjZ+CdVNssQRmTEoDeG2ayN+4H8wYQRIwW X-Google-Smtp-Source: AGHT+IGdmlzAwf9qfVQOHOdpr+P0JJ3hMje1i2OshWya4hxHI39qZjL+0rhVPA5EfM2sZT5+b4vQtQ== X-Received: by 2002:a05:6402:4302:b0:626:73d7:36c5 with SMTP id 4fb4d7f45d1cf-62673d739f9mr9997431a12.11.1757429561644; Tue, 09 Sep 2025 07:52:41 -0700 (PDT) From: Gerald Elder-Vass To: Xen-devel Cc: Ross Lagerwall , Gerald Elder-Vass , =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= , "Daniel P. Smith" , Jan Beulich , Andrew Cooper , Anthony PERARD , Michal Orzel , Julien Grall , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= , Stefano Stabellini Subject: [PATCH v5 1/2] efi: Add a function to check if Secure Boot mode is enabled Date: Tue, 9 Sep 2025 14:52:32 +0000 Message-ID: <69dad96a21e230b35d57b8e3253815f9cb1532d3.1757421999.git.gerald.elder-vass@cloud.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @cloud.com) X-ZM-MESSAGEID: 1757429595813124100 From: Ross Lagerwall Also cache it to avoid needing to repeatedly ask the firmware. Signed-off-by: Ross Lagerwall Signed-off-by: Gerald Elder-Vass --- CC: Marek Marczykowski-G=C3=B3recki CC: "Daniel P. Smith" CC: Jan Beulich CC: Andrew Cooper CC: Anthony PERARD CC: Michal Orzel CC: Julien Grall CC: "Roger Pau Monn=C3=A9" CC: Stefano Stabellini v5: - Fix line length v4: - Fix MISRA warning regarding SecureBoot string v3: - Fix build on ARM --- xen/common/efi/boot.c | 25 +++++++++++++++++++++++++ xen/common/efi/runtime.c | 1 + xen/include/xen/efi.h | 2 ++ 3 files changed, 28 insertions(+) diff --git a/xen/common/efi/boot.c b/xen/common/efi/boot.c index e12fa1a7ec04..5eb0394e2937 100644 --- a/xen/common/efi/boot.c +++ b/xen/common/efi/boot.c @@ -901,6 +901,29 @@ static void __init pre_parse(const struct file *file) " last line will be ignored.\r\n"); } =20 +static void __init init_secure_boot_mode(void) +{ + static EFI_GUID __initdata gv_uuid =3D EFI_GLOBAL_VARIABLE; + static CHAR16 __initdata str_SecureBoot[] =3D L"SecureBoot"; + EFI_STATUS status; + uint8_t data =3D 0; + UINTN size =3D sizeof(data); + UINT32 attr =3D 0; + + status =3D efi_rs->GetVariable(str_SecureBoot, &gv_uuid, &attr, &size,= &data); + + if ( status =3D=3D EFI_NOT_FOUND || + (status =3D=3D EFI_SUCCESS && + attr =3D=3D (EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS) && + size =3D=3D 1 && data =3D=3D 0) ) + /* Platform does not support Secure Boot or it's disabled. */ + efi_secure_boot =3D false; + else + /* Everything else play it safe and assume enabled. */ + efi_secure_boot =3D true; +} + static void __init efi_init(EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE *Syst= emTable) { efi_ih =3D ImageHandle; @@ -915,6 +938,8 @@ static void __init efi_init(EFI_HANDLE ImageHandle, EFI= _SYSTEM_TABLE *SystemTabl =20 StdOut =3D SystemTable->ConOut; StdErr =3D SystemTable->StdErr ?: StdOut; + + init_secure_boot_mode(); } =20 static void __init efi_console_set_mode(void) diff --git a/xen/common/efi/runtime.c b/xen/common/efi/runtime.c index 42386c6bde42..30d649ca5c1b 100644 --- a/xen/common/efi/runtime.c +++ b/xen/common/efi/runtime.c @@ -41,6 +41,7 @@ void efi_rs_leave(struct efi_rs_state *state); unsigned int __read_mostly efi_num_ct; const EFI_CONFIGURATION_TABLE *__read_mostly efi_ct; =20 +bool __ro_after_init efi_secure_boot; unsigned int __read_mostly efi_version; unsigned int __read_mostly efi_fw_revision; const CHAR16 *__read_mostly efi_fw_vendor; diff --git a/xen/include/xen/efi.h b/xen/include/xen/efi.h index 623ed2ccdf31..723cb8085270 100644 --- a/xen/include/xen/efi.h +++ b/xen/include/xen/efi.h @@ -36,6 +36,8 @@ static inline bool efi_enabled(unsigned int feature) } #endif =20 +extern bool efi_secure_boot; + void efi_init_memory(void); bool efi_boot_mem_unused(unsigned long *start, unsigned long *end); bool efi_rs_using_pgtables(void); --=20 2.47.3