author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-10 20:49:52 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-10 20:49:52 +0000 |
commit | 55944e5e40b1be2afc4855d8d2baf4b73d1876b5 (patch) | |
tree | 33f869f55a1b149e9b7c2b7e201867ca5dd52992 /src/fundamental/efivars-fundamental.c | |
parent | Initial commit. (diff) | |
download | systemd-55944e5e40b1be2afc4855d8d2baf4b73d1876b5.tar.xz systemd-55944e5e40b1be2afc4855d8d2baf4b73d1876b5.zip |
Adding upstream version 255.4.upstream/255.4
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | src/fundamental/efivars-fundamental.c | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/src/fundamental/efivars-fundamental.c b/src/fundamental/efivars-fundamental.c
new file mode 100644
index 0000000..2ec3bfb
--- /dev/null
+++ b/src/fundamental/efivars-fundamental.c
@@ -0,0 +1,37 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "efivars-fundamental.h"
+
+static const sd_char * const table[_SECURE_BOOT_MAX] = {
+ [SECURE_BOOT_UNSUPPORTED] = STR_C("unsupported"),
+ [SECURE_BOOT_DISABLED] = STR_C("disabled"),
+ [SECURE_BOOT_UNKNOWN] = STR_C("unknown"),
+ [SECURE_BOOT_AUDIT] = STR_C("audit"),
+ [SECURE_BOOT_DEPLOYED] = STR_C("deployed"),
+ [SECURE_BOOT_SETUP] = STR_C("setup"),
+ [SECURE_BOOT_USER] = STR_C("user"),
+};
+
+const sd_char *secure_boot_mode_to_string(SecureBootMode m) {
+ return (m >= 0 && m < _SECURE_BOOT_MAX) ? table[m] : NULL;
+}
+
+SecureBootMode decode_secure_boot_mode(bool secure, bool audit, bool deployed, bool setup) {
+ /* See figure 32-4 Secure Boot Modes from UEFI Specification 2.9 */
+ if (secure && deployed && !audit && !setup)
+ return SECURE_BOOT_DEPLOYED;
+ if (secure && !deployed && !audit && !setup)
+ return SECURE_BOOT_USER;
+ if (!secure && !deployed && audit && setup)
+ return SECURE_BOOT_AUDIT;
+ if (!secure && !deployed && !audit && setup)
+ return SECURE_BOOT_SETUP;
+
+ /* Some firmware allows disabling secure boot while not being in
+ * setup mode unless the PK is cleared. */
+ if (!secure && !deployed && !audit && !setup)
+ return SECURE_BOOT_DISABLED;
+
+ /* Well, this should not happen. */
+ return SECURE_BOOT_UNKNOWN;
+}
 |
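Review bot: `secure_boot_mode_to_string()` returns `NULL` for any mode outside `0.._SECURE_BOOT_MAX-1`, and nothing in the file documents that, so a caller that formats or compares the result without checking would be handed a null pointer. A comment above the function such as `/* Returns NULL for an out-of-range mode; callers must check. */` would make the contract visible. In `decode_secure_boot_mode()` the four adjacent `bool` parameters are easy to pass in the wrong order, and a swap silently yields a different mode instead of an error, so a short comment naming which firmware variable each argument mirrors would help. Callers are not visible here, but code that gates policy on the result should presumably treat only `SECURE_BOOT_USER` and `SECURE_BOOT_DEPLOYED` as enforcing, since `SECURE_BOOT_UNKNOWN` is the catch-all for every inconsistent combination of inputs.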