Adding upstream version 255.4.upstream/255.4

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 37 insertions, 0 deletions

diff --git a/src/fundamental/efivars-fundamental.c b/src/fundamental/efivars-fundamental.c
new file mode 100644
index 0000000..2ec3bfb
--- /dev/null
+++ b/src/fundamental/efivars-fundamental.c
@@ -0,0 +1,37 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "efivars-fundamental.h"
+
+static const sd_char * const table[_SECURE_BOOT_MAX] = {
+        [SECURE_BOOT_UNSUPPORTED] = STR_C("unsupported"),
+        [SECURE_BOOT_DISABLED]    = STR_C("disabled"),
+        [SECURE_BOOT_UNKNOWN]     = STR_C("unknown"),
+        [SECURE_BOOT_AUDIT]       = STR_C("audit"),
+        [SECURE_BOOT_DEPLOYED]    = STR_C("deployed"),
+        [SECURE_BOOT_SETUP]       = STR_C("setup"),
+        [SECURE_BOOT_USER]        = STR_C("user"),
+};
+
+const sd_char *secure_boot_mode_to_string(SecureBootMode m) {
+        return (m >= 0 && m < _SECURE_BOOT_MAX) ? table[m] : NULL;
+}
+
+SecureBootMode decode_secure_boot_mode(bool secure, bool audit, bool deployed, bool setup) {
+        /* See figure 32-4 Secure Boot Modes from UEFI Specification 2.9 */
+        if (secure && deployed && !audit && !setup)
+                return SECURE_BOOT_DEPLOYED;
+        if (secure && !deployed && !audit && !setup)
+                return SECURE_BOOT_USER;
+        if (!secure && !deployed && audit && setup)
+                return SECURE_BOOT_AUDIT;
+        if (!secure && !deployed && !audit && setup)
+                return SECURE_BOOT_SETUP;
+
+        /* Some firmware allows disabling secure boot while not being in
+         * setup mode unless the PK is cleared. */
+        if (!secure && !deployed && !audit && !setup)
+                return SECURE_BOOT_DISABLED;
+
+        /* Well, this should not happen. */
+        return SECURE_BOOT_UNKNOWN;
+}