summaryrefslogtreecommitdiffstats
path: root/src/fundamental/efivars-fundamental.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-10 20:49:52 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-10 20:49:52 +0000
commit55944e5e40b1be2afc4855d8d2baf4b73d1876b5 (patch)
tree33f869f55a1b149e9b7c2b7e201867ca5dd52992 /src/fundamental/efivars-fundamental.c
parentInitial commit. (diff)
downloadsystemd-55944e5e40b1be2afc4855d8d2baf4b73d1876b5.tar.xz
systemd-55944e5e40b1be2afc4855d8d2baf4b73d1876b5.zip
Adding upstream version 255.4.upstream/255.4
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/fundamental/efivars-fundamental.c')
-rw-r--r--src/fundamental/efivars-fundamental.c37
1 files changed, 37 insertions, 0 deletions
diff --git a/src/fundamental/efivars-fundamental.c b/src/fundamental/efivars-fundamental.c
new file mode 100644
index 0000000..2ec3bfb
--- /dev/null
+++ b/src/fundamental/efivars-fundamental.c
@@ -0,0 +1,37 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "efivars-fundamental.h"
+
+static const sd_char * const table[_SECURE_BOOT_MAX] = {
+ [SECURE_BOOT_UNSUPPORTED] = STR_C("unsupported"),
+ [SECURE_BOOT_DISABLED] = STR_C("disabled"),
+ [SECURE_BOOT_UNKNOWN] = STR_C("unknown"),
+ [SECURE_BOOT_AUDIT] = STR_C("audit"),
+ [SECURE_BOOT_DEPLOYED] = STR_C("deployed"),
+ [SECURE_BOOT_SETUP] = STR_C("setup"),
+ [SECURE_BOOT_USER] = STR_C("user"),
+};
+
+const sd_char *secure_boot_mode_to_string(SecureBootMode m) {
+ return (m >= 0 && m < _SECURE_BOOT_MAX) ? table[m] : NULL;
+}
+
+SecureBootMode decode_secure_boot_mode(bool secure, bool audit, bool deployed, bool setup) {
+ /* See figure 32-4 Secure Boot Modes from UEFI Specification 2.9 */
+ if (secure && deployed && !audit && !setup)
+ return SECURE_BOOT_DEPLOYED;
+ if (secure && !deployed && !audit && !setup)
+ return SECURE_BOOT_USER;
+ if (!secure && !deployed && audit && setup)
+ return SECURE_BOOT_AUDIT;
+ if (!secure && !deployed && !audit && setup)
+ return SECURE_BOOT_SETUP;
+
+ /* Some firmware allows disabling secure boot while not being in
+ * setup mode unless the PK is cleared. */
+ if (!secure && !deployed && !audit && !setup)
+ return SECURE_BOOT_DISABLED;
+
+ /* Well, this should not happen. */
+ return SECURE_BOOT_UNKNOWN;
+}