efi_loader: value of VendorKeys

According to the UEFI specification the variable VendorKeys is 1 if the "system is configured to use only vendor-provided keys". As we do not supply any vendor keys yet the variable VendorKeys must be zero. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2025-05-09 03:21:51 +00:00 · 2020-07-04 22:41:26 +02:00 · 2020-07-04 22:41:26 +02:00 · fd7b6730ab
commit fd7b6730ab
parent 37fa7cb045
1 changed files with 15 additions and 60 deletions
--- a/lib/efi_loader/efi_variable.c
+++ b/lib/efi_loader/efi_variable.c
@ -282,45 +282,29 @@ err:
 */
 static efi_status_t efi_init_secure_state(void)
 {
-	enum efi_secure_mode mode;
+	enum efi_secure_mode mode = EFI_MODE_SETUP;
-	efi_uintn_t size;
+	efi_uintn_t size = 0;
 	efi_status_t ret;
 	/*
 	 * TODO:
 	 * Since there is currently no "platform-specific" installation
 	 * method of Platform Key, we can't say if VendorKeys is 0 or 1
 	 * precisely.
 	 */
 	size = 0;
 	ret = efi_get_variable_int(L"PK", &efi_global_variable_guid,
 				   NULL, &size, NULL, NULL);
 	if (ret == EFI_BUFFER_TOO_SMALL) {
 		if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT))
 			mode = EFI_MODE_USER;
 		else
 			mode = EFI_MODE_SETUP;
 		efi_vendor_keys = 0;
 	} else if (ret == EFI_NOT_FOUND) {
 		mode = EFI_MODE_SETUP;
 		efi_vendor_keys = 1;
 	} else {
 		goto err;
 	}
 	ret = efi_transfer_secure_state(mode);
-	if (ret == EFI_SUCCESS)
+	if (ret != EFI_SUCCESS)
-		ret = efi_set_variable_int(L"VendorKeys",
+		return ret;
 					   &efi_global_variable_guid,
 					   EFI_VARIABLE_BOOTSERVICE_ACCESS |
 					   EFI_VARIABLE_RUNTIME_ACCESS |
 					   EFI_VARIABLE_READ_ONLY,
 					   sizeof(efi_vendor_keys),
 					   &efi_vendor_keys, false);
-err:
+	/* As we do not provide vendor keys this variable is always 0. */
 	ret = efi_set_variable_int(L"VendorKeys",
 				   &efi_global_variable_guid,
 				   EFI_VARIABLE_BOOTSERVICE_ACCESS |
 				   EFI_VARIABLE_RUNTIME_ACCESS |
 				   EFI_VARIABLE_READ_ONLY,
 				   sizeof(efi_vendor_keys),
 				   &efi_vendor_keys, false);
 	return ret;
 }
@ -998,39 +982,10 @@ out:
 	if (env_set(native_name, val)) {
 		ret = EFI_DEVICE_ERROR;
 	} else {
-		bool vendor_keys_modified = false;
+		if (!u16_strcmp(variable_name, L"PK"))
-
+			ret = efi_init_secure_state();
-		if ((u16_strcmp(variable_name, L"PK") == 0 &&
+		else
 		     guidcmp(vendor, &efi_global_variable_guid) == 0)) {
 			ret = efi_transfer_secure_state(
 					(delete ? EFI_MODE_SETUP :
 						  EFI_MODE_USER));
 			if (ret != EFI_SUCCESS)
 				goto err;
 			if (efi_secure_mode != EFI_MODE_SETUP)
 				vendor_keys_modified = true;
 		} else if ((u16_strcmp(variable_name, L"KEK") == 0 &&
 		     guidcmp(vendor, &efi_global_variable_guid) == 0)) {
 			if (efi_secure_mode != EFI_MODE_SETUP)
 				vendor_keys_modified = true;
 		}
 		/* update VendorKeys */
 		if (vendor_keys_modified & efi_vendor_keys) {
 			efi_vendor_keys = 0;
 			ret = efi_set_variable_int(
 						L"VendorKeys",
 						&efi_global_variable_guid,
 						EFI_VARIABLE_BOOTSERVICE_ACCESS
 						 | EFI_VARIABLE_RUNTIME_ACCESS
 						 | EFI_VARIABLE_READ_ONLY,
 						sizeof(efi_vendor_keys),
 						&efi_vendor_keys,
 						false);
 		} else {
 			ret = EFI_SUCCESS;
 		}
 	}
 err: