The UEFI specification 2.9 defines the different modes that secure boot may be in.
The patch series adds support for the "Deployed Mode" and the "Setup Mode".
Furthermore the secure boot signature database must only be loaded from tamper-resistant storage. So we must not load it from ubootefi.var on the EFI system partition but only from the preseed variables store or via the OP-TEE driver for the eMMC replay protected memory partition.
v2: correct variable name in lib/efi_loader/efi_variable_tee.c
Heinrich Schuchardt (6): efi_loader: stop recursion in efi_init_secure_state efi_loader: correct determination of secure boot state efi_loader: don't load signature database from file efi_loader: correct secure boot state transition efi_loader: writing AuditMode, DeployedMode efi_loader: always initialize the secure boot state
include/efi_variable.h | 6 ++- lib/efi_loader/efi_var_common.c | 66 +++++++++++++++++++++++-------- lib/efi_loader/efi_var_file.c | 41 +++++++++++-------- lib/efi_loader/efi_variable.c | 20 ++++++---- lib/efi_loader/efi_variable_tee.c | 4 +- 5 files changed, 95 insertions(+), 42 deletions(-)