On Thu, Aug 26, 2021 at 03:47:59PM +0200, Heinrich Schuchardt wrote:
The UEFI specification 2.9 defines the different modes that secure boot may be in.
The patch series adds support for the "Deployed Mode" and the "Setup Mode".
This sentence seems to be wrong, or at least inaccurate. "Setup Mode" has been supported from the beginning when I implemented secure boot. In other word, I implemented only the transition between "Setup Mode" and "User Mode" only.
-Takahiro Akashi
Furthermore the secure boot signature database must only be loaded from tamper-resistant storage. So we must not load it from ubootefi.var on the EFI system partition but only from the preseed variables store or via the OP-TEE driver for the eMMC replay protected memory partition.
v2: correct variable name in lib/efi_loader/efi_variable_tee.c
Heinrich Schuchardt (6): efi_loader: stop recursion in efi_init_secure_state efi_loader: correct determination of secure boot state efi_loader: don't load signature database from file efi_loader: correct secure boot state transition efi_loader: writing AuditMode, DeployedMode efi_loader: always initialize the secure boot state
include/efi_variable.h | 6 ++- lib/efi_loader/efi_var_common.c | 66 +++++++++++++++++++++++-------- lib/efi_loader/efi_var_file.c | 41 +++++++++++-------- lib/efi_loader/efi_variable.c | 20 ++++++---- lib/efi_loader/efi_variable_tee.c | 4 +- 5 files changed, 95 insertions(+), 42 deletions(-)
-- 2.30.2