release/5.2.37/x86-ima-use-correct-identifier-for-SetupMode-variabl.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-5.2 - Git at Google

 From e139889b12be1d316762804930124c5fb595fbb1 Mon Sep 17 00:00:00 2001
 From: Ard Biesheuvel <ardb@kernel.org>
 Date: Sat, 1 Feb 2020 09:32:21 +0100
 Subject: [PATCH] x86/ima: use correct identifier for SetupMode variable

 commit ff5ac61ee83c13f516544d29847d28be093a40ee upstream.

 The IMA arch code attempts to inspect the "SetupMode" EFI variable
 by populating a variable called efi_SetupMode_name with the string
 "SecureBoot" and passing that to the EFI GetVariable service, which
 obviously does not yield the expected result.

 Given that the string is only referenced a single time, let's get
 rid of the intermediate variable, and pass the correct string as
 an immediate argument. While at it, do the same for "SecureBoot".

 Fixes: 399574c64eaf ("x86/ima: retry detecting secure boot mode")
 Fixes: 980ef4d22a95 ("x86/ima: check EFI SetupMode too")
 Cc: Matthew Garrett <mjg59@google.com>
 Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
 Cc: stable@vger.kernel.org # v5.3
 Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c
 index 4c407833faca..fa188de3f424 100644
 --- a/arch/x86/kernel/ima_arch.c
 +++ b/arch/x86/kernel/ima_arch.c
 @@ -10,8 +10,6 @@ extern struct boot_params boot_params;

  static enum efi_secureboot_mode get_sb_mode(void)
  {
 -	efi_char16_t efi_SecureBoot_name[] = L"SecureBoot";
 -	efi_char16_t efi_SetupMode_name[] = L"SecureBoot";
  	efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
  	efi_status_t status;
  	unsigned long size;
 @@ -25,7 +23,7 @@ static enum efi_secureboot_mode get_sb_mode(void)
  	}

  	/* Get variable contents into buffer */
 -	status = efi.get_variable(efi_SecureBoot_name, &efi_variable_guid,
 +	status = efi.get_variable(L"SecureBoot", &efi_variable_guid,
  				  NULL, &size, &secboot);
  	if (status == EFI_NOT_FOUND) {
  		pr_info("ima: secureboot mode disabled\n");
 @@ -38,7 +36,7 @@ static enum efi_secureboot_mode get_sb_mode(void)
  	}

  	size = sizeof(setupmode);
 -	status = efi.get_variable(efi_SetupMode_name, &efi_variable_guid,
 +	status = efi.get_variable(L"SetupMode", &efi_variable_guid,
  				  NULL, &size, &setupmode);

  	if (status != EFI_SUCCESS)	/* ignore unknown SetupMode */
 --
 2.7.4
	From e139889b12be1d316762804930124c5fb595fbb1 Mon Sep 17 00:00:00 2001
	From: Ard Biesheuvel <ardb@kernel.org>
	Date: Sat, 1 Feb 2020 09:32:21 +0100
	Subject: [PATCH] x86/ima: use correct identifier for SetupMode variable

	commit ff5ac61ee83c13f516544d29847d28be093a40ee upstream.

	The IMA arch code attempts to inspect the "SetupMode" EFI variable
	by populating a variable called efi_SetupMode_name with the string
	"SecureBoot" and passing that to the EFI GetVariable service, which
	obviously does not yield the expected result.

	Given that the string is only referenced a single time, let's get
	rid of the intermediate variable, and pass the correct string as
	an immediate argument. While at it, do the same for "SecureBoot".

	Fixes: 399574c64eaf ("x86/ima: retry detecting secure boot mode")
	Fixes: 980ef4d22a95 ("x86/ima: check EFI SetupMode too")
	Cc: Matthew Garrett <mjg59@google.com>
	Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
	Cc: stable@vger.kernel.org # v5.3
	Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c
	index 4c407833faca..fa188de3f424 100644
	--- a/arch/x86/kernel/ima_arch.c
	+++ b/arch/x86/kernel/ima_arch.c
	@@ -10,8 +10,6 @@ extern struct boot_params boot_params;

	static enum efi_secureboot_mode get_sb_mode(void)
	{
	- efi_char16_t efi_SecureBoot_name[] = L"SecureBoot";
	- efi_char16_t efi_SetupMode_name[] = L"SecureBoot";
	efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
	efi_status_t status;
	unsigned long size;
	@@ -25,7 +23,7 @@ static enum efi_secureboot_mode get_sb_mode(void)
	}

	/* Get variable contents into buffer */
	- status = efi.get_variable(efi_SecureBoot_name, &efi_variable_guid,
	+ status = efi.get_variable(L"SecureBoot", &efi_variable_guid,
	NULL, &size, &secboot);
	if (status == EFI_NOT_FOUND) {
	pr_info("ima: secureboot mode disabled\n");
	@@ -38,7 +36,7 @@ static enum efi_secureboot_mode get_sb_mode(void)
	}

	size = sizeof(setupmode);
	- status = efi.get_variable(efi_SetupMode_name, &efi_variable_guid,
	+ status = efi.get_variable(L"SetupMode", &efi_variable_guid,
	NULL, &size, &setupmode);

	if (status != EFI_SUCCESS) /* ignore unknown SetupMode */
	--
	2.7.4