From patchwork Mon Sep 29 05:33:09 2014
X-Patchwork-Submitter: Ivan Hu
X-Patchwork-Id: 394264
From: Ivan Hu
To: fwts-devel@lists.ubuntu.com
Subject: [PATCH] securebootcert: report info instead of failure for missing DB and KEK when secureboot disabled (LP: #1374351)
Date: Mon, 29 Sep 2014 13:33:09 +0800
Message-Id: <1411968789-1829-1-git-send-email-ivan.hu@canonical.com>
List-Id: Firmware Test Suite Development

When secureboot is enabled, it's obvious that something is wrong if the DB and KEK variables are missing, so failures will be reported. When secureboot is disabled and the DB and KEK variables are missing, report the information that the machine is not in readiness for secureboot.

Signed-off-by: Ivan Hu Acked-by: Alex Hung Acked-by: Colin Ian King --- src/uefi/securebootcert/securebootcert.c | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/src/uefi/securebootcert/securebootcert.c b/src/uefi/securebootcert/securebootcert.c index 53d9e13..4fd6cef 100644 --- a/src/uefi/securebootcert/securebootcert.c +++ b/src/uefi/securebootcert/securebootcert.c @@ -62,6 +62,7 @@ typedef struct _EFI_SIGNATURE_LIST { } static uint8_t var_found; +static bool securebooted = false; static bool compare_guid(EFI_GUID *guid1, uint8_t *guid2) { @@ -118,6 +119,8 @@ static void securebootcert_secure_boot(fwts_framework *fw, fwts_uefi_var *var, c "The secure boot variable data invalid."); return; } + if (value == 1) + securebooted = true; fwts_log_info_verbatum(fw, " Value: 0x%2.2x%s.", value, mode); fwts_passed(fw, "Secure boot relative variable %s check passed.", varname); } 
@@ -359,12 +362,19 @@ static int securebootcert_test1(fwts_framework *fw) if (!(var_found & VAR_SETUPMODE_FOUND)) fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound", "The secure boot variable SetupMode not found."); - if (!(var_found & VAR_DB_FOUND)) - fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound", - "The secure boot variable DB not found."); - if (!(var_found & VAR_KEK_FOUND)) - fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound", - "The secure boot variable KEK not found."); + if (securebooted) { + if (!(var_found & VAR_DB_FOUND)) + fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound", + "The secure boot variable DB not found."); + if (!(var_found & VAR_KEK_FOUND)) + fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootCertVariableNotFound", + "The secure boot variable KEK not found."); + } else { + if (!(var_found & VAR_DB_FOUND)) + fwts_log_info(fw, "Not in readiness for secureboot, variable DB not found."); + if (!(var_found & VAR_KEK_FOUND)) + fwts_log_info(fw, "Not in readiness for secureboot, variable KEK not found."); + } fwts_uefi_free_variable_names(&name_list);
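
Review bot: in securebootcert_secure_boot(), `securebooted` defaults to false and is set to true only after the early `return;` on the "The secure boot variable data invalid." path, so a SecureBoot variable that fails that validity check leaves the flag false and the later DB/KEK checks drop to info-only. I would downgrade only when the value was actually read and is not 1, for example by tracking "state known" separately from "enabled", so that an unreadable state keeps the LOG_LEVEL_HIGH failures. The flag is also a file-scope static that the visible hunks never clear; resetting it at the start of securebootcert_test1() avoids a stale true carrying over if the test runs more than once in a process. Since this function logs a generic `varname`, please also confirm it is invoked only for the SecureBoot variable, otherwise `value == 1` on another variable would set the flag.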
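
Review bot: the new else branch in securebootcert_test1() reports a missing DB or KEK only through fwts_log_info(), so with secure boot off these two checks no longer contribute any test result, and the `!(var_found & VAR_DB_FOUND)` and `!(var_found & VAR_KEK_FOUND)` tests are now written twice. Testing each variable once and choosing failure or info inside that test based on `securebooted` would keep the two paths from drifting apart. A short comment stating the policy (missing DB/KEK is a failure only when secure boot is enabled) would help, and the message reads better as "Not ready for secure boot, variable DB not found."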