From 868b3721159ee615a1b774645d610a13b5827e5e Mon Sep 17 00:00:00 2001

From: Gary Ching-Pang Lin <glin@suse.com>

Date: Thu, 31 Oct 2013 16:08:32 +0800

Subject: [PATCH 40/74] Check the secure variables with the lib functions

There are functions defined in lib to check the secure variables.

Use the functions to shun the duplicate code.

Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>

Conflicts:

	shim.c

---

 lib/variables.c | 14 ++++++++++----

 shim.c          | 32 ++------------------------------

 2 files changed, 12 insertions(+), 34 deletions(-)

diff --git a/lib/variables.c b/lib/variables.c

index 3a9735e..4c64d7e 100644

--- a/lib/variables.c

+++ b/lib/variables.c

@@ -284,9 +284,12 @@ variable_is_setupmode(void)

 	/* set to 1 because we return true if SetupMode doesn't exist */

 	UINT8 SetupMode = 1;

 	UINTN DataSize = sizeof(SetupMode);

+	EFI_STATUS status;

-	uefi_call_wrapper(RT->GetVariable, 5, L"SetupMode", &GV_GUID, NULL,

-			  &DataSize, &SetupMode);

+	status = uefi_call_wrapper(RT->GetVariable, 5, L"SetupMode", &GV_GUID, NULL,

+				   &DataSize, &SetupMode);

+	if (EFI_ERROR(status))

+		return 1;

 	return SetupMode;

 }

@@ -297,10 +300,13 @@ variable_is_secureboot(void)

 	/* return false if variable doesn't exist */

 	UINT8 SecureBoot = 0;

 	UINTN DataSize;

+	EFI_STATUS status;

 	DataSize = sizeof(SecureBoot);

-	uefi_call_wrapper(RT->GetVariable, 5, L"SecureBoot", &GV_GUID, NULL,

-			  &DataSize, &SecureBoot);

+	status = uefi_call_wrapper(RT->GetVariable, 5, L"SecureBoot", &GV_GUID, NULL,

+				   &DataSize, &SecureBoot);

+	if (EFI_ERROR(status))

+		return 0;

 	return SecureBoot;

 }

diff --git a/shim.c b/shim.c

index 210e778..14fb601 100644

--- a/shim.c

+++ b/shim.c

@@ -475,44 +475,16 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert,

 static BOOLEAN secure_mode (void)

 {

-	EFI_STATUS status;

-	EFI_GUID global_var = EFI_GLOBAL_VARIABLE;

-	UINTN len;

-	UINT8 *Data;

-	UINT8 sb, setupmode;

-

 	if (user_insecure_mode)

 		return FALSE;

-	status = get_variable(L"SecureBoot", &Data, &len, global_var);

-	if (status != EFI_SUCCESS) {

+	if (variable_is_secureboot() != 1) {

 		if (verbose && !in_protocol)

 			console_notify(L"Secure boot not enabled");

 		return FALSE;

 	}

-	sb = *Data;

-	FreePool(Data);

-

-	if (sb != 1) {

-		if (verbose && !in_protocol)

-			console_notify(L"Secure boot not enabled");

-		return FALSE;

-	}

-

-	/* If we /do/ have "SecureBoot", but /don't/ have "SetupMode",

-	 * then the implementation is bad, but we assume that secure boot is

-	 * enabled according to the status of "SecureBoot".  If we have both

-	 * of them, then "SetupMode" may tell us additional data, and we need

-	 * to consider it.

-	 */

-	status = get_variable(L"SetupMode", &Data, &len, global_var);

-	if (status != EFI_SUCCESS)

-		return TRUE;

-

-	setupmode = *Data;

-	FreePool(Data);

-	if (setupmode == 1) {

+	if (variable_is_setupmode() == 1) {

 		if (verbose && !in_protocol)

 			console_notify(L"Platform is in setup mode");

 		return FALSE;

-- 

1.9.3