diff options
author | James Bottomley <James.Bottomley@HansenPartnership.com> | 2016-05-13 14:51:11 -0700 |
---|---|---|
committer | James Bottomley <James.Bottomley@HansenPartnership.com> | 2016-05-13 14:51:11 -0700 |
commit | 25c98b2cd223b4b1bf2f3cab0e1f0e1e7e57a797 (patch) | |
tree | e56183904803e054a4295798e08a252784584d64 | |
parent | 5563561f3eed170550f722e43217350d8d1605f8 (diff) | |
download | efitools-25c98b2cd223b4b1bf2f3cab0e1f0e1e7e57a797.tar.gz |
security_policy: fully convert to override,allow and deny functions
The EFI_SECURITY2_PROTOCOL override hadn't been updated, so do that
now. Also remove the now unused security_policy_check_mok() function.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r-- | lib/security_policy.c | 37 |
1 files changed, 12 insertions, 25 deletions
diff --git a/lib/security_policy.c b/lib/security_policy.c index e66ffb0..2e3812a 100644 --- a/lib/security_policy.c +++ b/lib/security_policy.c @@ -129,21 +129,6 @@ BOOLEAN security_policy_mok_allow(VOID *data, UINTN len) return FALSE; } -static EFI_STATUS -security_policy_check_mok(void *data, UINTN len) -{ - if (security_policy_mok_override()) - return EFI_SUCCESS; - - if (security_policy_mok_deny(data, len)) - /* MOK list cannot override dbx */ - return EFI_SECURITY_VIOLATION; - - if (security_policy_mok_allow(data, len)) - return EFI_SUCCESS; - return EFI_SECURITY_VIOLATION; -} - static EFIAPI EFI_SECURITY_FILE_AUTHENTICATION_STATE esfas = NULL; static EFIAPI EFI_SECURITY2_FILE_AUTHENTICATION es2fa = NULL; @@ -161,25 +146,27 @@ security2_policy_authentication ( BOOLEAN BootPolicy ) { - EFI_STATUS status, auth; + EFI_STATUS status; + + if (sp_override && sp_override()) + return EFI_SUCCESS; + + /* if policy would deny, fail now */ + if (sp_deny && sp_deny(FileBuffer, FileSize)) + return EFI_SECURITY_VIOLATION; /* Chain original security policy */ status = es2fa(This, DevicePath, FileBuffer, FileSize, BootPolicy); - /* if OK, don't bother with MOK check */ + /* if OK, don't bother with allow check */ if (status == EFI_SUCCESS) return status; - auth = security_policy_check_mok(FileBuffer, FileSize); - - if (auth == EFI_SECURITY_VIOLATION || auth == EFI_ACCESS_DENIED) - /* return previous status, which is the correct one - * for the platform: may be either EFI_ACCESS_DENIED - * or EFI_SECURITY_VIOLATION */ - return status; + if (sp_allow && sp_allow(FileBuffer, FileSize)) + return EFI_SUCCESS; - return auth; + return status; } EFI_STATUS |