protos/linux: Report UEFI Secure Boot state to the kernel
diff --git a/common/protos/linux_risc.c b/common/protos/linux_risc.c
index 6e6285a4..b927ce49 100644
--- a/common/protos/linux_risc.c
+++ b/common/protos/linux_risc.c
@@ -211,12 +211,9 @@ static void prepare_device_tree_blob(struct boot_param *p) {
panic(true, "linux: failed to set UEFI system table pointer: '%s'", fdt_strerror(ret));
}
- // This property is not required by mainline Linux, but is required by
- // Debian (and derivative) kernels, because Debian has a patch that adds
- // this flag, and the existing logic that deals with it will just outright
- // fail if any of the properties is missing. We don't care about Debian's
- // hardening or whatever, so just always report that secure boot is off.
- ret = fdt_set_chosen_uint32(dtb, "linux,uefi-secure-boot", 0);
+ // Report UEFI Secure Boot state via the /chosen FDT property. Values
+ // match Linux's efi_secureboot_mode enum: 2 = disabled, 3 = enabled.
+ ret = fdt_set_chosen_uint32(dtb, "linux,uefi-secure-boot", secure_boot_active ? 3 : 2);
if (ret < 0) {
panic(true, "linux: failed to set UEFI secure boot state: '%s'", fdt_strerror(ret));
}
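Review bot: The 3 and 2 on the `fdt_set_chosen_uint32` line are bare literals that the comment has to explain, and the same pair is repeated without any comment in linux_x86.c's `boot_params->secure_boot = secure_boot_active ? 3 : 2;`, so a shared named constant would keep the two protocol paths in step if either is edited later. Linux's efi_secureboot_mode enum also has 0 = unset and 1 = unknown, and depending on its lockdown configuration the kernel may lock down when it sees 3, so the comment should state that the bool deliberately folds every non-enabled state into "disabled" rather than "unknown". Suggested: `enum { LINUX_EFI_SECUREBOOT_DISABLED = 2, LINUX_EFI_SECUREBOOT_ENABLED = 3 };` in a header both files include, with the call becoming `secure_boot_active ? LINUX_EFI_SECUREBOOT_ENABLED : LINUX_EFI_SECUREBOOT_DISABLED`. What sets `secure_boot_active` is outside this diff, as is most of `prepare_device_tree_blob`, which starts before and continues after the hunk.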
diff --git a/common/protos/linux_x86.c b/common/protos/linux_x86.c
index 8960e196..cf67099b 100644
--- a/common/protos/linux_x86.c
+++ b/common/protos/linux_x86.c
@@ -622,6 +622,8 @@ no_fb:;
boot_params->efi_info.efi_memmap_size = efi_mmap_size;
boot_params->efi_info.efi_memdesc_size = efi_desc_size;
boot_params->efi_info.efi_memdesc_version = efi_desc_ver;
+
+ boot_params->secure_boot = secure_boot_active ? 3 : 2;
#endif
///////////////////////////////////////
