x86/efi: Initialize and display UEFI secure boot state a bit later during init
authorDaniel Kiper <daniel.kiper@oracle.com>
Thu, 14 Dec 2017 14:31:56 +0000 (15:31 +0100)
committerDaniel Kiper <daniel.kiper@oracle.com>
Thu, 21 Dec 2017 22:55:11 +0000 (23:55 +0100)
Otherwise Xen dom0 does not display the "Secure boot enabled" message when it runs
on a secure-boot-enabled platform. This happens because boot_params.secure_boot
is initialized too late. However, despite the lack of the message, all features depending
on UEFI secure boot are enabled properly.

Orabug: 27258204

Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
arch/x86/kernel/setup.c
arch/x86/platform/efi/efi.c
init/main.c

index 98ab1e8a85d3e7033fda76de5c60748826b9e116..9da730e452e46249c42bdd676e6cae462cc8124a 100644 (file)
@@ -1149,14 +1149,6 @@ void __init setup_arch(char **cmdline_p)
        /* Allocate bigger log buffer */
        setup_log_buf(1);
 
-#ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL
-       if (boot_params.secure_boot) {
-               set_bit(EFI_SECURE_BOOT, &efi.flags);
-               set_securelevel(1);
-               pr_info("Secure boot enabled\n");
-       }
-#endif
-
        reserve_initrd();
 
 #if defined(CONFIG_ACPI) && defined(CONFIG_BLK_DEV_INITRD)
index 9020fc1f73062af63a11ac8d100fb1792bdb30f7..e3811ccdc2ecea36a4003c382f8eb8dbf642bc39 100644 (file)
@@ -93,6 +93,9 @@ static int __init efi_secure_boot_enabled(void)
        if (boot_params.secure_boot)
                return 1;
 
+       if (!efi_enabled(EFI_RUNTIME_SERVICES))
+               return 0;
+
        status = efi.get_variable((efi_char16_t*)sb_var,
                                &var_guid, NULL, &datasize, &sb);
 
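Review bot: The new early return `if (!efi_enabled(EFI_RUNTIME_SERVICES)) return 0;` reports an indeterminate state as "secure boot disabled". When runtime services are unavailable and `boot_params.secure_boot` was not set by the boot path, the SecureBoot variable is never read, and the caller presumably leaves the securelevel unraised. That fail-open choice deserves a comment at the check, e.g. `/* No runtime services: SecureBoot cannot be queried, state is treated as disabled */`, and possibly a `pr_warn()` so the condition shows up in the boot log. efi_secure_boot_enabled() begins and ends outside this hunk, so the handling of `status` after `efi.get_variable()` could not be checked.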
@@ -482,7 +485,9 @@ void __init efi_secure_boot_init(void)
 
        boot_params.secure_boot = 1;
 #ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL
+       set_bit(EFI_SECURE_BOOT, &efi.flags);
        set_securelevel(1);
+       pr_info("Secure boot enabled\n");
 #endif
 }
 
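Review bot: With `set_bit(EFI_SECURE_BOOT, &efi.flags)` and `set_securelevel(1)` now done only here, everything that runs between setup_arch() and the efi_secure_boot_init() call in start_kernel() sees the flag clear and the securelevel unraised. The block removed from setup_arch() set both as soon as `boot_params.secure_boot` was known. Whether any code in that window consults `efi_enabled(EFI_SECURE_BOOT)` or the securelevel is not visible from this diff, so the window is worth auditing. The ordering requirement should be recorded above the function, e.g. `/* Must run before anything that relies on securelevel or EFI_SECURE_BOOT */`. The function starts outside this hunk, so the conditions under which these lines are reached could not be reviewed.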
index 49a7559e25007ae6747643a657779c1176959672..068d450f365f96c67166d2d517b0aa17ca9d74c0 100644 (file)
@@ -644,8 +644,7 @@ asmlinkage __visible void __init start_kernel(void)
 #ifdef CONFIG_X86
        if (efi_enabled(EFI_RUNTIME_SERVICES))
                efi_enter_virtual_mode();
-       if (efi_enabled(EFI_RUNTIME_SERVICES))
-               efi_secure_boot_init();
+       efi_secure_boot_init();
 #endif
 #ifdef CONFIG_X86_ESPFIX64
        /* Should be run before the first non-init thread is created */
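Review bot: Dropping the `efi_enabled(EFI_RUNTIME_SERVICES)` guard makes efi_secure_boot_init() run on every x86 boot, so its safety now rests entirely on the check added in efi_secure_boot_enabled() before `efi.get_variable()`. A one-line comment at the call would keep that dependency from being lost in a later cleanup, e.g. `/* Runs without runtime services too; falls back to boot_params.secure_boot */`. start_kernel() extends beyond this hunk on both sides.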