From 54418aa60ad49d1e87037855532b3b7ff1fbc903 Mon Sep 17 00:00:00 2001
From: Daniel Kiper
Date: Thu, 14 Dec 2017 15:31:56 +0100
Subject: [PATCH] x86/efi: Initialize and display UEFI secure boot state a bit later during init
Otherwise Xen dom0 does not display "Secure boot enabled" message if it runs on secure boot enabled platform. This happens because boot_params.secure_boot is initialized too late. However, despite lack of message all features depending on UEFI secure boot are enabled properly.
Orabug: 27258204
Signed-off-by: Daniel Kiper
Reviewed-by: Konrad Rzeszutek Wilk
Reviewed-by: Boris Ostrovsky
---
 arch/x86/kernel/setup.c | 8 --------
 arch/x86/platform/efi/efi.c | 5 +++++
 init/main.c | 3 +--
 3 files changed, 6 insertions(+), 10 deletions(-)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index 98ab1e8a85d3..9da730e452e4 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1149,14 +1149,6 @@ void __init setup_arch(char **cmdline_p)
 /* Allocate bigger log buffer */
 setup_log_buf(1);
-#ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL
- if (boot_params.secure_boot) {
- set_bit(EFI_SECURE_BOOT, &efi.flags);
- set_securelevel(1);
- pr_info("Secure boot enabled\n");
- }
-#endif
-
 reserve_initrd();
 #if defined(CONFIG_ACPI) && defined(CONFIG_BLK_DEV_INITRD)
diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
index 9020fc1f7306..e3811ccdc2ec 100644
--- a/arch/x86/platform/efi/efi.c
+++ b/arch/x86/platform/efi/efi.c
@@ -93,6 +93,9 @@ static int __init efi_secure_boot_enabled(void)
 if (boot_params.secure_boot)
 return 1;
+ if (!efi_enabled(EFI_RUNTIME_SERVICES))
+ return 0;
+
 status = efi.get_variable((efi_char16_t*)sb_var, &var_guid, NULL, &datasize, &sb);
@@ -482,7 +485,9 @@ void __init efi_secure_boot_init(void)
 boot_params.secure_boot = 1;
 #ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL
+ set_bit(EFI_SECURE_BOOT, &efi.flags);
 set_securelevel(1);
+ pr_info("Secure boot enabled\n");
 #endif
 }
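Review bot: The added `if (!efi_enabled(EFI_RUNTIME_SERVICES)) return 0;` in the arch/x86/platform/efi/efi.c hunk at -93 makes efi_secure_boot_enabled() fail open. When runtime services are unavailable and the loader did not set boot_params.secure_boot, the platform is reported as not in Secure Boot, so efi_secure_boot_init() presumably never raises the securelevel. If that is the intended policy, the branch should say so and leave a trace in the log, for example `if (!efi_enabled(EFI_RUNTIME_SERVICES)) { pr_warn("EFI runtime services unavailable, SecureBoot variable not checked\n"); return 0; }`. The function body starts and ends outside the hunk, so how the later get_variable() failure path is handled cannot be confirmed from here.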
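Review bot: The securelevel is now raised only in efi_secure_boot_init() (arch/x86/platform/efi/efi.c hunk at -482), which start_kernel() calls after efi_enter_virtual_mode(). Everything that runs between the removed setup_arch() block and this call therefore executes with securelevel 0 and EFI_SECURE_BOOT clear on a Secure Boot platform. The removed block sat directly before reserve_initrd() and the `#if defined(CONFIG_ACPI) && defined(CONFIG_BLK_DEV_INITRD)` section, so any securelevel check in that initrd/ACPI path, which this diff does not show, is worth auditing. A comment above the `#ifdef`, such as `/* Securelevel is raised here, not in setup_arch(): earlier init code runs with securelevel 0 */`, would record the ordering. The pr_info() is also printed without looking at the result of set_securelevel(1), so if that call can fail the log would claim more than was done.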
diff --git a/init/main.c b/init/main.c
index 49a7559e2500..068d450f365f 100644
--- a/init/main.c
+++ b/init/main.c
@@ -644,8 +644,7 @@ asmlinkage __visible void __init start_kernel(void)
 #ifdef CONFIG_X86
 if (efi_enabled(EFI_RUNTIME_SERVICES))
 efi_enter_virtual_mode();
- if (efi_enabled(EFI_RUNTIME_SERVICES))
- efi_secure_boot_init();
+ efi_secure_boot_init();
 #endif
 #ifdef CONFIG_X86_ESPFIX64
 /* Should be run before the first non-init thread is created */
--
2.50.1
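Review bot: The call to efi_secure_boot_init() in the init/main.c hunk is now unconditional inside `#ifdef CONFIG_X86`, so an x86 build without EFI support needs a declaration and an empty stub for it. The diffstat lists no header change, so it should be confirmed that such a stub already exists; the old `if (efi_enabled(EFI_RUNTIME_SERVICES))` guard may have been what let the call be compiled out in that configuration. The call site also no longer shows why the guard is unnecessary, and a comment such as `/* efi_secure_boot_enabled() checks boot_params and runtime services itself */` would keep that visible. start_kernel() starts and ends outside the hunk.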