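--- a/efi/fw_load_handler.go
+++ b/efi/fw_load_handler.go
@@ -197,21 +197,6 @@ func (h *fwLoadHandler) measureSecureBootPolicyPreOS(ctx pcrBranchContext) error
 return xerrors.Errorf("cannot measure dbx: %w", err)
 }
 
-// Backward compliance: On Ubuntu Core not using preinstall checks,
-// the firmware might be UEFI 2.5 compliant but not be in deployed mode.
-// In that case we should still expect those measurements due to the mode.
-// Note that DeployedMode variable should only be present in UEFI 2.5
-// and not before.
-deployedMode, _, err := ctx.Vars().ReadVar("DeployedMode", efi.GlobalVariable)
-if err != nil && err != efi.ErrVarNotExist {
-return fmt.Errorf("cannot read DeployedMode variable: %w", err)
-} else if err == nil {
-if len(deployedMode) == 1 && deployedMode[0] == 0 {
-ctx.MeasureVariable(internal_efi.SecureBootPolicyPCR, efi.GlobalVariable, "AuditMode", []byte{0})
-ctx.MeasureVariable(internal_efi.SecureBootPolicyPCR, efi.GlobalVariable, "DeployedMode", []byte{0})
-}
-}
-
 // TODO: Support optional dbt/dbr database
 
 // We don't measure a EV_SEPARATOR here yet because we need to preserve the
@@ -271,6 +256,24 @@ func (h *fwLoadHandler) measureSecureBootPolicyPreOS(ctx pcrBranchContext) error
 // once we've encountered the first EV_EFI_VARIABLE_AUTHORITY event and
 // we'll likely generate an invalid profile if we do. The preinstall
 // checks will catch this.
+
+// Except...
+// Backward compliance: On Ubuntu Core not using preinstall checks,
+// the firmware might be UEFI 2.5 compliant but not be in deployed mode.
+// In that case we should still expect those measurements due to the mode.
+if data, ok := e.Data.(*tcglog.EFIVariableData); ok {
+if (data.VariableName == efi.GlobalVariable && data.UnicodeName == "AuditMode") {
+if bytes.Equal(data.VariableData, []byte{0}) {
+ctx.MeasureVariable(internal_efi.SecureBootPolicyPCR, efi.GlobalVariable, "AuditMode", data.VariableData)
+}
+}
+if (data.VariableName == efi.GlobalVariable && data.UnicodeName == "DeployedMode") {
+if bytes.Equal(data.VariableData, []byte{0}) {
+ctx.MeasureVariable(internal_efi.SecureBootPolicyPCR, efi.GlobalVariable, "DeployedMode", data.VariableData)
+}
+}
+}
+
 case e.PCRIndex == internal_efi.SecureBootPolicyPCR && e.EventType == tcglog.EventTypeEFIAction &&
 (bytes.Equal(e.Data.Bytes(), []byte(dmaProtectionDisabled)) || bytes.Equal(e.Data.Bytes(), []byte(dmaProtectionDisabledNul))) &&
 allowInsufficientDMAProtection: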
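Review bot: The two new `if` blocks handling the AuditMode and DeployedMode log events in the second hunk duplicate the same guard and body, differing only in the variable name, and the parenthesized `if (...)` conditions are not what gofmt emits, which suggests the hunk was committed unformatted; a single assertion guarded on `VariableName` plus a `switch` on `UnicodeName` expresses the same behaviour in half the lines (sketch below). The code also deserves a one-line comment on why only a value of exactly `0` is replayed, since a log event carrying any other value for either variable is silently skipped here and a reader cannot tell whether that is deliberate or left for the preinstall checks mentioned in the comment above, e.g. `// Only the "not in audit/deployed mode" value (0) is replayed; other values are left to the preinstall checks (confirm).`. Worth stating in that comment too is that the mode is now taken from the log event rather than from a live `DeployedMode` variable read as the first hunk removed, so the profile follows what the firmware actually measured. The enclosing `switch` case and `measureSecureBootPolicyPreOS` itself start and end outside the hunk.
```go
// … unchanged: backward-compliance comment …
if data, ok := e.Data.(*tcglog.EFIVariableData); ok && data.VariableName == efi.GlobalVariable {
	switch data.UnicodeName {
	case "AuditMode", "DeployedMode":
		// Only the "mode not enabled" value (0) is replayed; other values are
		// left to the preinstall checks (confirm).
		if bytes.Equal(data.VariableData, []byte{0}) {
			ctx.MeasureVariable(internal_efi.SecureBootPolicyPCR, efi.GlobalVariable, data.UnicodeName, data.VariableData)
		}
	}
}
```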