diff --git a/osutils/src/efivar.rs b/osutils/src/efivar.rs
index 828ec33bd..4cf908b28 100644
--- a/osutils/src/efivar.rs
+++ b/osutils/src/efivar.rs
@@ -8,6 +8,9 @@ use trident_api::error::{ReportError, ServicingError, TridentError, TridentResul
 use crate::dependencies::{Dependency, DependencyResultExt};
 const BOOTLOADER_INTERFACE_GUID: &str = "4a67b082-0a4c-41cf-b6c7-440b29bb8c4f";
+const EFI_GLOBAL_VARIABLE_GUID: &str = "8be4df61-93ca-11d2-aa0d-00e098032b8c";
+
+const SECURE_BOOT: &str = "SecureBoot";
 const LOADER_ENTRY_ONESHOT: &str = "LoaderEntryOneShot";
 const LOADER_ENTRY_DEFAULT: &str = "LoaderEntryDefault";
@@ -105,6 +108,16 @@ fn read_efi_variable(guid: &str, variable: &str) -> Result, TridentError
 Ok(data[4..].to_vec())
 }
+/// Returns whether `SecureBoot` is currently enabled.
+pub fn is_secure_boot_enabled() -> bool {
+ let Ok(data) = read_efi_variable(EFI_GLOBAL_VARIABLE_GUID, SECURE_BOOT) else {
+ return false;
+ };
+
+ // SecureBoot is a single byte: 0x00 = disabled, 0x01 = enabled
+ !data.is_empty() && data[0] == 1
+}
+
 /// Returns whether the LoaderEntrySelected EFI variable is set and indicates a UKI boot.
 pub fn current_var_is_uki() -> bool {
 let Ok(current) = read_efi_variable(BOOTLOADER_INTERFACE_GUID, LOADER_ENTRY_SELECTED) else {
@@ -200,4 +213,12 @@ mod functional_test {
 set_default("").unwrap();
 }
+
+ #[functional_test(feature = "helpers")]
+ fn test_is_secure_boot_enabled() {
+ let secure_boot_enabled = is_secure_boot_enabled();
+
+ // The function should return false b/c SecureBoot is disabled on FT VM
+ assert!(!secure_boot_enabled);
+ }
 }
diff --git a/osutils/src/pcrlock.rs b/osutils/src/pcrlock.rs
index ca7b99b8f..50c2f359d 100644
--- a/osutils/src/pcrlock.rs
+++ b/osutils/src/pcrlock.rs
@@ -15,6 +15,7 @@ use tempfile::NamedTempFile;
 use crate::{
 bootloaders::{BOOT_EFI, GRUB_EFI},
 dependencies::Dependency,
+ efivar,
 exe::RunAndCheck,
 };
 use sysdefs::tpm2::Pcr;
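Review bot: `is_secure_boot_enabled` maps every failure of `read_efi_variable` to `false`, so a caller cannot distinguish "Secure Boot is off" from "not a UEFI boot / efivarfs unavailable / read error", and the new gate in pcrlock.rs then proceeds as if Secure Boot were off. On that path pcrlock would predict a .linux authenticode measurement that, if Secure Boot is actually on, will not occur, which looks like an unsealing failure at boot rather than a silent policy weakening, but the contract should be explicit. Please extend the doc comment to `/// Returns whether \`SecureBoot\` is currently enabled. Returns \`false\` when the variable cannot be read (non-UEFI boot, efivarfs unavailable, read error), so \`false\` does not prove Secure Boot is off.` and, if a log macro is in scope in this file, log the error before `return false;` so an unexpected read failure is visible. The `!data.is_empty() && data[0] == 1` check itself matches the UEFI definition of `SecureBoot` as a single byte, and the 4-byte attribute prefix is already stripped by `read_efi_variable`.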
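Review bot: `test_is_secure_boot_enabled` asserts a property of the test VM rather than of the function: `assert!(!secure_boot_enabled)` passes only while the FT VM has Secure Boot disabled and checks nothing about the parsing, so it will break as soon as the VM is switched to Secure Boot (the TODO removed in pcrlock.rs says that is expected) without having caught a bug. Consider comparing against an independent read of the variable instead, e.g. `let raw = read_efi_variable(EFI_GLOBAL_VARIABLE_GUID, SECURE_BOOT).ok();` followed by `assert_eq!(secure_boot_enabled, raw.as_deref().and_then(|d| d.first()) == Some(&1));`, which holds under either VM configuration. The enclosing `mod functional_test` starts outside the hunk.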
@@ -601,27 +602,26 @@ fn generate_pcrlock_files(
 bootloader_path.display()
 ))?;
 }
- // Second, if SecureBoot is disabled, the authenticode of the .linux section of each UKI
- // binary is measured into PCR 4 as well.
- //
- // TODO: Once SecureBoot is enabled, gate this logic with a conditional, or remove
- // entirely, as SecureBoot will likely be enabled always.
- // https://dev.azure.com/mariner-org/polar/_workitems/edit/14286/.
- for (index, uki_path) in uki_binaries.into_iter().enumerate() {
- let pcrlock_file =
- generate_pcrlock_output_path(BOOT_LOADER_CODE_UKI_PCRLOCK_DIR, index);
- debug!(
- "Generating .pcrlock file at '{}' to measure .linux section of UKI PE binary at '{}'",
+ // If SecureBoot is disabled, the authenticode of the .linux section of each UKI binary is
+ // measured into PCR 4 as well.
+ if !efivar::is_secure_boot_enabled() {
+ for (index, uki_path) in uki_binaries.into_iter().enumerate() {
+ let pcrlock_file =
+ generate_pcrlock_output_path(BOOT_LOADER_CODE_UKI_PCRLOCK_DIR, index);
+ debug!(
+ "SecureBoot is disabled, so generating .pcrlock file at '{}' \
+ to measure .linux section of UKI PE binary at '{}'",
 pcrlock_file.clone().display(),
 uki_path.clone().display()
 );
- generate_linux_authenticode(uki_path.clone(), pcrlock_file.clone()).context(
+ generate_linux_authenticode(uki_path.clone(), pcrlock_file.clone()).context(
 format!(
 "Failed to generate .pcrlock file at '{}' for .linux section of UKI PE binary at '{}'",
 pcrlock_file.display(),
 uki_path.display()
 ),
 )?;
+ }
 }
 } else {
 debug!("Skipping generating bootloader and UKI .pcrlock files as PCR 4 is not requested");
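Review bot: When `efivar::is_secure_boot_enabled()` is true the new `if` skips writing to `BOOT_LOADER_CODE_UKI_PCRLOCK_DIR` but removes nothing already there, so .pcrlock files written by an earlier run with Secure Boot disabled (named by position via `generate_pcrlock_output_path(.., index)`) would stay on disk and keep predicting a .linux authenticode measurement that no longer happens, unless that directory is cleared elsewhere in this function or by its caller, which I cannot see from the hunk. If it is not, add an `else` branch that clears it, e.g. `} else { debug!("SecureBoot is enabled, removing any stale .linux .pcrlock files"); /* clear BOOT_LOADER_CODE_UKI_PCRLOCK_DIR with the file's existing cleanup helper */ }`. The gate also reads the running system's `SecureBoot`, which only describes the boot being predicted if pcrlock files are generated from that same boot; if they can be produced from a different environment (a servicing OS targeting another install), a comment on that assumption would help. `generate_pcrlock_files` starts and ends outside this hunk.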