[PATCH] kexec/uefi: copy secure boot flag in boot params across kexec reboot

Josh Boyer jwboyer at fedoraproject.org
Fri Aug 7 11:15:57 UTC 2015


On Fri, Aug 7, 2015 at 3:41 AM, Dave Young <dyoung at redhat.com> wrote:
> Kexec reboot in case secure boot is enabled does not keep the secure boot mode
> in the new kernel, so later one can load an unsigned kernel via legacy kexec_load.

Hm.  Wasn't there code being written so that one could disable legacy
kexec and only have kexec_file?  Perhaps that is queued for 4.3.  I'm
wondering if as a general security measure we want to only have
kexec_file available in Fedora when that is possible.

I will add this patch regardless of that, but it seems like a good
question to answer.  Thanks!

josh

> Adding a patch to fix this by retaining the secure_boot flag in original kernel.
>
> Signed-off-by: Dave Young <dyoung at redhat.com>
> ---
>  kernel.spec                                        |  2 ++
>  ...uefi-copy-secure_boot-flag-in-boot-params.patch | 30 ++++++++++++++++++++++
>  2 files changed, 32 insertions(+)
>  create mode 100644 kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
>
> diff --git a/kernel.spec b/kernel.spec
> index e91ef9d..469a2a2 100644
> --- a/kernel.spec
> +++ b/kernel.spec
> @@ -587,6 +587,8 @@ Patch505: 0001-dm-fix-dm_merge_bvec-regression-on-32-bit-systems.patch
>  #rhbz 1244511
>  Patch507: HID-chicony-Add-support-for-Acer-Aspire-Switch-12.patch
>
> +Patch508: kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
> +
>  Patch904: kdbus.patch
>
>  # END OF PATCH DEFINITIONS
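
Review bot: the new `Patch508:` line in kernel.spec has no comment above it, while the neighbouring `Patch507:` entry carries a `#rhbz 1244511` reference. Please add a one-line comment over `Patch508:` naming the bug or the upstream submission this patch tracks, so that a later rebase can tell whether the patch is still needed or has been merged upstream.
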
> diff --git a/kexec-uefi-copy-secure_boot-flag-in-boot-params.patch b/kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
> new file mode 100644
> index 0000000..e239ea9
> --- /dev/null
> +++ b/kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
> @@ -0,0 +1,30 @@
> +From: Dave Young <dyoung at redhat.com>
> +
> +[PATCH] kexec/uefi: copy secure_boot flag in boot params across kexec reboot
> +
> +Kexec reboot in case secure boot being enabled does not keep the secure boot
> +mode in new kernel, so later one can load unsigned kernel via legacy kexec_load.
> +In this state, the system is missing the protections provided by secure boot.
> +
> +Adding a patch to fix this by retain the secure_boot flag in original kernel.
> +
> +secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the stub.
> +Fixing this issue by copying secure_boot flag across kexec reboot.
> +
> +Signed-off-by: Dave Young <dyoung at redhat.com>
> +---
> + arch/x86/kernel/kexec-bzimage64.c | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
> +index 9642b9b..0539ec7 100644
> +--- a/arch/x86/kernel/kexec-bzimage64.c
> ++++ b/arch/x86/kernel/kexec-bzimage64.c
> +@@ -178,6 +178,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
> +       if (efi_enabled(EFI_OLD_MEMMAP))
> +               return 0;
> +
> ++      params->secure_boot = boot_params.secure_boot;
> +       ei->efi_loader_signature = current_ei->efi_loader_signature;
> +       ei->efi_systab = current_ei->efi_systab;
> +       ei->efi_systab_hi = current_ei->efi_systab_hi;
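
Review bot: in setup_efi_state() the added `params->secure_boot = boot_params.secure_boot;` sits below the `if (efi_enabled(EFI_OLD_MEMMAP)) return 0;` early return, so on that path the flag is never copied and the next kernel starts without it, which is the state the commit message sets out to close. Consider moving the assignment above that check, or into the caller that builds `params`, so the copy is unconditional. A short comment at the assignment, saying that the EFI stub normally sets this field and kexec bypasses the stub, would also help, since the line reads as unrelated to the `ei->` fields that follow it.
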
> --
> 1.8.3.1
>