[kernel] Linux v3.8-rc6-98-g1589a3e

Josh Boyer jwboyer at fedoraproject.org
Wed Feb 6 14:24:11 UTC 2013


commit b34201959321fae31bad0eae7cd79289bf8d55f1
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Wed Feb 6 09:22:56 2013 -0500

    Linux v3.8-rc6-98-g1589a3e
    
    - Add patch to honor MokSBState (rhbz 907406)

 kernel.spec                                        |   10 +++-
 ...ot-20130131.patch => secure-boot-20130206.patch |   58 ++++++++++++++++++++
 sources                                            |    2 +-
 3 files changed, 66 insertions(+), 4 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index d4ef212..0ca562d 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -95,7 +95,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %define rcrev 6
 # The git snapshot level
-%define gitrev 2
+%define gitrev 3
 # Set rpm version accordingly
 %define rpmversion 3.%{upstream_sublevel}.0
 %endif
@@ -669,7 +669,7 @@ Patch800: crash-driver.patch
 # crypto/
 
 # secure boot
-Patch1000: secure-boot-20130131.patch
+Patch1000: secure-boot-20130206.patch
 
 # virt + ksm patches
 
@@ -1387,7 +1387,7 @@ ApplyPatch crash-driver.patch
 # crypto/
 
 # secure boot
-ApplyPatch secure-boot-20130131.patch
+ApplyPatch secure-boot-20130206.patch
 
 # Assorted Virt Fixes
 
@@ -2315,6 +2315,10 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Wed Feb 06 2013 Josh Boyer <jwboyer at redhat.com> - 3.8.0-0.rc6.git3.1
+- Linux v3.8-rc6-98-g1589a3e
+- Add patch to honor MokSBState (rhbz 907406)
+
 * Tue Feb 05 2013 Josh Boyer <jwboyer at redhat.com> - 3.8.0-0.rc6.git2.1
 - Linux v3.8-rc6-62-gfe547d7
 - Enable CONFIG_DRM_VMWGFX_FBCON (rhbz 907620)
diff --git a/secure-boot-20130131.patch b/secure-boot-20130206.patch
similarity index 95%
rename from secure-boot-20130131.patch
rename to secure-boot-20130206.patch
index c58f599..479bf27 100644
--- a/secure-boot-20130131.patch
+++ b/secure-boot-20130206.patch
@@ -1329,3 +1329,61 @@ index 4ed81e7..b11a0f4 100644
 -- 
 1.8.1
 
+From 04a46ceeb9eb2dca0364ce836614de722e988c81 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer at redhat.com>
+Date: Tue, 5 Feb 2013 19:25:05 -0500
+Subject: [PATCH] efi: Disable secure boot if shim is in insecure mode
+
+A user can manually tell the shim boot loader to disable validation of
+images it loads.  When a user does this, it creates a UEFI variable called
+MokSBState that does not have the runtime attribute set.  Given that the
+user explicitly disabled validation, we can honor that and not enable
+secure boot mode if that variable is set.
+
+Signed-off-by: Josh Boyer <jwboyer at redhat.com>
+---
+ arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
+index 96bd86b..6e1331c 100644
+--- a/arch/x86/boot/compressed/eboot.c
++++ b/arch/x86/boot/compressed/eboot.c
+@@ -851,8 +851,9 @@ fail:
+ 
+ static int get_secure_boot(efi_system_table_t *_table)
+ {
+-	u8 sb, setup;
++	u8 sb, setup, moksbstate;
+ 	unsigned long datasize = sizeof(sb);
++	u32 attr;
+ 	efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
+ 	efi_status_t status;
+ 
+@@ -876,6 +877,23 @@ static int get_secure_boot(efi_system_table_t *_table)
+ 	if (setup == 1)
+ 		return 0;
+ 
++	/* See if a user has put shim into insecure_mode.  If so, and the variable
++	 * doesn't have the runtime attribute set, we might as well honor that.
++	 */
++	var_guid = EFI_SHIM_LOCK_GUID;
++	status = efi_call_phys5(sys_table->runtime->get_variable,
++				L"MokSBState", &var_guid, &attr, &datasize,
++				&moksbstate);
++
++	/* If it fails, we don't care why.  Default to secure */
++	if (status != EFI_SUCCESS)
++		return 1;
++
++	if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
++		if (moksbstate == 1)
++			return 0;
++	}
++
+ 	return 1;
+ }
+ 
+-- 
+1.8.1
+
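Review bot: The MokSBState read passes `&datasize` to get_variable without resetting it, so the buffer size handed to firmware is whatever the earlier SecureBoot/SetupMode reads left there; those calls are outside this hunk, so this is inferred, but adding `datasize = sizeof(moksbstate);` just before the `efi_call_phys5` call keeps the one-byte read independent of them. The comment above the call says "we might as well honor that" without stating why the attribute check is the security boundary; something like `/* Trust MokSBState only if it is boot-services-only: a copy with EFI_VARIABLE_RUNTIME_ACCESS could have been written from a running OS and must not turn enforcement off. */` would tell the next maintainer not to relax it. The two nested `if`s read more clearly as one condition, `if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS) && moksbstate == 1)`. get_secure_boot begins in the first nested hunk and its middle section is not shown, so the point about `datasize` should be confirmed against the full function.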
diff --git a/sources b/sources
index ae7708c..3276a81 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 21223369d682bcf44bcdfe1521095983  linux-3.7.tar.xz
 86fddbbbda8b9d7432ef479d055968e4  patch-3.8-rc6.xz
-47c13c925f34642b05ed4524d62257ec  patch-3.8-rc6-git2.xz
+cf0916371135cca3495194b59f877b85  patch-3.8-rc6-git3.xz

