[kernel/f18] Add patch to honor MokSBState (rhbz 907406)

Josh Boyer jwboyer at fedoraproject.org
Mon Feb 11 16:18:46 UTC 2013 

commit 31d643927c2fb58f59da275ced9f7d443e02a334
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Mon Feb 11 08:32:00 2013 -0500

    Add patch to honor MokSBState (rhbz 907406)

 kernel.spec                    |    5 +++-
 secure-boot-3.7-20130204.patch |   58 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+), 1 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 8b55ace..f1c927e 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -62,7 +62,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 202
+%global baserelease 203
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -2378,6 +2378,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Mon Feb 11 2013 Josh Boyer <jwboyer at redhat.com>
+- Add patch to honor MokSBState (rhbz 907406)
+
 * Thu Feb  7 2013 Peter Robinson <pbrobinson at fedoraproject.org>
 - Minor ARM build fixes
 
diff --git a/secure-boot-3.7-20130204.patch b/secure-boot-3.7-20130204.patch
index 653ac67..c6765f6 100644
--- a/secure-boot-3.7-20130204.patch
+++ b/secure-boot-3.7-20130204.patch
@@ -1332,3 +1332,61 @@ index 4ed81e7..b11a0f4 100644
 -- 
 1.8.1
 
+From 04a46ceeb9eb2dca0364ce836614de722e988c81 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer at redhat.com>
+Date: Tue, 5 Feb 2013 19:25:05 -0500
+Subject: [PATCH] efi: Disable secure boot if shim is in insecure mode
+
+A user can manually tell the shim boot loader to disable validation of
+images it loads.  When a user does this, it creates a UEFI variable called
+MokSBState that does not have the runtime attribute set.  Given that the
+user explicitly disabled validation, we can honor that and not enable
+secure boot mode if that variable is set.
+
+Signed-off-by: Josh Boyer <jwboyer at redhat.com>
+---
+ arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
+index 96bd86b..6e1331c 100644
+--- a/arch/x86/boot/compressed/eboot.c
++++ b/arch/x86/boot/compressed/eboot.c
+@@ -851,8 +851,9 @@ fail:
+ 
+ static int get_secure_boot(efi_system_table_t *_table)
+ {
+-	u8 sb, setup;
++	u8 sb, setup, moksbstate;
+ 	unsigned long datasize = sizeof(sb);
++	u32 attr;
+ 	efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
+ 	efi_status_t status;
+ 
+@@ -876,6 +877,23 @@ static int get_secure_boot(efi_system_table_t *_table)
+ 	if (setup == 1)
+ 		return 0;
+ 
++	/* See if a user has put shim into insecure_mode.  If so, and the variable
++	 * doesn't have the runtime attribute set, we might as well honor that.
++	 */
++	var_guid = EFI_SHIM_LOCK_GUID;
++	status = efi_call_phys5(sys_table->runtime->get_variable,
++				L"MokSBState", &var_guid, &attr, &datasize,
++				&moksbstate);
++
++	/* If it fails, we don't care why.  Default to secure */
++	if (status != EFI_SUCCESS)
++		return 1;
++
++	if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
++		if (moksbstate == 1)
++			return 0;
++	}
++
+ 	return 1;
+ }
+ 
+-- 
+1.8.1
+

More information about the scm-commits mailing list