[kernel/f18] Add patch to honor MokSBState (rhbz 907406)
Josh Boyer
jwboyer at fedoraproject.org
Mon Feb 11 16:18:46 UTC 2013
commit 31d643927c2fb58f59da275ced9f7d443e02a334
Author: Josh Boyer <jwboyer at redhat.com>
Date: Mon Feb 11 08:32:00 2013 -0500
Add patch to honor MokSBState (rhbz 907406)
kernel.spec | 5 +++-
secure-boot-3.7-20130204.patch | 58 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 62 insertions(+), 1 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 8b55ace..f1c927e 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -62,7 +62,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
-%global baserelease 202
+%global baserelease 203
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@@ -2378,6 +2378,9 @@ fi
# ||----w |
# || ||
%changelog
+* Mon Feb 11 2013 Josh Boyer <jwboyer at redhat.com>
+- Add patch to honor MokSBState (rhbz 907406)
+
* Thu Feb 7 2013 Peter Robinson <pbrobinson at fedoraproject.org>
- Minor ARM build fixes
diff --git a/secure-boot-3.7-20130204.patch b/secure-boot-3.7-20130204.patch
index 653ac67..c6765f6 100644
--- a/secure-boot-3.7-20130204.patch
+++ b/secure-boot-3.7-20130204.patch
@@ -1332,3 +1332,61 @@ index 4ed81e7..b11a0f4 100644
--
1.8.1
+From 04a46ceeb9eb2dca0364ce836614de722e988c81 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer at redhat.com>
+Date: Tue, 5 Feb 2013 19:25:05 -0500
+Subject: [PATCH] efi: Disable secure boot if shim is in insecure mode
+
+A user can manually tell the shim boot loader to disable validation of
+images it loads. When a user does this, it creates a UEFI variable called
+MokSBState that does not have the runtime attribute set. Given that the
+user explicitly disabled validation, we can honor that and not enable
+secure boot mode if that variable is set.
+
+Signed-off-by: Josh Boyer <jwboyer at redhat.com>
+---
+ arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
+index 96bd86b..6e1331c 100644
+--- a/arch/x86/boot/compressed/eboot.c
++++ b/arch/x86/boot/compressed/eboot.c
+@@ -851,8 +851,9 @@ fail:
+
+ static int get_secure_boot(efi_system_table_t *_table)
+ {
+- u8 sb, setup;
++ u8 sb, setup, moksbstate;
+ unsigned long datasize = sizeof(sb);
++ u32 attr;
+ efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
+ efi_status_t status;
+
+@@ -876,6 +877,23 @@ static int get_secure_boot(efi_system_table_t *_table)
+ if (setup == 1)
+ return 0;
+
++ /* See if a user has put shim into insecure_mode. If so, and the variable
++ * doesn't have the runtime attribute set, we might as well honor that.
++ */
++ var_guid = EFI_SHIM_LOCK_GUID;
++ status = efi_call_phys5(sys_table->runtime->get_variable,
++ L"MokSBState", &var_guid, &attr, &datasize,
++ &moksbstate);
++
++ /* If it fails, we don't care why. Default to secure */
++ if (status != EFI_SUCCESS)
++ return 1;
++
++ if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
++ if (moksbstate == 1)
++ return 0;
++ }
++
+ return 1;
+ }
+
+--
+1.8.1
+
More information about the scm-commits
mailing list