diff options
author | Justin M. Forbes <jforbes@fedoraproject.org> | 2020-08-04 17:00:01 -0500 |
---|---|---|
committer | Justin M. Forbes <jforbes@fedoraproject.org> | 2020-08-04 17:00:01 -0500 |
commit | 9ab9ea2db0b13375d3d7114d5c82eb298a118740 (patch) | |
tree | eb4615cacf3e4ee8bd71c2522241011baa6c56fe /0001-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch | |
parent | bf5b588422a50d970ea8660d368cc6cdd2c377c9 (diff) | |
download | kernel-9ab9ea2db0b13375d3d7114d5c82eb298a118740.tar.gz kernel-9ab9ea2db0b13375d3d7114d5c82eb298a118740.tar.xz kernel-9ab9ea2db0b13375d3d7114d5c82eb298a118740.zip |
Linux v5.8 rebase
Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
Diffstat (limited to '0001-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch')
-rw-r--r-- | 0001-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch | 161 |
1 files changed, 0 insertions, 161 deletions
diff --git a/0001-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch b/0001-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch deleted file mode 100644 index acd11a206..000000000 --- a/0001-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch +++ /dev/null @@ -1,161 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Tue, 27 Feb 2018 10:04:55 +0000 -Subject: [PATCH] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode - -UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT -flag that can be passed to efi_enabled() to find out whether secure boot is -enabled. - -Move the switch-statement in x86's setup_arch() that inteprets the -secure_boot boot parameter to generic code and set the bit there. - -Upstream Status: RHEL only -Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> -Signed-off-by: David Howells <dhowells@redhat.com> -Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> -cc: linux-efi@vger.kernel.org -[Rebased for context; efi_is_table_address was moved to arch/x86] -Signed-off-by: Jeremy Cline <jcline@redhat.com> ---- - arch/x86/kernel/setup.c | 14 +----------- - drivers/firmware/efi/Makefile | 1 + - drivers/firmware/efi/secureboot.c | 38 +++++++++++++++++++++++++++++++ - include/linux/efi.h | 18 ++++++++++----- - 4 files changed, 52 insertions(+), 19 deletions(-) - create mode 100644 drivers/firmware/efi/secureboot.c - -diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index e39ec0f88d28..08e9f5fc26a8 100644 ---- a/arch/x86/kernel/setup.c -+++ b/arch/x86/kernel/setup.c -@@ -1250,19 +1250,7 @@ void __init setup_arch(char **cmdline_p) - /* Allocate bigger log buffer */ - setup_log_buf(1); - -- if (efi_enabled(EFI_BOOT)) { -- switch (boot_params.secure_boot) { -- case efi_secureboot_mode_disabled: -- pr_info("Secure boot disabled\n"); -- break; -- case efi_secureboot_mode_enabled: -- pr_info("Secure boot enabled\n"); -- break; -- default: -- pr_info("Secure boot could not be determined\n"); -- break; -- } -- } -+ efi_set_secure_boot(boot_params.secure_boot); - - reserve_initrd(); - -diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile -index 7a216984552b..f0ef02d733af 100644 ---- a/drivers/firmware/efi/Makefile -+++ b/drivers/firmware/efi/Makefile -@@ -25,6 +25,7 @@ obj-$(CONFIG_EFI_FAKE_MEMMAP) += fake_map.o - obj-$(CONFIG_EFI_BOOTLOADER_CONTROL) += efibc.o - obj-$(CONFIG_EFI_TEST) += test/ - obj-$(CONFIG_EFI_DEV_PATH_PARSER) += dev-path-parser.o -+obj-$(CONFIG_EFI) += secureboot.o - obj-$(CONFIG_APPLE_PROPERTIES) += apple-properties.o - obj-$(CONFIG_EFI_RCI2_TABLE) += rci2-table.o - obj-$(CONFIG_EFI_EMBEDDED_FIRMWARE) += embedded-firmware.o -diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c -new file mode 100644 -index 000000000000..de0a3714a5d4 ---- /dev/null -+++ b/drivers/firmware/efi/secureboot.c -@@ -0,0 +1,38 @@ -+/* Core kernel secure boot support. -+ * -+ * Copyright (C) 2017 Red Hat, Inc. All Rights Reserved. -+ * Written by David Howells (dhowells@redhat.com) -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public Licence -+ * as published by the Free Software Foundation; either version -+ * 2 of the Licence, or (at your option) any later version. -+ */ -+ -+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt -+ -+#include <linux/efi.h> -+#include <linux/kernel.h> -+#include <linux/printk.h> -+ -+/* -+ * Decide what to do when UEFI secure boot mode is enabled. -+ */ -+void __init efi_set_secure_boot(enum efi_secureboot_mode mode) -+{ -+ if (efi_enabled(EFI_BOOT)) { -+ switch (mode) { -+ case efi_secureboot_mode_disabled: -+ pr_info("Secure boot disabled\n"); -+ break; -+ case efi_secureboot_mode_enabled: -+ set_bit(EFI_SECURE_BOOT, &efi.flags); -+ pr_info("Secure boot enabled\n"); -+ break; -+ default: -+ pr_warn("Secure boot could not be determined (mode %u)\n", -+ mode); -+ break; -+ } -+ } -+} -diff --git a/include/linux/efi.h b/include/linux/efi.h -index 51503bf118ab..b35e693f20f3 100644 ---- a/include/linux/efi.h -+++ b/include/linux/efi.h -@@ -778,6 +778,14 @@ extern int __init efi_setup_pcdp_console(char *); - #define EFI_MEM_ATTR 10 /* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */ - #define EFI_MEM_NO_SOFT_RESERVE 11 /* Is the kernel configured to ignore soft reservations? */ - #define EFI_PRESERVE_BS_REGIONS 12 /* Are EFI boot-services memory segments available? */ -+#define EFI_SECURE_BOOT 13 /* Are we in Secure Boot mode? */ -+ -+enum efi_secureboot_mode { -+ efi_secureboot_mode_unset, -+ efi_secureboot_mode_unknown, -+ efi_secureboot_mode_disabled, -+ efi_secureboot_mode_enabled, -+}; - - #ifdef CONFIG_EFI - /* -@@ -789,6 +797,8 @@ static inline bool efi_enabled(int feature) - } - extern void efi_reboot(enum reboot_mode reboot_mode, const char *__unused); - -+extern void __init efi_set_secure_boot(enum efi_secureboot_mode mode); -+ - bool __pure __efi_soft_reserve_enabled(void); - - static inline bool __pure efi_soft_reserve_enabled(void) -@@ -815,6 +825,8 @@ efi_capsule_pending(int *reset_type) - return false; - } - -+static inline void efi_set_secure_boot(enum efi_secureboot_mode mode) {} -+ - static inline bool efi_soft_reserve_enabled(void) - { - return false; -@@ -1086,12 +1098,6 @@ static inline bool efi_runtime_disabled(void) { return true; } - extern void efi_call_virt_check_flags(unsigned long flags, const char *call); - extern unsigned long efi_call_virt_save_flags(void); - --enum efi_secureboot_mode { -- efi_secureboot_mode_unset, -- efi_secureboot_mode_unknown, -- efi_secureboot_mode_disabled, -- efi_secureboot_mode_enabled, --}; - enum efi_secureboot_mode efi_get_secureboot(void); - - #ifdef CONFIG_RESET_ATTACK_MITIGATION --- -2.26.2 - |