author | Justin M. Forbes <jforbes@redhat.com> | 2017-04-05 12:23:02 -0500 |
---|---|---|
committer | Justin M. Forbes <jforbes@redhat.com> | 2017-04-05 12:23:02 -0500 |
commit | f3cfeb0ef70cc166f6364fef17ca4580e5924bc2 (patch) | |
tree | ed84a63edffabe5d98e0f12ed8f89c7f7cb0d8b0 | |
parent | 090bfba49cf37ee6020c2beda8d8df12ba81ba44 (diff) | |
Fix secureboot ERROR
-rw-r--r-- | 0001-efi-libstub-Treat-missing-SecureBoot-variable-as-Sec.patch | 53 | ||||
-rw-r--r-- | kernel.spec | 3 |
2 files changed, 56 insertions, 0 deletions
diff --git a/0001-efi-libstub-Treat-missing-SecureBoot-variable-as-Sec.patch b/0001-efi-libstub-Treat-missing-SecureBoot-variable-as-Sec.patch
new file mode 100644
index 000000000..3bbdac708
--- /dev/null
+++ b/0001-efi-libstub-Treat-missing-SecureBoot-variable-as-Sec.patch
@@ -0,0 +1,53 @@
+From 52e51f16407b7b34e26affb500a21e250d9fce0b Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Wed, 1 Mar 2017 19:04:35 +0000
+Subject: [PATCH] efi/libstub: Treat missing SecureBoot variable as Secure Boot
+ disabled
+
+The newly refactored code that infers the firmware's Secure Boot state
+prints the following error when the EFI variable 'SecureBoot' does not
+exist:
+
+ EFI stub: ERROR: Could not determine UEFI Secure Boot status.
+
+However, this variable is only guaranteed to be defined on a system that
+is Secure Boot capable to begin with, and so it is not an error if it is
+missing. So report Secure Boot as being disabled in this case, without
+printing any error messages.
+
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/1488395076-29712-2-git-send-email-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+---
+ drivers/firmware/efi/libstub/secureboot.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/firmware/efi/libstub/secureboot.c b/drivers/firmware/efi/libstub/secureboot.c
+index 6def402..5da36e5 100644
+--- a/drivers/firmware/efi/libstub/secureboot.c
++++ b/drivers/firmware/efi/libstub/secureboot.c
+@@ -45,6 +45,8 @@ enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table_arg)
+ size = sizeof(secboot);
+ status = get_efi_var(efi_SecureBoot_name, &efi_variable_guid,
+ NULL, &size, &secboot);
++ if (status == EFI_NOT_FOUND)
++ goto secure_boot_disabled;
+ if (status != EFI_SUCCESS)
+ goto out_efi_err;
+
+@@ -78,7 +80,5 @@ enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table_arg)
+
+ out_efi_err:
+ pr_efi_err(sys_table_arg, "Could not determine UEFI Secure Boot
status.\n"); +- if (status == EFI_NOT_FOUND) +- goto secure_boot_disabled; + return efi_secureboot_mode_unknown; + } +-- +2.9.3 + diff --git a/kernel.spec b/kernel.spec index 203bf13c8..bf4311efd 100644 --- a/kernel.spec +++ b/kernel.spec @@ -617,6 +617,8 @@ Patch859: 0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch # CVE-2017-2671 rhbz 1436649 1436663 Patch860: 0001-ping-implement-proper-locking.patch +Patch861: 0001-efi-libstub-Treat-missing-SecureBoot-variable-as-Sec.patch + # END OF PATCH DEFINITIONS %endif @@ -2189,6 +2191,7 @@ fi * Wed Apr 05 2017 Justin M. Forbes <jforbes@fedoraproject.org> - Don't print MCEs when mcelog is running (rhbz 1438316) - CVE-2017-2671 Fix ping locking (rhbz 1436649 1436663) +- Fix secureboot ERROR * Tue Apr 04 2017 Justin M. Forbes <jforbes@fedoraproject.org> - redisable CONFIG_IWLWIFI_PCIE_RTPM (rhbz 1429135) |
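Review bot: The early `if (status == EFI_NOT_FOUND) goto secure_boot_disabled;` added after the `get_efi_var()` call in efi_get_secureboot() has no comment, so the reason a missing variable is reported as "disabled" rather than "unknown" is recorded only in the commit message. I would put `/* SecureBoot is only guaranteed to exist on Secure Boot capable firmware, so its absence means disabled, not an error */` directly above the check. Since this path no longer prints anything, it would also help to note in that comment that "variable absent" and "variable reports disabled" are now indistinguishable in the boot log, which matters to anyone auditing why a machine came up without Secure Boot policy applied. The `secure_boot_disabled` label and the rest of the function body lie outside the visible hunks, so what that label returns is presumed from its name.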