summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDave Young <dyoung@redhat.com>2015-08-07 15:41:45 +0800
committerJosh Boyer <jwboyer@fedoraproject.org>2015-08-07 07:17:02 -0400
commiteca4cec9a5d463365963c979ad2d68060116651c (patch)
treec863941fba07418e4a6ad66740136d15e10b3369
parent2d19b299b65c4b6111536780edf345257ccb7367 (diff)
downloadkernel-eca4cec9a5d463365963c979ad2d68060116651c.tar.gz
kernel-eca4cec9a5d463365963c979ad2d68060116651c.tar.xz
kernel-eca4cec9a5d463365963c979ad2d68060116651c.zip
kexec/uefi: copy secure boot flag in boot params across kexec reboot
Kexec reboot in case secure boot enabled does not keep the secure boot mode in new kernel, so later one can load unsigned kernel via legacy kexec_load. Adding a patch to fix this by retain the secure_boot flag in original kernel. Signed-off-by: Dave Young <dyoung@redhat.com>
-rw-r--r--kernel.spec2
-rw-r--r--kexec-uefi-copy-secure_boot-flag-in-boot-params.patch30
2 files changed, 32 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec
index e91ef9d14..469a2a2f7 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -587,6 +587,8 @@ Patch505: 0001-dm-fix-dm_merge_bvec-regression-on-32-bit-systems.patch
#rhbz 1244511
Patch507: HID-chicony-Add-support-for-Acer-Aspire-Switch-12.patch
+Patch508: kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
+
Patch904: kdbus.patch
# END OF PATCH DEFINITIONS
diff --git a/kexec-uefi-copy-secure_boot-flag-in-boot-params.patch b/kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
new file mode 100644
index 000000000..e239ea908
--- /dev/null
+++ b/kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
@@ -0,0 +1,30 @@
+From: Dave Young <dyoung@redhat.com>
+
+[PATCH] kexec/uefi: copy secure_boot flag in boot params across kexec reboot
+
+Kexec reboot in case secure boot being enabled does not keep the secure boot
+mode in new kernel, so later one can load unsigned kernel via legacy kexec_load.
+In this state, the system is missing the protections provided by secure boot.
+
+Adding a patch to fix this by retain the secure_boot flag in original kernel.
+
+secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the stub.
+Fixing this issue by copying secure_boot flag across kexec reboot.
+
+Signed-off-by: Dave Young <dyoung@redhat.com>
+---
+ arch/x86/kernel/kexec-bzimage64.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
+index 9642b9b..0539ec7 100644
+--- a/arch/x86/kernel/kexec-bzimage64.c
++++ b/arch/x86/kernel/kexec-bzimage64.c
+@@ -178,6 +178,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
+ if (efi_enabled(EFI_OLD_MEMMAP))
+ return 0;
+
++ params->secure_boot = boot_params.secure_boot;
+ ei->efi_loader_signature = current_ei->efi_loader_signature;
+ ei->efi_systab = current_ei->efi_systab;
+ ei->efi_systab_hi = current_ei->efi_systab_hi;