author | Laura Abbott <labbott@fedoraproject.org> | 2016-10-18 14:23:11 -0700 |
---|---|---|
committer | Laura Abbott <labbott@fedoraproject.org> | 2016-10-18 14:23:11 -0700 |
commit | 9472421366604c0504d9da77569f45c5b459c9bb (patch) | |
tree | e1014917339537a3cb48417b53afce6716143b8a /MODSIGN-Don-t-try-secure-boot-if-EFI-runtime-is-disa.patch | |
parent | 0d1e2dc5eb9ae008cf126f3b212357648bd9e3eb (diff) | |
download | kernel-9472421366604c0504d9da77569f45c5b459c9bb.tar.gz kernel-9472421366604c0504d9da77569f45c5b459c9bb.tar.xz kernel-9472421366604c0504d9da77569f45c5b459c9bb.zip |
Gracefully bail out of secureboot when EFI runtime is disabled
- Fix for aarch64 boot regression (rhbz 1384701)
Diffstat (limited to 'MODSIGN-Don-t-try-secure-boot-if-EFI-runtime-is-disa.patch')
-rw-r--r-- | MODSIGN-Don-t-try-secure-boot-if-EFI-runtime-is-disa.patch | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/MODSIGN-Don-t-try-secure-boot-if-EFI-runtime-is-disa.patch b/MODSIGN-Don-t-try-secure-boot-if-EFI-runtime-is-disa.patch
new file mode 100644
index 000000000..6f5d8b6ab
--- /dev/null
+++ b/MODSIGN-Don-t-try-secure-boot-if-EFI-runtime-is-disa.patch
@@ -0,0 +1,32 @@
+From 71db1b222ecdf6cb4356f6f1e2bd45cd2f0e85e1 Mon Sep 17 00:00:00 2001
+From: Laura Abbott <labbott@redhat.com>
+Date: Tue, 18 Oct 2016 13:58:44 -0700
+Subject: [PATCH] MODSIGN: Don't try secure boot if EFI runtime is disabled
+
+Secure boot depends on having EFI runtime variable access. The code
+does not handle a lack of runtime variables gracefully. Add a check
+to just bail out of EFI runtime is disabled.
+
+Signed-off-by: Laura Abbott <labbott@redhat.com>
+---
+ kernel/modsign_uefi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
+index a41da14..2bdaf76 100644
+--- a/kernel/modsign_uefi.c
++++ b/kernel/modsign_uefi.c
+@@ -71,6 +71,10 @@ static int __init load_uefi_certs(void)
+ if (!efi_enabled(EFI_SECURE_BOOT))
+ return 0;
+
++ /* Things blow up if efi runtime is disabled */
++ if (efi_runtime_disabled())
++ return 0;
++
+ keyring = get_system_keyring();
+ if (!keyring) {
+ pr_err("MODSIGN: Couldn't get system keyring\n");
+--
+2.7.4
+
|
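Review bot: The new `efi_runtime_disabled()` branch in `load_uefi_certs()` returns 0 without logging anything, so a Secure Boot system whose EFI runtime services are off skips the rest of the function with no trace in the kernel log. The rest of the body is outside the hunk, but it presumably loads firmware-provided certificates (and possibly revocation entries) into the keyring, so an operator has no signal that module-signature trust now rests only on the built-in keys. I would emit a message before returning, in the style of the existing `pr_err`, for example `pr_info("MODSIGN: EFI runtime services disabled, not loading UEFI certs\n");`. The comment would also read better if it named the cause rather than "Things blow up", e.g. `/* UEFI variable reads need runtime services; skip cert loading when they are disabled */`.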