diff options
| -rw-r--r-- | kernel.spec | 10 | ||||
| -rw-r--r-- | secure-boot-20130206.patch (renamed from secure-boot-20130131.patch) | 58 | ||||
| -rw-r--r-- | sources | 2 |
3 files changed, 66 insertions, 4 deletions
diff --git a/kernel.spec b/kernel.spec index d4ef2125c..0ca562d66 100644 --- a/kernel.spec +++ b/kernel.spec @@ -95,7 +95,7 @@ Summary: The Linux kernel # The rc snapshot level %define rcrev 6 # The git snapshot level -%define gitrev 2 +%define gitrev 3 # Set rpm version accordingly %define rpmversion 3.%{upstream_sublevel}.0 %endif @@ -669,7 +669,7 @@ Patch800: crash-driver.patch # crypto/ # secure boot -Patch1000: secure-boot-20130131.patch +Patch1000: secure-boot-20130206.patch # virt + ksm patches @@ -1387,7 +1387,7 @@ ApplyPatch crash-driver.patch # crypto/ # secure boot -ApplyPatch secure-boot-20130131.patch +ApplyPatch secure-boot-20130206.patch # Assorted Virt Fixes @@ -2315,6 +2315,10 @@ fi # ||----w | # || || %changelog +* Wed Feb 06 2013 Josh Boyer <jwboyer@redhat.com> - 3.8.0-0.rc6.git3.1 +- Linux v3.8-rc6-98-g1589a3e +- Add patch to honor MokSBState (rhbz 907406) + * Tue Feb 05 2013 Josh Boyer <jwboyer@redhat.com> - 3.8.0-0.rc6.git2.1 - Linux v3.8-rc6-62-gfe547d7 - Enable CONFIG_DRM_VMWGFX_FBCON (rhbz 907620) diff --git a/secure-boot-20130131.patch b/secure-boot-20130206.patch index c58f5997c..479bf2719 100644 --- a/secure-boot-20130131.patch +++ b/secure-boot-20130206.patch @@ -1329,3 +1329,61 @@ index 4ed81e7..b11a0f4 100644 -- 1.8.1 +From 04a46ceeb9eb2dca0364ce836614de722e988c81 Mon Sep 17 00:00:00 2001 +From: Josh Boyer <jwboyer@redhat.com> +Date: Tue, 5 Feb 2013 19:25:05 -0500 +Subject: [PATCH] efi: Disable secure boot if shim is in insecure mode + +A user can manually tell the shim boot loader to disable validation of +images it loads. When a user does this, it creates a UEFI variable called +MokSBState that does not have the runtime attribute set. Given that the +user explicitly disabled validation, we can honor that and not enable +secure boot mode if that variable is set. + +Signed-off-by: Josh Boyer <jwboyer@redhat.com> +--- + arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c +index 96bd86b..6e1331c 100644 +--- a/arch/x86/boot/compressed/eboot.c ++++ b/arch/x86/boot/compressed/eboot.c +@@ -851,8 +851,9 @@ fail: + + static int get_secure_boot(efi_system_table_t *_table) + { +- u8 sb, setup; ++ u8 sb, setup, moksbstate; + unsigned long datasize = sizeof(sb); ++ u32 attr; + efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; + efi_status_t status; + +@@ -876,6 +877,23 @@ static int get_secure_boot(efi_system_table_t *_table) + if (setup == 1) + return 0; + ++ /* See if a user has put shim into insecure_mode. If so, and the variable ++ * doesn't have the runtime attribute set, we might as well honor that. ++ */ ++ var_guid = EFI_SHIM_LOCK_GUID; ++ status = efi_call_phys5(sys_table->runtime->get_variable, ++ L"MokSBState", &var_guid, &attr, &datasize, ++ &moksbstate); ++ ++ /* If it fails, we don't care why. Default to secure */ ++ if (status != EFI_SUCCESS) ++ return 1; ++ ++ if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) { ++ if (moksbstate == 1) ++ return 0; ++ } ++ + return 1; + } + +-- +1.8.1 + @@ -1,3 +1,3 @@ 21223369d682bcf44bcdfe1521095983 linux-3.7.tar.xz 86fddbbbda8b9d7432ef479d055968e4 patch-3.8-rc6.xz -47c13c925f34642b05ed4524d62257ec patch-3.8-rc6-git2.xz +cf0916371135cca3495194b59f877b85 patch-3.8-rc6-git3.xz |