From: Aditya Garg <gargaditya08@live.com>
To: Matthew Garrett <mjg59@srcf.ucam.org>
Cc: Ard Biesheuvel <ardb@kernel.org>, Jeremy Kerr <jk@ozlabs.org>,
"joeyli.kernel@gmail.com" <joeyli.kernel@gmail.com>,
"zohar@linux.ibm.com" <zohar@linux.ibm.com>,
"jmorris@namei.org" <jmorris@namei.org>,
"eric.snowberg@oracle.com" <eric.snowberg@oracle.com>,
"dhowells@redhat.com" <dhowells@redhat.com>,
"jlee@suse.com" <jlee@suse.com>,
"James.Bottomley@hansenpartnership.com"
<James.Bottomley@HansenPartnership.com>,
"jarkko@kernel.org" <jarkko@kernel.org>,
"mic@digikod.net" <mic@digikod.net>,
"dmitry.kasatkin@gmail.com" <dmitry.kasatkin@gmail.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
"linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"stable@vger.kernel.org" <stable@vger.kernel.org>,
"keyrings@vger.kernel.org" <keyrings@vger.kernel.org>,
"linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>,
Orlando Chamberlain <redecorating@protonmail.com>,
Aun-Ali Zaidi <admin@kodeit.net>
Subject: Re: [PATCH] efi: Do not import certificates from UEFI Secure Boot for T2 Macs
Date: Wed, 9 Feb 2022 18:02:34 +0000 [thread overview]
Message-ID: <5A3C2EBF-13FF-4C37-B2A0-1533A818109F@live.com> (raw)
In-Reply-To: <20220209164957.GB12763@srcf.ucam.org>
> On 09-Feb-2022, at 10:19 PM, Matthew Garrett <mjg59@srcf.ucam.org> wrote:
>
> On Wed, Feb 09, 2022 at 02:27:51PM +0000, Aditya Garg wrote:
>> From: Aditya Garg <gargaditya08@live.com>
>>
>> On T2 Macs, the secure boot is handled by the T2 Chip. If enabled, only
>> macOS and Windows are allowed to boot on these machines. Thus we need to
>> disable secure boot for Linux. If we boot into Linux after disabling
>> secure boot, if CONFIG_LOAD_UEFI_KEYS is enabled, EFI Runtime services
>> fail to start, with the following logs in dmesg
>
> Which specific variable request is triggering the failure? Do any
> runtime variable accesses work on these machines?
Commit f5390cd0b43c2e54c7cf5506c7da4a37c5cef746 in Linus’ tree was also added to force EFI v1.1 on these machines, since v2.4, reported by them was causing kernel panics.
So, EFI 1.1 without import certificates seems to work and have been able to modify the variables, thus the remaining EFI variable accesses seem to work.
next prev parent reply other threads:[~2022-02-09 18:02 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-09 14:27 [PATCH] efi: Do not import certificates from UEFI Secure Boot for T2 Macs Aditya Garg
2022-02-09 15:39 ` David Laight
2022-02-10 10:43 ` Aditya Garg
2022-02-10 10:44 ` [PATCH v2] " Aditya Garg
2022-02-10 10:47 ` [PATCH v3] " Aditya Garg
2022-02-13 7:39 ` Lukas Wunner
2022-02-13 8:36 ` Aditya Garg
2022-02-23 13:49 ` Aditya Garg
2022-02-10 10:47 ` [PATCH v2] " Ard Biesheuvel
2022-02-10 10:53 ` Aditya Garg
2022-02-09 16:49 ` [PATCH] " Matthew Garrett
2022-02-09 18:02 ` Aditya Garg [this message]
2022-02-09 18:35 ` Matthew Garrett
2022-02-09 19:37 ` Matthew Garrett
2022-02-10 4:43 ` Aditya Garg
2022-02-10 5:49 ` Aditya Garg
2022-02-10 18:09 ` Matthew Garrett
2022-02-11 4:51 ` Aditya Garg
2022-02-11 16:28 ` Matthew Garrett
2022-02-12 5:53 ` Aditya Garg
2022-02-12 19:42 ` Matthew Garrett
2022-02-13 8:22 ` Aditya Garg
2022-02-13 21:33 ` Matthew Garrett
2022-02-14 0:33 ` Aditya Garg
2022-02-10 5:54 ` Aditya Garg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5A3C2EBF-13FF-4C37-B2A0-1533A818109F@live.com \
--to=gargaditya08@live.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=admin@kodeit.net \
--cc=ardb@kernel.org \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=eric.snowberg@oracle.com \
--cc=jarkko@kernel.org \
--cc=jk@ozlabs.org \
--cc=jlee@suse.com \
--cc=jmorris@namei.org \
--cc=joeyli.kernel@gmail.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=mjg59@srcf.ucam.org \
--cc=redecorating@protonmail.com \
--cc=stable@vger.kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.