From: John S Gruber <JohnSGruber@gmail.com>
To: john.hubbard@gmail.com
Cc: "John S. Gruber" <JohnSGruber@gmail.com>,
	bp@alien8.de, hpa@zytor.com, jhubbard@nvidia.com,
	linux-kernel@vger.kernel.org, mingo@redhat.com,
	tglx@linutronix.de, x86@kernel.org, stable@vger.kernel.org
Subject: [PATCH V2] x86/boot: Fix regression--secure boot info loss from bootparam sanitizing
Date: Mon, 2 Sep 2019 00:00:54 +0200
Message-ID: <CAPotdmSPExAuQcy9iAHqX3js_fc4mMLQOTr5RBGvizyCOPcTQQ@mail.gmail.com>
In-Reply-To: <20190731054627.5627-2-jhubbard@nvidia.com>

From: "John S. Gruber" <JohnSGruber@gmail.com>

commit a90118c445cc ("x86/boot: Save fields explicitly, zero out everything
else") now zeros the secure boot information passed by the boot loader or
by the kernel's efi handover mechanism.  Include boot-params.secure_boot
in the preserve field list.

I noted a change in my computers between running signed 5.3-rc4 and 5.3-rc6
with signed kernels using the efi handoff protocol with grub. The kernel
log message "Secure boot enabled" becomes "Secure boot could not be
determined". The efi_main function in arch/x86/boot/compressed/eboot.c sets
this field early but it is subsequently zeroed by the above referenced
commit in the file arch/x86/include/asm/bootparam_utils.h

Fixes: commit a90118c445cc ("x86/boot: Save fields explicitly, zero
out everything else")
Signed-off-by: John S. Gruber <JohnSGruber@gmail.com>
---

Adjusted the patch for John Hubbard's comments.

 arch/x86/include/asm/bootparam_utils.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/x86/include/asm/bootparam_utils.h
b/arch/x86/include/asm/bootparam_utils.h
index 9e5f3c7..981fe92 100644
--- a/arch/x86/include/asm/bootparam_utils.h
+++ b/arch/x86/include/asm/bootparam_utils.h
@@ -70,6 +70,7 @@ static void sanitize_boot_params(struct boot_params
*boot_params)
 			BOOT_PARAM_PRESERVE(eddbuf_entries),
 			BOOT_PARAM_PRESERVE(edd_mbr_sig_buf_entries),
 			BOOT_PARAM_PRESERVE(edd_mbr_sig_buffer),
+			BOOT_PARAM_PRESERVE(secure_boot),
 			BOOT_PARAM_PRESERVE(hdr),
 			BOOT_PARAM_PRESERVE(e820_table),
 			BOOT_PARAM_PRESERVE(eddbuf),
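Review bot: The added BOOT_PARAM_PRESERVE(secure_boot) entry carries no comment saying who writes the field before sanitize_boot_params() runs, so nothing in the list itself tells a later editor why it must stay. Per the commit message it is set by the boot loader or by efi_main in arch/x86/boot/compressed/eboot.c, and dropping it only changed the log line from "Secure boot enabled" to "Secure boot could not be determined", with no other failure to flag the loss. Suggest a one-line comment above the entry naming the writer, and confirming in the same pass that no other boot_params field set by the EFI handover path is still absent from the list, since an allowlist silently zeroes every field it omits. The tag in the message would also normally read "Fixes: a90118c445cc (...)" on a single line, without the word "commit".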
-- 
2.7.4
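A simplified model of the allowlist sanitizing described in the commit message, as an added example that is not the kernel's code or part of the patch. `struct toy_params`, `sanitize()`, the `PRESERVE` macro and the `SB_*` values are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for struct boot_params; only the shape matters. */
struct toy_params {
    uint8_t  secure_boot;   /* written by an earlier boot stage */
    uint32_t hdr;
    uint8_t  stale[16];     /* models fields holding boot loader garbage */
};

struct preserve { size_t start, len; };
#define PRESERVE(m) { offsetof(struct toy_params, m), sizeof(((struct toy_params *)0)->m) }

enum { SB_UNSET = 0, SB_ENABLED = 3 };  /* constructed values for the model */

/* Allowlist sanitizer: copy listed fields into a zeroed scratch, then overwrite. */
static void sanitize(struct toy_params *p, const struct preserve *keep, size_t n)
{
    struct toy_params scratch;
    memset(&scratch, 0, sizeof(scratch));
    for (size_t i = 0; i < n; i++)
        memcpy((char *)&scratch + keep[i].start, (char *)p + keep[i].start, keep[i].len);
    memcpy(p, &scratch, sizeof(*p));
}

/* Returns the secure_boot value a later stage reads after sanitizing. */
static int secure_boot_after(int list_has_secure_boot)
{
    static const struct preserve before_fix[] = { PRESERVE(hdr) };
    static const struct preserve after_fix[]  = { PRESERVE(secure_boot), PRESERVE(hdr) };
    struct toy_params p;

    memset(&p, 0xAA, sizeof(p));   /* garbage everywhere, as sanitizing assumes */
    p.secure_boot = SB_ENABLED;    /* earlier stage recorded the real state */
    if (list_has_secure_boot)
        sanitize(&p, after_fix, sizeof(after_fix) / sizeof(after_fix[0]));
    else
        sanitize(&p, before_fix, sizeof(before_fix) / sizeof(before_fix[0]));
    return p.secure_boot;
}

int main(void)
{
    printf("omitted from list: %d\n", secure_boot_after(0));
    printf("listed:            %d\n", secure_boot_after(1));
    return 0;
}
```

The omitted field comes back as the "unset" value rather than an error, which is why the regression showed up only as a changed log message.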
