linux-efi.vger.kernel.org archive mirror
* [GIT PULL] efi: Pass secure boot mode to kernel
@ 2016-12-08 11:45 David Howells
       [not found] ` <4561.1481197517-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
       [not found] ` <20161208115652.GE5462-mF/unelCI9GS6iBeEJttW/XRex20P6io@public.gmane.org>
  0 siblings, 2 replies; 5+ messages in thread
From: David Howells @ 2016-12-08 11:45 UTC (permalink / raw)
  To: matt-mF/unelCI9GS6iBeEJttW/XRex20P6io,
	ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A
  Cc: linux-efi-u79uwXL29TY76Z2rM5mHXA,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	dhowells-H+wXaHxf7aLQT0dZR+AlfA,
	linux-security-module-u79uwXL29TY76Z2rM5mHXA,
	keyrings-u79uwXL29TY76Z2rM5mHXA,
	linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r

Hi Matt, Ard,

Is it too late to request this for the upcoming merge window?  Also, I've made
Lukas's requested changes and reposted just that patch in my reply to him.  Do
you want me to repost the lot?

Here's a set of patches that can determine the secure boot state of the
UEFI BIOS and pass that along to the main kernel image.  This involves
generalising ARM's efi_get_secureboot() function and making it mixed-mode
safe.

Changes:

 Ver 6:
  - Removed unnecessary variable init and trimmed comment.
  - Return efi_secureboot_mode_disabled directly rather than going to a
    place that just returns it.
  - Switched the last two patches.

 Ver 5:
  - Fix i386 compilation error (rsi should've been changed to esi).
  - Fix arm64 compilation error ('sys_table_arg' is a hidden macro parameter).

 Ver 4:
  - Use an enum to tell the kernel whether secure boot mode is enabled,
    disabled, couldn't be determined or wasn't even tried due to not being
    in EFI mode.
  - Support the UEFI-2.6 DeployedMode flag.
  - Don't clear boot_params->secure_boot in x86 sanitize_boot_params().
  - Preclear the boot_params->secure_boot on x86 head_*.S entry if we may
    not go through efi_main().

David
---
The following changes since commit 018edcfac4c3b140366ad51b0907f3becb5bb624:

  efi/libstub: Make efi_random_alloc() allocate below 4 GB on 32-bit (2016-11-25 07:15:23 +0100)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git tags/efi-secure-boot-20161208

for you to fetch changes up to e71dd6bffca41faf7b4458c230e5c3d3c2b16d3e:

  efi: Add EFI_SECURE_BOOT bit (2016-12-08 08:19:04 +0000)

----------------------------------------------------------------
EFI secure boot

----------------------------------------------------------------
Ard Biesheuvel (1):
      efi: use typed function pointers for runtime services table

David Howells (5):
      x86/efi: Allow invocation of arbitrary runtime services
      arm/efi: Allow invocation of arbitrary runtime services
      efi: Add SHIM and image security database GUID definitions
      efi: Get the secure boot status
      efi: Handle secure boot from UEFI-2.6

Josh Boyer (2):
      efi: Disable secure boot if shim is in insecure mode
      efi: Add EFI_SECURE_BOOT bit

 Documentation/x86/zero-page.txt           |  2 +
 arch/arm/include/asm/efi.h                |  1 +
 arch/arm64/include/asm/efi.h              |  1 +
 arch/x86/boot/compressed/eboot.c          |  3 +
 arch/x86/boot/compressed/head_32.S        |  7 ++-
 arch/x86/boot/compressed/head_64.S        |  9 +--
 arch/x86/include/asm/bootparam_utils.h    |  5 +-
 arch/x86/include/asm/efi.h                |  5 ++
 arch/x86/include/uapi/asm/bootparam.h     |  3 +-
 arch/x86/kernel/asm-offsets.c             |  1 +
 arch/x86/kernel/setup.c                   | 15 +++++
 drivers/firmware/efi/libstub/Makefile     |  2 +-
 drivers/firmware/efi/libstub/arm-stub.c   | 63 ++------------------
 drivers/firmware/efi/libstub/secureboot.c | 99 +++++++++++++++++++++++++++++++
 include/linux/efi.h                       | 52 ++++++++++------
 15 files changed, 182 insertions(+), 86 deletions(-)
 create mode 100644 drivers/firmware/efi/libstub/secureboot.c

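Added example, not code from this patch series: a C sketch of how the four-state result described in the Ver 4 changelog can be derived from the SecureBoot, SetupMode, DeployedMode and shim MokSBState values. The struct types, `classify()` and the exact decision rules (in particular treating DeployedMode == 0 as disabled) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Four outcomes from the Ver 4 changelog; identifier names are assumed. */
enum efi_secureboot_mode {
	efi_secureboot_mode_unset,	/* not in EFI mode, never tried */
	efi_secureboot_mode_unknown,	/* could not be determined */
	efi_secureboot_mode_disabled,
	efi_secureboot_mode_enabled,
};

/* Hypothetical result of one variable read; not a kernel type. */
struct var_read { bool ok; uint8_t val; bool runtime_access; };

struct fw_state {	/* hypothetical, constructed for this sketch */
	bool efi_boot, uefi_2_6;
	struct var_read secure_boot, setup_mode, deployed_mode, mok_sb_state;
};

enum efi_secureboot_mode classify(const struct fw_state *s)
{
	if (!s->efi_boot)
		return efi_secureboot_mode_unset;
	if (!s->secure_boot.ok || !s->setup_mode.ok)
		return efi_secureboot_mode_unknown;
	if (s->secure_boot.val == 0 || s->setup_mode.val == 1)
		return efi_secureboot_mode_disabled;
	if (s->uefi_2_6) {	/* assumed rule: DeployedMode must read 1 */
		if (!s->deployed_mode.ok)
			return efi_secureboot_mode_unknown;
		if (s->deployed_mode.val == 0)
			return efi_secureboot_mode_disabled;
	}
	/* shim: MokSBState == 1 means validation was turned off. A copy with
	 * runtime access could have been created by the OS, so ignore it. */
	if (s->mok_sb_state.ok && !s->mok_sb_state.runtime_access &&
	    s->mok_sb_state.val == 1)
		return efi_secureboot_mode_disabled;
	return efi_secureboot_mode_enabled;
}

int main(void)
{
	/* Constructed sample: firmware enforcing, shim validation off. */
	struct fw_state s = { .efi_boot = true, .secure_boot = { true, 1, false },
		.setup_mode = { true, 0, false }, .mok_sb_state = { true, 1, false } };
	printf("mode = %d\n", classify(&s));
}
```

Keeping "unknown" distinct from "disabled" lets a consumer of the value choose its own policy when a variable read fails instead of silently treating the failure as either state.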

* Re: [GIT PULL] efi: Pass secure boot mode to kernel
       [not found] ` <4561.1481197517-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
@ 2016-12-08 11:56   ` Matt Fleming
  0 siblings, 0 replies; 5+ messages in thread
From: Matt Fleming @ 2016-12-08 11:56 UTC (permalink / raw)
  To: David Howells
  Cc: ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A,
	linux-efi-u79uwXL29TY76Z2rM5mHXA,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	linux-security-module-u79uwXL29TY76Z2rM5mHXA,
	keyrings-u79uwXL29TY76Z2rM5mHXA,
	linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r

On Thu, 08 Dec, at 11:45:17AM, David Howells wrote:
> Hi Matt, Ard,
> 
> Is it too late to request this for the upcoming merge window?

For something as non-trivial as this, yes, it's too late. We generally
close the EFI tree window for new features around -rc5 time.

> Also, I've made
> Lukas's requested changes and reposted just that patch in my reply to him.  Do
> you want me to repost the lot?
 
Please do, yeah.


* Re: [GIT PULL] efi: Pass secure boot mode to kernel
       [not found] ` <20161208115652.GE5462-mF/unelCI9GS6iBeEJttW/XRex20P6io@public.gmane.org>
@ 2017-01-05 14:41   ` David Howells
  2017-01-09 10:15     ` Matt Fleming
  2017-01-09 10:40     ` David Howells
  0 siblings, 2 replies; 5+ messages in thread
From: David Howells @ 2017-01-05 14:41 UTC (permalink / raw)
  To: Matt Fleming
  Cc: dhowells-H+wXaHxf7aLQT0dZR+AlfA,
	ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A,
	linux-efi-u79uwXL29TY76Z2rM5mHXA,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	linux-security-module-u79uwXL29TY76Z2rM5mHXA,
	keyrings-u79uwXL29TY76Z2rM5mHXA,
	linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r

Matt Fleming <matt-mF/unelCI9GS6iBeEJttW/XRex20P6io@public.gmane.org> wrote:

> > Is it too late to request this for the upcoming merge window?
> 
> For something as non-trivial as this, yes, it's too late. We generally
> close the EFI tree window for new features around -rc5 time.

Can I request that it be pulled now?  Are you going to update efi/core?

Thanks,
David


* Re: [GIT PULL] efi: Pass secure boot mode to kernel
  2017-01-05 14:41   ` David Howells
@ 2017-01-09 10:15     ` Matt Fleming
  2017-01-09 10:40     ` David Howells
  1 sibling, 0 replies; 5+ messages in thread
From: Matt Fleming @ 2017-01-09 10:15 UTC (permalink / raw)
  To: David Howells
  Cc: linux-efi, ard.biesheuvel, linux-kernel, linux-security-module,
	keyrings, linux-arm-kernel

On Thu, 05 Jan, at 02:41:09PM, David Howells wrote:
> Matt Fleming <matt@codeblueprint.co.uk> wrote:
> 
> > > Is it too late to request this for the upcoming merge window?
> > 
> > For something as non-trivial as this, yes, it's too late. We generally
> > close the EFI tree window for new features around -rc5 time.
> 
> Can I request that it be pulled now?  Are you going to update efi/core?

Sorry for the delay David. I've just returned from annual leave and
I'll take a look at this series this week.


* Re: [GIT PULL] efi: Pass secure boot mode to kernel
  2017-01-05 14:41   ` David Howells
  2017-01-09 10:15     ` Matt Fleming
@ 2017-01-09 10:40     ` David Howells
  1 sibling, 0 replies; 5+ messages in thread
From: David Howells @ 2017-01-09 10:40 UTC (permalink / raw)
  To: Matt Fleming
  Cc: linux-efi, ard.biesheuvel, linux-kernel, dhowells,
	linux-security-module, keyrings, linux-arm-kernel

Matt Fleming <matt@codeblueprint.co.uk> wrote:

> > Can I request that it be pulled now?  Are you going to update efi/core?
> 
> Sorry for the delay David. I've just returned from annual leave and
> I'll take a look at this series this week.

That's okay, thanks!

David
