From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: David Howells <dhowells@redhat.com>
Cc: Matt Fleming <matt@codeblueprint.co.uk>,
"linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
linux-security-module <linux-security-module@vger.kernel.org>,
keyrings@vger.kernel.org,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>
Subject: Re: [PATCH 0/7] efi: Pass secure boot mode to kernel [ver #7]
Date: Tue, 31 Jan 2017 16:45:13 +0000 [thread overview]
Message-ID: <CAKv+Gu9cTtmV+9-kWSzvFui7KHxrG6MsUfz0VET=714m2cGhbQ@mail.gmail.com> (raw)
In-Reply-To: <148587558696.4026.16034622623568539004.stgit@warthog.procyon.org.uk>
Hello David,
On 31 January 2017 at 15:13, David Howells <dhowells@redhat.com> wrote:
>
> Here's a set of patches that can determine the secure boot state of the
> UEFI BIOS and pass that along to the main kernel image. This involves
> generalising ARM's efi_get_secureboot() function and making it mixed-mode
> safe.
>
Could you please resend with the [ver #7] removed from the subject
lines? It is a bit tedious to have to manually modify each patch when
applying.
Thanks,
Ard.
> Changes:
>
> Ver 7:
>
> - Rebased on efi/next.
> - Remove the EFI_SECURE_BOOT flag bit and defer it for later. Don't
> - Preclear boot_params->secure_boot and don't clear it in
> sanitize_boot_params()[*]
> - Don't probe for the secure-boot mode if the boot loader gives us this
> mode (ie. if boot_params->secure_boot is non-zero).
>
> [*] There's a bug in grub2 whereby it copies too much, sets the sentinel
> byte and triggers the sanitisation.
>
> Ver 6:
>
> - Removed unnecessary variable init and trimmed comment.
> - Return efi_secureboot_mode_disabled directly rather than going to a
> place that just returns it.
> - Switched the last two patches.
>
> Ver 5:
>
> - Fix i386 compilation error (rsi should've been changed to esi).
> - Fix arm64 compilation error ('sys_table_arg' is a hidden macro parameter).
>
> Ver 4:
>
> - Use an enum to tell the kernel whether secure boot mode is enabled,
> disabled, couldn't be determined or wasn't even tried due to not being
> in EFI mode.
> - Support the UEFI-2.6 DeployedMode flag.
> - Don't clear boot_params->secure_boot in x86 sanitize_boot_params().
> - Preclear the boot_params->secure_boot on x86 head_*.S entry if we may
> not go through efi_main().
>
> The patches can be found here also:
>
> http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=efi-secure-boot
>
> at tag:
>
> efi-secure-boot-20170131
>
> David
> ---
> David Howells (6):
> x86/efi: Allow invocation of arbitrary runtime services
> arm/efi: Allow invocation of arbitrary runtime services
> efi: Add SHIM and image security database GUID definitions
> efi: Get the secure boot status
> efi: Handle secure boot from UEFI-2.6
> efi: Print the secure boot status in x86 setup_arch()
>
> Josh Boyer (1):
> efi: Disable secure boot if shim is in insecure mode
>
>
> Documentation/x86/zero-page.txt | 2 +
> arch/arm/include/asm/efi.h | 1
> arch/arm64/include/asm/efi.h | 1
> arch/x86/boot/compressed/eboot.c | 7 ++
> arch/x86/boot/compressed/head_32.S | 6 +-
> arch/x86/boot/compressed/head_64.S | 8 +-
> arch/x86/include/asm/efi.h | 5 +
> arch/x86/include/uapi/asm/bootparam.h | 3 +
> arch/x86/kernel/asm-offsets.c | 1
> arch/x86/kernel/setup.c | 14 ++++
> drivers/firmware/efi/libstub/Makefile | 2 -
> drivers/firmware/efi/libstub/arm-stub.c | 63 ++----------------
> drivers/firmware/efi/libstub/secureboot.c | 99 +++++++++++++++++++++++++++++
> include/linux/efi.h | 15 ++++
> 14 files changed, 161 insertions(+), 66 deletions(-)
> create mode 100644 drivers/firmware/efi/libstub/secureboot.c
>
next prev parent reply other threads:[~2017-01-31 16:45 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-31 15:13 [PATCH 0/7] efi: Pass secure boot mode to kernel [ver #7] David Howells
2017-01-31 15:13 ` [PATCH 1/7] x86/efi: Allow invocation of arbitrary runtime services " David Howells
2017-01-31 15:13 ` [PATCH 2/7] arm/efi: " David Howells
2017-01-31 15:13 ` [PATCH 3/7] efi: Add SHIM and image security database GUID definitions " David Howells
2017-01-31 15:13 ` [PATCH 4/7] efi: Get the secure boot status " David Howells
2017-01-31 17:37 ` kbuild test robot
2017-01-31 18:04 ` kbuild test robot
2017-02-02 21:34 ` Matt Fleming
2017-01-31 15:13 ` [PATCH 5/7] efi: Disable secure boot if shim is in insecure mode " David Howells
2017-01-31 15:14 ` [PATCH 6/7] efi: Handle secure boot from UEFI-2.6 " David Howells
2017-01-31 18:19 ` Ard Biesheuvel
2017-01-31 18:59 ` David Howells
2017-02-01 10:15 ` Ard Biesheuvel
2017-02-01 12:33 ` David Howells
2017-02-01 14:44 ` Ard Biesheuvel
2017-02-01 15:00 ` David Howells
2017-02-01 15:02 ` Ard Biesheuvel
2017-02-02 21:36 ` Matt Fleming
2017-02-02 21:45 ` Ard Biesheuvel
2017-02-01 10:02 ` David Howells
2017-01-31 15:14 ` [PATCH 7/7] efi: Print the secure boot status in x86 setup_arch() " David Howells
2017-02-03 16:07 ` Ard Biesheuvel
2017-02-03 16:21 ` David Howells
2017-02-03 16:23 ` Ard Biesheuvel
2017-02-03 16:27 ` David Howells
2017-02-03 16:29 ` David Howells
2017-02-03 16:29 ` Ard Biesheuvel
2017-02-03 17:00 ` Ard Biesheuvel
2017-02-03 17:19 ` David Howells
2017-01-31 16:45 ` Ard Biesheuvel [this message]
2017-01-31 17:04 ` [PATCH 0/7] efi: Pass secure boot mode to kernel " David Howells
2017-01-31 18:20 ` Ard Biesheuvel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAKv+Gu9cTtmV+9-kWSzvFui7KHxrG6MsUfz0VET=714m2cGhbQ@mail.gmail.com' \
--to=ard.biesheuvel@linaro.org \
--cc=dhowells@redhat.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matt@codeblueprint.co.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).