From: John S Gruber <JohnSGruber@gmail.com>
To: john.hubbard@gmail.com
Cc: "John S. Gruber" <JohnSGruber@gmail.com>,
bp@alien8.de, hpa@zytor.com, jhubbard@nvidia.com,
linux-kernel@vger.kernel.org, mingo@redhat.com,
tglx@linutronix.de, x86@kernel.org, stable@vger.kernel.org
Subject: [PATCH V2] x86/boot: Fix regression--secure boot info loss from bootparam sanitizing
Date: Mon, 2 Sep 2019 00:00:54 +0200 [thread overview]
Message-ID: <CAPotdmSPExAuQcy9iAHqX3js_fc4mMLQOTr5RBGvizyCOPcTQQ@mail.gmail.com> (raw)
In-Reply-To: <20190731054627.5627-2-jhubbard@nvidia.com>
From: "John S. Gruber" <JohnSGruber@gmail.com>
commit a90118c445cc ("x86/boot: Save fields explicitly, zero out everything
else") now zeros the secure boot information passed by the boot loader or
by the kernel's efi handover mechanism. Include boot-params.secure_boot
in the preserve field list.
I noted a change in my computers between running signed 5.3-rc4 and 5.3-rc6
with signed kernels using the efi handoff protocol with grub. The kernel
log message "Secure boot enabled" becomes "Secure boot could not be
determined". The efi_main function in arch/x86/boot/compressed/eboot.c sets
this field early but it is subsequently zeroed by the above referenced
commit in the file arch/x86/include/asm/bootparam_utils.h
Fixes: commit a90118c445cc ("x86/boot: Save fields explicitly, zero
out everything else")
Signed-off-by: John S. Gruber <JohnSGruber@gmail.com>
---
Adjusted the patch for John Hubbard's comments.
arch/x86/include/asm/bootparam_utils.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/x86/include/asm/bootparam_utils.h
b/arch/x86/include/asm/bootparam_utils.h
index 9e5f3c7..981fe92 100644
--- a/arch/x86/include/asm/bootparam_utils.h
+++ b/arch/x86/include/asm/bootparam_utils.h
@@ -70,6 +70,7 @@ static void sanitize_boot_params(struct boot_params
*boot_params)
BOOT_PARAM_PRESERVE(eddbuf_entries),
BOOT_PARAM_PRESERVE(edd_mbr_sig_buf_entries),
BOOT_PARAM_PRESERVE(edd_mbr_sig_buffer),
+ BOOT_PARAM_PRESERVE(secure_boot),
BOOT_PARAM_PRESERVE(hdr),
BOOT_PARAM_PRESERVE(e820_table),
BOOT_PARAM_PRESERVE(eddbuf),
--
2.7.4
next prev parent reply other threads:[~2019-09-01 22:00 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-31 5:46 [PATCH v2 0/1] x86/boot: save fields explicitly, zero out everything else john.hubbard
2019-07-31 5:46 ` [PATCH v2] " john.hubbard
2019-08-07 11:41 ` David Laight
2019-08-07 19:43 ` John Hubbard
2019-08-07 13:19 ` [tip:x86/boot] x86/boot: Save " tip-bot for John Hubbard
2019-08-07 13:28 ` tip-bot for John Hubbard
2019-08-10 7:40 ` [PATCH v2] x86/boot: save " Chris Clayton
2019-08-16 12:25 ` [tip:x86/urgent] x86/boot: Save " tip-bot for John Hubbard
2019-09-01 15:38 ` [PATCH] x86/boot: Fix regression--secure boot info loss from bootparam sanitizing John S Gruber
2019-09-01 18:36 ` John Hubbard
2019-09-01 22:00 ` John S Gruber [this message]
2019-09-02 7:23 ` [PATCH V2] " Borislav Petkov
2019-09-02 8:17 ` [tip: x86/urgent] x86/boot: Preserve boot_params.secure_boot from sanitizing tip-bot2 for John S. Gruber
2019-08-05 20:28 ` [PATCH v2 0/1] x86/boot: save fields explicitly, zero out everything else John Hubbard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAPotdmSPExAuQcy9iAHqX3js_fc4mMLQOTr5RBGvizyCOPcTQQ@mail.gmail.com \
--to=johnsgruber@gmail.com \
--cc=bp@alien8.de \
--cc=hpa@zytor.com \
--cc=jhubbard@nvidia.com \
--cc=john.hubbard@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).