forked from rpms/kernel
		
	Gracefully bail out of secureboot when EFI runtime is disabled
- Fix for aarch64 boot regression (rhbz 1384701)
parent 0d1e2dc5eb
commit 9472421366
				@ -0,0 +1,47 @@
From 23339319c91c79986976381d4cea75f6608dee68 Mon Sep 17 00:00:00 2001
From: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Date: Mon, 17 Oct 2016 15:18:48 +0100
Subject: [PATCH] arm64: kernel: numa: fix ACPI boot cpu numa node mapping
			
Commit 7ba5f605f3a0 ("arm64/numa: remove the limitation that cpu0 must
bind to node0") removed the numa cpu<->node mapping restriction whereby
logical cpu 0 always corresponds to numa node 0; removing the
restriction was correct, in that it does not really exist in practice
but the commit only updated the early mapping of logical cpu 0 to its
real numa node for the DT boot path, missing the ACPI one, leading to
boot failures on ACPI systems with numa enabled owing to missing
node<->cpu map for logical cpu 0.
			
Fix the issue by updating the ACPI boot path with code that carries out
the early cpu<->node mapping also for the boot cpu (ie cpu 0), mirroring
what is currently done in the DT boot path.
			
Fixes: 7ba5f605f3a0 ("arm64/numa: remove the limitation that cpu0 must bind to node0")
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Reported-by: Laszlo Ersek <lersek@redhat.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Hanjun Guo <hanjun.guo@linaro.org>
Cc: Andrew Jones <drjones@redhat.com>
Cc: Zhen Lei <thunder.leizhen@huawei.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
---
 arch/arm64/kernel/smp.c | 1 +
 1 file changed, 1 insertion(+)
			
diff --git a/arch/arm64/kernel/smp.c b/arch/arm64/kernel/smp.c
index d3f151c..8507703 100644
--- a/arch/arm64/kernel/smp.c
+++ b/arch/arm64/kernel/smp.c
@@ -544,6 +544,7 @@ acpi_map_gic_cpu_interface(struct acpi_madt_generic_interrupt *processor)
 			return;
 		}
 		bootcpu_valid = true;
+		early_map_cpu_to_node(0, acpi_numa_get_nid(0, hwid));
 		return;
 	}
 
-- 
2.7.4
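Review bot: the added call in acpi_map_gic_cpu_interface() passes the return value of acpi_numa_get_nid(0, hwid) straight into early_map_cpu_to_node(), with no check visible in this hunk. Please state in the commit message or in a one-line comment which node the boot cpu ends up on when firmware supplies no node for this hwid, since the commit message says a missing node<->cpu map for logical cpu 0 is what caused the boot failures. The literal 0 appears twice on that line; a short comment that it is the logical boot cpu, mirroring the DT boot path, would make the intent clear.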
							
								
								
									
32  MODSIGN-Don-t-try-secure-boot-if-EFI-runtime-is-disa.patch  Normal file
							@ -0,0 +1,32 @@
From 71db1b222ecdf6cb4356f6f1e2bd45cd2f0e85e1 Mon Sep 17 00:00:00 2001
From: Laura Abbott <labbott@redhat.com>
Date: Tue, 18 Oct 2016 13:58:44 -0700
Subject: [PATCH] MODSIGN: Don't try secure boot if EFI runtime is disabled
			
Secure boot depends on having EFI runtime variable access. The code
does not handle a lack of runtime variables gracefully. Add a check
to just bail out of EFI runtime is disabled.
			
Signed-off-by: Laura Abbott <labbott@redhat.com>
---
 kernel/modsign_uefi.c | 4 ++++
 1 file changed, 4 insertions(+)
			
diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
index a41da14..2bdaf76 100644
--- a/kernel/modsign_uefi.c
+++ b/kernel/modsign_uefi.c
@@ -71,6 +71,10 @@ static int __init load_uefi_certs(void)
 	if (!efi_enabled(EFI_SECURE_BOOT))
 		return 0;
 
+	/* Things blow up if efi runtime is disabled */
+	if (efi_runtime_disabled())
+		return 0;
+
 	keyring = get_system_keyring();
 	if (!keyring) {
 		pr_err("MODSIGN: Couldn't get system keyring\n");
-- 
2.7.4
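Review bot: the new efi_runtime_disabled() check in load_uefi_certs() returns 0 silently, so a system with EFI_SECURE_BOOT set and EFI runtime disabled skips the rest of this function with no log line. An administrator cannot tell from the kernel log that the UEFI certificates were not loaded; a pr_info or pr_warn before the return, in the same "MODSIGN: " style as the existing pr_err, would record it. The comment "Things blow up" should say what fails; the commit message already gives the reason (no EFI runtime variable access). The commit message also has a typo: "bail out of EFI runtime is disabled" should read "if".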
			
@ -595,6 +595,8 @@ Patch502: firmware-Drop-WARN-from-usermodehelper_read_trylock-.patch
			
Patch508: kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
			
Patch509: MODSIGN-Don-t-try-secure-boot-if-EFI-runtime-is-disa.patch
			
#CVE-2016-3134 rhbz 1317383 1317384
Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
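Review bot: Patch509 is listed without a comment line, while the next entry in this hunk carries one ("#CVE-2016-3134 rhbz 1317383 1317384"). The patch changes what load_uefi_certs() does under Secure Boot and its header carries no bug or upstream reference, so a comment above Patch509 stating the bug it addresses and whether it has been sent upstream would help whoever next rebases this list.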
			
@ -604,6 +606,9 @@ Patch848: 0001-cpupower-Correct-return-type-of-cpu_power_is_cpu_onl.patch
#ongoing complaint, full discussion delayed until ksummit/plumbers
Patch849: 0001-iio-Use-event-header-from-kernel-tree.patch
			
#rhbz 1384701
Patch850: 0001-arm64-kernel-numa-fix-ACPI-boot-cpu-numa-node-mappin.patch
			
# END OF PATCH DEFINITIONS
			
%endif
@ -2142,6 +2147,10 @@ fi
#
#
%changelog
* Tue Oct 18 2016 Laura Abbott <labbott@redhat.com>
- Gracefully bail out of secureboot when EFI runtime is disabled
- Fix for aarch64 boot regression (rhbz 1384701)
			
* Tue Oct 18 2016 Peter Robinson <pbrobinson@fedoraproject.org>
- Disable ACPI_CPPC_CPUFREQ on aarch64
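Review bot: the changelog line "Gracefully bail out of secureboot when EFI runtime is disabled" can be read as Secure Boot itself being turned off. What the patch does is return early from load_uefi_certs(), so wording such as "Skip loading UEFI certs for MODSIGN when EFI runtime is disabled" would be more accurate. This entry also has no rhbz reference, while the aarch64 entry below it does.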