rpms/kernel
9
2
Fork 4
Code Issues Pull Requests Releases Activity

Linux v3.8-rc6-98-g1589a3e

Browse Source 
- Add patch to honor MokSBState (rhbz 907406)
This commit is contained in:
Josh Boyer 2013-02-06 09:22:56 -05:00
parent f6882f7b83
commit b342019593
3 changed files with 66 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
kernel.spec
View File

@ -95,7 +95,7 @@ Summary: The Linux kernel
# The rc snapshot level # The rc snapshot level
%define rcrev 6 %define rcrev 6
# The git snapshot level # The git snapshot level
%define gitrev 2 %define gitrev 3
# Set rpm version accordingly # Set rpm version accordingly
%define rpmversion 3.%{upstream_sublevel}.0 %define rpmversion 3.%{upstream_sublevel}.0
%endif %endif
@ -669,7 +669,7 @@ Patch800: crash-driver.patch
# crypto/ # crypto/
# secure boot # secure boot
Patch1000: secure-boot-20130131.patch Patch1000: secure-boot-20130206.patch
# virt + ksm patches # virt + ksm patches
@ -1387,7 +1387,7 @@ ApplyPatch crash-driver.patch
# crypto/ # crypto/
# secure boot # secure boot
ApplyPatch secure-boot-20130131.patch ApplyPatch secure-boot-20130206.patch
# Assorted Virt Fixes # Assorted Virt Fixes
@ -2315,6 +2315,10 @@ fi
# ||----w | # ||----w |
# || || # || ||
%changelog %changelog
* Wed Feb 06 2013 Josh Boyer <jwboyer@redhat.com> - 3.8.0-0.rc6.git3.1
- Linux v3.8-rc6-98-g1589a3e
- Add patch to honor MokSBState (rhbz 907406)
* Tue Feb 05 2013 Josh Boyer <jwboyer@redhat.com> - 3.8.0-0.rc6.git2.1 * Tue Feb 05 2013 Josh Boyer <jwboyer@redhat.com> - 3.8.0-0.rc6.git2.1
- Linux v3.8-rc6-62-gfe547d7 - Linux v3.8-rc6-62-gfe547d7
- Enable CONFIG_DRM_VMWGFX_FBCON (rhbz 907620) - Enable CONFIG_DRM_VMWGFX_FBCON (rhbz 907620)

58
secure-boot-20130131.patch → secure-boot-20130206.patch
View File

@ -1329,3 +1329,61 @@ index 4ed81e7..b11a0f4 100644
-- --
1.8.1 1.8.1
From 04a46ceeb9eb2dca0364ce836614de722e988c81 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Tue, 5 Feb 2013 19:25:05 -0500
Subject: [PATCH] efi: Disable secure boot if shim is in insecure mode
A user can manually tell the shim boot loader to disable validation of
images it loads. When a user does this, it creates a UEFI variable called
MokSBState that does not have the runtime attribute set. Given that the
user explicitly disabled validation, we can honor that and not enable
secure boot mode if that variable is set.
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
---
arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
index 96bd86b..6e1331c 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -851,8 +851,9 @@ fail:
static int get_secure_boot(efi_system_table_t *_table)
{
- u8 sb, setup;
+ u8 sb, setup, moksbstate;
unsigned long datasize = sizeof(sb);
+ u32 attr;
efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
efi_status_t status;
@@ -876,6 +877,23 @@ static int get_secure_boot(efi_system_table_t *_table)
if (setup == 1)
return 0;
+ /* See if a user has put shim into insecure_mode. If so, and the variable
+ * doesn't have the runtime attribute set, we might as well honor that.
+ */
+ var_guid = EFI_SHIM_LOCK_GUID;
+ status = efi_call_phys5(sys_table->runtime->get_variable,
+ L"MokSBState", &var_guid, &attr, &datasize,
+ &moksbstate);
+
+ /* If it fails, we don't care why. Default to secure */
+ if (status != EFI_SUCCESS)
+ return 1;
+
+ if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
+ if (moksbstate == 1)
+ return 0;
+ }
+
return 1;
}
--
1.8.1

2
sources
View File

@ -1,3 +1,3 @@
21223369d682bcf44bcdfe1521095983 linux-3.7.tar.xz 21223369d682bcf44bcdfe1521095983 linux-3.7.tar.xz
86fddbbbda8b9d7432ef479d055968e4 patch-3.8-rc6.xz 86fddbbbda8b9d7432ef479d055968e4 patch-3.8-rc6.xz
47c13c925f34642b05ed4524d62257ec patch-3.8-rc6-git2.xz cf0916371135cca3495194b59f877b85 patch-3.8-rc6-git3.xz