kexec/uefi: copy secure boot flag in boot params across kexec reboot
Kexec reboot in case secure boot is enabled does not keep the secure boot mode in the new kernel, so later one can load an unsigned kernel via legacy kexec_load. Adding a patch to fix this by retaining the secure_boot flag in the original kernel.

Signed-off-by: Dave Young <dyoung@redhat.com>
parent 2d19b299b6
commit eca4cec9a5
				| @ -587,6 +587,8 @@ Patch505: 0001-dm-fix-dm_merge_bvec-regression-on-32-bit-systems.patch | ||||
| #rhbz 1244511 | ||||
| Patch507: HID-chicony-Add-support-for-Acer-Aspire-Switch-12.patch | ||||
| 
 | ||||
| Patch508: kexec-uefi-copy-secure_boot-flag-in-boot-params.patch | ||||
| 
 | ||||
| Patch904: kdbus.patch | ||||
| 
 | ||||
| # END OF PATCH DEFINITIONS | ||||
|  | ||||
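Review bot: Patch508 is added to the patch definitions with no comment above it, while Patch507 directly before it carries a "#rhbz 1244511" line. Since this patch changes whether Secure Boot state survives a kexec reboot, add a comment line above Patch508 giving the bug reference or the upstream submission status, so the patch can be tracked and dropped once it lands upstream.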
							
								
								
									
kexec-uefi-copy-secure_boot-flag-in-boot-params.patch (Normal file, 30 lines)
							| @ -0,0 +1,30 @@ | ||||
| From: Dave Young <dyoung@redhat.com> | ||||
| 
 | ||||
| [PATCH] kexec/uefi: copy secure_boot flag in boot params across kexec reboot | ||||
| 
 | ||||
| Kexec reboot in case secure boot being enabled does not keep the secure boot | ||||
| mode in new kernel, so later one can load unsigned kernel via legacy kexec_load. | ||||
| In this state, the system is missing the protections provided by secure boot. | ||||
| 
 | ||||
| Adding a patch to fix this by retain the secure_boot flag in original kernel. | ||||
| 
 | ||||
| secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the stub. | ||||
| Fixing this issue by copying secure_boot flag across kexec reboot. | ||||
| 
 | ||||
| Signed-off-by: Dave Young <dyoung@redhat.com> | ||||
| ---
 | ||||
|  arch/x86/kernel/kexec-bzimage64.c | 1 + | ||||
|  1 file changed, 1 insertion(+) | ||||
| 
 | ||||
| diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
 | ||||
| index 9642b9b..0539ec7 100644
 | ||||
| --- a/arch/x86/kernel/kexec-bzimage64.c
 | ||||
| +++ b/arch/x86/kernel/kexec-bzimage64.c
 | ||||
| @@ -178,6 +178,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
 | ||||
|  	if (efi_enabled(EFI_OLD_MEMMAP)) | ||||
|  		return 0; | ||||
|   | ||||
| +	params->secure_boot = boot_params.secure_boot;
 | ||||
|  	ei->efi_loader_signature = current_ei->efi_loader_signature; | ||||
|  	ei->efi_systab = current_ei->efi_systab; | ||||
|  	ei->efi_systab_hi = current_ei->efi_systab_hi; | ||||
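Review bot: In the setup_efi_state hunk, the added assignment "params->secure_boot = boot_params.secure_boot;" sits after the "if (efi_enabled(EFI_OLD_MEMMAP)) return 0;" early return, so on that path the function returns before the flag is copied into the new kernel's boot params. If the goal stated in the description is that the flag is always retained across a kexec reboot, move the assignment above that check (or out of the EFI-specific setup), or state in the description why the old-memmap path does not need it.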