x86/boot: Preserve boot_params.secure_boot from sanitizing [Linux 4.14.143]

This Linux kernel change "x86/boot: Preserve boot_params.secure_boot from sanitizing" is included in the Linux 4.14.143 release. This change is authored by John S. Gruber <JohnSGruber [at] gmail.com> on Mon Sep 2 00:00:54 2019 +0200. The commit for this change in Linux stable tree is 7342208 (patch) which is from upstream commit 29d9a0b. The same Linux upstream change may have been applied to various maintained Linux releases and you can find all Linux releases containing changes from upstream 29d9a0b.

x86/boot: Preserve boot_params.secure_boot from sanitizing

commit 29d9a0b50736768f042752070e5cdf4e4d4c00df upstream.

Commit

  a90118c445cc ("x86/boot: Save fields explicitly, zero out everything else")

now zeroes the secure boot setting information (enabled/disabled/...)
passed by the boot loader or by the kernel's EFI handover mechanism.

The problem manifests itself with signed kernels using the EFI handoff
protocol with grub and the kernel loses the information whether secure
boot is enabled in the firmware, i.e., the log message "Secure boot
enabled" becomes "Secure boot could not be determined".

efi_main() arch/x86/boot/compressed/eboot.c sets this field early but it
is subsequently zeroed by the above referenced commit.

Include boot_params.secure_boot in the preserve field list.

 [ bp: restructure commit message and massage. ]

Fixes: a90118c445cc ("x86/boot: Save fields explicitly, zero out everything else")
Signed-off-by: John S. Gruber <JohnSGruber@gmail.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: John Hubbard <jhubbard@nvidia.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Mark Brown <broonie@kernel.org>
Cc: stable <stable@vger.kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: x86-ml <x86@kernel.org>
Link: https://lkml.kernel.org/r/CAPotdmSPExAuQcy9iAHqX3js_fc4mMLQOTr5RBGvizyCOPcTQQ@mail.gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

There is one line of Linux source code added/deleted in this change. Code changes to Linux kernel are as follows.

 arch/x86/include/asm/bootparam_utils.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/x86/include/asm/bootparam_utils.h b/arch/x86/include/asm/bootparam_utils.h
index d3983fd..8fa49cf 100644
--- a/arch/x86/include/asm/bootparam_utils.h
+++ b/arch/x86/include/asm/bootparam_utils.h
@@ -71,6 +71,7 @@ static void sanitize_boot_params(struct boot_params *boot_params)
            BOOT_PARAM_PRESERVE(eddbuf_entries),
            BOOT_PARAM_PRESERVE(edd_mbr_sig_buf_entries),
            BOOT_PARAM_PRESERVE(edd_mbr_sig_buffer),
+           BOOT_PARAM_PRESERVE(secure_boot),
            BOOT_PARAM_PRESERVE(hdr),
            BOOT_PARAM_PRESERVE(e820_table),
            BOOT_PARAM_PRESERVE(eddbuf),

Leave a Reply

Your email address will not be published. Required fields are marked *