#
847c5336 |
|
25-Jan-2022 |
Eric Snowberg <eric.snowberg@oracle.com> |
efi/mokvar: move up init order Move up the init order so it can be used by the new machine keyring. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
|
#
47e1e233 |
|
20-Jul-2021 |
Borislav Petkov <bp@suse.de> |
efi/mokvar: Reserve the table only if it is in boot services data One of the SUSE QA tests triggered: localhost kernel: efi: Failed to lookup EFI memory descriptor for 0x000000003dcf8000 which comes from x86's version of efi_arch_mem_reserve() trying to reserve a memory region. Usually, that function expects EFI_BOOT_SERVICES_DATA memory descriptors but the above case is for the MOKvar table which is allocated in the EFI shim as runtime services. That lead to a fix changing the allocation of that table to boot services. However, that fix broke booting SEV guests with that shim leading to this kernel fix 8d651ee9c71b ("x86/ioremap: Map EFI-reserved memory as encrypted for SEV") which extended the ioremap hint to map reserved EFI boot services as decrypted too. However, all that wasn't needed, IMO, because that error message in efi_arch_mem_reserve() was innocuous in this case - if the MOKvar table is not in boot services, then it doesn't need to be reserved in the first place because it is, well, in runtime services which *should* be reserved anyway. So do that reservation for the MOKvar table only if it is allocated in boot services data. I couldn't find any requirement about where that table should be allocated in, unlike the ESRT which allocation is mandated to be done in boot services data by the UEFI spec. Signed-off-by: Borislav Petkov <bp@suse.de> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
|
#
cc383a9e |
|
02-Oct-2020 |
Ard Biesheuvel <ardb@kernel.org> |
efi: mokvar: add missing include of asm/early_ioremap.h Nathan reports that building the new mokvar table code for 32-bit ARM fails with errors such as error: implicit declaration of function 'early_memunmap' error: implicit declaration of function 'early_memremap' This is caused by the lack of an explicit #include of the appropriate header, and ARM apparently does not inherit that inclusion via another header file. So add the #include. Tested-by: Nathan Chancellor <natechancellor@gmail.com> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
|
#
b89114cd |
|
24-Sep-2020 |
Ard Biesheuvel <ardb@kernel.org> |
efi: mokvar-table: fix some issues in new code Fix a couple of issues in the new mokvar-table handling code, as pointed out by Arvind and Boris: - don't bother checking the end of the physical region against the start address of the mokvar table, - ensure that we enter the loop with err = -EINVAL, - replace size_t with unsigned long to appease pedantic type equality checks. Reviewed-by: Arvind Sankar <nivedita@alum.mit.edu> Reviewed-by: Lenny Szubowicz <lszubowi@redhat.com> Tested-by: Borislav Petkov <bp@suse.de> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
|
#
58c90902 |
|
04-Sep-2020 |
Lenny Szubowicz <lszubowi@redhat.com> |
efi: Support for MOK variable config table Because of system-specific EFI firmware limitations, EFI volatile variables may not be capable of holding the required contents of the Machine Owner Key (MOK) certificate store when the certificate list grows above some size. Therefore, an EFI boot loader may pass the MOK certs via a EFI configuration table created specifically for this purpose to avoid this firmware limitation. An EFI configuration table is a much more primitive mechanism compared to EFI variables and is well suited for one-way passage of static information from a pre-OS environment to the kernel. This patch adds initial kernel support to recognize, parse, and validate the EFI MOK configuration table, where named entries contain the same data that would otherwise be provided in similarly named EFI variables. Additionally, this patch creates a sysfs binary file for each EFI MOK configuration table entry found. These files are read-only to root and are provided for use by user space utilities such as mokutil. A subsequent patch will load MOK certs into the trusted platform key ring using this infrastructure. Signed-off-by: Lenny Szubowicz <lszubowi@redhat.com> Link: https://lore.kernel.org/r/20200905013107.10457-2-lszubowi@redhat.com Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
|