On Fri, Aug 7, 2015 at 3:41 AM, Dave Young <dyoung(a)redhat.com> wrote:
Kexec reboot in case secure boot enabled does not keep the secure
boot mode
in new kernel, so later one can load unsigned kernel via legacy kexec_load.
Hm. Wasn't there code being written so that one could disable legacy
kexec and only have kexec_file? Perhaps that is queued for 4.3. I'm
wondering if as a general security measure we want to only have
kexec_file available in Fedora when that is possible.
I will add this patch regardless of that, but it seems like a good
question to answer. Thanks!
josh
Adding a patch to fix this by retain the secure_boot flag in original
kernel.
Signed-off-by: Dave Young <dyoung(a)redhat.com>
---
kernel.spec | 2 ++
...uefi-copy-secure_boot-flag-in-boot-params.patch | 30 ++++++++++++++++++++++
2 files changed, 32 insertions(+)
create mode 100644 kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
diff --git a/kernel.spec b/kernel.spec
index e91ef9d..469a2a2 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -587,6 +587,8 @@ Patch505:
0001-dm-fix-dm_merge_bvec-regression-on-32-bit-systems.patch
#rhbz 1244511
Patch507: HID-chicony-Add-support-for-Acer-Aspire-Switch-12.patch
+Patch508: kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
+
Patch904: kdbus.patch
# END OF PATCH DEFINITIONS
diff --git a/kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
b/kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
new file mode 100644
index 0000000..e239ea9
--- /dev/null
+++ b/kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
@@ -0,0 +1,30 @@
+From: Dave Young <dyoung(a)redhat.com>
+
+[PATCH] kexec/uefi: copy secure_boot flag in boot params across kexec reboot
+
+Kexec reboot in case secure boot being enabled does not keep the secure boot
+mode in new kernel, so later one can load unsigned kernel via legacy kexec_load.
+In this state, the system is missing the protections provided by secure boot.
+
+Adding a patch to fix this by retain the secure_boot flag in original kernel.
+
+secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the stub.
+Fixing this issue by copying secure_boot flag across kexec reboot.
+
+Signed-off-by: Dave Young <dyoung(a)redhat.com>
+---
+ arch/x86/kernel/kexec-bzimage64.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
+index 9642b9b..0539ec7 100644
+--- a/arch/x86/kernel/kexec-bzimage64.c
++++ b/arch/x86/kernel/kexec-bzimage64.c
+@@ -178,6 +178,7 @@ setup_efi_state(struct boot_params *params, unsigned long
params_load_addr,
+ if (efi_enabled(EFI_OLD_MEMMAP))
+ return 0;
+
++ params->secure_boot = boot_params.secure_boot;
+ ei->efi_loader_signature = current_ei->efi_loader_signature;
+ ei->efi_systab = current_ei->efi_systab;
+ ei->efi_systab_hi = current_ei->efi_systab_hi;
--
1.8.3.1
_______________________________________________
kernel mailing list
kernel(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/kernel