From: Egor Ignatov
To: devel-kernel@lists.altlinux.org
Date: Wed, 20 May 2026 15:29:01 +0300
Subject: Re: [d-kernel] [PATCH 5/6] efi: determine and pass Secure Boot state via FDT
Message-ID: <1514a3d7-e479-4b6c-9073-f1022fd8834b@altlinux.org>
References: <20260506173722.1012394-1-egori@altlinux.org> <20260506173722.1012394-6-egori@altlinux.org>

On 5/9/26 3:28 AM, Vitaly Chikunov wrote:
> On Wed, May 06, 2026 at 08:37:21PM +0300, Egor Ignatov wrote:
>> From: Linn Crosetto
>>
>> Determine the state of UEFI Secure Boot in the EFI stub on platforms
>> that use FDT-based EFI parameter passing (ARM, arm64, RISC-V), and
>
> It seems we don't have pesign for arm - so why do we need a patch for arm?

We will.

>> forward it to the kernel through a new "linux,uefi-secure-boot" FDT
>> property. The early init path then calls efi_set_secure_boot(), which
>> on kernels with CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT triggers kernel
>> lockdown — analogous to how x86 already does it via boot_params.
>>
>> Based on the Debian patch
>> "arm64-add-kernel-config-option-to-lock-down-when-in-Secure-Boot-mode.patch"
>> by Linn Crosetto. The original subject incorrectly implied an arm64-only
>> change; the patch in fact only touches generic drivers/firmware/efi/ code
>> that is shared by all FDT-based EFI architectures (ARM, arm64, RISC-V).
>> Re-titled and re-described accordingly; the code is unchanged.
>>
>> Original commit message:
>>
>> arm64: add kernel config option to lock down when in Secure Boot mode
>> Add a kernel configuration option to lock down the kernel, to restrict
>> userspace's ability to modify the running kernel when UEFI Secure Boot
>> is enabled. Based on the x86 patch by Matthew Garrett.
>> Determine the state of Secure Boot in the EFI stub and pass this to the
>> kernel using the FDT.
>>
>> Signed-off-by: Linn Crosetto
>>
>> Signed-off-by: Linn Crosetto
>> [egori: re-titled and rewrote commit message; no code changes]
>> Signed-off-by: Egor Ignatov
>
> SUSE and Fedora don't have this patch - why do we need it? Is it mandatory for
> shim?

Yes, lockdown in Secure Boot mode is mandatory. An alternative implementation is in
- Fedora: https://gitlab.com/cki-project/kernel-ark/-/commit/49294493d19cb66026abc13aa53c834a8b66bd93
- SUSE: https://github.com/SUSE/kernel-source/blob/master/patches.suse/arm64-lock-down-kernel-in-secure-boot-mode.patch

>> --- >> drivers/firmware/efi/efi-init.c | 5 ++++- >> drivers/firmware/efi/fdtparams.c | 12 +++++++++++- >> drivers/firmware/efi/libstub/fdt.c | 6 ++++++ >> include/linux/efi.h | 3 ++- >> 4 files changed, 23 insertions(+), 3 deletions(-) >> >> diff --git a/drivers/firmware/efi/efi-init.c b/drivers/firmware/efi/efi-init.c >> index 6103b1a082..dea8d67c71 100644 >> --- a/drivers/firmware/efi/efi-init.c >> +++ b/drivers/firmware/efi/efi-init.c >> @@ -234,9 +234,10 @@ void __init efi_init(void) >> { >> struct efi_memory_map_data data; >> u64 efi_system_table; >> + u32 secure_boot; >> >> /* Grab UEFI information placed in FDT by stub */ >> - efi_system_table = efi_get_fdt_params(&data); >> + efi_system_table = efi_get_fdt_params(&data, &secure_boot); >> if (!efi_system_table) >> return; >> >> @@ -258,6 +259,8 @@ void __init efi_init(void) >> return; >> } >> >> + efi_set_secure_boot(secure_boot); >> + >> reserve_regions(); >> /* >> * For memblock manipulation, the cap should come after the memblock_add(). >> diff --git a/drivers/firmware/efi/fdtparams.c b/drivers/firmware/efi/fdtparams.c >> index b815d2a754..6f05b73c14 100644 >> --- a/drivers/firmware/efi/fdtparams.c >> +++ b/drivers/firmware/efi/fdtparams.c >> @@ -16,6 +16,7 @@ enum { >> MMSIZE, >> DCSIZE, >> DCVERS, >> + SBMODE, >> >> PARAMCOUNT >> }; >> @@ -26,6 +27,7 @@ static __initconst const char name[][22] = { >> [MMSIZE] = "MemMap Size ", >> [DCSIZE] = "MemMap Desc. Size ", >> [DCVERS] = "MemMap Desc. Version ", >> + [SBMODE] = "Secure Boot Enabled ", >> }; >> >> static __initconst const struct {
>> @@ -43,6 +45,7 @@ static __initconst const struct { >> [MMSIZE] = "xen,uefi-mmap-size", >> [DCSIZE] = "xen,uefi-mmap-desc-size", >> [DCVERS] = "xen,uefi-mmap-desc-ver", >> + [SBMODE] = "", >> } >> }, { >> #endif >> @@ -53,6 +56,7 @@ static __initconst const struct { >> [MMSIZE] = "linux,uefi-mmap-size", >> [DCSIZE] = "linux,uefi-mmap-desc-size", >> [DCVERS] = "linux,uefi-mmap-desc-ver", >> + [SBMODE] = "linux,uefi-secure-boot", >> } >> } >> }; >> @@ -64,6 +68,11 @@ static int __init efi_get_fdt_prop(const void *fdt, int node, const char *pname, >> int len; >> u64 val; >> >> + if (!pname[0]) { >> + memset(var, 0, size); >> + return 0; >> + } >> + >> prop = fdt_getprop(fdt, node, pname, &len); >> if (!prop) >> return 1; >> @@ -81,7 +90,7 @@ static int __init efi_get_fdt_prop(const void *fdt, int node, const char *pname, >> return 0; >> } >> >> -u64 __init efi_get_fdt_params(struct efi_memory_map_data *mm) >> +u64 __init efi_get_fdt_params(struct efi_memory_map_data *mm, u32 *secure_boot) >> { >> const void *fdt = initial_boot_params; >> unsigned long systab; >> @@ -95,6 +104,7 @@ u64 __init efi_get_fdt_params(struct efi_memory_map_data *mm) >> [MMSIZE] = { &mm->size, sizeof(mm->size) }, >> [DCSIZE] = { &mm->desc_size, sizeof(mm->desc_size) }, >> [DCVERS] = { &mm->desc_version, sizeof(mm->desc_version) }, >> + [SBMODE] = { secure_boot, sizeof(*secure_boot) }, >> }; >> >> BUILD_BUG_ON(ARRAY_SIZE(target) != ARRAY_SIZE(name)); >> diff --git a/drivers/firmware/efi/libstub/fdt.c b/drivers/firmware/efi/libstub/fdt.c >> index 6a337f1f87..6c679da644 100644 >> --- a/drivers/firmware/efi/libstub/fdt.c >> +++ b/drivers/firmware/efi/libstub/fdt.c 
>> @@ -132,6 +132,12 @@ static efi_status_t update_fdt(void *orig_fdt, unsigned long orig_fdt_size, >> } >> } >> >> + fdt_val32 = cpu_to_fdt32(efi_get_secureboot()); >> + status = fdt_setprop(fdt, node, "linux,uefi-secure-boot", >> + &fdt_val32, sizeof(fdt_val32)); >> + if (status) >> + goto fdt_set_fail; >> + >> /* Shrink the FDT back to its minimum size: */ >> fdt_pack(fdt); >> >> diff --git a/include/linux/efi.h b/include/linux/efi.h >> index 4419ae4eae..d3d4533468 100644 >> --- a/include/linux/efi.h >> +++ b/include/linux/efi.h >> @@ -758,7 +758,8 @@ extern int efi_mem_desc_lookup(u64 phys_addr, efi_memory_desc_t *out_md); >> extern int __efi_mem_desc_lookup(u64 phys_addr, efi_memory_desc_t *out_md); >> extern void efi_mem_reserve(phys_addr_t addr, u64 size); >> extern int efi_mem_reserve_persistent(phys_addr_t addr, u64 size); >> -extern u64 efi_get_fdt_params(struct efi_memory_map_data *data); >> +extern u64 efi_get_fdt_params(struct efi_memory_map_data *data, >> + u32 *secure_boot); >> extern struct kobject *efi_kobj; >> >> extern int efi_reboot_quirk_mode; >> -- >> 2.50.1

-- 
Egor Ignatov
ALT Linux Team
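Review bot: in the efi_init() hunk, `u32 secure_boot;` is left uninitialised and is only safe because every path that reaches `efi_set_secure_boot(secure_boot);` has first passed a successful efi_get_fdt_params(); initialising it to 0 (the same value the Xen branch memsets into it) costs nothing and keeps any future early return inside efi_get_fdt_params() from feeding stack garbage into the lockdown decision.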
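Review bot: the `if (!pname[0])` early-out added to efi_get_fdt_prop() only covers the Xen table, where `[SBMODE] = ""`; on the Linux table a device tree that lacks linux,uefi-secure-boot still takes the existing `return 1` path, exactly like a missing memory-map property. Because the property is only emitted by a stub that carries the libstub/fdt.c change, the commit message should state what efi_get_fdt_params() does in that case and the code should make the outcome deliberate: either the missing property is a hard failure (and then an older stub, or a boot loader that assembles the FDT itself, silently loses EFI support in the kernel), or it is tolerated by zeroing `*secure_boot` the way the Xen branch does, so that efi_set_secure_boot() receives an explicit "unset" value and can log it rather than the kernel guessing.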
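Review bot: the value stored by `fdt_val32 = cpu_to_fdt32(efi_get_secureboot());` is whatever mode value the stub's efi_get_secureboot() returns, not a boolean, yet the debug label added to name[] reads `"Secure Boot Enabled "` and the property name linux,uefi-secure-boot also suggests a yes/no flag; please rename the label to something like "Secure Boot Mode" and, since the diffstat touches no Documentation/ file, add the new property and its value encoding to the document that already lists the other linux,uefi-* chosen-node properties, because a boot loader or a future reader of the FDT otherwise has no contract for what a non-zero value means.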