Re: [PATCH V2 10/10] Add option to automatically enforce module signatureswhen in Secure Boot mode
From: H. Peter Anvin
Date: Fri Aug 30 2013 - 16:46:47 EST
On 08/29/2013 11:37 AM, Josh Boyer wrote:
>> setup_efi_pci(boot_params);
>> diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
>> index c15ddaf..d35da96 100644
>> --- a/arch/x86/include/uapi/asm/bootparam.h
>> +++ b/arch/x86/include/uapi/asm/bootparam.h
>> @@ -131,7 +131,8 @@ struct boot_params {
>> __u8 eddbuf_entries; /* 0x1e9 */
>> __u8 edd_mbr_sig_buf_entries; /* 0x1ea */
>> __u8 kbd_status; /* 0x1eb */
>> - __u8 _pad5[3]; /* 0x1ec */
>> + __u8 secure_boot; /* 0x1ec */
>> + __u8 _pad5[2]; /* 0x1ec */
>> /*
>> * The sentinel is set to a nonzero value (0xff) in header.S.
>> *
>
> You need to include the following chunk of code with this, otherwise the
> secure_boot variable gets cleared.
>
Not really.
There are three cases:
1. Boot stub only. Here we do the right thing with the bootparams.
2. Boot loader bypasses the boot stub completely. Here we MUST NOT do
what you suggest above.
3. Boot stub with a boot_params structure passed in. Here we should
run sanitize_boot_params() (an inline for a reason) in the boot
stub, before we set the secure_boot field. Once that is done, we
again don't need that modification.
-hpa
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/