Re: [PATCH] efi: Do not import certificates from UEFI Secure Boot for T2 Macs

From: Aditya Garg
Date: Wed Feb 09 2022 - 13:02:50 EST

Next message: Jason A. Donenfeld: "[PATCH v2] random: make more consistent use of integer types"
Previous message: pr-tracker-bot: "Re: [GIT PULL] Crypto Fixes for 5.17"
In reply to: Matthew Garrett: "Re: [PATCH] efi: Do not import certificates from UEFI Secure Boot for T2 Macs"
Next in thread: Matthew Garrett: "Re: [PATCH] efi: Do not import certificates from UEFI Secure Boot for T2 Macs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> On 09-Feb-2022, at 10:19 PM, Matthew Garrett <mjg59@xxxxxxxxxxxxx> wrote:
>
> On Wed, Feb 09, 2022 at 02:27:51PM +0000, Aditya Garg wrote:
>> From: Aditya Garg <gargaditya08@xxxxxxxx>
>>
>> On T2 Macs, the secure boot is handled by the T2 Chip. If enabled, only
>> macOS and Windows are allowed to boot on these machines. Thus we need to
>> disable secure boot for Linux. If we boot into Linux after disabling
>> secure boot, if CONFIG_LOAD_UEFI_KEYS is enabled, EFI Runtime services
>> fail to start, with the following logs in dmesg
>
> Which specific variable request is triggering the failure? Do any
> runtime variable accesses work on these machines?
Commit f5390cd0b43c2e54c7cf5506c7da4a37c5cef746 in Linus’ tree was also added to force EFI v1.1 on these machines, since v2.4, reported by them was causing kernel panics.

So, EFI 1.1 without import certificates seems to work and have been able to modify the variables, thus the remaining EFI variable accesses seem to work.

Next message: Jason A. Donenfeld: "[PATCH v2] random: make more consistent use of integer types"
Previous message: pr-tracker-bot: "Re: [GIT PULL] Crypto Fixes for 5.17"
In reply to: Matthew Garrett: "Re: [PATCH] efi: Do not import certificates from UEFI Secure Boot for T2 Macs"
Next in thread: Matthew Garrett: "Re: [PATCH] efi: Do not import certificates from UEFI Secure Boot for T2 Macs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]