Re: [PATCH v5] efi: Do not import certificates from UEFI Secure Boot for T2 Macs

From: Mimi Zohar
Date: Thu Apr 14 2022 - 10:13:08 EST


On Wed, 2022-04-13 at 14:04 +0000, Aditya Garg wrote:
> From: Aditya Garg <gargaditya08@xxxxxxxx>
>
> On Apple T2 Macs, when Linux reads the db and dbx efi variables to load
> UEFI Secure Boot certificates, a page fault occurs in Apple firmware
> code and EFI services are disabled with the following logs:
>
> Call Trace:
> <TASK>
> page_fault_oops+0x4f/0x2c0
> ? search_bpf_extables+0x6b/0x80
> ? search_module_extables+0x50/0x80
> ? search_exception_tables+0x5b/0x60
> kernelmode_fixup_or_oops+0x9e/0x110
> __bad_area_nosemaphore+0x155/0x190
> bad_area_nosemaphore+0x16/0x20
> do_kern_addr_fault+0x8c/0xa0
> exc_page_fault+0xd8/0x180
> asm_exc_page_fault+0x1e/0x30
> (Removed some logs from here)
> ? __efi_call+0x28/0x30
> ? switch_mm+0x20/0x30
> ? efi_call_rts+0x19a/0x8e0
> ? process_one_work+0x222/0x3f0
> ? worker_thread+0x4a/0x3d0
> ? kthread+0x17a/0x1a0
> ? process_one_work+0x3f0/0x3f0
> ? set_kthread_struct+0x40/0x40
> ? ret_from_fork+0x22/0x30
> </TASK>
> ---[ end trace 1f82023595a5927f ]---
> efi: Froze efi_rts_wq and disabled EFI Runtime Services
> integrity: Couldn't get size: 0x8000000000000015
> integrity: MODSIGN: Couldn't get UEFI db list
> efi: EFI Runtime Services are disabled!
> integrity: Couldn't get size: 0x8000000000000015
> integrity: Couldn't get UEFI dbx list
> integrity: Couldn't get size: 0x8000000000000015
> integrity: Couldn't get mokx list
> integrity: Couldn't get size: 0x80000000
>
> This also occurs when some other variables are read (see examples below,
> there are many more), but only when these variables are read at an early
> stage like db and dbx are to load UEFI certs.
>
> BridgeOSBootSessionUUID-4d1ede05-38c7-4a6a-9cc6-4bcca8b38c14
> KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
>
> On these Macs, we skip reading the EFI variables for the UEFI certificates.
> As a result without certificates, secure boot signature verification fails.
> As these Macs have a non-standard implementation of secure boot that only
> uses Apple's and Microsoft's keys (users can't add their own), securely
> booting Linux was never supported on this hardware, so skipping it
> shouldn't cause a regression.

Based on your explanation, there seems to be two issues - inability to
read EFI variables, "users can't add their own" keys. Neither of which
mean "a non-standard implementation of secure boot". Please fix the
"cause" and "affect" in the patch description and comments.

thanks,

Mimi