EFI fixes (take #2)
- Use the right variable to check for shim insecure mode - Wipe setup_data field when booting via EFI - Add missing error check to efibc driver -----BEGIN PGP SIGNATURE----- iQGzBAABCgAdFiEE+9lifEBpyUIVN1cpw08iOZLZjyQFAmMsbqYACgkQw08iOZLZ jyROTAwAoKK2463ZJb6H4JAPf3NWWy5lTiJE5GnQpf75soJENNJGQil2d2RBKDEs v8aBK6RleMTltmNesy7DNEHCi1It5zWNEPUIuo3AfteSHqeAZaebtfZ0JInatdGo umw3XriYxIG0XTr6SWktjzQvOrouT/+HqSLE/FdOHjFW3l2WXpWeqrZ69QRirrYL /tWVAwT5b8Y3Ds7lma4ivm8BZYEHVFdzHDUfZYh+YW13tRw23c93TNUF9vl9Pa83 My9ncQIB9UqDZ6KVze/7tQ9BG5WatRgDJb+QlLaBSXX5191qfouj1mW7waoJ+Gs9 ptQGBWGuOsGj9/85ixh+o9xjZrDq6sZksWI+pcbnJK7zQIrh2wBZI0xIaX79ekOM wUtavQ1QezuKntg7kZFgutMnUrqtCbEbQ9RL5JsbndQ8PkZH5v5XygwzBc/6h0pj ZgD3CQ04sDvy/UHhIARHDKzNCQldXjUyEVpAWwGlkPqTDqyPthtluzZ53kZbh+HX o+/rXcw8 =Earg -----END PGP SIGNATURE----- Merge tag 'efi-urgent-for-v6.0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi Pull EFI fixes from Ard Biesheuvel: - Use the right variable to check for shim insecure mode - Wipe setup_data field when booting via EFI - Add missing error check to efibc driver * tag 'efi-urgent-for-v6.0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi: efi: libstub: check Shim mode using MokSBStateRT efi: x86: Wipe setup_data on pure EFI boot efi: efibc: Guard against allocation failure
This commit is contained in:
commit
129e715218
@ -48,6 +48,9 @@ static int efibc_reboot_notifier_call(struct notifier_block *notifier,
|
||||
return NOTIFY_DONE;
|
||||
|
||||
wdata = kmalloc(MAX_DATA_LEN * sizeof(efi_char16_t), GFP_KERNEL);
|
||||
if (!wdata)
|
||||
return NOTIFY_DONE;
|
||||
|
||||
for (l = 0; l < MAX_DATA_LEN - 1 && str[l] != '\0'; l++)
|
||||
wdata[l] = str[l];
|
||||
wdata[l] = L'\0';
|
||||
|
@ -14,7 +14,7 @@
|
||||
|
||||
/* SHIM variables */
|
||||
static const efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID;
|
||||
static const efi_char16_t shim_MokSBState_name[] = L"MokSBState";
|
||||
static const efi_char16_t shim_MokSBState_name[] = L"MokSBStateRT";
|
||||
|
||||
static efi_status_t get_var(efi_char16_t *name, efi_guid_t *vendor, u32 *attr,
|
||||
unsigned long *data_size, void *data)
|
||||
@ -43,8 +43,8 @@ enum efi_secureboot_mode efi_get_secureboot(void)
|
||||
|
||||
/*
|
||||
* See if a user has put the shim into insecure mode. If so, and if the
|
||||
* variable doesn't have the runtime attribute set, we might as well
|
||||
* honor that.
|
||||
* variable doesn't have the non-volatile attribute set, we might as
|
||||
* well honor that.
|
||||
*/
|
||||
size = sizeof(moksbstate);
|
||||
status = get_efi_var(shim_MokSBState_name, &shim_guid,
|
||||
@ -53,7 +53,7 @@ enum efi_secureboot_mode efi_get_secureboot(void)
|
||||
/* If it fails, we don't care why. Default to secure */
|
||||
if (status != EFI_SUCCESS)
|
||||
goto secure_boot_enabled;
|
||||
if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS) && moksbstate == 1)
|
||||
if (!(attr & EFI_VARIABLE_NON_VOLATILE) && moksbstate == 1)
|
||||
return efi_secureboot_mode_disabled;
|
||||
|
||||
secure_boot_enabled:
|
||||
|
@ -516,6 +516,13 @@ efi_status_t __efiapi efi_pe_entry(efi_handle_t handle,
|
||||
hdr->ramdisk_image = 0;
|
||||
hdr->ramdisk_size = 0;
|
||||
|
||||
/*
|
||||
* Disregard any setup data that was provided by the bootloader:
|
||||
* setup_data could be pointing anywhere, and we have no way of
|
||||
* authenticating or validating the payload.
|
||||
*/
|
||||
hdr->setup_data = 0;
|
||||
|
||||
efi_stub_entry(handle, sys_table_arg, boot_params);
|
||||
/* not reached */
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user