mirror of
https://github.com/raspberrypi/linux.git
synced 2026-01-02 07:43:34 +00:00
commit 155ca952c7 upstream.
On Apple T2 Macs, when Linux attempts to read the db and dbx efi variables
at early boot to load UEFI Secure Boot certificates, a page fault occurs
in Apple firmware code and EFI runtime services are disabled with the
following logs:
[Firmware Bug]: Page fault caused by firmware at PA: 0xffffb1edc0068000
WARNING: CPU: 3 PID: 104 at arch/x86/platform/efi/quirks.c:735 efi_crash_gracefully_on_page_fault+0x50/0xf0
(Removed some logs from here)
Call Trace:
<TASK>
page_fault_oops+0x4f/0x2c0
? search_bpf_extables+0x6b/0x80
? search_module_extables+0x50/0x80
? search_exception_tables+0x5b/0x60
kernelmode_fixup_or_oops+0x9e/0x110
__bad_area_nosemaphore+0x155/0x190
bad_area_nosemaphore+0x16/0x20
do_kern_addr_fault+0x8c/0xa0
exc_page_fault+0xd8/0x180
asm_exc_page_fault+0x1e/0x30
(Removed some logs from here)
? __efi_call+0x28/0x30
? switch_mm+0x20/0x30
? efi_call_rts+0x19a/0x8e0
? process_one_work+0x222/0x3f0
? worker_thread+0x4a/0x3d0
? kthread+0x17a/0x1a0
? process_one_work+0x3f0/0x3f0
? set_kthread_struct+0x40/0x40
? ret_from_fork+0x22/0x30
</TASK>
---[ end trace 1f82023595a5927f ]---
efi: Froze efi_rts_wq and disabled EFI Runtime Services
integrity: Couldn't get size: 0x8000000000000015
integrity: MODSIGN: Couldn't get UEFI db list
efi: EFI Runtime Services are disabled!
integrity: Couldn't get size: 0x8000000000000015
integrity: Couldn't get UEFI dbx list
integrity: Couldn't get size: 0x8000000000000015
integrity: Couldn't get mokx list
integrity: Couldn't get size: 0x80000000
So we avoid reading these UEFI variables and thus prevent the crash.
Cc: stable@vger.kernel.org
Signed-off-by: Aditya Garg <gargaditya08@live.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
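The log excerpt in the commit message above can be checked for mechanically when triaging boot logs. The following is an added example, not part of the commit or the kernel tree: a Python function that reports which signature lists failed to load and decodes the status word. The names `triage` and `decode_efi_status` are hypothetical, and it assumes 64-bit EFI status words in which code 21 is EFI_ABORTED.

```python
import re

# Assumption: 64-bit EFI status words, error flag in bit 63, code in the low bits.
EFI_ERROR_BIT = 1 << 63
EFI_STATUS_NAMES = {21: "EFI_ABORTED"}  # value from the UEFI specification

SIZE_RE = re.compile(r"integrity: Couldn't get size: (0x[0-9a-fA-F]+)")
LIST_RE = re.compile(r"integrity: (?:MODSIGN: )?Couldn't get (?:UEFI )?(\w+) list")

# Sample input: complete lines copied from the log excerpt on this page.
SAMPLE_LOG = """\
[Firmware Bug]: Page fault caused by firmware at PA: 0xffffb1edc0068000
efi: Froze efi_rts_wq and disabled EFI Runtime Services
integrity: Couldn't get size: 0x8000000000000015
integrity: MODSIGN: Couldn't get UEFI db list
efi: EFI Runtime Services are disabled!
integrity: Couldn't get size: 0x8000000000000015
integrity: Couldn't get UEFI dbx list
integrity: Couldn't get size: 0x8000000000000015
integrity: Couldn't get mokx list
""".splitlines()

def decode_efi_status(value):
    if not value & EFI_ERROR_BIT:
        return "not-an-error(0x%x)" % value
    code = value & ~EFI_ERROR_BIT
    return EFI_STATUS_NAMES.get(code, "error(%d)" % code)

def triage(lines):
    """Summarise which signature lists the kernel failed to load, and why."""
    report = {"firmware_fault": False, "runtime_disabled": False,
              "missing_lists": [], "statuses": set()}
    for line in lines:
        if "[Firmware Bug]: Page fault caused by firmware" in line:
            report["firmware_fault"] = True
        if "EFI Runtime Services" in line and "disabled" in line:
            report["runtime_disabled"] = True
        size = SIZE_RE.search(line)
        if size:
            report["statuses"].add(decode_efi_status(int(size.group(1), 16)))
        missing = LIST_RE.search(line)
        if missing and missing.group(1) not in report["missing_lists"]:
            report["missing_lists"].append(missing.group(1))
    # Without dbx the kernel has no firmware revocation entries to blacklist.
    report["dbx_revocations_missing"] = "dbx" in report["missing_lists"]
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```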
41 lines
995 B
C
/* SPDX-License-Identifier: GPL-2.0 */

#ifndef PLATFORM_CERTS_INTERNAL_H
#define PLATFORM_CERTS_INTERNAL_H

#include <linux/efi.h>

void blacklist_hash(const char *source, const void *data,
		    size_t len, const char *type,
		    size_t type_len);

/*
 * Blacklist an X509 TBS hash.
 */
void blacklist_x509_tbs(const char *source, const void *data, size_t len);

/*
 * Blacklist the hash of an executable.
 */
void blacklist_binary(const char *source, const void *data, size_t len);

/*
 * Return the handler for particular signature list types found in the db.
 */
efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type);

/*
 * Return the handler for particular signature list types found in the dbx.
 */
efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type);

#endif

#ifndef UEFI_QUIRK_SKIP_CERT
#define UEFI_QUIRK_SKIP_CERT(vendor, product) \
		 .matches = { \
			DMI_MATCH(DMI_BOARD_VENDOR, vendor), \
			DMI_MATCH(DMI_PRODUCT_NAME, product), \
		},
#endif