Fix secureboot ERROR
This commit is contained in:
parent
8bfda9e6c2
commit
e9c639009d
|
@ -0,0 +1,53 @@
|
|||
From 52e51f16407b7b34e26affb500a21e250d9fce0b Mon Sep 17 00:00:00 2001
|
||||
From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
|
||||
Date: Wed, 1 Mar 2017 19:04:35 +0000
|
||||
Subject: [PATCH] efi/libstub: Treat missing SecureBoot variable as Secure Boot
|
||||
disabled
|
||||
|
||||
The newly refactored code that infers the firmware's Secure Boot state
|
||||
prints the following error when the EFI variable 'SecureBoot' does not
|
||||
exist:
|
||||
|
||||
EFI stub: ERROR: Could not determine UEFI Secure Boot status.
|
||||
|
||||
However, this variable is only guaranteed to be defined on a system that
|
||||
is Secure Boot capable to begin with, and so it is not an error if it is
|
||||
missing. So report Secure Boot as being disabled in this case, without
|
||||
printing any error messages.
|
||||
|
||||
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
|
||||
Cc: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Cc: Matt Fleming <matt@codeblueprint.co.uk>
|
||||
Cc: Peter Zijlstra <peterz@infradead.org>
|
||||
Cc: Thomas Gleixner <tglx@linutronix.de>
|
||||
Cc: linux-efi@vger.kernel.org
|
||||
Link: http://lkml.kernel.org/r/1488395076-29712-2-git-send-email-ard.biesheuvel@linaro.org
|
||||
Signed-off-by: Ingo Molnar <mingo@kernel.org>
|
||||
---
|
||||
drivers/firmware/efi/libstub/secureboot.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/firmware/efi/libstub/secureboot.c b/drivers/firmware/efi/libstub/secureboot.c
|
||||
index 6def402..5da36e5 100644
|
||||
--- a/drivers/firmware/efi/libstub/secureboot.c
|
||||
+++ b/drivers/firmware/efi/libstub/secureboot.c
|
||||
@@ -45,6 +45,8 @@ enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table_arg)
|
||||
size = sizeof(secboot);
|
||||
status = get_efi_var(efi_SecureBoot_name, &efi_variable_guid,
|
||||
NULL, &size, &secboot);
|
||||
+ if (status == EFI_NOT_FOUND)
|
||||
+ goto secure_boot_disabled;
|
||||
if (status != EFI_SUCCESS)
|
||||
goto out_efi_err;
|
||||
|
||||
@@ -78,7 +80,5 @@ enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table_arg)
|
||||
|
||||
out_efi_err:
|
||||
pr_efi_err(sys_table_arg, "Could not determine UEFI Secure Boot status.\n");
|
||||
- if (status == EFI_NOT_FOUND)
|
||||
- goto secure_boot_disabled;
|
||||
return efi_secureboot_mode_unknown;
|
||||
}
|
||||
--
|
||||
2.9.3
|
||||
|
|
@ -617,6 +617,8 @@ Patch859: 0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch
|
|||
# CVE-2017-2671 rhbz 1436649 1436663
|
||||
Patch860: 0001-ping-implement-proper-locking.patch
|
||||
|
||||
Patch861: 0001-efi-libstub-Treat-missing-SecureBoot-variable-as-Sec.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -2189,6 +2191,7 @@ fi
|
|||
* Wed Apr 05 2017 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- Don't print MCEs when mcelog is running (rhbz 1438316)
|
||||
- CVE-2017-2671 Fix ping locking (rhbz 1436649 1436663)
|
||||
- Fix secureboot ERROR
|
||||
|
||||
* Tue Apr 04 2017 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- redisable CONFIG_IWLWIFI_PCIE_RTPM (rhbz 1429135)
|
||||
|
|
Loading…
Reference in New Issue