diff --git a/kernel.spec b/kernel.spec index e91ef9d14..469a2a2f7 100644 --- a/kernel.spec +++ b/kernel.spec @@ -587,6 +587,8 @@ Patch505: 0001-dm-fix-dm_merge_bvec-regression-on-32-bit-systems.patch #rhbz 1244511 Patch507: HID-chicony-Add-support-for-Acer-Aspire-Switch-12.patch +Patch508: kexec-uefi-copy-secure_boot-flag-in-boot-params.patch + Patch904: kdbus.patch # END OF PATCH DEFINITIONS diff --git a/kexec-uefi-copy-secure_boot-flag-in-boot-params.patch b/kexec-uefi-copy-secure_boot-flag-in-boot-params.patch new file mode 100644 index 000000000..e239ea908 --- /dev/null +++ b/kexec-uefi-copy-secure_boot-flag-in-boot-params.patch @@ -0,0 +1,30 @@ +From: Dave Young + +[PATCH] kexec/uefi: copy secure_boot flag in boot params across kexec reboot + +Kexec reboot in case secure boot being enabled does not keep the secure boot +mode in new kernel, so later one can load unsigned kernel via legacy kexec_load. +In this state, the system is missing the protections provided by secure boot. + +Adding a patch to fix this by retain the secure_boot flag in original kernel. + +secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the stub. +Fixing this issue by copying secure_boot flag across kexec reboot. + +Signed-off-by: Dave Young +--- + arch/x86/kernel/kexec-bzimage64.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c +index 9642b9b..0539ec7 100644 +--- a/arch/x86/kernel/kexec-bzimage64.c ++++ b/arch/x86/kernel/kexec-bzimage64.c +@@ -178,6 +178,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr, + if (efi_enabled(EFI_OLD_MEMMAP)) + return 0; + ++ params->secure_boot = boot_params.secure_boot; + ei->efi_loader_signature = current_ei->efi_loader_signature; + ei->efi_systab = current_ei->efi_systab; + ei->efi_systab_hi = current_ei->efi_systab_hi;