kernel/MODSIGN-Don-t-try-secure-boot-if-EFI-runtime-is-disa.patch
Laura Abbott 9472421366 Gracefully bail out of secureboot when EFI runtime is disabled
- Fix for aarch64 boot regression (rhbz 1384701)
2016-10-18 14:23:11 -07:00

33 lines
993 B
Diff

From 71db1b222ecdf6cb4356f6f1e2bd45cd2f0e85e1 Mon Sep 17 00:00:00 2001
From: Laura Abbott <labbott@redhat.com>
Date: Tue, 18 Oct 2016 13:58:44 -0700
Subject: [PATCH] MODSIGN: Don't try secure boot if EFI runtime is disabled
Secure boot depends on having EFI runtime variable access. The code
does not handle a lack of runtime variables gracefully. Add a check
to just bail out of EFI runtime is disabled.
Signed-off-by: Laura Abbott <labbott@redhat.com>
---
kernel/modsign_uefi.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
index a41da14..2bdaf76 100644
--- a/kernel/modsign_uefi.c
+++ b/kernel/modsign_uefi.c
@@ -71,6 +71,10 @@ static int __init load_uefi_certs(void)
if (!efi_enabled(EFI_SECURE_BOOT))
return 0;
+ /* Things blow up if efi runtime is disabled */
+ if (efi_runtime_disabled())
+ return 0;
+
keyring = get_system_keyring();
if (!keyring) {
pr_err("MODSIGN: Couldn't get system keyring\n");
--
2.7.4