authorChristian Barcenas <christian@cbarcenas.com>2020-04-04 11:48:25 -0700
committerChristian Barcenas <christian@cbarcenas.com>2020-04-04 11:48:25 -0700
commit652272d7026a2596b6987a27f7c3942b371d7f9d (patch)
treeb95298962d00af88e37f088de0537d1dc3673fd0
parent5c5fadac9a7822b60bd03e220ef29e64cf0a9390 (diff)
[x86] Drop EFI cold boot mitigation patch in favor of upstream
enable-cold-boot-attack-mitigation.patch is unnecessary because this functionality is already present in upstream. It is enabled with CONFIG_RESET_ATTACK_MITIGATION=y. Additionally, efi_early was removed in 5.6, so the patch in its current form causes an FTBFS.
-rw-r--r--debian/changelog1
-rw-r--r--debian/config/config3
-rw-r--r--debian/patches/features/all/lockdown/enable-cold-boot-attack-mitigation.patch48
-rw-r--r--debian/patches/series1
4 files changed, 2 insertions, 51 deletions
diff --git a/debian/changelog b/debian/changelog
index 09480124de90..c62e9a490e8c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -25,6 +25,7 @@ linux (5.6.2-1~exp1) UNRELEASED; urgency=medium
[ Christian Barcenas ]
* linux-kbuild: Stop building conmakehash
* linux-cpupower: Add libcap to Build-Depends and turbostat linker flags
+ * [x86] Drop EFI cold boot mitigation patch in favor of upstream
-- Ben Hutchings <benh@debian.org> Mon, 30 Mar 2020 14:50:42 +0100
diff --git a/debian/config/config b/debian/config/config
index 198ac18cf5f3..8c4d4a4126b4 100644
--- a/debian/config/config
+++ b/debian/config/config
@@ -588,8 +588,7 @@ CONFIG_EFI_VARS_PSTORE=m
CONFIG_EFI_BOOTLOADER_CONTROL=m
CONFIG_EFI_CAPSULE_LOADER=m
# CONFIG_EFI_TEST is not set
-#. Until userland clears the flag on clean shutdown
-# CONFIG_RESET_ATTACK_MITIGATION is not set
+CONFIG_RESET_ATTACK_MITIGATION=y
##
## file: drivers/firmware/google/Kconfig
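Review bot: The rationale comment dropped at the `-#. Until userland clears the flag on clean shutdown` line is not replaced, so `CONFIG_RESET_ATTACK_MITIGATION=y` now carries no record of the condition that kept the option off before. Enabling it makes the EFI stub set the `MemoryOverwriteRequestControl` variable at every boot (the same thing the deleted Debian patch did), and, as the removed comment implies, the firmware keeps overwriting RAM on each boot until userland clears that variable on a clean shutdown, so the dependency on userland behaviour survives the move to the upstream implementation. I would keep a one-line note next to the new setting, e.g. `#. Userland must clear MemoryOverwriteRequestControl on clean shutdown, otherwise every boot pays a full memory wipe`. The commit message could also state which userland component was verified to do that, since that check is what this flip rests on.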
diff --git a/debian/patches/features/all/lockdown/enable-cold-boot-attack-mitigation.patch b/debian/patches/features/all/lockdown/enable-cold-boot-attack-mitigation.patch
deleted file mode 100644
index aceb0cd5391d..000000000000
--- a/debian/patches/features/all/lockdown/enable-cold-boot-attack-mitigation.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From: Matthew Garrett <mjg59@coreos.com>
-Date: Tue, 12 Jan 2016 12:51:27 -0800
-Subject: [18/18] Enable cold boot attack mitigation
-Origin: https://github.com/mjg59/linux/commit/02d999574936dd234a508c0112a0200c135a5c34
-
-[Lukas Wunner: Forward-ported to 4.11: adjust context]
----
- arch/x86/boot/compressed/eboot.c | 22 ++++++++++++++++++++++
- 1 file changed, 22 insertions(+)
-
---- a/arch/x86/boot/compressed/eboot.c
-+++ b/arch/x86/boot/compressed/eboot.c
-@@ -343,6 +343,22 @@ void setup_graphics(struct boot_params *
- }
- }
-
-+#define MEMORY_ONLY_RESET_CONTROL_GUID \
-+ EFI_GUID (0xe20939be, 0x32d4, 0x41be, 0xa1, 0x50, 0x89, 0x7f, 0x85, 0xd4, 0x98, 0x29)
-+
-+static void enable_reset_attack_mitigation(void)
-+{
-+ u8 val = 1;
-+ efi_guid_t var_guid = MEMORY_ONLY_RESET_CONTROL_GUID;
-+
-+ /* Ignore the return value here - there's not really a lot we can do */
-+ efi_early->call((unsigned long)sys_table->runtime->set_variable,
-+ L"MemoryOverwriteRequestControl", &var_guid,
-+ EFI_VARIABLE_NON_VOLATILE |
-+ EFI_VARIABLE_BOOTSERVICE_ACCESS |
-+ EFI_VARIABLE_RUNTIME_ACCESS, sizeof(val), val);
-+}
-+
- void startup_32(struct boot_params *boot_params);
-
- void __noreturn efi_stub_entry(efi_handle_t handle,
-@@ -734,6 +750,12 @@ struct boot_params *efi_main(efi_handle_
- efi_parse_options((char *)cmdline_paddr);
-
- /*
-+ * Ask the firmware to clear memory if we don't have a clean
-+ * shutdown
-+ */
-+ enable_reset_attack_mitigation();
-+
-+ /*
- * If the boot loader gave us a value for secure_boot then we use that,
- * otherwise we ask the BIOS.
- */
diff --git a/debian/patches/series b/debian/patches/series
index 8f828f0c2c14..b694f76f3083 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -96,7 +96,6 @@ bugfix/all/partially-revert-net-socket-implement-64-bit-timestamps.patch
# Lockdown missing pieces
features/all/lockdown/efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch
features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
-features/all/lockdown/enable-cold-boot-attack-mitigation.patch
features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch
features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
# until the "kernel_lockdown.7" manual page exists