author | Christian Barcenas <christian@cbarcenas.com> | 2020-04-04 11:48:25 -0700 |
---|---|---|
committer | Christian Barcenas <christian@cbarcenas.com> | 2020-04-04 11:48:25 -0700 |
commit | 652272d7026a2596b6987a27f7c3942b371d7f9d (patch) | |
tree | b95298962d00af88e37f088de0537d1dc3673fd0 | |
parent | 5c5fadac9a7822b60bd03e220ef29e64cf0a9390 (diff) | |
[x86] Drop EFI cold boot mitigation patch in favor of upstream
enable-cold-boot-attack-mitigation.patch is unnecessary because this
functionality is already present in upstream. It is enabled with
CONFIG_RESET_ATTACK_MITIGATION=y.
Additionally, efi_early was removed in 5.6, so the patch in its current
form causes a FTBFS.
-rw-r--r-- | debian/changelog | 1 | ||||
-rw-r--r-- | debian/config/config | 3 | ||||
-rw-r--r-- | debian/patches/features/all/lockdown/enable-cold-boot-attack-mitigation.patch | 48 | ||||
-rw-r--r-- | debian/patches/series | 1 |
4 files changed, 2 insertions, 51 deletions
diff --git a/debian/changelog b/debian/changelog index 09480124de90..c62e9a490e8c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -25,6 +25,7 @@ linux (5.6.2-1~exp1) UNRELEASED; urgency=medium [ Christian Barcenas ] * linux-kbuild: Stop building conmakehash * linux-cpupower: Add libcap to Build-Depends and turbostat linker flags + * [x86] Drop EFI cold boot mitigation patch in favor of upstream -- Ben Hutchings <benh@debian.org> Mon, 30 Mar 2020 14:50:42 +0100 diff --git a/debian/config/config b/debian/config/config index 198ac18cf5f3..8c4d4a4126b4 100644 --- a/debian/config/config +++ b/debian/config/config @@ -588,8 +588,7 @@ CONFIG_EFI_VARS_PSTORE=m CONFIG_EFI_BOOTLOADER_CONTROL=m CONFIG_EFI_CAPSULE_LOADER=m # CONFIG_EFI_TEST is not set -#. Until userland clears the flag on clean shutdown -# CONFIG_RESET_ATTACK_MITIGATION is not set +CONFIG_RESET_ATTACK_MITIGATION=y ## ## file: drivers/firmware/google/Kconfig diff --git a/debian/patches/features/all/lockdown/enable-cold-boot-attack-mitigation.patch b/debian/patches/features/all/lockdown/enable-cold-boot-attack-mitigation.patch deleted file mode 100644 index aceb0cd5391d..000000000000 --- a/debian/patches/features/all/lockdown/enable-cold-boot-attack-mitigation.patch +++ /dev/null 
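Review bot: The removed line `#. Until userland clears the flag on clean shutdown` in the debian/config/config hunk was the only record of the prerequisite for turning this option on, and neither the new line nor the commit message says whether that prerequisite is now met. The dropped Debian patch further down this page set MemoryOverwriteRequestControl to 1 with EFI_VARIABLE_NON_VOLATILE so that, as its own comment says, the firmware clears memory when there was no clean shutdown; the upstream code the commit replaces it with presumably does the same, so if no userland component resets the variable at shutdown every boot will be treated as an unclean one and pay for the memory clear (a boot-time cost, not a security regression). I would keep the caveat next to the new line in the same comment convention, e.g. `#. Requires userland to clear MemoryOverwriteRequestControl on clean shutdown`, or name in the changelog entry which component now handles it.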
@@ -1,48 +0,0 @@ -From: Matthew Garrett <mjg59@coreos.com> -Date: Tue, 12 Jan 2016 12:51:27 -0800 -Subject: [18/18] Enable cold boot attack mitigation -Origin: https://github.com/mjg59/linux/commit/02d999574936dd234a508c0112a0200c135a5c34 - -[Lukas Wunner: Forward-ported to 4.11: adjust context] ---- - arch/x86/boot/compressed/eboot.c | 22 ++++++++++++++++++++++ - 1 file changed, 22 insertions(+) - ---- a/arch/x86/boot/compressed/eboot.c -+++ b/arch/x86/boot/compressed/eboot.c -@@ -343,6 +343,22 @@ void setup_graphics(struct boot_params * - } - } - -+#define MEMORY_ONLY_RESET_CONTROL_GUID \ -+ EFI_GUID (0xe20939be, 0x32d4, 0x41be, 0xa1, 0x50, 0x89, 0x7f, 0x85, 0xd4, 0x98, 0x29) -+ -+static void enable_reset_attack_mitigation(void) -+{ -+ u8 val = 1; -+ efi_guid_t var_guid = MEMORY_ONLY_RESET_CONTROL_GUID; -+ -+ /* Ignore the return value here - there's not really a lot we can do */ -+ efi_early->call((unsigned long)sys_table->runtime->set_variable, -+ L"MemoryOverwriteRequestControl", &var_guid, -+ EFI_VARIABLE_NON_VOLATILE | -+ EFI_VARIABLE_BOOTSERVICE_ACCESS | -+ EFI_VARIABLE_RUNTIME_ACCESS, sizeof(val), val); -+} -+ - void startup_32(struct boot_params *boot_params); - - void __noreturn efi_stub_entry(efi_handle_t handle, -@@ -734,6 +750,12 @@ struct boot_params *efi_main(efi_handle_ - efi_parse_options((char *)cmdline_paddr); - - /* -+ * Ask the firmware to clear memory if we don't have a clean -+ * shutdown -+ */ -+ enable_reset_attack_mitigation(); -+ -+ /* - * If the boot loader gave us a value for secure_boot then we use that, - * otherwise we ask the BIOS. - */ diff --git a/debian/patches/series b/debian/patches/series index 8f828f0c2c14..b694f76f3083 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -96,7 +96,6 @@ bugfix/all/partially-revert-net-socket-implement-64-bit-timestamps.patch # Lockdown missing pieces features/all/lockdown/efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch -features/all/lockdown/enable-cold-boot-attack-mitigation.patch features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch # until the "kernel_lockdown.7" manual page exists |