Message-ID: <20220213073924.GA7648@wunner.de>
Date: Sun, 13 Feb 2022 08:39:24 +0100
From: Lukas Wunner <lukas@...ner.de>
To: Aditya Garg <gargaditya08@...e.com>
Cc: David Laight <David.Laight@...LAB.COM>,
Ard Biesheuvel <ardb@...nel.org>,
Matthew Garrett <mjg59@...f.ucam.org>,
Jeremy Kerr <jk@...abs.org>,
"joeyli.kernel@...il.com" <joeyli.kernel@...il.com>,
"zohar@...ux.ibm.com" <zohar@...ux.ibm.com>,
"jmorris@...ei.org" <jmorris@...ei.org>,
"eric.snowberg@...cle.com" <eric.snowberg@...cle.com>,
"dhowells@...hat.com" <dhowells@...hat.com>,
"jlee@...e.com" <jlee@...e.com>,
"James.Bottomley@...senpartnership.com"
<James.Bottomley@...senPartnership.com>,
"jarkko@...nel.org" <jarkko@...nel.org>,
"mic@...ikod.net" <mic@...ikod.net>,
"dmitry.kasatkin@...il.com" <dmitry.kasatkin@...il.com>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
"linux-efi@...r.kernel.org" <linux-efi@...r.kernel.org>,
"linux-security-module@...r.kernel.org"
<linux-security-module@...r.kernel.org>,
"stable@...r.kernel.org" <stable@...r.kernel.org>,
"keyrings@...r.kernel.org" <keyrings@...r.kernel.org>,
"linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>,
Orlando Chamberlain <redecorating@...tonmail.com>,
Aun-Ali Zaidi <admin@...eit.net>
Subject: Re: [PATCH v3] efi: Do not import certificates from UEFI Secure Boot for T2 Macs
On Thu, Feb 10, 2022 at 10:47:25AM +0000, Aditya Garg wrote:
> +/* Apple Macs with T2 Security chip don't support these UEFI variables.
> + * The T2 chip manages the Secure Boot and does not allow Linux to boot
> + * if it is turned on. If turned off, an attempt to get certificates
> + * causes a crash, so we simply return 0 for them in each function.
> + */
> +
> +static const struct dmi_system_id uefi_skip_cert[] = {
> +
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,1") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,2") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,3") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,4") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,1") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,2") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,3") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,4") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir8,1") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir8,2") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir9,1") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacMini8,1") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacPro7,1") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,1") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,2") },
> + { }
> +};
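Review bot: the block comment at the top of the hunk puts text on the opening `/*` line; kernel coding style wants a bare `/*` on its own line for multi-line comments outside net/, so the comment should start with `/*` followed by ` * Apple Macs with T2 Security chip ...`. The blank line right after the opening brace of `uefi_skip_cert[] = {` should also be dropped. On substance, an exact-match DMI product table has to be extended by hand for every future T2 model, and a model missing from the list falls through to the certificate lookup the comment itself says crashes, so a detection that keys on the T2 hardware rather than on product names, as suggested in the reply, would age better.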
The T2 is represented by a PCI device with ID 106B:1802. I think it
would be more elegant to sense presence of that device instead of
hardcoding a long dmi list, i.e.:
#include <linux/pci.h>	/* pci_get_device(), pci_dev_put(), PCI_VENDOR_ID_APPLE */

static bool apple_t2_present(void)
{
	struct pci_dev *pdev;

	/* x86_apple_machine is set at boot from the DMI vendor string. */
	if (!x86_apple_machine)
		return false;

	/* PCI_VENDOR_ID_APPLE is 0x106b; 0x1802 is the T2 device ID. */
	pdev = pci_get_device(PCI_VENDOR_ID_APPLE, 0x1802, NULL);
	if (pdev) {
		pci_dev_put(pdev);	/* drop the reference pci_get_device() took */
		return true;
	}
	return false;
}
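The two detection strategies under discussion, as an added userspace C illustration that is not part of the patch or of Lukas's reply: the patch's DMI product list is mirrored as a string array, and the PCI probe becomes a scan over constructed lines in `lspci -n` layout. The slots and class codes in the sample are placeholders, and the product name in the test is a made-up one; only the 106b:1802 pair and the model names come from the page.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define APPLE_VENDOR_ID    0x106b /* PCI_VENDOR_ID_APPLE */
#define APPLE_T2_DEVICE_ID 0x1802 /* T2 device ID named in the reply */

/* Mirror of the hard-coded DMI product list from the patch. */
static const char *const t2_dmi_products[] = {
	"MacBookPro15,1", "MacBookPro15,2", "MacBookPro15,3", "MacBookPro15,4",
	"MacBookPro16,1", "MacBookPro16,2", "MacBookPro16,3", "MacBookPro16,4",
	"MacBookAir8,1", "MacBookAir8,2", "MacBookAir9,1",
	"MacMini8,1", "MacPro7,1", "iMac20,1", "iMac20,2",
};

/* DMI approach: exact vendor + product match, so unlisted models miss. */
bool t2_present_dmi(const char *sys_vendor, const char *product_name)
{
	size_t i;

	if (strcmp(sys_vendor, "Apple Inc.") != 0)
		return false;
	for (i = 0; i < sizeof(t2_dmi_products) / sizeof(*t2_dmi_products); i++)
		if (strcmp(product_name, t2_dmi_products[i]) == 0)
			return true;
	return false;
}

/* PCI approach: find 106b:1802 in "slot class: vendor:device" lines
 * (the `lspci -n` layout); "%*s %*x:" skips the slot and class fields. */
bool t2_present_pci(const char *lspci_n_output)
{
	const char *line = lspci_n_output;

	while (line && *line) {
		unsigned int vendor, device;
		if (sscanf(line, "%*s %*x: %x:%x", &vendor, &device) == 2 &&
		    vendor == APPLE_VENDOR_ID && device == APPLE_T2_DEVICE_ID)
			return true;
		line = strchr(line, '\n');
		if (line)
			line++;
	}
	return false;
}

/* Constructed sample in `lspci -n` layout; slots and class codes are
 * placeholders, only the 106b:1802 pair is the real T2 ID. */
static const char sample_lspci[] =
	"00:00.0 0600: 8086:3e34\n00:1c.0 0c03: 106b:1802\n";
```

A model that ships after the table was written is still found by `t2_present_pci()` as long as the bridge keeps its device ID, while `t2_present_dmi()` only ever matches the names it was built with.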