lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 14 Apr 2022 09:30:42 -0400 From: Mimi Zohar <zohar@...ux.ibm.com> To: Aditya Garg <gargaditya08@...e.com>, "jarkko@...nel.org" <jarkko@...nel.org>, "dmitry.kasatkin@...il.com" <dmitry.kasatkin@...il.com>, "jmorris@...ei.org" <jmorris@...ei.org>, "serge@...lyn.com" <serge@...lyn.com>, "ast@...nel.org" <ast@...nel.org>, "daniel@...earbox.net" <daniel@...earbox.net>, "andrii@...nel.org" <andrii@...nel.org>, "kafai@...com" <kafai@...com>, "songliubraving@...com" <songliubraving@...com>, "yhs@...com" <yhs@...com>, "john.fastabend@...il.com" <john.fastabend@...il.com>, "kpsingh@...nel.org" <kpsingh@...nel.org> Cc: "linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>, "keyrings@...r.kernel.org" <keyrings@...r.kernel.org>, "linux-security-module@...r.kernel.org" <linux-security-module@...r.kernel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, "bpf@...r.kernel.org" <bpf@...r.kernel.org>, Orlando Chamberlain <redecorating@...tonmail.com>, "admin@...eit.net" <admin@...eit.net>, "stable@...r.kernel.org" <stable@...r.kernel.org> Subject: Re: [PATCH v5] efi: Do not import certificates from UEFI Secure Boot for T2 Macs On Wed, 2022-04-13 at 14:04 +0000, Aditya Garg wrote: > From: Aditya Garg <gargaditya08@...e.com> > > On Apple T2 Macs, when Linux reads the db and dbx efi variables to load > UEFI Secure Boot certificates, a page fault occurs in Apple firmware > code and EFI services are disabled with the following logs: > > Call Trace: > <TASK> > page_fault_oops+0x4f/0x2c0 > ? search_bpf_extables+0x6b/0x80 > ? search_module_extables+0x50/0x80 > ? search_exception_tables+0x5b/0x60 > kernelmode_fixup_or_oops+0x9e/0x110 > __bad_area_nosemaphore+0x155/0x190 > bad_area_nosemaphore+0x16/0x20 > do_kern_addr_fault+0x8c/0xa0 > exc_page_fault+0xd8/0x180 > asm_exc_page_fault+0x1e/0x30 > (Removed some logs from here) > ? __efi_call+0x28/0x30 > ? switch_mm+0x20/0x30 > ? efi_call_rts+0x19a/0x8e0 > ? process_one_work+0x222/0x3f0 > ? worker_thread+0x4a/0x3d0 > ? kthread+0x17a/0x1a0 > ? process_one_work+0x3f0/0x3f0 > ? set_kthread_struct+0x40/0x40 > ? ret_from_fork+0x22/0x30 > </TASK> > ---[ end trace 1f82023595a5927f ]--- > efi: Froze efi_rts_wq and disabled EFI Runtime Services > integrity: Couldn't get size: 0x8000000000000015 > integrity: MODSIGN: Couldn't get UEFI db list > efi: EFI Runtime Services are disabled! > integrity: Couldn't get size: 0x8000000000000015 > integrity: Couldn't get UEFI dbx list > integrity: Couldn't get size: 0x8000000000000015 > integrity: Couldn't get mokx list > integrity: Couldn't get size: 0x80000000 > > This also occurs when some other variables are read (see examples below, > there are many more), but only when these variables are read at an early > stage like db and dbx are to load UEFI certs. > > BridgeOSBootSessionUUID-4d1ede05-38c7-4a6a-9cc6-4bcca8b38c14 > KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c > > On these Macs, we skip reading the EFI variables for the UEFI certificates. > As a result without certificates, secure boot signature verification fails. > As these Macs have a non-standard implementation of secure boot that only > uses Apple's and Microsoft's keys (users can't add their own), securely > booting Linux was never supported on this hardware, so skipping it > shouldn't cause a regression. Based on your explanation, there seems to be two issues - inability to read EFI variables, "users can't add their own" keys. Neither of which mean "a non-standard implementation of secure boot". Please fix the "cause" and "affect" in the patch description and comments. thanks, Mimi
Powered by blists - more mailing lists