linux/debian/patches/features/all/lockdown/enable-cold-boot-attack-mit...

From: Matthew Garrett <mjg59@coreos.com>
Date: Tue, 12 Jan 2016 12:51:27 -0800
Subject: [18/18] Enable cold boot attack mitigation
Origin: https://github.com/mjg59/linux/commit/02d999574936dd234a508c0112a0200c135a5c34

[Lukas Wunner: Forward-ported to 4.11: adjust context]
---
 arch/x86/boot/compressed/eboot.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -604,6 +604,22 @@ void setup_graphics(struct boot_params *
 	}
 }
 
+#define MEMORY_ONLY_RESET_CONTROL_GUID \
+	EFI_GUID (0xe20939be, 0x32d4, 0x41be, 0xa1, 0x50, 0x89, 0x7f, 0x85, 0xd4, 0x98, 0x29)
+
+static void enable_reset_attack_mitigation(void)
+{
+	u8 val = 1;
+	efi_guid_t var_guid = MEMORY_ONLY_RESET_CONTROL_GUID;
+
+	/* Ignore the return value here - there's not really a lot we can do */
+	efi_early->call((unsigned long)sys_table->runtime->set_variable,
+			L"MemoryOverwriteRequestControl", &var_guid,
+			EFI_VARIABLE_NON_VOLATILE |
+			EFI_VARIABLE_BOOTSERVICE_ACCESS |
+			EFI_VARIABLE_RUNTIME_ACCESS, sizeof(val), val);
+}
+
 /*
  * Because the x86 boot code expects to be passed a boot_params we
  * need to create one ourselves (usually the bootloader would create
@@ -989,6 +1005,12 @@ struct boot_params *efi_main(struct efi_
 		setup_boot_services32(efi_early);
 
 	/*
+	 * Ask the firmware to clear memory if we don't have a clean
+	 * shutdown
+	 */
+	enable_reset_attack_mitigation();
+
+	/*
 	 * If the boot loader gave us a value for secure_boot then we use that,
 	 * otherwise we ask the BIOS.
 	 */
Add Matthew Garrett's securelevel patchset in preparation for Secure Boot support 2016-04-03 03:04:45 +00:00			`From: Matthew Garrett <mjg59@coreos.com>`
			`Date: Tue, 12 Jan 2016 12:51:27 -0800`
			`Subject: [18/18] Enable cold boot attack mitigation`
			`Origin: https://github.com/mjg59/linux/commit/02d999574936dd234a508c0112a0200c135a5c34`

Note Lukas Wunner's forward-porting work in patches 2017-04-19 23:48:59 +00:00			`[Lukas Wunner: Forward-ported to 4.11: adjust context]`
Add Matthew Garrett's securelevel patchset in preparation for Secure Boot support 2016-04-03 03:04:45 +00:00			`---`
			`arch/x86/boot/compressed/eboot.c \| 22 ++++++++++++++++++++++`
			`1 file changed, 22 insertions(+)`

			`--- a/arch/x86/boot/compressed/eboot.c`
			`+++ b/arch/x86/boot/compressed/eboot.c`
[arm64,x86] Replace securelevel patch set with lockdown patch set Matthew stopped maintaining the securelevel patch set, and David Howells has taken it up under the new name 'lockdown'. This is taken from: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git#efi-lock-down commits ddb99e118e37f324a4be65a411bb60ae62795cf9..0240fa7c7c948b19d57c0163d57e55296277ff3c Rebase the three patches not included there (cold boot mitigation, arm64 SB integration, MTD RAM restrictions). Update our kconfig for the renaming. 2017-04-20 01:38:29 +00:00			`@@ -604,6 +604,22 @@ void setup_graphics(struct boot_params *`
Add Matthew Garrett's securelevel patchset in preparation for Secure Boot support 2016-04-03 03:04:45 +00:00			`}`
			`}`

			`+#define MEMORY_ONLY_RESET_CONTROL_GUID \`
			`+ EFI_GUID (0xe20939be, 0x32d4, 0x41be, 0xa1, 0x50, 0x89, 0x7f, 0x85, 0xd4, 0x98, 0x29)`
			`+`
			`+static void enable_reset_attack_mitigation(void)`
			`+{`
			`+ u8 val = 1;`
			`+ efi_guid_t var_guid = MEMORY_ONLY_RESET_CONTROL_GUID;`
			`+`
			`+ /* Ignore the return value here - there's not really a lot we can do */`
			`+ efi_early->call((unsigned long)sys_table->runtime->set_variable,`
			`+ L"MemoryOverwriteRequestControl", &var_guid,`
			`+ EFI_VARIABLE_NON_VOLATILE \|`
			`+ EFI_VARIABLE_BOOTSERVICE_ACCESS \|`
			`+ EFI_VARIABLE_RUNTIME_ACCESS, sizeof(val), val);`
			`+}`
			`+`
Update to 4.11-rc6 Remove merged patches and rebase remaining patches. A portion of the secureboot patches have been upstreamed, but were changed substantially during review, primarily to avoid code duplication among arches. I've stripped the patches of the merged bits and rebased the remainder. Signed-off-by: Lukas Wunner <lukas@wunner.de> [bwh: Undo some incorrect context changes in bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch] 2017-04-19 09:30:57 +00:00			`/*`
			`* Because the x86 boot code expects to be passed a boot_params we`
			`* need to create one ourselves (usually the bootloader would create`
[arm64,x86] Replace securelevel patch set with lockdown patch set Matthew stopped maintaining the securelevel patch set, and David Howells has taken it up under the new name 'lockdown'. This is taken from: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git#efi-lock-down commits ddb99e118e37f324a4be65a411bb60ae62795cf9..0240fa7c7c948b19d57c0163d57e55296277ff3c Rebase the three patches not included there (cold boot mitigation, arm64 SB integration, MTD RAM restrictions). Update our kconfig for the renaming. 2017-04-20 01:38:29 +00:00			`@@ -989,6 +1005,12 @@ struct boot_params *efi_main(struct efi_`
Add Matthew Garrett's securelevel patchset in preparation for Secure Boot support 2016-04-03 03:04:45 +00:00			`setup_boot_services32(efi_early);`

[arm64,x86] Replace securelevel patch set with lockdown patch set Matthew stopped maintaining the securelevel patch set, and David Howells has taken it up under the new name 'lockdown'. This is taken from: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git#efi-lock-down commits ddb99e118e37f324a4be65a411bb60ae62795cf9..0240fa7c7c948b19d57c0163d57e55296277ff3c Rebase the three patches not included there (cold boot mitigation, arm64 SB integration, MTD RAM restrictions). Update our kconfig for the renaming. 2017-04-20 01:38:29 +00:00			`/*`
Add Matthew Garrett's securelevel patchset in preparation for Secure Boot support 2016-04-03 03:04:45 +00:00			`+ * Ask the firmware to clear memory if we don't have a clean`
			`+ * shutdown`
			`+ */`
			`+ enable_reset_attack_mitigation();`
			`+`
[arm64,x86] Replace securelevel patch set with lockdown patch set Matthew stopped maintaining the securelevel patch set, and David Howells has taken it up under the new name 'lockdown'. This is taken from: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git#efi-lock-down commits ddb99e118e37f324a4be65a411bb60ae62795cf9..0240fa7c7c948b19d57c0163d57e55296277ff3c Rebase the three patches not included there (cold boot mitigation, arm64 SB integration, MTD RAM restrictions). Update our kconfig for the renaming. 2017-04-20 01:38:29 +00:00			`+ /*`
			`* If the boot loader gave us a value for secure_boot then we use that,`
			`* otherwise we ask the BIOS.`
			`*/`