linux/debian/patches/features/all/securelevel/enable-cold-boot-attack-mit...

50 lines
1.5 KiB
Diff
Raw Normal View History

From: Matthew Garrett <mjg59@coreos.com>
Date: Tue, 12 Jan 2016 12:51:27 -0800
Subject: [18/18] Enable cold boot attack mitigation
Origin: https://github.com/mjg59/linux/commit/02d999574936dd234a508c0112a0200c135a5c34
---
arch/x86/boot/compressed/eboot.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
index 28c24d80d0a0..b0413ba639af 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -1051,6 +1051,22 @@ void setup_graphics(struct boot_params *boot_params)
}
}
+#define MEMORY_ONLY_RESET_CONTROL_GUID \
+ EFI_GUID (0xe20939be, 0x32d4, 0x41be, 0xa1, 0x50, 0x89, 0x7f, 0x85, 0xd4, 0x98, 0x29)
+
+static void enable_reset_attack_mitigation(void)
+{
+ u8 val = 1;
+ efi_guid_t var_guid = MEMORY_ONLY_RESET_CONTROL_GUID;
+
+ /* Ignore the return value here - there's not really a lot we can do */
+ efi_early->call((unsigned long)sys_table->runtime->set_variable,
+ L"MemoryOverwriteRequestControl", &var_guid,
+ EFI_VARIABLE_NON_VOLATILE |
+ EFI_VARIABLE_BOOTSERVICE_ACCESS |
+ EFI_VARIABLE_RUNTIME_ACCESS, sizeof(val), val);
+}
+
static int get_secure_boot(void)
{
u8 sb, setup, moksbstate;
@@ -1482,6 +1498,12 @@ struct boot_params *efi_main(struct efi_config *c,
else
setup_boot_services32(efi_early);
+ /*
+ * Ask the firmware to clear memory if we don't have a clean
+ * shutdown
+ */
+ enable_reset_attack_mitigation();
+
sanitize_boot_params(boot_params);
boot_params->secure_boot = get_secure_boot();