From: Matthew Garrett <mjg59@coreos.com>
Date: Tue, 12 Jan 2016 12:51:27 -0800
Subject: [18/18] Enable cold boot attack mitigation
Origin: https://github.com/mjg59/linux/commit/02d999574936dd234a508c0112a0200c135a5c34

[Lukas Wunner: Forward-ported to 4.11: adjust context]
---
 arch/x86/boot/compressed/eboot.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
index 8b4c5e001157..0813490ca6e0 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -371,6 +371,22 @@ void setup_graphics(struct boot_params *boot_params)
 	}
 }
 
+#define MEMORY_ONLY_RESET_CONTROL_GUID \
+	EFI_GUID (0xe20939be, 0x32d4, 0x41be, 0xa1, 0x50, 0x89, 0x7f, 0x85, 0xd4, 0x98, 0x29)
+
+static void enable_reset_attack_mitigation(void)
+{
+	u8 val = 1;
+	efi_guid_t var_guid = MEMORY_ONLY_RESET_CONTROL_GUID;
+
+	/* Ignore the return value here - there's not really a lot we can do */
+	efi_early->call((unsigned long)sys_table->runtime->set_variable,
+			L"MemoryOverwriteRequestControl", &var_guid,
+			EFI_VARIABLE_NON_VOLATILE |
+			EFI_VARIABLE_BOOTSERVICE_ACCESS |
+			EFI_VARIABLE_RUNTIME_ACCESS, sizeof(val), val);
+}
+
 /*
  * Because the x86 boot code expects to be passed a boot_params we
  * need to create one ourselves (usually the bootloader would create
@@ -765,6 +781,12 @@ efi_main(struct efi_config *c, struct boot_params *boot_params)
 			 ((u64)boot_params->ext_cmd_line_ptr << 32));
 	efi_parse_options((char *)cmdline_paddr);
 
+	/*
+	 * Ask the firmware to clear memory if we don't have a clean
+	 * shutdown
+	 */
+	enable_reset_attack_mitigation();
+
 	/*
 	 * If the boot loader gave us a value for secure_boot then we use that,
 	 * otherwise we ask the BIOS.