49 lines
1.5 KiB
Diff
49 lines
1.5 KiB
Diff
From: Matthew Garrett <mjg59@coreos.com>
|
|
Date: Tue, 12 Jan 2016 12:51:27 -0800
|
|
Subject: [18/18] Enable cold boot attack mitigation
|
|
Origin: https://github.com/mjg59/linux/commit/02d999574936dd234a508c0112a0200c135a5c34
|
|
|
|
[Lukas Wunner: Forward-ported to 4.11: adjust context]
|
|
---
|
|
arch/x86/boot/compressed/eboot.c | 22 ++++++++++++++++++++++
|
|
1 file changed, 22 insertions(+)
|
|
|
|
--- a/arch/x86/boot/compressed/eboot.c
|
|
+++ b/arch/x86/boot/compressed/eboot.c
|
|
@@ -604,6 +604,22 @@ void setup_graphics(struct boot_params *
|
|
}
|
|
}
|
|
|
|
+#define MEMORY_ONLY_RESET_CONTROL_GUID \
|
|
+ EFI_GUID (0xe20939be, 0x32d4, 0x41be, 0xa1, 0x50, 0x89, 0x7f, 0x85, 0xd4, 0x98, 0x29)
|
|
+
|
|
+static void enable_reset_attack_mitigation(void)
|
|
+{
|
|
+ u8 val = 1;
|
|
+ efi_guid_t var_guid = MEMORY_ONLY_RESET_CONTROL_GUID;
|
|
+
|
|
+ /* Ignore the return value here - there's not really a lot we can do */
|
|
+ efi_early->call((unsigned long)sys_table->runtime->set_variable,
|
|
+ L"MemoryOverwriteRequestControl", &var_guid,
|
|
+ EFI_VARIABLE_NON_VOLATILE |
|
|
+ EFI_VARIABLE_BOOTSERVICE_ACCESS |
|
|
+ EFI_VARIABLE_RUNTIME_ACCESS, sizeof(val), val);
|
|
+}
|
|
+
|
|
/*
|
|
* Because the x86 boot code expects to be passed a boot_params we
|
|
* need to create one ourselves (usually the bootloader would create
|
|
@@ -989,6 +1005,12 @@ struct boot_params *efi_main(struct efi_
|
|
setup_boot_services32(efi_early);
|
|
|
|
/*
|
|
+ * Ask the firmware to clear memory if we don't have a clean
|
|
+ * shutdown
|
|
+ */
|
|
+ enable_reset_attack_mitigation();
|
|
+
|
|
+ /*
|
|
* If the boot loader gave us a value for secure_boot then we use that,
|
|
* otherwise we ask the BIOS.
|
|
*/
|