091554e4a5b2a7647830a1c7beea781148b51509 is the first bad commit
commit 091554e4a5b2a7647830a1c7beea781148b51509
Author: Lenny Szubowicz <email address hidden>
Date: Tue Nov 30 12:04:00 2021 +0100
Because of system-specific EFI firmware limitations, EFI volatile
variables may not be capable of holding the required contents of
the Machine Owner Key (MOK) certificate store when the certificate
list grows above some size. Therefore, an EFI boot loader may pass
the MOK certs via an EFI configuration table created specifically for
this purpose to avoid this firmware limitation.
An EFI configuration table is a much more primitive mechanism
compared to EFI variables and is well suited for one-way passage
of static information from a pre-OS environment to the kernel.
This patch adds initial kernel support to recognize, parse,
and validate the EFI MOK configuration table, where named
entries contain the same data that would otherwise be provided
in similarly named EFI variables.
Additionally, this patch creates a sysfs binary file for each
EFI MOK configuration table entry found. These files are read-only
to root and are provided for use by user space utilities such as
mokutil.
A subsequent patch will load MOK certs into the trusted platform
key ring using this infrastructure.
Signed-off-by: Lenny Szubowicz <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Ard Biesheuvel <email address hidden>
(cherry picked from commit 58c909022a5a56cd1d9e89c8c5461fd1f6a27bb5)
Signed-off-by: Dimitri John Ledkov <email address hidden>
Acked-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>
Here is the result of a similar bisect on the bionic kernel:
https://kernel.ubuntu.com/git/ubuntu/ubuntu-bionic.git/commit/?id=091554e4a5b2a7647830a1c7beea781148b51509
091554e4a5b2a7647830a1c7beea781148b51509 is the first bad commit
commit 091554e4a5b2a7647830a1c7beea781148b51509
Author: Lenny Szubowicz <email address hidden>
Date: Tue Nov 30 12:04:00 2021 +0100
efi: Support for MOK variable config table
BugLink: https://bugs.launchpad.net/bugs/1928679
Because of system-specific EFI firmware limitations, EFI volatile
variables may not be capable of holding the required contents of
the Machine Owner Key (MOK) certificate store when the certificate
list grows above some size. Therefore, an EFI boot loader may pass
the MOK certs via an EFI configuration table created specifically for
this purpose to avoid this firmware limitation.
An EFI configuration table is a much more primitive mechanism
compared to EFI variables and is well suited for one-way passage
of static information from a pre-OS environment to the kernel.
This patch adds initial kernel support to recognize, parse,
and validate the EFI MOK configuration table, where named
entries contain the same data that would otherwise be provided
in similarly named EFI variables.
Additionally, this patch creates a sysfs binary file for each
EFI MOK configuration table entry found. These files are read-only
to root and are provided for use by user space utilities such as
mokutil.
A subsequent patch will load MOK certs into the trusted platform
key ring using this infrastructure.
Signed-off-by: Lenny Szubowicz <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Ard Biesheuvel <email address hidden>
(cherry picked from commit 58c909022a5a56cd1d9e89c8c5461fd1f6a27bb5)
Signed-off-by: Dimitri John Ledkov <email address hidden>
Acked-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>
arch/x86/kernel/setup.c             |   1 +
drivers/firmware/efi/Makefile       |   1 +
drivers/firmware/efi/arm-init.c     |   1 +
drivers/firmware/efi/efi.c          |   9 +
drivers/firmware/efi/mokvar-table.c | 360 ++++++++++++++++++++++++++++++++++++
include/linux/efi.h                 |  34 ++++
6 files changed, 406 insertions(+)
create mode 100644 drivers/firmware/efi/mokvar-table.c