All of lore.kernel.org
 help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.ibm.com>
To: Matthew Garrett <mjg59@google.com>
Cc: linux-efi <linux-efi@vger.kernel.org>,
	Nayna Jain <nayna@linux.ibm.com>,
	kexec@lists.infradead.org,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	David Howells <dhowells@redhat.com>,
	Seth Forshee <seth.forshee@canonical.com>,
	LSM List <linux-security-module@vger.kernel.org>,
	Justin Forbes <jforbes@redhat.com>,
	linux-integrity <linux-integrity@vger.kernel.org>
Subject: Re: [PATCH 3/3] x86/ima: retry detecting secure boot mode
Date: Mon, 11 Mar 2019 12:54:52 -0400	[thread overview]
Message-ID: <1552323292.6100.45.camel@linux.ibm.com> (raw)
In-Reply-To: <CACdnJut3Y7CogvgtNsEcrEtA1WOxSb9OWP_wZ=3xNgCft2oeDw@mail.gmail.com>

On Fri, 2019-03-08 at 09:51 -0800, Matthew Garrett wrote:
> On Fri, Mar 8, 2019 at 5:40 AM Mimi Zohar <zohar@linux.ibm.com> wrote:
> >
> > On Thu, 2019-03-07 at 14:50 -0800, Matthew Garrett wrote:
> > > Is the issue that it gives incorrect results on the first read, or is
> > > the issue that it gives incorrect results before ExitBootServices() is
> > > called? If the former then we should read twice in the boot stub, if
> > > the latter then we should figure out a way to do this immediately
> > > after ExitBootServices() instead.
> >
> > Detecting the secure boot mode isn't the problem.  On boot, I am
> > seeing "EFI stub: UEFI Secure Boot is enabled", but setup_arch() emits
> > "Secure boot could not be determined".
> >
> > In efi_main() the secure_boot mode is initially unset, so
> > efi_get_secureboot() is called.  efi_get_secureboot() returns the
> > secure_boot mode correctly as enabled.  The problem seems to be in
> > saving the secure_boot mode for later use.
> 
> Hm. And this only happens on certain firmware versions? If something's
> stepping on boot_params then we have bigger problems.

I was seeing this problem before and after updating the system
firmware on my laptop last summer.  If updating the firmware had
resolved the problem, I wouldn't have included this patch.

Mimi


_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec

WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: Matthew Garrett <mjg59@google.com>
Cc: Justin Forbes <jforbes@redhat.com>,
	linux-integrity <linux-integrity@vger.kernel.org>,
	LSM List <linux-security-module@vger.kernel.org>,
	linux-efi <linux-efi@vger.kernel.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	David Howells <dhowells@redhat.com>,
	Seth Forshee <seth.forshee@canonical.com>,
	kexec@lists.infradead.org, Nayna Jain <nayna@linux.ibm.com>
Subject: Re: [PATCH 3/3] x86/ima: retry detecting secure boot mode
Date: Mon, 11 Mar 2019 12:54:52 -0400	[thread overview]
Message-ID: <1552323292.6100.45.camel@linux.ibm.com> (raw)
In-Reply-To: <CACdnJut3Y7CogvgtNsEcrEtA1WOxSb9OWP_wZ=3xNgCft2oeDw@mail.gmail.com>

On Fri, 2019-03-08 at 09:51 -0800, Matthew Garrett wrote:
> On Fri, Mar 8, 2019 at 5:40 AM Mimi Zohar <zohar@linux.ibm.com> wrote:
> >
> > On Thu, 2019-03-07 at 14:50 -0800, Matthew Garrett wrote:
> > > Is the issue that it gives incorrect results on the first read, or is
> > > the issue that it gives incorrect results before ExitBootServices() is
> > > called? If the former then we should read twice in the boot stub, if
> > > the latter then we should figure out a way to do this immediately
> > > after ExitBootServices() instead.
> >
> > Detecting the secure boot mode isn't the problem.  On boot, I am
> > seeing "EFI stub: UEFI Secure Boot is enabled", but setup_arch() emits
> > "Secure boot could not be determined".
> >
> > In efi_main() the secure_boot mode is initially unset, so
> > efi_get_secureboot() is called.  efi_get_secureboot() returns the
> > secure_boot mode correctly as enabled.  The problem seems to be in
> > saving the secure_boot mode for later use.
> 
> Hm. And this only happens on certain firmware versions? If something's
> stepping on boot_params then we have bigger problems.

I was seeing this problem before and after updating the system
firmware on my laptop last summer.  If updating the firmware had
resolved the problem, I wouldn't have included this patch.

Mimi

  parent reply	other threads:[~2019-03-11 16:55 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-11-19 19:56 [PATCH 0/3] selftest/ima: fail kexec_load syscall Mimi Zohar
2018-11-19 19:56 ` Mimi Zohar
2018-11-19 19:56 ` [PATCH 1/3] ima: add error mesage to kexec_load Mimi Zohar
2018-11-19 19:56   ` Mimi Zohar
2018-11-19 19:56 ` [PATCH 2/3] selftests/ima: kexec_load syscall test Mimi Zohar
2018-11-19 19:56   ` Mimi Zohar
2018-11-19 19:56 ` [PATCH 3/3] x86/ima: retry detecting secure boot mode Mimi Zohar
2018-11-19 19:56   ` Mimi Zohar
2019-03-07 22:28   ` Matthew Garrett
2019-03-07 22:28     ` Matthew Garrett
     [not found]     ` <CAFbkSA39RwB+E4SaG_ueu-_B=y7JytEYKw1+eXNQ_eCuMfnv=g@mail.gmail.com>
2019-03-07 22:44       ` Matthew Garrett
2019-03-07 22:44         ` Matthew Garrett
2019-03-07 22:48         ` Mimi Zohar
2019-03-07 22:48           ` Mimi Zohar
2019-03-07 22:50           ` Matthew Garrett
2019-03-07 22:50             ` Matthew Garrett
2019-03-08 13:39             ` Mimi Zohar
2019-03-08 13:39               ` Mimi Zohar
2019-03-08 17:51               ` Matthew Garrett
2019-03-08 17:51                 ` Matthew Garrett
2019-03-08 18:43                 ` Mimi Zohar
2019-03-08 18:43                   ` Mimi Zohar
2019-03-08 20:22                   ` Matthew Garrett
2019-03-08 20:22                     ` Matthew Garrett
2019-03-11 16:54                 ` Mimi Zohar [this message]
2019-03-11 16:54                   ` Mimi Zohar
2019-03-11 19:20                   ` Matthew Garrett
2019-03-11 19:20                     ` Matthew Garrett

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1552323292.6100.45.camel@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=dhowells@redhat.com \
    --cc=jforbes@redhat.com \
    --cc=kexec@lists.infradead.org \
    --cc=linux-efi@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mjg59@google.com \
    --cc=nayna@linux.ibm.com \
    --cc=seth.forshee@canonical.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.