Re: [BUG][SEVERE] Enabling EFI runtime services causes panics in the T2 security chip on Macs equipped with it.

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Orlando Chamberlain <redecorating@protonmail.com>
To: Ard Biesheuvel <ardb@kernel.org>
Cc: Aditya Garg <gargaditya08@live.com>,
	"jk@ozlabs.org" <jk@ozlabs.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	"linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Aun-Ali Zaidi <admin@kodeit.net>
Subject: Re: [BUG][SEVERE] Enabling EFI runtime services causes panics in the T2 security chip on Macs equipped with it.
Date: Tue, 11 Jan 2022 05:17:26 +0000	[thread overview]
Message-ID: <20220111051717.25b86946@localhost> (raw)
In-Reply-To: <CAMj1kXEjmJxS-_r4HK_v_Qm85y2oeawk+bWUpSY7mV5NLFCm4g@mail.gmail.com>

On Tue, 11 Jan 2022 04:45:35 +1100
"Ard Biesheuvel" <ardb@kernel.org> wrote:

> On Mon, 10 Jan 2022 at 17:37, Ard Biesheuvel <ardb@kernel.org> wrote:
> >
> > On Mon, 10 Jan 2022 at 17:28, Aditya Garg <gargaditya08@live.com>
> > wrote:  
> ...
> > > >>
> > > >> This seems to be triggered by EFI_QUERY_VARIABLE_INFO here
> > > >>  
> > > >
> > > > This is interesting. QueryVariableInfo() was introduced in EFI
> > > > 2.00, and for a very long time, Intel MACs would claim to
> > > > implement EFI 1.10 only. This means Linux would never attempt
> > > > to use QueryVariableInfo() on such platforms.
> > > >
> > > > Can you please check your boot log which revision it claims to
> > > > implement now?
> > > >
> > > > Mine says
> > > >
> > > > efi: EFI v1.10 by Apple  
> > >
> > > Mine says
> > >
> > > efi: EFI v2.40 by Apple
> > >  
> 
> Can you check whether things work as before after applying the change
> below?
> 
> diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
> index 147c30a81f15..d7203355cc69 100644
> --- a/arch/x86/platform/efi/efi.c
> +++ b/arch/x86/platform/efi/efi.c
> @@ -399,7 +399,7 @@ static int __init efi_systab_init(unsigned long
> phys) efi_nr_tables           = systab32->nr_tables;
>         }
> 
> -       efi.runtime_version = hdr->revision;
> +       efi.runtime_version = EFI_1_10_SYSTEM_TABLE_REVISION;
> 
>         efi_systab_report_header(hdr, efi_fw_vendor);
>         early_memunmap(p, size);

This patch works for me, I was able to use `efibootmgr -t 2` without
panics and the change to the boot timeout value persisted after a
reboot. (I don't think the Apple firmware would actually use this
timeout value for a timeout time, but it is an nvram vairable that i
was able to write to)

efi: EFI v2.40 by Apple
efi: ACPI=0x7affe000 ACPI 2.0=0x7affe014 SMBIOS=0x7aed0000 SMBIOS 3.0=0x7aece000 
SMBIOS 3.1.1 present.
DMI: Apple Inc. MacBookPro16,1/Mac-E1008331FDC96864, BIOS 1715.60.5.0.0 (iBridge: 19.16.10647.0.0,0) 11/16/2021

("iBridge" might be something to use for a quirk, as it should cover
all Macs with the T2 chip)


--

next prev parent reply	other threads:[~2022-01-11  5:17 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-01-10 15:37 [BUG][SEVERE] Enabling EFI runtime services causes panics in the T2 security chip on Macs equipped with it Aditya Garg
2022-01-10 16:02 ` Ard Biesheuvel
2022-01-10 16:27   ` Aditya Garg
2022-01-10 16:37     ` Ard Biesheuvel
2022-01-10 17:45       ` Ard Biesheuvel
2022-01-11  5:17         ` Orlando Chamberlain [this message]
2022-01-11  7:35           ` Aditya Garg
2022-01-11  7:32         ` Aditya Garg
2022-01-12  6:23         ` Aditya Garg
2022-01-12  8:21           ` Ard Biesheuvel
2022-01-12  9:06             ` Orlando Chamberlain
2022-01-12  9:13               ` Ard Biesheuvel

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220111051717.25b86946@localhost \
    --to=redecorating@protonmail.com \
    --cc=admin@kodeit.net \
    --cc=ardb@kernel.org \
    --cc=gargaditya08@live.com \
    --cc=jk@ozlabs.org \
    --cc=linux-efi@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.