From: Lukas Wunner <lukas@wunner.de>
To: Aditya Garg <gargaditya08@live.com>
Cc: David Laight <David.Laight@ACULAB.COM>,
Ard Biesheuvel <ardb@kernel.org>,
Matthew Garrett <mjg59@srcf.ucam.org>,
Jeremy Kerr <jk@ozlabs.org>,
"joeyli.kernel@gmail.com" <joeyli.kernel@gmail.com>,
"zohar@linux.ibm.com" <zohar@linux.ibm.com>,
"jmorris@namei.org" <jmorris@namei.org>,
"eric.snowberg@oracle.com" <eric.snowberg@oracle.com>,
"dhowells@redhat.com" <dhowells@redhat.com>,
"jlee@suse.com" <jlee@suse.com>,
"James.Bottomley@hansenpartnership.com"
<James.Bottomley@HansenPartnership.com>,
"jarkko@kernel.org" <jarkko@kernel.org>,
"mic@digikod.net" <mic@digikod.net>,
"dmitry.kasatkin@gmail.com" <dmitry.kasatkin@gmail.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
"linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"stable@vger.kernel.org" <stable@vger.kernel.org>,
"keyrings@vger.kernel.org" <keyrings@vger.kernel.org>,
"linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>,
Orlando Chamberlain <redecorating@protonmail.com>,
Aun-Ali Zaidi <admin@kodeit.net>
Subject: Re: [PATCH v3] efi: Do not import certificates from UEFI Secure Boot for T2 Macs
Date: Sun, 13 Feb 2022 08:39:24 +0100 [thread overview]
Message-ID: <20220213073924.GA7648@wunner.de> (raw)
In-Reply-To: <7038A8ED-AC52-4966-836B-7B346713AEE9@live.com>
On Thu, Feb 10, 2022 at 10:47:25AM +0000, Aditya Garg wrote:
> +/* Apple Macs with T2 Security chip don't support these UEFI variables.
> + * The T2 chip manages the Secure Boot and does not allow Linux to boot
> + * if it is turned on. If turned off, an attempt to get certificates
> + * causes a crash, so we simply return 0 for them in each function.
> + */
> +
> +static const struct dmi_system_id uefi_skip_cert[] = {
> +
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,1") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,2") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,3") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,4") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,1") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,2") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,3") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,4") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir8,1") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir8,2") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir9,1") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacMini8,1") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacPro7,1") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,1") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,2") },
> + { }
> +};
The T2 is represented by a PCI device with ID 106B:1802. I think it
would be more elegant to sense presence of that device instead of
hardcoding a long dmi list, i.e.:
static bool apple_t2_present(void)
{
struct pci_dev *pdev;
if (!x86_apple_machine)
return false;
pdev = pci_get_device(PCI_VENDOR_ID_APPLE, 0x1802, NULL);
if (pdev) {
pci_put_dev(pdev);
return true;
}
return false;
}
next prev parent reply other threads:[~2022-02-13 7:47 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-09 14:27 [PATCH] efi: Do not import certificates from UEFI Secure Boot for T2 Macs Aditya Garg
2022-02-09 15:39 ` David Laight
2022-02-10 10:43 ` Aditya Garg
2022-02-10 10:44 ` [PATCH v2] " Aditya Garg
2022-02-10 10:47 ` [PATCH v3] " Aditya Garg
2022-02-13 7:39 ` Lukas Wunner [this message]
2022-02-13 8:36 ` Aditya Garg
2022-02-23 13:49 ` Aditya Garg
2022-02-10 10:47 ` [PATCH v2] " Ard Biesheuvel
2022-02-10 10:53 ` Aditya Garg
2022-02-09 16:49 ` [PATCH] " Matthew Garrett
2022-02-09 18:02 ` Aditya Garg
2022-02-09 18:35 ` Matthew Garrett
2022-02-09 19:37 ` Matthew Garrett
2022-02-10 4:43 ` Aditya Garg
2022-02-10 5:49 ` Aditya Garg
2022-02-10 18:09 ` Matthew Garrett
2022-02-11 4:51 ` Aditya Garg
2022-02-11 16:28 ` Matthew Garrett
2022-02-12 5:53 ` Aditya Garg
2022-02-12 19:42 ` Matthew Garrett
2022-02-13 8:22 ` Aditya Garg
2022-02-13 21:33 ` Matthew Garrett
2022-02-14 0:33 ` Aditya Garg
2022-02-10 5:54 ` Aditya Garg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220213073924.GA7648@wunner.de \
--to=lukas@wunner.de \
--cc=David.Laight@ACULAB.COM \
--cc=James.Bottomley@HansenPartnership.com \
--cc=admin@kodeit.net \
--cc=ardb@kernel.org \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=eric.snowberg@oracle.com \
--cc=gargaditya08@live.com \
--cc=jarkko@kernel.org \
--cc=jk@ozlabs.org \
--cc=jlee@suse.com \
--cc=jmorris@namei.org \
--cc=joeyli.kernel@gmail.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=mjg59@srcf.ucam.org \
--cc=redecorating@protonmail.com \
--cc=stable@vger.kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).