Re: [PATCH V2 1/3] efi: Support for MOK variable config table
From: Nathan Chancellor <hidden>
Date: 2020-10-01 21:07:37
Also in:
linux-efi, lkml, platform-driver-x86
On Thu, Oct 01, 2020 at 10:57:07PM +0200, Ard Biesheuvel wrote:
On Thu, 1 Oct 2020 at 19:44, Nathan Chancellor [off-list ref] wrote:quoted
On Fri, Sep 04, 2020 at 09:31:05PM -0400, Lenny Szubowicz wrote:quoted
Because of system-specific EFI firmware limitations, EFI volatile variables may not be capable of holding the required contents of the Machine Owner Key (MOK) certificate store when the certificate list grows above some size. Therefore, an EFI boot loader may pass the MOK certs via a EFI configuration table created specifically for this purpose to avoid this firmware limitation. An EFI configuration table is a much more primitive mechanism compared to EFI variables and is well suited for one-way passage of static information from a pre-OS environment to the kernel. This patch adds initial kernel support to recognize, parse, and validate the EFI MOK configuration table, where named entries contain the same data that would otherwise be provided in similarly named EFI variables. Additionally, this patch creates a sysfs binary file for each EFI MOK configuration table entry found. These files are read-only to root and are provided for use by user space utilities such as mokutil. A subsequent patch will load MOK certs into the trusted platform key ring using this infrastructure. Signed-off-by: Lenny Szubowicz <redacted>I have not seen this reported yet but this breaks arm allyesconfig and allmodconfig when CPU_LITTLE_ENDIAN is force selected (because CONFIG_EFI will actually be enabled): $ cat le.config CONFIG_CPU_BIG_ENDIAN=n $ make -skj"$(nproc)" ARCH=arm CROSS_COMPILE=arm-linux-gnueabi- KCONFIG_ALLCONFIG=le.config allyesconfig drivers/firmware/efi/mokvar-table.o drivers/firmware/efi/mokvar-table.c: In function 'efi_mokvar_table_init': drivers/firmware/efi/mokvar-table.c:139:5: error: implicit declaration of function 'early_memunmap' [-Werror=implicit-function-declaration] 139 | early_memunmap(va, map_size); | ^~~~~~~~~~~~~~ drivers/firmware/efi/mokvar-table.c:148:9: error: implicit declaration of function 'early_memremap' [-Werror=implicit-function-declaration] 148 | va = early_memremap(efi.mokvar_table, map_size); | ^~~~~~~~~~~~~~ drivers/firmware/efi/mokvar-table.c:148:7: warning: assignment to 'void *' from 'int' makes pointer from integer without a cast [-Wint-conversion] 148 | va = early_memremap(efi.mokvar_table, map_size); | ^ cc1: some warnings being treated as errors make[4]: *** [scripts/Makefile.build:283: drivers/firmware/efi/mokvar-table.o] Error 1 Cheers, NathanHi Nathan, Does adding #include <asm/early_ioremap.h> to drivers/firmware/efi/mokvar-table.c fix the issue?
Indeed, that was much simpler than I thought it would be... If you send or apply a patch, feel free to add: Tested-by: Nathan Chancellor <redacted> Cheers, Nathan