
Commit 155ca95

AdityaGarg8 authored and mimizohar committed
efi: Do not import certificates from UEFI Secure Boot for T2 Macs
On Apple T2 Macs, when Linux attempts to read the db and dbx efi variables at early boot to load UEFI Secure Boot certificates, a page fault occurs in Apple firmware code and EFI runtime services are disabled with the following logs:

[Firmware Bug]: Page fault caused by firmware at PA: 0xffffb1edc0068000
WARNING: CPU: 3 PID: 104 at arch/x86/platform/efi/quirks.c:735 efi_crash_gracefully_on_page_fault+0x50/0xf0
(Removed some logs from here)
Call Trace:
<TASK>
page_fault_oops+0x4f/0x2c0
? search_bpf_extables+0x6b/0x80
? search_module_extables+0x50/0x80
? search_exception_tables+0x5b/0x60
kernelmode_fixup_or_oops+0x9e/0x110
__bad_area_nosemaphore+0x155/0x190
bad_area_nosemaphore+0x16/0x20
do_kern_addr_fault+0x8c/0xa0
exc_page_fault+0xd8/0x180
asm_exc_page_fault+0x1e/0x30
(Removed some logs from here)
? __efi_call+0x28/0x30
? switch_mm+0x20/0x30
? efi_call_rts+0x19a/0x8e0
? process_one_work+0x222/0x3f0
? worker_thread+0x4a/0x3d0
? kthread+0x17a/0x1a0
? process_one_work+0x3f0/0x3f0
? set_kthread_struct+0x40/0x40
? ret_from_fork+0x22/0x30
</TASK>
---[ end trace 1f82023595a5927f ]---
efi: Froze efi_rts_wq and disabled EFI Runtime Services
integrity: Couldn't get size: 0x8000000000000015
integrity: MODSIGN: Couldn't get UEFI db list
efi: EFI Runtime Services are disabled!
integrity: Couldn't get size: 0x8000000000000015
integrity: Couldn't get UEFI dbx list
integrity: Couldn't get size: 0x8000000000000015
integrity: Couldn't get mokx list
integrity: Couldn't get size: 0x80000000

So we avoid reading these UEFI variables and thus prevent the crash.

Cc: [email protected]
Signed-off-by: Aditya Garg <[email protected]>
Reviewed-by: Mimi Zohar <[email protected]>
Signed-off-by: Mimi Zohar <[email protected]>
1 parent c46d541 commit 155ca95

2 files changed

+41
-0
lines changed

2 files changed

+41
-0
lines changed

security/integrity/platform_certs/keyring_handler.h

Lines changed: 8 additions & 0 deletions
@@ -35,3 +35,11 @@ efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type);
3535
efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type);
3636

3737
#endif
38+
39+
#ifndef UEFI_QUIRK_SKIP_CERT
40+
#define UEFI_QUIRK_SKIP_CERT(vendor, product) \
41+
.matches = { \
42+
DMI_MATCH(DMI_BOARD_VENDOR, vendor), \
43+
DMI_MATCH(DMI_PRODUCT_NAME, product), \
44+
},
45+
#endif
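Review bot: the new UEFI_QUIRK_SKIP_CERT macro is placed after the header's closing `#endif`, i.e. outside the include guard, so it has to rely on its own `#ifndef UEFI_QUIRK_SKIP_CERT` wrapper to survive multiple inclusion; moving the definition above the existing `#endif` keeps the whole header under one guard and drops the extra conditional. The macro also expands to DMI_MATCH(), which is declared in <linux/dmi.h>, but this header does not include it, so every user must include dmi.h before keyring_handler.h; either add `#include <linux/dmi.h>` here or document that requirement next to the macro.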

security/integrity/platform_certs/load_uefi.c

Lines changed: 33 additions & 0 deletions
@@ -3,6 +3,7 @@
33
#include <linux/kernel.h>
44
#include <linux/sched.h>
55
#include <linux/cred.h>
6+
#include <linux/dmi.h>
67
#include <linux/err.h>
78
#include <linux/efi.h>
89
#include <linux/slab.h>
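Review bot: <linux/dmi.h> is needed here only because the UEFI_QUIRK_SKIP_CERT macro in keyring_handler.h expands to DMI_MATCH() without including dmi.h itself; the ordering works since keyring_handler.h is included later in this file, but that is an implicit dependency that would be more robust as an include inside the header.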
@@ -12,6 +13,31 @@
1213
#include "../integrity.h"
1314
#include "keyring_handler.h"
1415

16+
/*
17+
* On T2 Macs reading the db and dbx efi variables to load UEFI Secure Boot
18+
* certificates causes occurrence of a page fault in Apple's firmware and
19+
* a crash disabling EFI runtime services. The following quirk skips reading
20+
* these variables.
21+
*/
22+
static const struct dmi_system_id uefi_skip_cert[] = {
23+
{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,1") },
24+
{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,2") },
25+
{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,3") },
26+
{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,4") },
27+
{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,1") },
28+
{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,2") },
29+
{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,3") },
30+
{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,4") },
31+
{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir8,1") },
32+
{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir8,2") },
33+
{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir9,1") },
34+
{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacMini8,1") },
35+
{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacPro7,1") },
36+
{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,1") },
37+
{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,2") },
38+
{ }
39+
};
40+
1541
/*
1642
* Look to see if a UEFI variable called MokIgnoreDB exists and return true if
1743
* it does.
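Review bot: uefi_skip_cert is only consulted from the __init function load_uefi_certs(), so the table can be marked `__initconst` (`static const struct dmi_system_id uefi_skip_cert[] __initconst = {`) and released with the rest of init memory instead of staying resident for the life of the kernel. The comment above the table could also state plainly that the match is on exact DMI_PRODUCT_NAME strings, so any T2 model not listed here will still hit the firmware fault and must be added by hand; a short note along the lines of "keep this list in sync with known T2 models" would help the next person who reports the crash on an unlisted machine.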
@@ -138,6 +164,13 @@ static int __init load_uefi_certs(void)
138164
unsigned long dbsize = 0, dbxsize = 0, mokxsize = 0;
139165
efi_status_t status;
140166
int rc = 0;
167+
const struct dmi_system_id *dmi_id;
168+
169+
dmi_id = dmi_first_match(uefi_skip_cert);
170+
if (dmi_id) {
171+
pr_err("Reading UEFI Secure Boot Certs is not supported on T2 Macs.\n");
172+
return false;
173+
}
141174

142175
if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE))
143176
return false;
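Review bot: pr_err() is too loud for a condition that is expected and handled on every boot of a listed machine; pr_info() or pr_notice() conveys that certificate loading was skipped by design rather than that it failed, and the message could name what is skipped (db, dbx and, because of the early return, mokx as well) so a reader of dmesg knows which platform keyring sources stay empty on these Macs. The dmi_id pointer is only used as a boolean; `if (dmi_check_system(uefi_skip_cert))` expresses the same test without the extra variable. `return false` from an int-returning function matches the existing `return false` a few lines below, so it is at least consistent with the surrounding code.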
