| Message ID | 9ed04df9-2811-e30b-1524-0a0f198128ce@canonical.com |
|---|---|
| State | New |
| Headers | show |
My concern with this patch set, other than the enormity of it, is that there just doesn't looking like much in the way of testing has been done. Can we get more (some) testing done on real hardware and on multiple vendors? Brad On Tue, Aug 09, 2016 at 10:47:04AM -0600, Tim Gardner wrote: > http://bugs.launchpad.net/bugs/1608854 > > This backport is the result of an oversight made when applying UEFI > patches to support signed module enforcement in a secure boot > environment with a MOK variable override > (http://bugs.launchpad.net/bugs/1593075). Arm64 architecture support for > EFI did not exist in a vanilla v3.13 kernel, so I assumed I could simply > disable arm64 EFI support when I began to encounter compile issues with > the UEFI patches. However, I failed to remember that Dann Frazier had > done a partial backport sufficient to boot arm64 on an EFI platform. > Disabling arm64 EFI was kind of a goof and was not noticed by any of the > reviewers. > > I've a few more comments in the bug report at > https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1608854/comments/17 > > rtg > -- > Tim Gardner tim.gardner@canonical.com > The following changes since commit af29983bbae30cfaf4124879b50cb12e68a84195: > > powerpc/tm: Always reclaim in start_thread() for exec() class syscalls (2016-07-29 09:15:59 -0700) > > are available in the git repository at: > > git://kernel.ubuntu.com/rtg/ubuntu-trusty.git > > for you to fetch changes up to bfba7f3e1d73db181f52d58494f22cb43e0a2722: > > UBUNTU: SAUCE: UEFI: Set EFI_SECURE_BOOT bit in x86_efi_facility (2016-08-09 09:39:34 -0600) > > ---------------------------------------------------------------- > Andrzej Zaborowski (1): > efi-pstore: Fix an overflow on 32-bit builds > > Ard Biesheuvel (4): > efi/arm64: ignore dtb= when UEFI SecureBoot is enabled > efi/arm64: efistub: remove local copy of linux_banner > arm64/efi: map the entire UEFI vendor string before reading it > arm64/efi: add missing call to early_ioremap_reset() > > Borislav Petkov (9): > x86/efi: Simplify EFI_DEBUG > x86/efi: Runtime services virtual mapping > x86/efi: Check krealloc return value > x86/efi: Fix 32-bit fallout > x86/efi: Quirk out SGI UV > x86/efi: Dump the EFI page table > x86, pageattr: Export page unmapping interface > x86/efi: Make efi virtual runtime map passing more robust > x86/efi: Split efi_enter_virtual_mode > > Bruno Prémont (1): > x86, ia64: Move EFI_FB vga_default_device() initialization to pci_vga_fixup() > > Catalin Marinas (2): > efi: Fix compiler warnings (unused, const, type) > efi: fdt: Do not report an error during boot if UEFI is not available > > Daeseok Youn (1): > efi: Use NULL instead of 0 for pointer > > Dan Carpenter (2): > efi: Fix error handling in add_sysfs_runtime_map_entry() > efi: Small leak on error in runtime map code > > Dave Young (8): > x86/efi: Remove unused variables in __map_region() > x86/efi: Add a wrapper function efi_map_region_fixed() > x86/efi: Fix off-by-one bug in EFI Boot Services reservation > x86/efi: Cleanup efi_enter_virtual_mode() function > efi: Export more EFI table variables to sysfs > efi: Export EFI runtime memory mapping to sysfs > x86/efi: Pass necessary EFI data for kexec via setup_data > x86/efi: parse_efi_setup() build fix > > Dmitry Skorodumov (1): > x86/efi: Use all 64 bit of efi_memmap in setup_e820() > > Fabian Frederick (1): > fs/efivarfs/super.c: use static const for dentry_operations > > Geyslan G. Bem (1): > efivarfs: 'efivarfs_file_write' function reorganization > > Guenter Roeck (1): > firmware: Do not use WARN_ON(!spin_is_locked()) > > H. Peter Anvin (1): > efi: x86: Handle arbitrary Unicode characters > > Ingo Molnar (1): > efi: Disable interrupts around EFI calls, not in the epilog/prolog calls > > Joe Perches (1): > x86/efi: Style neatening > > Josh Boyer (4): > UBUNTU: SAUCE: UEFI: acpi: Ignore acpi_rsdp kernel parameter when module loading is restricted > UBUNTU: SAUCE: UEFI: efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI > UBUNTU: SAUCE: UEFI MODSIGN: Import certificates from UEFI Secure Boot > UBUNTU: SAUCE: UEFI: efi: Disable secure boot if shim is in insecure mode > > Leif Lindholm (2): > efi: efi-stub-helper cleanup > arm64: efi: only attempt efi map setup if booting via EFI > > Madper Xie (1): > x86/efi: Delete out-of-date comments of efi_query_variable_store > > Mark Salter (5): > efi: create memory map iteration helper > efi: add helper function to get UEFI params from FDT > arm64: add EFI runtime services > arm64: efi: add EFI stub > doc: arm64: add description of EFI stub support > > Matt Fleming (29): > x86/efi: Delete superfluous global variables > x86/efi: Allow mapping BGRT on x86-32 > x86/efi: Check status field to validate BGRT header > efi: Move facility flags to struct efi > efi: Set feature flags inside feature init functions > ia64/efi: Implement efi_enabled() > x86, tools: Consolidate #ifdef code > x86/efi: Delete dead code when checking for non-native > efi: Add separate 32-bit/64-bit definitions > x86/efi: Build our own EFI services pointer table > x86/efi: Add early thunk code to go from 64-bit to 32-bit > x86/efi: Firmware agnostic handover entry points > x86/efi: Wire up CONFIG_EFI_MIXED > x86/efi: Re-disable interrupts after calling firmware services > x86, tools: Fix up compiler warnings > x86/efi: Preserve segment registers in mixed mode > x86/efi: Rip out phys_efi_get_time() > x86/efi: Restore 'attr' argument to query_variable_info() > x86/efi: Delete most of the efi_call* macros > efivars: Use local variables instead of a pointer dereference > efivars: Check size of user object > efivars: Stop passing a struct argument to efivar_validate() > efivars: Refactor sanity checking code into separate function > efivars: Add compatibility code for compat tasks > x86/efi: Fix boot failure with EFI stub > x86/efi: Fix boot crash by mapping EFI memmap entries bottom-up at runtime, instead of top-down > efi/reboot: Add generic wrapper around EfiResetSystem() > x86/reboot: Add EFI reboot quirk for ACPI Hardware Reduced flag > efi/reboot: Allow powering off machines using EFI > > Matthew Garrett (9): > UBUNTU: SAUCE: UEFI: Add secure_modules() call > UBUNTU: SAUCE: UEFI: PCI: Lock down BAR access when module security is enabled > UBUNTU: SAUCE: UEFI: x86: Lock down IO port access when module security is enabled > UBUNTU: SAUCE: UEFI: ACPI: Limit access to custom_method > UBUNTU: SAUCE: UEFI: asus-wmi: Restrict debugfs interface when module loading is restricted > UBUNTU: SAUCE: UEFI: Restrict /dev/mem and /dev/kmem when module loading is restricted > UBUNTU: SAUCE: UEFI: kexec: Disable at runtime if the kernel enforces module loading restrictions > UBUNTU: SAUCE: UEFI: x86: Restrict MSR access when module loading is restricted > UBUNTU: SAUCE: UEFI: Add option to automatically enforce module signatures when in Secure Boot mode > > Peter Jones (3): > efi: Make our variable validation list include the guid > lib/ucs2_string: Add ucs2 -> utf8 helper functions > efi: Use ucs2_as_utf8 in efivarfs instead of open coding a bad version > > Ricardo Neri (3): > x86/efi: Implement a __efi_call_virt macro > x86/efi: Save and restore FPU context around efi_calls (x86_64) > x86/efi: Save and restore FPU context around efi_calls (i386) > > Ross Lagerwall (1): > efivarfs: Ensure VariableName is NUL-terminated > > Roy Franz (5): > efi: Add shared printk wrapper for consistent prefixing > efi: Add get_dram_base() helper function > doc: efi-stub.txt updates for ARM > efi: Add shared FDT related functions for ARM/ARM64 > x86/efi: Store upper bits of command line buffer address in ext_cmd_line_ptr > > Semen Protsenko (1): > efi/arm64: Store Runtime Services revision > > Silvan Jegen (1): > doc: Fix trivial spelling mistake in efi-stub.txt > > Tim Gardner (56): > Revert "UBUNTU: SAUCE: UEFI: Set EFI_SECURE_BOOT bit in x86_efi_facility" > Revert "UBUNTU: SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl" > Revert "UBUNTU: SAUCE: UEFI: Display MOKSBState when disabled" > Revert "UBUNTU: SAUCE: UEFI: efi: Disable secure boot if shim is in insecure mode" > Revert "UBUNTU: SAUCE: UEFI MODSIGN: Import certificates from UEFI Secure Boot" > Revert "UBUNTU: SAUCE: UEFI: efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI" > Revert "UBUNTU: SAUCE: UEFI: Add option to automatically enforce module signatures when in Secure Boot mode" > Revert "UBUNTU: SAUCE: UEFI: x86: Restrict MSR access when module loading is restricted" > Revert "UBUNTU: SAUCE: UEFI: kexec: Disable at runtime if the kernel enforces module loading restrictions" > Revert "UBUNTU: SAUCE: UEFI: acpi: Ignore acpi_rsdp kernel parameter when module loading is restricted" > Revert "UBUNTU: SAUCE: UEFI: Restrict /dev/mem and /dev/kmem when module loading is restricted" > Revert "UBUNTU: SAUCE: UEFI: asus-wmi: Restrict debugfs interface when module loading is restricted" > Revert "UBUNTU: SAUCE: UEFI: ACPI: Limit access to custom_method" > Revert "UBUNTU: SAUCE: UEFI: x86: Lock down IO port access when module security is enabled" > Revert "UBUNTU: SAUCE: UEFI: PCI: Lock down BAR access when module security is enabled" > Revert "UBUNTU: SAUCE: UEFI: Add secure_modules() call" > Revert "x86/efi: Fix boot failure with EFI stub" > Revert "x86/efi: Build our own EFI services pointer table" > Revert "efi: Add separate 32-bit/64-bit definitions" > Revert "efi: Disable interrupts around EFI calls, not in the epilog/prolog calls" > Revert "x86/efi: Use all 64 bit of efi_memmap in setup_e820()" > Revert "x86/efi: Store upper bits of command line buffer address in ext_cmd_line_ptr" > Revert "efivarfs: Ensure VariableName is NUL-terminated" > Revert "efi/libstub: Fix boundary checking in efi_high_alloc()" > Revert "arm64: efi: only attempt efi map setup if booting via EFI" > Revert "UBUNTU: arm64: Implement efi_enabled()" > Revert "efi/arm64: ignore dtb= when UEFI SecureBoot is enabled" > Revert "doc: arm64: add description of EFI stub support" > Revert "UBUNTU: Move get_dram_base to arm private file" > Revert "arm64: efi: add EFI stub" > Revert "arm64: add EFI runtime services" > Revert "efi: Add shared FDT related functions for ARM/ARM64" > Revert "efi: add helper function to get UEFI params from FDT" > Revert "doc: efi-stub.txt updates for ARM" > Revert "efi: Add get_dram_base() helper function" > Revert "efi: create memory map iteration helper" > Revert "x86, ia64: Move EFI_FB vga_default_device() initialization to pci_vga_fixup()" > Revert "firmware: Do not use WARN_ON(!spin_is_locked())" > Revert "efi-pstore: Fix an overflow on 32-bit builds" > Revert "x86/efi: Fix 32-bit fallout" > Revert "x86/efi: Check krealloc return value" > Revert "x86/efi: Runtime services virtual mapping" > Revert "x86/efi: Fix off-by-one bug in EFI Boot Services reservation" > UBUNTU: SAUCE: Merge tag 'efi-next' of git://git.kernel.org/.../mfleming/efi into x86/efi > UBUNTU: [Config] CONFIG_EFI_RUNTIME_MAP=y > UBUNTU: SAUCE: Merge tag 'v3.13-rc7' into x86/efi-kexec to resolve conflicts > UBUNTU: v3.14 - Bacported EFI up to v3.14 > UBUNTU: [Config] CONFIG_EFI_MIXED=y > UBUNTU: SAUCE: Merge remote-tracking branch 'tip/x86/efi-mixed' into efi-for-mingo > UBUNTU: SAUCE: merge with v3.15 > UBUNTU: SAUCE: merge with v3.16 > UBUNTU: [Config] CONFIG_LIBFDT=y > UBUNTU: [Config] CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y > UBUNTU: SAUCE: UEFI: Display MOKSBState when disabled > UBUNTU: SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl > UBUNTU: SAUCE: UEFI: Set EFI_SECURE_BOOT bit in x86_efi_facility > > Yinghai Lu (1): > efi/libstub: Fix boundary checking in efi_high_alloc() > > Documentation/ABI/testing/sysfs-firmware-efi | 20 + > .../ABI/testing/sysfs-firmware-efi-runtime-map | 34 + > Documentation/efi-stub.txt | 2 +- > arch/arm64/include/asm/efi.h | 1 - > arch/arm64/kernel/efi-stub.c | 8 - > arch/arm64/kernel/efi.c | 27 +- > arch/arm64/kernel/setup.c | 1 + > arch/ia64/kernel/efi.c | 7 + > arch/ia64/kernel/process.c | 2 +- > arch/ia64/pci/fixup.c | 21 + > arch/x86/Kconfig | 14 + > arch/x86/Kconfig.debug | 9 + > arch/x86/boot/Makefile | 2 +- > arch/x86/boot/compressed/eboot.c | 904 ++++++++++++++++----- > arch/x86/boot/compressed/efi_stub_64.S | 29 + > arch/x86/boot/compressed/head_32.S | 2 +- > arch/x86/boot/compressed/head_64.S | 64 +- > arch/x86/boot/header.S | 15 +- > arch/x86/boot/tools/build.c | 100 +-- > arch/x86/include/asm/efi.h | 159 ++-- > arch/x86/include/asm/pgtable_types.h | 2 + > arch/x86/include/uapi/asm/bootparam.h | 1 + > arch/x86/kernel/reboot.c | 26 +- > arch/x86/kernel/setup.c | 80 +- > arch/x86/mm/pageattr.c | 44 +- > arch/x86/pci/fixup.c | 21 + > arch/x86/platform/efi/Makefile | 1 + > arch/x86/platform/efi/early_printk.c | 83 +- > arch/x86/platform/efi/efi-bgrt.c | 12 +- > arch/x86/platform/efi/efi.c | 752 ++++++++++++----- > arch/x86/platform/efi/efi_32.c | 10 +- > arch/x86/platform/efi/efi_64.c | 389 ++++++++- > arch/x86/platform/efi/efi_stub_64.S | 247 ++++-- > arch/x86/platform/efi/efi_thunk_64.S | 65 ++ > arch/x86/platform/uv/bios_uv.c | 2 +- > block/partitions/efi.h | 9 +- > debian.master/config/amd64/config.common.amd64 | 1 - > debian.master/config/arm64/config.common.arm64 | 1 - > debian.master/config/config.common.ubuntu | 6 + > debian.master/config/i386/config.common.i386 | 1 - > drivers/firmware/efi/Kconfig | 11 + > drivers/firmware/efi/Makefile | 3 +- > drivers/firmware/efi/arm-stub.c | 39 +- > drivers/firmware/efi/efi-stub-helper.c | 187 +++-- > drivers/firmware/efi/efi.c | 78 +- > drivers/firmware/efi/efivars.c | 221 +++-- > drivers/firmware/efi/fdt.c | 12 +- > drivers/firmware/efi/reboot.c | 56 ++ > drivers/firmware/efi/runtime-map.c | 181 +++++ > drivers/firmware/efi/vars.c | 82 +- > fs/efivarfs/file.c | 13 +- > fs/efivarfs/super.c | 9 +- > include/linux/efi.h | 46 +- > include/linux/ucs2_string.h | 4 + > lib/ucs2_string.c | 62 ++ > notes.txt | 1 + > 56 files changed, 3217 insertions(+), 962 deletions(-) > create mode 100644 Documentation/ABI/testing/sysfs-firmware-efi > create mode 100644 Documentation/ABI/testing/sysfs-firmware-efi-runtime-map > create mode 100644 arch/x86/platform/efi/efi_thunk_64.S > create mode 100644 drivers/firmware/efi/reboot.c > create mode 100644 drivers/firmware/efi/runtime-map.c > create mode 100644 notes.txt > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
Well, this patchset has turned out to be a bit of a boondogle. While it fixed the arm64 regression (https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1608854/comments/20), it has also caused amd64 regressions on some Dell laptops. I've been working with the certification folks (the laptop owners) but have found no solution. All of the failing units are in Asia which makes it difficult to debug boot issues. I'm inclined to revert Trusty to Ubuntu-3.13.0-91.138 functionality wrt EFI support. Anyone that needs secure boot and signed module enforcement will just have to run lts-xenial. rtg On 08/10/2016 02:42 PM, Brad Figg wrote: > > My concern with this patch set, other than the enormity of it, is that > there just doesn't looking like much in the way of testing has been done. > Can we get more (some) testing done on real hardware and on multiple vendors? > > Brad > > On Tue, Aug 09, 2016 at 10:47:04AM -0600, Tim Gardner wrote: >> http://bugs.launchpad.net/bugs/1608854 >> >> This backport is the result of an oversight made when applying UEFI >> patches to support signed module enforcement in a secure boot >> environment with a MOK variable override >> (http://bugs.launchpad.net/bugs/1593075). Arm64 architecture support for >> EFI did not exist in a vanilla v3.13 kernel, so I assumed I could simply >> disable arm64 EFI support when I began to encounter compile issues with >> the UEFI patches. However, I failed to remember that Dann Frazier had >> done a partial backport sufficient to boot arm64 on an EFI platform. >> Disabling arm64 EFI was kind of a goof and was not noticed by any of the >> reviewers. >> >> I've a few more comments in the bug report at >> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1608854/comments/17 >> >> rtg >> -- >> Tim Gardner tim.gardner@canonical.com > >> The following changes since commit af29983bbae30cfaf4124879b50cb12e68a84195: >> >> powerpc/tm: Always reclaim in start_thread() for exec() class syscalls (2016-07-29 09:15:59 -0700) >> >> are available in the git repository at: >> >> git://kernel.ubuntu.com/rtg/ubuntu-trusty.git >> >> for you to fetch changes up to bfba7f3e1d73db181f52d58494f22cb43e0a2722: >> >> UBUNTU: SAUCE: UEFI: Set EFI_SECURE_BOOT bit in x86_efi_facility (2016-08-09 09:39:34 -0600) >> >> ---------------------------------------------------------------- >> Andrzej Zaborowski (1): >> efi-pstore: Fix an overflow on 32-bit builds >> >> Ard Biesheuvel (4): >> efi/arm64: ignore dtb= when UEFI SecureBoot is enabled >> efi/arm64: efistub: remove local copy of linux_banner >> arm64/efi: map the entire UEFI vendor string before reading it >> arm64/efi: add missing call to early_ioremap_reset() >> >> Borislav Petkov (9): >> x86/efi: Simplify EFI_DEBUG >> x86/efi: Runtime services virtual mapping >> x86/efi: Check krealloc return value >> x86/efi: Fix 32-bit fallout >> x86/efi: Quirk out SGI UV >> x86/efi: Dump the EFI page table >> x86, pageattr: Export page unmapping interface >> x86/efi: Make efi virtual runtime map passing more robust >> x86/efi: Split efi_enter_virtual_mode >> >> Bruno Prémont (1): >> x86, ia64: Move EFI_FB vga_default_device() initialization to pci_vga_fixup() >> >> Catalin Marinas (2): >> efi: Fix compiler warnings (unused, const, type) >> efi: fdt: Do not report an error during boot if UEFI is not available >> >> Daeseok Youn (1): >> efi: Use NULL instead of 0 for pointer >> >> Dan Carpenter (2): >> efi: Fix error handling in add_sysfs_runtime_map_entry() >> efi: Small leak on error in runtime map code >> >> Dave Young (8): >> x86/efi: Remove unused variables in __map_region() >> x86/efi: Add a wrapper function efi_map_region_fixed() >> x86/efi: Fix off-by-one bug in EFI Boot Services reservation >> x86/efi: Cleanup efi_enter_virtual_mode() function >> efi: Export more EFI table variables to sysfs >> efi: Export EFI runtime memory mapping to sysfs >> x86/efi: Pass necessary EFI data for kexec via setup_data >> x86/efi: parse_efi_setup() build fix >> >> Dmitry Skorodumov (1): >> x86/efi: Use all 64 bit of efi_memmap in setup_e820() >> >> Fabian Frederick (1): >> fs/efivarfs/super.c: use static const for dentry_operations >> >> Geyslan G. Bem (1): >> efivarfs: 'efivarfs_file_write' function reorganization >> >> Guenter Roeck (1): >> firmware: Do not use WARN_ON(!spin_is_locked()) >> >> H. Peter Anvin (1): >> efi: x86: Handle arbitrary Unicode characters >> >> Ingo Molnar (1): >> efi: Disable interrupts around EFI calls, not in the epilog/prolog calls >> >> Joe Perches (1): >> x86/efi: Style neatening >> >> Josh Boyer (4): >> UBUNTU: SAUCE: UEFI: acpi: Ignore acpi_rsdp kernel parameter when module loading is restricted >> UBUNTU: SAUCE: UEFI: efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI >> UBUNTU: SAUCE: UEFI MODSIGN: Import certificates from UEFI Secure Boot >> UBUNTU: SAUCE: UEFI: efi: Disable secure boot if shim is in insecure mode >> >> Leif Lindholm (2): >> efi: efi-stub-helper cleanup >> arm64: efi: only attempt efi map setup if booting via EFI >> >> Madper Xie (1): >> x86/efi: Delete out-of-date comments of efi_query_variable_store >> >> Mark Salter (5): >> efi: create memory map iteration helper >> efi: add helper function to get UEFI params from FDT >> arm64: add EFI runtime services >> arm64: efi: add EFI stub >> doc: arm64: add description of EFI stub support >> >> Matt Fleming (29): >> x86/efi: Delete superfluous global variables >> x86/efi: Allow mapping BGRT on x86-32 >> x86/efi: Check status field to validate BGRT header >> efi: Move facility flags to struct efi >> efi: Set feature flags inside feature init functions >> ia64/efi: Implement efi_enabled() >> x86, tools: Consolidate #ifdef code >> x86/efi: Delete dead code when checking for non-native >> efi: Add separate 32-bit/64-bit definitions >> x86/efi: Build our own EFI services pointer table >> x86/efi: Add early thunk code to go from 64-bit to 32-bit >> x86/efi: Firmware agnostic handover entry points >> x86/efi: Wire up CONFIG_EFI_MIXED >> x86/efi: Re-disable interrupts after calling firmware services >> x86, tools: Fix up compiler warnings >> x86/efi: Preserve segment registers in mixed mode >> x86/efi: Rip out phys_efi_get_time() >> x86/efi: Restore 'attr' argument to query_variable_info() >> x86/efi: Delete most of the efi_call* macros >> efivars: Use local variables instead of a pointer dereference >> efivars: Check size of user object >> efivars: Stop passing a struct argument to efivar_validate() >> efivars: Refactor sanity checking code into separate function >> efivars: Add compatibility code for compat tasks >> x86/efi: Fix boot failure with EFI stub >> x86/efi: Fix boot crash by mapping EFI memmap entries bottom-up at runtime, instead of top-down >> efi/reboot: Add generic wrapper around EfiResetSystem() >> x86/reboot: Add EFI reboot quirk for ACPI Hardware Reduced flag >> efi/reboot: Allow powering off machines using EFI >> >> Matthew Garrett (9): >> UBUNTU: SAUCE: UEFI: Add secure_modules() call >> UBUNTU: SAUCE: UEFI: PCI: Lock down BAR access when module security is enabled >> UBUNTU: SAUCE: UEFI: x86: Lock down IO port access when module security is enabled >> UBUNTU: SAUCE: UEFI: ACPI: Limit access to custom_method >> UBUNTU: SAUCE: UEFI: asus-wmi: Restrict debugfs interface when module loading is restricted >> UBUNTU: SAUCE: UEFI: Restrict /dev/mem and /dev/kmem when module loading is restricted >> UBUNTU: SAUCE: UEFI: kexec: Disable at runtime if the kernel enforces module loading restrictions >> UBUNTU: SAUCE: UEFI: x86: Restrict MSR access when module loading is restricted >> UBUNTU: SAUCE: UEFI: Add option to automatically enforce module signatures when in Secure Boot mode >> >> Peter Jones (3): >> efi: Make our variable validation list include the guid >> lib/ucs2_string: Add ucs2 -> utf8 helper functions >> efi: Use ucs2_as_utf8 in efivarfs instead of open coding a bad version >> >> Ricardo Neri (3): >> x86/efi: Implement a __efi_call_virt macro >> x86/efi: Save and restore FPU context around efi_calls (x86_64) >> x86/efi: Save and restore FPU context around efi_calls (i386) >> >> Ross Lagerwall (1): >> efivarfs: Ensure VariableName is NUL-terminated >> >> Roy Franz (5): >> efi: Add shared printk wrapper for consistent prefixing >> efi: Add get_dram_base() helper function >> doc: efi-stub.txt updates for ARM >> efi: Add shared FDT related functions for ARM/ARM64 >> x86/efi: Store upper bits of command line buffer address in ext_cmd_line_ptr >> >> Semen Protsenko (1): >> efi/arm64: Store Runtime Services revision >> >> Silvan Jegen (1): >> doc: Fix trivial spelling mistake in efi-stub.txt >> >> Tim Gardner (56): >> Revert "UBUNTU: SAUCE: UEFI: Set EFI_SECURE_BOOT bit in x86_efi_facility" >> Revert "UBUNTU: SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl" >> Revert "UBUNTU: SAUCE: UEFI: Display MOKSBState when disabled" >> Revert "UBUNTU: SAUCE: UEFI: efi: Disable secure boot if shim is in insecure mode" >> Revert "UBUNTU: SAUCE: UEFI MODSIGN: Import certificates from UEFI Secure Boot" >> Revert "UBUNTU: SAUCE: UEFI: efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI" >> Revert "UBUNTU: SAUCE: UEFI: Add option to automatically enforce module signatures when in Secure Boot mode" >> Revert "UBUNTU: SAUCE: UEFI: x86: Restrict MSR access when module loading is restricted" >> Revert "UBUNTU: SAUCE: UEFI: kexec: Disable at runtime if the kernel enforces module loading restrictions" >> Revert "UBUNTU: SAUCE: UEFI: acpi: Ignore acpi_rsdp kernel parameter when module loading is restricted" >> Revert "UBUNTU: SAUCE: UEFI: Restrict /dev/mem and /dev/kmem when module loading is restricted" >> Revert "UBUNTU: SAUCE: UEFI: asus-wmi: Restrict debugfs interface when module loading is restricted" >> Revert "UBUNTU: SAUCE: UEFI: ACPI: Limit access to custom_method" >> Revert "UBUNTU: SAUCE: UEFI: x86: Lock down IO port access when module security is enabled" >> Revert "UBUNTU: SAUCE: UEFI: PCI: Lock down BAR access when module security is enabled" >> Revert "UBUNTU: SAUCE: UEFI: Add secure_modules() call" >> Revert "x86/efi: Fix boot failure with EFI stub" >> Revert "x86/efi: Build our own EFI services pointer table" >> Revert "efi: Add separate 32-bit/64-bit definitions" >> Revert "efi: Disable interrupts around EFI calls, not in the epilog/prolog calls" >> Revert "x86/efi: Use all 64 bit of efi_memmap in setup_e820()" >> Revert "x86/efi: Store upper bits of command line buffer address in ext_cmd_line_ptr" >> Revert "efivarfs: Ensure VariableName is NUL-terminated" >> Revert "efi/libstub: Fix boundary checking in efi_high_alloc()" >> Revert "arm64: efi: only attempt efi map setup if booting via EFI" >> Revert "UBUNTU: arm64: Implement efi_enabled()" >> Revert "efi/arm64: ignore dtb= when UEFI SecureBoot is enabled" >> Revert "doc: arm64: add description of EFI stub support" >> Revert "UBUNTU: Move get_dram_base to arm private file" >> Revert "arm64: efi: add EFI stub" >> Revert "arm64: add EFI runtime services" >> Revert "efi: Add shared FDT related functions for ARM/ARM64" >> Revert "efi: add helper function to get UEFI params from FDT" >> Revert "doc: efi-stub.txt updates for ARM" >> Revert "efi: Add get_dram_base() helper function" >> Revert "efi: create memory map iteration helper" >> Revert "x86, ia64: Move EFI_FB vga_default_device() initialization to pci_vga_fixup()" >> Revert "firmware: Do not use WARN_ON(!spin_is_locked())" >> Revert "efi-pstore: Fix an overflow on 32-bit builds" >> Revert "x86/efi: Fix 32-bit fallout" >> Revert "x86/efi: Check krealloc return value" >> Revert "x86/efi: Runtime services virtual mapping" >> Revert "x86/efi: Fix off-by-one bug in EFI Boot Services reservation" >> UBUNTU: SAUCE: Merge tag 'efi-next' of git://git.kernel.org/.../mfleming/efi into x86/efi >> UBUNTU: [Config] CONFIG_EFI_RUNTIME_MAP=y >> UBUNTU: SAUCE: Merge tag 'v3.13-rc7' into x86/efi-kexec to resolve conflicts >> UBUNTU: v3.14 - Bacported EFI up to v3.14 >> UBUNTU: [Config] CONFIG_EFI_MIXED=y >> UBUNTU: SAUCE: Merge remote-tracking branch 'tip/x86/efi-mixed' into efi-for-mingo >> UBUNTU: SAUCE: merge with v3.15 >> UBUNTU: SAUCE: merge with v3.16 >> UBUNTU: [Config] CONFIG_LIBFDT=y >> UBUNTU: [Config] CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y >> UBUNTU: SAUCE: UEFI: Display MOKSBState when disabled >> UBUNTU: SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl >> UBUNTU: SAUCE: UEFI: Set EFI_SECURE_BOOT bit in x86_efi_facility >> >> Yinghai Lu (1): >> efi/libstub: Fix boundary checking in efi_high_alloc() >> >> Documentation/ABI/testing/sysfs-firmware-efi | 20 + >> .../ABI/testing/sysfs-firmware-efi-runtime-map | 34 + >> Documentation/efi-stub.txt | 2 +- >> arch/arm64/include/asm/efi.h | 1 - >> arch/arm64/kernel/efi-stub.c | 8 - >> arch/arm64/kernel/efi.c | 27 +- >> arch/arm64/kernel/setup.c | 1 + >> arch/ia64/kernel/efi.c | 7 + >> arch/ia64/kernel/process.c | 2 +- >> arch/ia64/pci/fixup.c | 21 + >> arch/x86/Kconfig | 14 + >> arch/x86/Kconfig.debug | 9 + >> arch/x86/boot/Makefile | 2 +- >> arch/x86/boot/compressed/eboot.c | 904 ++++++++++++++++----- >> arch/x86/boot/compressed/efi_stub_64.S | 29 + >> arch/x86/boot/compressed/head_32.S | 2 +- >> arch/x86/boot/compressed/head_64.S | 64 +- >> arch/x86/boot/header.S | 15 +- >> arch/x86/boot/tools/build.c | 100 +-- >> arch/x86/include/asm/efi.h | 159 ++-- >> arch/x86/include/asm/pgtable_types.h | 2 + >> arch/x86/include/uapi/asm/bootparam.h | 1 + >> arch/x86/kernel/reboot.c | 26 +- >> arch/x86/kernel/setup.c | 80 +- >> arch/x86/mm/pageattr.c | 44 +- >> arch/x86/pci/fixup.c | 21 + >> arch/x86/platform/efi/Makefile | 1 + >> arch/x86/platform/efi/early_printk.c | 83 +- >> arch/x86/platform/efi/efi-bgrt.c | 12 +- >> arch/x86/platform/efi/efi.c | 752 ++++++++++++----- >> arch/x86/platform/efi/efi_32.c | 10 +- >> arch/x86/platform/efi/efi_64.c | 389 ++++++++- >> arch/x86/platform/efi/efi_stub_64.S | 247 ++++-- >> arch/x86/platform/efi/efi_thunk_64.S | 65 ++ >> arch/x86/platform/uv/bios_uv.c | 2 +- >> block/partitions/efi.h | 9 +- >> debian.master/config/amd64/config.common.amd64 | 1 - >> debian.master/config/arm64/config.common.arm64 | 1 - >> debian.master/config/config.common.ubuntu | 6 + >> debian.master/config/i386/config.common.i386 | 1 - >> drivers/firmware/efi/Kconfig | 11 + >> drivers/firmware/efi/Makefile | 3 +- >> drivers/firmware/efi/arm-stub.c | 39 +- >> drivers/firmware/efi/efi-stub-helper.c | 187 +++-- >> drivers/firmware/efi/efi.c | 78 +- >> drivers/firmware/efi/efivars.c | 221 +++-- >> drivers/firmware/efi/fdt.c | 12 +- >> drivers/firmware/efi/reboot.c | 56 ++ >> drivers/firmware/efi/runtime-map.c | 181 +++++ >> drivers/firmware/efi/vars.c | 82 +- >> fs/efivarfs/file.c | 13 +- >> fs/efivarfs/super.c | 9 +- >> include/linux/efi.h | 46 +- >> include/linux/ucs2_string.h | 4 + >> lib/ucs2_string.c | 62 ++ >> notes.txt | 1 + >> 56 files changed, 3217 insertions(+), 962 deletions(-) >> create mode 100644 Documentation/ABI/testing/sysfs-firmware-efi >> create mode 100644 Documentation/ABI/testing/sysfs-firmware-efi-runtime-map >> create mode 100644 arch/x86/platform/efi/efi_thunk_64.S >> create mode 100644 drivers/firmware/efi/reboot.c >> create mode 100644 drivers/firmware/efi/runtime-map.c >> create mode 100644 notes.txt > >> -- >> kernel-team mailing list >> kernel-team@lists.ubuntu.com >> https://lists.ubuntu.com/mailman/listinfo/kernel-team > >