On Wed, 2022-04-13 at 14:04 +0000, Aditya Garg wrote:
From: Aditya Garg gargaditya08@live.com
On Apple T2 Macs, when Linux reads the db and dbx efi variables to load UEFI Secure Boot certificates, a page fault occurs in Apple firmware code and EFI services are disabled with the following logs:
Call Trace:
<TASK> page_fault_oops+0x4f/0x2c0 ? search_bpf_extables+0x6b/0x80 ? search_module_extables+0x50/0x80 ? search_exception_tables+0x5b/0x60 kernelmode_fixup_or_oops+0x9e/0x110 __bad_area_nosemaphore+0x155/0x190 bad_area_nosemaphore+0x16/0x20 do_kern_addr_fault+0x8c/0xa0 exc_page_fault+0xd8/0x180 asm_exc_page_fault+0x1e/0x30 (Removed some logs from here) ? __efi_call+0x28/0x30 ? switch_mm+0x20/0x30 ? efi_call_rts+0x19a/0x8e0 ? process_one_work+0x222/0x3f0 ? worker_thread+0x4a/0x3d0 ? kthread+0x17a/0x1a0 ? process_one_work+0x3f0/0x3f0 ? set_kthread_struct+0x40/0x40 ? ret_from_fork+0x22/0x30 </TASK> ---[ end trace 1f82023595a5927f ]--- efi: Froze efi_rts_wq and disabled EFI Runtime Services integrity: Couldn't get size: 0x8000000000000015 integrity: MODSIGN: Couldn't get UEFI db list efi: EFI Runtime Services are disabled! integrity: Couldn't get size: 0x8000000000000015 integrity: Couldn't get UEFI dbx list integrity: Couldn't get size: 0x8000000000000015 integrity: Couldn't get mokx list integrity: Couldn't get size: 0x80000000
This also occurs when some other variables are read (see examples below, there are many more), but only when these variables are read at an early stage like db and dbx are to load UEFI certs.
BridgeOSBootSessionUUID-4d1ede05-38c7-4a6a-9cc6-4bcca8b38c14 KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
On these Macs, we skip reading the EFI variables for the UEFI certificates. As a result without certificates, secure boot signature verification fails. As these Macs have a non-standard implementation of secure boot that only uses Apple's and Microsoft's keys (users can't add their own), securely booting Linux was never supported on this hardware, so skipping it shouldn't cause a regression.
Based on your explanation, there seems to be two issues - inability to read EFI variables, "users can't add their own" keys. Neither of which mean "a non-standard implementation of secure boot". Please fix the "cause" and "affect" in the patch description and comments.
thanks,
Mimi