On 9/1/19 8:38 AM, John S Gruber wrote:

From: "John S. Gruber" JohnSGruber@gmail.com

commit a90118c445cc ("x86/boot: Save fields explicitly, zero out everything else") now zeros the secure boot information passed by the boot loader or by the kernel's efi handover mechanism.

Include boot-params.secure_boot in the preserve field list.

Signed-off-by: John S. Gruber JohnSGruber@gmail.com

I noted a change in my computers between running signed 5.3-rc4 and 5.3-rc6 with signed kernels using the efi handoff protocol with grub. The kernel log message "Secure boot enabled" becomes "Secure boot could not be determined". The efi_main function in arch/x86/boot/compressed/eboot.c sets this field early but it is subsequently zeroed by the above referenced commit in the file arch/x86/include/asm/bootparam_utils.h

Applies to 5.3-rc6.

Hi,

The fix itself looks good, so you can add:

Reviewed-by: John Hubbard jhubbard@nvidia.com

...but note that the commit description should get a few tweaks:

1. Your description above is actually well-suited for the commit log, so please add that in. Especially the symptoms are desirable to have on record.

2. This should Cc: stable@vger.kernel.org, because the whole thing made it into -stable and those kernels need this fix.

3. Also need a Fixes tag:

Fixes: commit a90118c445cc ("x86/boot: Save fields explicitly, zero out everything else")

thanks,