[opensuse-kernel] [PATCH 0/33] Backported patches for support UEFI variable filesystem
Patch-mainline: v3.8-rc1..v3.9-rc2
Target: openSUSE 12.3
Test steps:
 + build; make modules_install; make install
 + mount -t efivarfs none /sys/firmware/efi/efivars/
   or create file
   /lib/systemd/system/sys-firmware-efi-efivars.mount [1]
 + ls /sys/firmware/efi/efivars will show up all EFI variables
 + Try the small create[2]/delete[3] programs from Gary Lin
   The create program will create an EFI variable named TestVar, then we can see it show up
   in /sys/firmware/efi/efivars. And the delete program can remove it.
Backported 33 patches:
0001-efi-Add-support-for-a-UEFI-variable-filesystem.patch
0002-efi-Handle-deletions-and-size-changes-in-efivarfs_w.patch
0003-efi-add-efivars-kobject-to-efi-sysfs-folder.patch
0004-efivarfs-Add-documentation-for-the-EFI-variable-fil.patch
0005-efivarfs-efivarfs_file_read-ensure-we-free-data-in.patch
0006-efivarfs-efivarfs_create-ensure-we-drop-our-refer.patch
0007-efivarfs-efivarfs_fill_super-fix-inode-reference.patch
0008-efivarfs-efivarfs_fill_super-ensure-we-free-our-t.patch
0009-efivarfs-efivarfs_fill_super-ensure-we-clean-up-c.patch
0010-efivarfs-Implement-exclusive-access-for-get-set-_v.patch
0011-efivarfs-Return-an-error-if-we-fail-to-read-a-variab.patch
0012-efi-Clarify-GUID-length-calculations.patch
0013-efivarfs-Replace-magic-number-with-sizeof-attributes.patch
0014-efivarfs-Add-unique-magic-number.patch
0015-efivarfs-Make-datasize-unsigned-long.patch
0016-efivarfs-Return-a-consistent-error-when-efivarfs_get.patch
0017-efivarfs-Fix-return-value-of-efivarfs_file_write.patch
0018-efivarfs-Use-query_variable_info-to-limit-kmalloc.patch
0019-efivarfs-Make-efivarfs_fill_super-static.patch
0020-efivarfs-Drop-link-count-of-the-right-inode.patch
0021-efivarfs-Never-return-ENOENT-from-firmware.patch
0022-efivarfs-Delete-dentry-from-dcache-in-efivarfs_file_.patch
0023-efi_pstore-Check-remaining-space-with-QueryVariableI.patch
0024-pstore-Avoid-deadlock-in-panic-and-emergency-restart.patch
0025-efi_pstore-Avoid-deadlock-in-non-blocking-paths.patch
0026-efivarfs-guid-part-of-filenames-are-case-insensitive.patch
0027-efivars-Disable-external-interrupt-while-holding-efi.patch
0028-efi_pstore-Introducing-workqueue-updating-sysfs.patch
0029-efivarfs-Validate-filenames-much-more-aggressively.patch
0030-efi-be-more-paranoid-about-available-space-when-crea.patch
0031-efivars-efivarfs_valid_name-should-handle-pstore-syn.patch
0032-efivarfs-return-accurate-error-code-in-efivarfs_fill.patch
0033-efivars-Sanitise-string-length-returned-by.patch
[1]
/lib/systemd/system/sys-firmware-efi-efivars.mount (already sent to systemd mailing list for review)
[Unit]
Description=EFI Variables File System
Documentation=https://www.kernel.org/doc/Documentation/filesystems/efivarfs.txt
DefaultDependencies=no
ConditionPathExists=/sys/firmware/efi/efivars
Before=sysinit.target
[Mount]
What=efivarfs
Where=/sys/firmware/efi/efivars
Type=efivarfs
[2]
create.c
#include
From: Matthew Garrett
From: Jeremy Kerr
From: Lee, Chun-Yi
From: Matt Fleming
From: Andy Whitcroft
From: Andy Whitcroft
From: Andy Whitcroft
From: Andy Whitcroft
From: Andy Whitcroft
From: Jeremy Kerr
From: Matt Fleming
From: Jeremy Kerr
From: Matt Fleming
From: Matt Fleming
From: Matt Fleming
From: Matt Fleming
From: Matt Fleming
From: Matt Fleming
From: Matt Fleming
From: Lingzhu Xiang
From: Matt Fleming
From: Matt Fleming
From: Seiji Aguchi
From: Seiji Aguchi
From: Seiji Aguchi
From: Matt Fleming
From: Seiji Aguchi
From: Seiji Aguchi
From: Matt Fleming
From: Matthew Garrett
From: Matt Fleming
From: Matt Fleming
From: Matt Fleming
On HP z220 system (firmware version 1.54), some EFI variables are incorrectly named:

ls -d /sys/firmware/efi/vars/*8be4d* | grep -v -- -8be returns

/sys/firmware/efi/vars/dbxDefault-pport8be4df61-93ca-11d2-aa0d-00e098032b8c
/sys/firmware/efi/vars/KEKDefault-pport8be4df61-93ca-11d2-aa0d-00e098032b8c
/sys/firmware/efi/vars/SecureBoot-pport8be4df61-93ca-11d2-aa0d-00e098032b8c
/sys/firmware/efi/vars/SetupMode-Information8be4df61-93ca-11d2-aa0d-00e098032b8c
Since 'variable_name' is a string, we can validate its size by
searching for the terminating NULL character.
Reported-by: Frederic Crozat
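
The check this commit message describes, as an added example rather than the kernel patch itself: the size the firmware reports is used only as an upper bound, and the name's real size is found by scanning the UCS-2 string for its terminating NUL. The function names and the sample buffer are constructed; the buffer assumes stale characters follow the NUL, which would produce a name like the "SecureBoot-pport..." entry listed above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t efi_char16_t;   /* UEFI variable names are UCS-2 */

#define SAMPLE_GUID "8be4df61-93ca-11d2-aa0d-00e098032b8c"

/* Constructed buffer (assumption): a NUL-terminated name followed by stale
 * characters, with the firmware reporting the whole buffer as the name size. */
static const efi_char16_t sample_name[] = {
    'S','e','c','u','r','e','B','o','o','t', 0, 'p','p','o','r','t', 0
};

/* Size in bytes of the name including its terminating NUL. `reported` (the
 * firmware's claim) is only an upper bound for the scan. *terminated is set
 * to 0 when no NUL lies inside the bound, so the caller can reject the name. */
size_t ucs2_name_size(const efi_char16_t *name, size_t reported, int *terminated)
{
    size_t max_chars = reported / sizeof(efi_char16_t);
    size_t i;

    for (i = 0; i < max_chars; i++) {
        if (name[i] == 0) {
            *terminated = 1;
            return (i + 1) * sizeof(efi_char16_t);
        }
    }
    *terminated = 0;
    return max_chars * sizeof(efi_char16_t);
}

/* Build "<name>-<guid>" from `size` bytes of UCS-2 name, keeping the low byte
 * of each character. Returns 0 on success, -1 if `out` is too small. */
int build_entry_name(const efi_char16_t *name, size_t size, const char *guid,
                     char *out, size_t out_len)
{
    size_t chars = size / sizeof(efi_char16_t);
    size_t i;

    if (chars + 1 + strlen(guid) + 1 > out_len)
        return -1;
    memset(out, 0, out_len);
    for (i = 0; i < chars; i++)
        out[i] = (char)(name[i] & 0xFF);
    out[strlen(out)] = '-';            /* lands on the first NUL that was copied */
    strcpy(out + strlen(out), guid);   /* so stale bytes after it stay in the name */
    return 0;
}

int main(void)
{
    char out[64];
    int terminated;
    size_t real;

    build_entry_name(sample_name, sizeof(sample_name), SAMPLE_GUID, out, sizeof(out));
    printf("trusting reported size: %s\n", out);

    real = ucs2_name_size(sample_name, sizeof(sample_name), &terminated);
    build_entry_name(sample_name, real, SAMPLE_GUID, out, sizeof(out));
    printf("after NUL scan (%zu bytes, terminated=%d): %s\n", real, terminated, out);
    return 0;
}
```
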

On Tue, Apr 02, 2013 at 10:04:35AM +0800, Lee, Chun-Yi wrote:
> Patch-mainline: v3.8-rc1..v3.9-rc2
> Target: openSUSE 12.3
> Test steps:
> + build; make modules_install; make install
> + mount -t efivarfs none /sys/firmware/efi/efivars/
> or create file
> /lib/systemd/system/sys-firmware-efi-efivars.mount [1]
> + ls /sys/firmware/efi/efivars will show up all EFI variables
> + Try the small create[2]/delete[3] programs from Gary Lin
> The create program will create an EFI variable named TestVar, then we can see it show up
> in /sys/firmware/efi/efivars. And the delete program can remove it.

Why are these patches being proposed? Why is this feature needed in the 3.7 openSUSE kernel, after it has been released in 12.3? 13.1 will have a newer kernel, so this isn't needed there.

confused,

greg k-h
--
To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org

Hi Greg,

On Mon, 2013-04-01 at 19:13 -0700, Greg KH wrote:
> Why are these patches being proposed? Why is this feature needed in the 3.7 openSUSE kernel, after it has been released in 12.3? 13.1 will have a newer kernel, so this isn't needed there.
>
> confused,
>
> greg k-h

Ludwig created an openSUSE bug, bnc#808680; we need the above 33 patches to enable the EFI variable filesystem for MOK support.

Thanks a lot!
Joey Lee

On Tue, Apr 02, 2013 at 10:23:21AM +0800, joeyli wrote:
> Ludwig created an openSUSE bug, bnc#808680; we need the above 33 patches to enable the EFI variable filesystem for MOK support.

So we don't support MOK now, but you are going to change this in an update to 12.3 somehow? That sounds like a 13.1 feature to me, how can we add this to 12.3 so late?

thanks,

greg k-h

On Mon, 2013-04-01 at 19:37 -0700, Greg KH wrote:
> So we don't support MOK now, but you are going to change this in an update to 12.3 somehow? That sounds like a 13.1 feature to me, how can we add this to 12.3 so late?
>
> thanks,
>
> greg k-h

Sorry, I wasn't aware that mokutil was added to the openSUSE 12.3 repo. If anyone installs mokutil from the repo, it doesn't work unless the kernel supports the EFI variable filesystem.

Thanks a lot!
Joey Lee

On Tue, Apr 02, 2013 at 10:58:54AM +0800, joeyli wrote:
> Sorry, I wasn't aware that mokutil was added to the openSUSE 12.3 repo. If anyone installs mokutil from the repo, it doesn't work unless the kernel supports the EFI variable filesystem.

But why would someone even try to use mokutil with the 12.3 kernel as it isn't supported?

Isn't this a bit late to be adding major features to the kernel? After we have released and hopefully stabilized it? I can't recall us ever doing that before, have we?

greg k-h

On Mon, 2013-04-01 at 20:28 -0700, Greg KH wrote:
> But why would someone even try to use mokutil with the 12.3 kernel as it isn't supported?

I checked with Gary Lin about the relationship between shim and mokutil; actually, there is no correlation between them unless we want to support MOK. I don't know why mokutil was pushed to the 12.3 repo if we don't support MOK in openSUSE 12.3.

If possible, maybe we should remove mokutil from the 12.3 repo.

> Isn't this a bit late to be adding major features to the kernel? After we have released and hopefully stabilized it? I can't recall us ever doing that before, have we?
>
> greg k-h

Yes, adding the EFI variable filesystem is a big change to the kernel, especially since there are still problems upstream with handling flash space and garbage collection behavior on buggy BIOSes. We will also need a patch to systemd to mount the efivars system when booting. I also prefer to support this function in 13.1, but we need to remove mokutil from the 12.3 repo.

Thanks a lot!
Joey Lee

On Tuesday 02 April 2013 at 12:53 +0800, joeyli wrote:
> On Mon, 2013-04-01 at 20:28 -0700, Greg KH wrote:
> > On Tue, Apr 02, 2013 at 10:58:54AM +0800, joeyli wrote:
> > > Sorry, I wasn't aware that mokutil was added to the openSUSE 12.3 repo. If anyone installs mokutil from the repo, it doesn't work unless the kernel supports the EFI variable filesystem.
> >
> > But why would someone even try to use mokutil with the 12.3 kernel as it isn't supported?
>
> I checked with Gary Lin about the relationship between shim and mokutil; actually, there is no correlation between them unless we want to support MOK. I don't know why mokutil was pushed to the 12.3 repo if we don't support MOK in openSUSE 12.3.
>
> If possible, maybe we should remove mokutil from the 12.3 repo.

Yes, please, this sounds much more reasonable.

-- 
Jean Delvare
Suse L3

joeyli wrote:
> On Mon, 2013-04-01 at 20:28 -0700, Greg KH wrote:
> > But why would someone even try to use mokutil with the 12.3 kernel as it isn't supported?
>
> I checked with Gary Lin about the relationship between shim and mokutil; actually, there is no correlation between them unless we want to support MOK. I don't know why mokutil was pushed to the 12.3 repo if we don't support MOK in openSUSE 12.3.

We have secure boot support in 12.3. The discussion in the bug report indicates that mokutil is needed to tell shim to call MokManager. Which in turn must be run to enroll custom keys for booting kernels signed with a key other than the openSUSE one.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)

On Tue, Apr 2, 2013 at 11:27 AM, Ludwig Nussel wrote:
> > > But why would someone even try to use mokutil with the 12.3 kernel as it isn't supported?

Well, someone may want to install the 3.8 kernel ...

> > I checked with Gary Lin about the relationship between shim and mokutil; actually, there is no correlation between them unless we want to support MOK. I don't know why mokutil was pushed to the 12.3 repo if we don't support MOK in openSUSE 12.3.
>
> We have secure boot support in 12.3. The discussion in the bug report indicates that mokutil is needed to tell shim to call MokManager. Which in turn must be run to enroll custom keys for booting kernels signed with a key other than the openSUSE one.

We just went through it in testing a patch for grub2 on a secure boot system. You can enroll keys using EFI MokManager, you do not need OS level mokutil for that. Or your firmware may offer an option to do it (was not the case).

Andrey Borzenkov wrote:
> We just went through it in testing a patch for grub2 on a secure boot system. You can enroll keys using EFI MokManager, you do not need OS level mokutil for that.

Are you saying there's a patch for grub2 that makes it call MokManager? Normally it would just not load a kernel signed with an unknown signature so you will never see MokManager.

cu
Ludwig

On Tue, Apr 2, 2013 at 3:31 PM, Ludwig Nussel wrote:
> Are you saying there's a patch for grub2 that makes it call MokManager?

No. There was a patch to grub2, but to test it on a secure boot system you need to enroll a certificate. The package with this patch was only available from my home project, so of course it could not use the openSUSE certificate. So Michael made a patch to include the certificate used to verify the signature in the grub2 package, and MokManager was used to enroll this certificate.

https://bugzilla.novell.com/show_bug.cgi?id=809038

> Normally it would just not load a kernel signed with an unknown signature so you will never see MokManager.

I think the plan was for shim to offer to start MokManager if booting fails, but I do not remember the code. grub2 itself does not start MokManager (maybe it should; it could be easily integrated into grub.cfg).