From: Greg Kroah-Hartman Date: Sun, 8 Sep 2019 12:06:32 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.4.192~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=717d3c261326bed9a22c62770ad76ed17586ba81;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: x86-boot-preserve-boot_params.secure_boot-from-sanitizing.patch --- diff --git a/queue-4.19/series b/queue-4.19/series index b42d1dd839b..2e9fb1eb61a 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -6,6 +6,7 @@ net-stmmac-dwmac-rk-don-t-fail-if-phy-regulator-is-absent.patch tcp-inherit-timestamp-on-mtu-probe.patch tcp-remove-empty-skb-from-write-queue-in-error-cases.patch net-rds-fix-info-leak-in-rds6_inc_info_copy.patch +x86-boot-preserve-boot_params.secure_boot-from-sanitizing.patch spi-bcm2835aux-unifying-code-between-polling-and-int.patch spi-bcm2835aux-remove-dangerous-uncontrolled-read-of.patch spi-bcm2835aux-fix-corruptions-for-longer-spi-transf.patch diff --git a/queue-4.19/x86-boot-preserve-boot_params.secure_boot-from-sanitizing.patch b/queue-4.19/x86-boot-preserve-boot_params.secure_boot-from-sanitizing.patch new file mode 100644 index 00000000000..3ce308d0f3f --- /dev/null +++ b/queue-4.19/x86-boot-preserve-boot_params.secure_boot-from-sanitizing.patch 
@@ -0,0 +1,56 @@ +From 29d9a0b50736768f042752070e5cdf4e4d4c00df Mon Sep 17 00:00:00 2001 +From: "John S. Gruber" +Date: Mon, 2 Sep 2019 00:00:54 +0200 +Subject: x86/boot: Preserve boot_params.secure_boot from sanitizing + +From: John S. Gruber + +commit 29d9a0b50736768f042752070e5cdf4e4d4c00df upstream. + +Commit + + a90118c445cc ("x86/boot: Save fields explicitly, zero out everything else") + +now zeroes the secure boot setting information (enabled/disabled/...) +passed by the boot loader or by the kernel's EFI handover mechanism. + +The problem manifests itself with signed kernels using the EFI handoff +protocol with grub and the kernel loses the information whether secure +boot is enabled in the firmware, i.e., the log message "Secure boot +enabled" becomes "Secure boot could not be determined". + +efi_main() arch/x86/boot/compressed/eboot.c sets this field early but it +is subsequently zeroed by the above referenced commit. + +Include boot_params.secure_boot in the preserve field list. + + [ bp: restructure commit message and massage. ] + +Fixes: a90118c445cc ("x86/boot: Save fields explicitly, zero out everything else") +Signed-off-by: John S. Gruber +Signed-off-by: Borislav Petkov +Reviewed-by: John Hubbard +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: Juergen Gross +Cc: Mark Brown +Cc: stable +Cc: Thomas Gleixner +Cc: x86-ml +Link: https://lkml.kernel.org/r/CAPotdmSPExAuQcy9iAHqX3js_fc4mMLQOTr5RBGvizyCOPcTQQ@mail.gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/bootparam_utils.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/include/asm/bootparam_utils.h ++++ b/arch/x86/include/asm/bootparam_utils.h +@@ -71,6 +71,7 @@ static void sanitize_boot_params(struct + BOOT_PARAM_PRESERVE(eddbuf_entries), + BOOT_PARAM_PRESERVE(edd_mbr_sig_buf_entries), + BOOT_PARAM_PRESERVE(edd_mbr_sig_buffer), ++ BOOT_PARAM_PRESERVE(secure_boot), + BOOT_PARAM_PRESERVE(hdr), + BOOT_PARAM_PRESERVE(e820_table), + BOOT_PARAM_PRESERVE(eddbuf),
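Review bot: In the sanitize_boot_params() hunk of arch/x86/include/asm/bootparam_utils.h, the new BOOT_PARAM_PRESERVE(secure_boot) entry carries no comment about who writes the field. The commit message shows why that matters: a field set early by efi_main() but missing from this list is zeroed silently, and the only symptom was the log line changing from "Secure boot enabled" to "Secure boot could not be determined". Suggest a short comment at the list stating that every boot_params field filled in by the boot loader or the EFI handover path must be listed there. The changelog should also say whether the other fields efi_main() sets were checked against the list, since this fix covers only the one field that happened to produce a visible message.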
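Review bot: In the queue-4.19/series hunk, the added x86-boot-preserve-boot_params.secure_boot-from-sanitizing.patch is tagged Fixes: a90118c445cc, but the visible series context (the tcp, net-rds and spi-bcm2835aux entries) does not show that commit in this queue. Please confirm a90118c445cc is already in 4.19 or queued earlier in the series. The one-line change only applies against the BOOT_PARAM_PRESERVE list seen in its context lines, and without the zeroing commit there is nothing for it to fix.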