From 7c7bd69c75eae55b3fec8da4cc7dabf2ee4200b3 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 8 Sep 2019 13:05:53 +0100
Subject: [PATCH] 4.14-stable patches
added patches:
      x86-boot-preserve-boot_params.secure_boot-from-sanitizing.patch
---
 queue-4.14/series | 1 +
 ...t_params.secure_boot-from-sanitizing.patch | 56 +++++++++++++++++++
 2 files changed, 57 insertions(+)
 create mode 100644 queue-4.14/x86-boot-preserve-boot_params.secure_boot-from-sanitizing.patch
diff --git a/queue-4.14/series b/queue-4.14/series
index 64e075965c4..51f066502c7 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -37,3 +37,4 @@ tcp-inherit-timestamp-on-mtu-probe.patch
 tcp-remove-empty-skb-from-write-queue-in-error-cases.patch
 net-sched-act_sample-fix-psample-group-handling-on-overwrite.patch
 mld-fix-memory-leak-in-mld_del_delrec.patch
+x86-boot-preserve-boot_params.secure_boot-from-sanitizing.patch
diff --git a/queue-4.14/x86-boot-preserve-boot_params.secure_boot-from-sanitizing.patch b/queue-4.14/x86-boot-preserve-boot_params.secure_boot-from-sanitizing.patch
new file mode 100644
index 00000000000..3ce308d0f3f
--- /dev/null
+++ b/queue-4.14/x86-boot-preserve-boot_params.secure_boot-from-sanitizing.patch
@@ -0,0 +1,56 @@
+From 29d9a0b50736768f042752070e5cdf4e4d4c00df Mon Sep 17 00:00:00 2001
+From: "John S. Gruber"
+Date: Mon, 2 Sep 2019 00:00:54 +0200
+Subject: x86/boot: Preserve boot_params.secure_boot from sanitizing
+
+From: John S. Gruber
+
+commit 29d9a0b50736768f042752070e5cdf4e4d4c00df upstream.
+
+Commit
+
+ a90118c445cc ("x86/boot: Save fields explicitly, zero out everything else")
+
+now zeroes the secure boot setting information (enabled/disabled/...)
+passed by the boot loader or by the kernel's EFI handover mechanism.
+
+The problem manifests itself with signed kernels using the EFI handoff
+protocol with grub and the kernel loses the information whether secure
+boot is enabled in the firmware, i.e., the log message "Secure boot
+enabled" becomes "Secure boot could not be determined".
+
+efi_main() arch/x86/boot/compressed/eboot.c sets this field early but it
+is subsequently zeroed by the above referenced commit.
+
+Include boot_params.secure_boot in the preserve field list.
+
+ [ bp: restructure commit message and massage. ]
+
+Fixes: a90118c445cc ("x86/boot: Save fields explicitly, zero out everything else")
+Signed-off-by: John S. Gruber
+Signed-off-by: Borislav Petkov
+Reviewed-by: John Hubbard
+Cc: "H. Peter Anvin"
+Cc: Ingo Molnar
+Cc: Juergen Gross
+Cc: Mark Brown
+Cc: stable
+Cc: Thomas Gleixner
+Cc: x86-ml
+Link: https://lkml.kernel.org/r/CAPotdmSPExAuQcy9iAHqX3js_fc4mMLQOTr5RBGvizyCOPcTQQ@mail.gmail.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/include/asm/bootparam_utils.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/include/asm/bootparam_utils.h
++++ b/arch/x86/include/asm/bootparam_utils.h
+@@ -71,6 +71,7 @@ static void sanitize_boot_params(struct
+ BOOT_PARAM_PRESERVE(eddbuf_entries),
+ BOOT_PARAM_PRESERVE(edd_mbr_sig_buf_entries),
+ BOOT_PARAM_PRESERVE(edd_mbr_sig_buffer),
++ BOOT_PARAM_PRESERVE(secure_boot),
+ BOOT_PARAM_PRESERVE(hdr),
+ BOOT_PARAM_PRESERVE(e820_table),
+ BOOT_PARAM_PRESERVE(eddbuf),
-- 
2.47.3
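Review bot: The new `BOOT_PARAM_PRESERVE(secure_boot)` entry in the inner hunk carries no comment, and the only record of why this field must survive the zeroing — it is written by efi_main() in arch/x86/boot/compressed/eboot.c before sanitize_boot_params() runs, and was lost by a90118c445cc — lives in the commit message, where the next person trimming or reordering this list will not see it. A one-line comment on the entry, `/* written by efi_main() before sanitizing; must not be zeroed */`, would document that dependency in the code itself. sanitize_boot_params() and the array declaration this list belongs to start outside the hunk, so whether the surrounding 4.14 list matches the edd/edd_mbr context shown here cannot be confirmed from this page. Preserving the field means its value is taken as supplied by the boot loader or EFI handover path, which per the commit message was already the case before a90118c445cc, so this restores rather than widens what the kernel trusts from boot_params.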