diff options
Diffstat (limited to 'debian/patches/features/all/lockdown/enable-cold-boot-attack-mitigation.patch')
-rw-r--r-- | debian/patches/features/all/lockdown/enable-cold-boot-attack-mitigation.patch | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/debian/patches/features/all/lockdown/enable-cold-boot-attack-mitigation.patch b/debian/patches/features/all/lockdown/enable-cold-boot-attack-mitigation.patch new file mode 100644 index 000000000..7a3b8e9bb --- /dev/null +++ b/debian/patches/features/all/lockdown/enable-cold-boot-attack-mitigation.patch @@ -0,0 +1,50 @@ +From: Matthew Garrett <mjg59@coreos.com> +Date: Tue, 12 Jan 2016 12:51:27 -0800 +Subject: [18/18] Enable cold boot attack mitigation +Origin: https://github.com/mjg59/linux/commit/02d999574936dd234a508c0112a0200c135a5c34 + +[Lukas Wunner: Forward-ported to 4.11: adjust context] +--- + arch/x86/boot/compressed/eboot.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +Index: linux/arch/x86/boot/compressed/eboot.c +=================================================================== +--- linux.orig/arch/x86/boot/compressed/eboot.c ++++ linux/arch/x86/boot/compressed/eboot.c +@@ -372,6 +372,22 @@ void setup_graphics(struct boot_params * + } + } + ++#define MEMORY_ONLY_RESET_CONTROL_GUID \ ++ EFI_GUID (0xe20939be, 0x32d4, 0x41be, 0xa1, 0x50, 0x89, 0x7f, 0x85, 0xd4, 0x98, 0x29) ++ ++static void enable_reset_attack_mitigation(void) ++{ ++ u8 val = 1; ++ efi_guid_t var_guid = MEMORY_ONLY_RESET_CONTROL_GUID; ++ ++ /* Ignore the return value here - there's not really a lot we can do */ ++ efi_early->call((unsigned long)sys_table->runtime->set_variable, ++ L"MemoryOverwriteRequestControl", &var_guid, ++ EFI_VARIABLE_NON_VOLATILE | ++ EFI_VARIABLE_BOOTSERVICE_ACCESS | ++ EFI_VARIABLE_RUNTIME_ACCESS, sizeof(val), val); ++} ++ + /* + * Because the x86 boot code expects to be passed a boot_params we + * need to create one ourselves (usually the bootloader would create +@@ -783,6 +799,12 @@ efi_main(struct efi_config *c, struct bo + efi_parse_options((char *)cmdline_paddr); + + /* ++ * Ask the firmware to clear memory if we don't have a clean ++ * shutdown ++ */ ++ enable_reset_attack_mitigation(); ++ ++ /* + * If the boot loader gave us a value for secure_boot then we use that, + * otherwise we ask the BIOS. + */ |