summaryrefslogtreecommitdiffstats
path: root/debian/patches/features/all/lockdown/enable-cold-boot-attack-mitigation.patch
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches/features/all/lockdown/enable-cold-boot-attack-mitigation.patch')
-rw-r--r--debian/patches/features/all/lockdown/enable-cold-boot-attack-mitigation.patch50
1 files changed, 50 insertions, 0 deletions
diff --git a/debian/patches/features/all/lockdown/enable-cold-boot-attack-mitigation.patch b/debian/patches/features/all/lockdown/enable-cold-boot-attack-mitigation.patch
new file mode 100644
index 000000000..7a3b8e9bb
--- /dev/null
+++ b/debian/patches/features/all/lockdown/enable-cold-boot-attack-mitigation.patch
@@ -0,0 +1,50 @@
+From: Matthew Garrett <mjg59@coreos.com>
+Date: Tue, 12 Jan 2016 12:51:27 -0800
+Subject: [18/18] Enable cold boot attack mitigation
+Origin: https://github.com/mjg59/linux/commit/02d999574936dd234a508c0112a0200c135a5c34
+
+[Lukas Wunner: Forward-ported to 4.11: adjust context]
+---
+ arch/x86/boot/compressed/eboot.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+Index: linux/arch/x86/boot/compressed/eboot.c
+===================================================================
+--- linux.orig/arch/x86/boot/compressed/eboot.c
++++ linux/arch/x86/boot/compressed/eboot.c
+@@ -372,6 +372,22 @@ void setup_graphics(struct boot_params *
+ }
+ }
+
++#define MEMORY_ONLY_RESET_CONTROL_GUID \
++ EFI_GUID (0xe20939be, 0x32d4, 0x41be, 0xa1, 0x50, 0x89, 0x7f, 0x85, 0xd4, 0x98, 0x29)
++
++static void enable_reset_attack_mitigation(void)
++{
++ u8 val = 1;
++ efi_guid_t var_guid = MEMORY_ONLY_RESET_CONTROL_GUID;
++
++ /* Ignore the return value here - there's not really a lot we can do */
++ efi_early->call((unsigned long)sys_table->runtime->set_variable,
++ L"MemoryOverwriteRequestControl", &var_guid,
++ EFI_VARIABLE_NON_VOLATILE |
++ EFI_VARIABLE_BOOTSERVICE_ACCESS |
++ EFI_VARIABLE_RUNTIME_ACCESS, sizeof(val), val);
++}
++
+ /*
+ * Because the x86 boot code expects to be passed a boot_params we
+ * need to create one ourselves (usually the bootloader would create
+@@ -783,6 +799,12 @@ efi_main(struct efi_config *c, struct bo
+ efi_parse_options((char *)cmdline_paddr);
+
+ /*
++ * Ask the firmware to clear memory if we don't have a clean
++ * shutdown
++ */
++ enable_reset_attack_mitigation();
++
++ /*
+ * If the boot loader gave us a value for secure_boot then we use that,
+ * otherwise we ask the BIOS.
+ */