From: Matthew Garrett Date: Tue, 12 Jan 2016 12:51:27 -0800 Subject: [18/18] Enable cold boot attack mitigation Origin: https://github.com/mjg59/linux/commit/02d999574936dd234a508c0112a0200c135a5c34 [Lukas Wunner: Forward-ported to 4.11: adjust context] --- arch/x86/boot/compressed/eboot.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) Index: linux/arch/x86/boot/compressed/eboot.c =================================================================== --- linux.orig/arch/x86/boot/compressed/eboot.c +++ linux/arch/x86/boot/compressed/eboot.c @@ -372,6 +372,22 @@ void setup_graphics(struct boot_params * } } +#define MEMORY_ONLY_RESET_CONTROL_GUID \ + EFI_GUID (0xe20939be, 0x32d4, 0x41be, 0xa1, 0x50, 0x89, 0x7f, 0x85, 0xd4, 0x98, 0x29) + +static void enable_reset_attack_mitigation(void) +{ + u8 val = 1; + efi_guid_t var_guid = MEMORY_ONLY_RESET_CONTROL_GUID; + + /* Ignore the return value here - there's not really a lot we can do */ + efi_early->call((unsigned long)sys_table->runtime->set_variable, + L"MemoryOverwriteRequestControl", &var_guid, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS, sizeof(val), val); +} + /* * Because the x86 boot code expects to be passed a boot_params we * need to create one ourselves (usually the bootloader would create @@ -783,6 +799,12 @@ efi_main(struct efi_config *c, struct bo efi_parse_options((char *)cmdline_paddr); /* + * Ask the firmware to clear memory if we don't have a clean + * shutdown + */ + enable_reset_attack_mitigation(); + + /* * If the boot loader gave us a value for secure_boot then we use that, * otherwise we ask the BIOS. */