Hi,

This is introduced by a Debian specific patch
features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch

The following patch fixes it.

>8
From: Gabriel Krisman Bertazi <kris...@collabora.com>
Subject: [PATCH] arm64: Don't disable EFI boot mode on linux,uefi-secure-boot
 table absence

The Debian specific out-of-tree kernel patch titled ("arm64: add kernel
config option to lock down when in Secure Boot mode") introduces a
regression for EFI-booted systems that don't have a
"linux,uefi-secure-boot" FDT entry.

In these systems, when the table is not found, it causes the FDT
function to error out and not return other UEFI tables, in particular
the System Table, which makes the kernel think it is not running in EFI
mode.

Instead, let the EFI mode boot continue with the correct System Table,
and consider the efi secureboot mode as unknown.

This regression was found at least as early as the debian port to 5.4.19,
but it still affects the most recent 5.7.6 debian kernel.

Signed-off-by: Gabriel Krisman Bertazi <kris...@collabora.com>
---
 drivers/firmware/efi/arm-init.c  |  2 +-
 drivers/firmware/efi/fdtparams.c | 18 +++++++++++-------
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/drivers/firmware/efi/arm-init.c b/drivers/firmware/efi/arm-init.c
index 78fcfbe3ddb9..fcb60320e77a 100644
--- a/drivers/firmware/efi/arm-init.c
+++ b/drivers/firmware/efi/arm-init.c
@@ -206,7 +206,7 @@ void __init efi_init(void)
 {
        struct efi_memory_map_data data;
        u64 efi_system_table;
-       u32 secure_boot;
+       u32 secure_boot = efi_secureboot_mode_unknown;
 
        /* Grab UEFI information placed in FDT by stub */
        efi_system_table = efi_get_fdt_params(&data, &secure_boot);
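Review bot: The new initializer on `secure_boot` is load-bearing and nothing in the code says so: once fdtparams.c treats the SBMODE entry as optional, this default is the value efi_init() carries forward when the FDT has no "linux,uefi-secure-boot" property. A short comment such as `/* default when the FDT has no linux,uefi-secure-boot property */` would keep a later cleanup from dropping it and reintroducing an uninitialized read. How the rest of efi_init() acts on `efi_secureboot_mode_unknown` lies outside this hunk. Since the Debian patch exists to lock down under Secure Boot, it is worth confirming that the unknown case is logged and not silently handled like "disabled".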
diff --git a/drivers/firmware/efi/fdtparams.c b/drivers/firmware/efi/fdtparams.c
index 152ca7cfccc9..78c36e582408 100644
--- a/drivers/firmware/efi/fdtparams.c
+++ b/drivers/firmware/efi/fdtparams.c
@@ -96,13 +96,15 @@ u64 __init efi_get_fdt_params(struct efi_memory_map_data 
*mm, u32 *secure_boot)
        struct {
                void    *var;
                int     size;
+               int     required;
+
        } target[] = {
-               [SYSTAB] = { &systab,           sizeof(systab) },
-               [MMBASE] = { &mm->phys_map,     sizeof(mm->phys_map) },
-               [MMSIZE] = { &mm->size,         sizeof(mm->size) },
-               [DCSIZE] = { &mm->desc_size,    sizeof(mm->desc_size) },
-               [DCVERS] = { &mm->desc_version, sizeof(mm->desc_version) },
-               [SBMODE] = { secure_boot,       sizeof(*secure_boot) },
+               [SYSTAB] = {&systab,            sizeof(systab), 1},
+               [MMBASE] = {&mm->phys_map,      sizeof(mm->phys_map), 1},
+               [MMSIZE] = {&mm->size,          sizeof(mm->size), 1},
+               [DCSIZE] = {&mm->desc_size,     sizeof(mm->desc_size), 1},
+               [DCVERS] = {&mm->desc_version,  sizeof(mm->desc_version), 1},
+               [SBMODE] = {secure_boot,        sizeof(*secure_boot), 0 },
        };
 
        BUILD_BUG_ON(ARRAY_SIZE(target) != ARRAY_SIZE(name));
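Review bot: With the flag named `required` and filled positionally, any row added to `target[]` later that omits the third initializer is zero-initialized and becomes silently optional, which is the unsafe default for a table that gates EFI boot parameters. Inverting the polarity, `bool optional;`, lets the five mandatory rows stay exactly as they were, so only `[SBMODE] = { secure_boot, sizeof(*secure_boot), true },` changes; the check in the later hunk would then read `if (!target[j].optional)`. That also removes the whitespace-only reflow of every initializer and the stray blank line after the new member, both of which obscure the one functional change here.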
@@ -125,8 +127,10 @@ u64 __init efi_get_fdt_params(struct efi_memory_map_data 
*mm, u32 *secure_boot)
                                continue;
                        if (!j)
                                goto notfound;
+
                        pr_err("Can't find property '%s' in DT!\n", pname);
-                       return 0;
+                       if (target[j].required)
+                               return 0;
                }
                return systab;
        }
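Review bot: `pr_err("Can't find property ...")` still runs before the `required` test, so every boot without the optional secure-boot entry logs an error-level message for a condition the patch declares acceptable. Testing the flag first, `if (!target[j].required) continue;`, and keeping `pr_err` plus `return 0;` for mandatory properties avoids that; a `pr_info` stating that the secure boot mode is unknown could cover the optional case. The failure conditions of `efi_get_fdt_prop()` are not visible here; if it also fails on a size mismatch, a malformed entry is now tolerated the same way as a missing one and may deserve its own message. The enclosing loops start and end outside this hunk.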
-- 
2.27.0
