Bug 1402049

Summary: The determined EFI secure boot status may be clobbered before the kernel can make use of it to lock down
Product: [Fedora] Fedora Reporter: David Howells <dhowells>
Component: kernelAssignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 24CC: cz172638, gansalmon, ichavero, itamar, jonathan, kernel-maint, madhu.chinakonda, mchehab
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-12-06 16:40:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description David Howells 2016-12-06 16:24:29 UTC 
Description of problem:

efi_main() stores the determined secure boot state in boot_params->secure_boot, but this is thereafter cleared in sanitize_boot_params() when the kernel is decompressed:

		memset(&boot_params->kbd_status, 0,
		       (char *)&boot_params->hdr -
		       (char *)&boot_params->kbd_status);

if boot_params->sentinel is set.
Comment 1 David Howells 2016-12-06 16:40:35 UTC 
Not actually a bug - lost part of a patch somewhere when porting to the upstream kernel.