Bug 1498159 - incorrect downstream-only Platform Reset Attack Mitigation patch in the F24-F26 kernels
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 26
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2017-10-03 15:05 UTC by Laszlo Ersek
Modified: 2017-12-13 09:57 UTC (History)

Fixed In Version: kernel-4.14.4-200.fc26
Doc Text:
Clone Of:
Last Closed: 2017-12-13 09:57:51 UTC
Type: Bug

Description Laszlo Ersek 2017-10-03 15:05:40 UTC
The patch called "Enable cold boot attack mitigation" (applied as part of "efi-lockdown.patch") is incorrect; it creates the MemoryOverwriteRequestControl UEFI variable even if the firmware platform does not support it. Only the platform firmware should create this variable; the OS kernel should only read and write it, but never create it.

According to the "TCG Platform Reset Attack Mitigation Specification", version 1.0, May 15, 2008,

5 Interface for UEFI
5.1 UEFI Variable
5.1.1 The MemoryOverwriteRequestControl
Start of informative comment:
The OS loader should not create the variable. Rather, the firmware is required to create it and must support the semantics described here.

The patch included by the F24-F26 kernels does not check for the existence of the variable; it only sets the variable. If the variable is missing, then the OS creates it, which is wrong.

- Fedora 26:

- Fedora 25:

- Fedora 24:

More details:

An updated variant of the same patch is scheduled for release in the upstream v4.14 kernel (it's part of v4.14-rc1); this version of the patch *does* check for the existence of the UEFI variable.


Please replace the old variant of the patch with the new variant. Thanks.
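
The difference between the two patch variants described above, as an added example that is not part of the original report and is not the kernel's code: a constructed in-memory stand-in for the firmware variable store, with the set-only behaviour beside the check-then-set behaviour. All names (`fw_store`, `mock_get_variable`, `mock_set_variable`, the `ST_*` codes) and the written value 1 are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for one firmware variable slot (not a real UEFI API). */
enum status { ST_SUCCESS, ST_NOT_FOUND };
struct fw_store {
    bool    morc_present;  /* did firmware create MemoryOverwriteRequestControl? */
    uint8_t morc_value;
};

/* Modelled on GetVariable: a variable that does not exist yields NOT_FOUND. */
static enum status mock_get_variable(const struct fw_store *fw, uint8_t *out)
{
    if (!fw->morc_present)
        return ST_NOT_FOUND;
    if (out) *out = fw->morc_value;
    return ST_SUCCESS;
}

/* Modelled on SetVariable: writing a missing variable creates it. */
static void mock_set_variable(struct fw_store *fw, uint8_t val)
{
    fw->morc_present = true;
    fw->morc_value = val;
}

/* Behaviour the report describes as incorrect: set without an existence check. */
void enable_mitigation_unchecked(struct fw_store *fw)
{
    mock_set_variable(fw, 1);  /* assumed value: request memory overwrite */
}

/* Behaviour the report asks for: write only if the firmware created the variable. */
void enable_mitigation_checked(struct fw_store *fw)
{
    if (mock_get_variable(fw, NULL) == ST_NOT_FOUND)
        return;                /* platform does not support the variable */
    mock_set_variable(fw, 1);
}
int main(void)
{
    struct fw_store a = { false, 0 }, b = { false, 0 }, c = { true, 0 };
    enable_mitigation_unchecked(&a);  /* unsupported platform: OS creates it */
    enable_mitigation_checked(&b);    /* unsupported platform: left absent */
    enable_mitigation_checked(&c);    /* supported platform: value updated */
    printf("%d %d %d/%d\n", a.morc_present, b.morc_present, c.morc_present, c.morc_value);
    return 0;
}
```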

Comment 1 Laszlo Ersek 2017-12-13 09:43:23 UTC
The upstream patch I mentioned in comment 0 has indeed been released as part of v4.14: commit ccc829ba3624 ("efi/libstub: Enable reset attack mitigation", 2017-08-26).

Comment 2 Laszlo Ersek 2017-12-13 09:52:45 UTC
Fedora 26 was rebased to v4.14 in dist-git commit c75cb4d7fbb5 ("Linux v4.14.4 rebase", 2017-12-08).

Among other things, this dist-git commit modified "efi-lockdown.patch", and removed:

Subject: [PATCH 27/32] Enable cold boot attack mitigation

(see 65673e37e61d in comment 0).

So, I guess this bug is fixed, in Fedora 26.

Fedora 24 is no longer supported, but Fedora 25 appears to be; I'm moving this report to F25 then. (Latest upstream base for F25 seems to be v4.13.16, from dist-git commit c75cb4d7fbb5, "Linux v4.14.4 rebase", 2017-12-08).

... LOL, Bugzilla doesn't let me change the Version field to "25"! What gives?

Comment 3 Laszlo Ersek 2017-12-13 09:57:51 UTC
Sorry, I managed to confuse myself -- F25 reached End-of-Life just yesterday, according to Wikipedia. Closing this one for good.
