The patch called "Enable cold boot attack mitigation" (applied as part of "efi-lockdown.patch") is incorrect; it creates the MemoryOverwriteRequestControl UEFI variable even if the firmware platform does not support it. Only the platform firmware should create this variable; the OS kernel should only read and write it, but never create it.

According to the "TCG Platform Reset Attack Mitigation Specification", version 1.0, May 15, 2008, section 5 "Interface for UEFI", 5.1 "UEFI Variable", 5.1.1 "The MemoryOverwriteRequestControl":

> Start of informative comment: [...] The OS loader should not create the variable. Rather, the firmware is required to create it and must support the semantics described here. [...]

The patch included by the F24-F26 kernels does not check for the existence of the variable; it only sets the variable. If the variable is missing, then the OS creates it, which is wrong.

- Fedora 26: https://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git/commit/?id=65673e37e61d
- Fedora 25: https://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git/commit/?id=1f4e5e657685
- Fedora 24: https://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git/commit/?id=677765d4db8e

More details: https://lists.01.org/pipermail/edk2-devel/2017-September/015526.html

An updated variant of the same patch is scheduled for release in the upstream v4.14 kernel (it's part of v4.14-rc1); this version of the patch *does* check for the existence of the UEFI variable.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ccc829ba3624b

Please replace the old variant of the patch with the new variant. Thanks.
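The check that distinguishes the two patch variants, modelled in plain C as an added example rather than the Fedora patch or the kernel's own code; the variable store, status codes and helper names are constructed for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed status codes standing in for EFI_STATUS values. */
#define STATUS_SUCCESS   0
#define STATUS_NOT_FOUND 1

/* Constructed stand-in for the firmware variable store, holding only MOR:
 * firmware that implements the mitigation creates it at boot; otherwise it is absent. */
struct var_store {
    bool    mor_exists;
    uint8_t mor_value;
};

/* Model of GetVariable for MOR: NOT_FOUND when firmware never created it. */
static int get_mor(const struct var_store *s, uint8_t *out)
{
    if (!s->mor_exists) return STATUS_NOT_FOUND;
    *out = s->mor_value;
    return STATUS_SUCCESS;
}

/* Model of SetVariable for MOR: like the real service it creates a missing
 * variable, which is exactly what makes an unchecked write wrong. */
static int set_mor(struct var_store *s, uint8_t value)
{
    s->mor_exists = true;
    s->mor_value  = value;
    return STATUS_SUCCESS;
}

/* Old F24-F26 patch behaviour: set MOR bit 0 without checking for the variable. */
int mor_enable_unchecked(struct var_store *s) { return set_mor(s, 1); }

/* v4.14 variant: write only if firmware already created MOR; otherwise leave
 * the platform untouched and report that MOR is unsupported. */
int mor_enable_checked(struct var_store *s)
{
    uint8_t cur;
    if (get_mor(s, &cur) != STATUS_SUCCESS) return STATUS_NOT_FOUND;
    return set_mor(s, (uint8_t)(cur | 1));
}

/* Runs one variant on a platform where firmware did (value 0) or did not create
 * MOR; returns the final MOR value, or -1 if the variable still does not exist. */
int mor_after(bool firmware_created, int (*enable)(struct var_store *))
{
    struct var_store s = { .mor_exists = firmware_created, .mor_value = 0 };
    enable(&s);
    return s.mor_exists ? s.mor_value : -1;
}
```

On a platform without MOR, `mor_after(false, mor_enable_unchecked)` leaves a freshly created variable behind (the reported bug), while `mor_after(false, mor_enable_checked)` leaves the store untouched.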
The upstream patch I mentioned in comment 0 has indeed been released as part of v4.14: commit ccc829ba3624 ("efi/libstub: Enable reset attack mitigation", 2017-08-26).
Fedora 26 was rebased to v4.14 in dist-git commit c75cb4d7fbb5 ("Linux v4.14.4 rebase", 2017-12-08). Among other things, this dist-git commit modified "efi-lockdown.patch", and removed:

    Subject: [PATCH 27/32] Enable cold boot attack mitigation

(see 65673e37e61d in comment 0). So, I guess this bug is fixed in Fedora 26.

Fedora 24 is no longer supported, but Fedora 25 appears to be; I'm moving this report to F25 then. (Latest upstream base for F25 seems to be v4.13.16, from dist-git commit c75cb4d7fbb5, "Linux v4.14.4 rebase", 2017-12-08.)

... LOL, Bugzilla doesn't let me change the Version field to "25"! What gives?
Sorry, I managed to confuse myself -- F25 reached End-of-Life just yesterday, according to Wikipedia. Closing this one for good.