[Skiboot] [PATCH] core/fast-reboot: disable fast-reboot when firmware secureboot is enabled
Eric Richter
erichte at linux.ibm.com
Thu Apr 9 08:14:20 AEST 2020
The possible impact of the current fast-reboot design on secure/trusted
boot is unclear, and will likely need additional review and testing.
While fast-reboot is disabled by default, it can be enabled by two
nvram parameters -- one of which circumvents the built-in
disable_fast_reboot() mechanism.
This patch prevents all calls to fast_reboot() when firmware secure boot
is enabled.
Signed-off-by: Eric Richter <erichte at linux.ibm.com>
---
core/fast-reboot.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/core/fast-reboot.c b/core/fast-reboot.c
index 02f0ca05..c4361bb1 100644
--- a/core/fast-reboot.c
+++ b/core/fast-reboot.c
@@ -23,6 +23,8 @@
#include <ipmi.h>
#include <direct-controls.h>
#include <nvram.h>
+#include <types.h>
+#include <secureboot.h>
/* Flag tested by the OPAL entry code */
static volatile bool fast_boot_release;
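Review bot: The new `#include <types.h>` does not appear to be needed by anything this patch adds; the only new code in the file is a call to is_fw_secureboot() and a prlog(). If secureboot.h depends on types.h, it would be cleaner for secureboot.h to include it itself, leaving only `#include <secureboot.h>` here.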
@@ -109,6 +111,12 @@ void fast_reboot(void)
return;
}
+ if (is_fw_secureboot()) {
+ prlog(PR_DEBUG,
+ "RESET: Fast reboot disabled by FW secureboot\n");
+ return;
+ }
+
/*
* Ensure all other CPUs have left OPAL calls.
*/
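Review bot: The message in the new is_fw_secureboot() branch is logged at PR_DEBUG, so an operator who has explicitly enabled fast-reboot through nvram will normally see no indication of why a full reboot happened instead. Consider raising it to PR_NOTICE, since this is a policy decision overriding a user setting rather than a debugging detail. Placing the check inside fast_reboot() itself does cover the nvram override that bypasses disable_fast_reboot(), as the commit message intends; a short comment above the check saying so would help keep it from being moved later.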
--
2.21.1