From f50c0b5acda25d18a316bbbe65c6716458809a9e Mon Sep 17 00:00:00 2001
From: "Lee, Chun-Yi" <jlee@suse.com>
Date: Fri, 16 Sep 2022 10:45:22 +0800
Subject: [PATCH] efi: do not automatically generate secret key
Patch-mainline: Never, SUSE-specific
References: jsc#PED-1444

The EFI secret key function is not an official solution in kernel mainline.
(upstream prefers a TPM solution) Only the SLE kernel carries it. So I want to
prevent automatically generating the EFI secret key in the first boot. Here
are some reasons:

- Not every user wants to use hibernation with secure boot. Actually all
  other distros directly lock down hibernation when secure boot is enabled.

- The EFI secret key consumes limited firmware NVRAM space. But it is only
  for hibernation verification. No other features use it.

- Not all firmware supports EFI_RNG_PROTOCOL for HMAC secret key
  generation.

- Sometimes the key generation log scares users who don't want to use
  hibernation with secure boot or whose machines don't have EFI_RNG_PROTOCOL.
  (e.g. bsc#1199228)

After patching, users can still use /sys/firmware/efi/secret-key/regen to
trigger the secret key generation for hibernation verification. After reboot,
the secret key will be generated and the user can use hibernation with secure
boot. It means the SLE kernel will not automatically generate the secret key
for hibernation. Let the user trigger the creation of the secret key.
(jsc#PED-1444)

Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
---
 drivers/firmware/efi/libstub/efi_secret_key.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/firmware/efi/libstub/efi_secret_key.c b/drivers/firmware/efi/libstub/efi_secret_key.c
index 9f73bff6b..7dde6dbf0 100644
--- a/drivers/firmware/efi/libstub/efi_secret_key.c
+++ b/drivers/firmware/efi/libstub/efi_secret_key.c
@@ -218,10 +218,12 @@ void efi_setup_secret_key(struct boot_params *params)
 		break;
 
 	case EFI_NOT_FOUND:
-		status = create_secret_key(skey_setup);
-		if (status == EFI_SUCCESS) {
-			key_size = SECRET_KEY_SIZE;
-			status = get_secret_key(&attributes, &key_size, skey_setup);
+		if (found_regen_flag()) {
+			status = create_secret_key(skey_setup);
+			if (status == EFI_SUCCESS) {
+				key_size = SECRET_KEY_SIZE;
+				status = get_secret_key(&attributes, &key_size, skey_setup);
+			}
 		}
 		break;
 
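Review bot: in the new `EFI_NOT_FOUND` branch, when `found_regen_flag()` is false nothing touches `status`, so it leaves the switch still holding the not-found value from the earlier lookup; please confirm that the code after the switch (not in this hunk) no longer treats that as a failure and emits the key-generation message the commit message cites via bsc#1199228, since the missing key is now the intended default rather than an error. A short comment above `if (found_regen_flag())` saying that the key is only created on explicit request through `/sys/firmware/efi/secret-key/regen` would also help the next reader, as `found_regen_flag()` is not otherwise explained in this diff.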
-- 
2.35.3