On Wed, 2022-04-13 at 14:04 +0000, Aditya Garg wrote: > From: Aditya Garg <gargaditya08@xxxxxxxx> > > On Apple T2 Macs, when Linux reads the db and dbx efi variables to load > UEFI Secure Boot certificates, a page fault occurs in Apple firmware > code and EFI services are disabled with the following logs: > > Call Trace: > <TASK> > page_fault_oops+0x4f/0x2c0 > ? search_bpf_extables+0x6b/0x80 > ? search_module_extables+0x50/0x80 > ? search_exception_tables+0x5b/0x60 > kernelmode_fixup_or_oops+0x9e/0x110 > __bad_area_nosemaphore+0x155/0x190 > bad_area_nosemaphore+0x16/0x20 > do_kern_addr_fault+0x8c/0xa0 > exc_page_fault+0xd8/0x180 > asm_exc_page_fault+0x1e/0x30 > (Removed some logs from here) > ? __efi_call+0x28/0x30 > ? switch_mm+0x20/0x30 > ? efi_call_rts+0x19a/0x8e0 > ? process_one_work+0x222/0x3f0 > ? worker_thread+0x4a/0x3d0 > ? kthread+0x17a/0x1a0 > ? process_one_work+0x3f0/0x3f0 > ? set_kthread_struct+0x40/0x40 > ? ret_from_fork+0x22/0x30 > </TASK> > ---[ end trace 1f82023595a5927f ]--- > efi: Froze efi_rts_wq and disabled EFI Runtime Services > integrity: Couldn't get size: 0x8000000000000015 > integrity: MODSIGN: Couldn't get UEFI db list > efi: EFI Runtime Services are disabled! > integrity: Couldn't get size: 0x8000000000000015 > integrity: Couldn't get UEFI dbx list > integrity: Couldn't get size: 0x8000000000000015 > integrity: Couldn't get mokx list > integrity: Couldn't get size: 0x80000000 > > This also occurs when some other variables are read (see examples below, > there are many more), but only when these variables are read at an early > stage like db and dbx are to load UEFI certs. > > BridgeOSBootSessionUUID-4d1ede05-38c7-4a6a-9cc6-4bcca8b38c14 > KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c > > On these Macs, we skip reading the EFI variables for the UEFI certificates. > As a result without certificates, secure boot signature verification fails. > As these Macs have a non-standard implementation of secure boot that only > uses Apple's and Microsoft's keys (users can't add their own), securely > booting Linux was never supported on this hardware, so skipping it > shouldn't cause a regression. Based on your explanation, there seems to be two issues - inability to read EFI variables, "users can't add their own" keys. Neither of which mean "a non-standard implementation of secure boot". Please fix the "cause" and "affect" in the patch description and comments. thanks, Mimi
