From 79b500c983f2399294fca8bcd153b50a955d0aa1 Mon Sep 17 00:00:00 2001
From: Maximilian Luz <luzmaximilian@gmail.com>
Date: Sun, 9 Jun 2024 19:48:58 +0200
Subject: [PATCH] Revert "efi/x86: Set the PE/COFF header's NX compat flag
 unconditionally"

This reverts commit 891f8890a4a3663da7056542757022870b499bc1.

Revert because of compatibility issues between MS Surface devices and GRUB
when NX is advertised. In short, these devices get stuck on boot with NX
advertised. So to not advertise it, add the respective config option back in.

Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com>
Patchset: secureboot
---
 arch/x86/boot/header.S | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/x86/boot/header.S b/arch/x86/boot/header.S
index 9bea5a1e2c52..25848f886ad6 100644
--- a/arch/x86/boot/header.S
+++ b/arch/x86/boot/header.S
@@ -111,7 +111,11 @@ extra_header_fields:
 	.long	salign				# SizeOfHeaders
 	.long	0				# CheckSum
 	.word	IMAGE_SUBSYSTEM_EFI_APPLICATION	# Subsystem (EFI application)
+#ifdef CONFIG_EFI_DXE_MEM_ATTRIBUTES
 	.word	IMAGE_DLLCHARACTERISTICS_NX_COMPAT	# DllCharacteristics
+#else
+	.word	0				# DllCharacteristics
+#endif
 #ifdef CONFIG_X86_32
 	.long	0				# SizeOfStackReserve
 	.long	0				# SizeOfStackCommit
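Review bot: The `#ifdef` on the NX_COMPAT bit couples it to CONFIG_EFI_DXE_MEM_ATTRIBUTES without saying why, and the commit message only gives the Surface/GRUB hang as motivation; a reader who turns that option off to get a bootable Surface image also changes whatever else the option controls in the EFI stub, and a reader who keeps it on still advertises NX to firmware that may enforce it. A comment above the `#ifdef` would record the trade-off, e.g. `# NX_COMPAT tells firmware it may load this image with W^X enforced; some firmware/bootloader combinations (MS Surface + GRUB) hang when it is set, so it is only advertised when CONFIG_EFI_DXE_MEM_ATTRIBUTES is enabled, which gives an opt-out.` Note also that the `#else` branch writes `0` to DllCharacteristics, which clears every flag rather than just NX_COMPAT; that is equivalent today because NX_COMPAT is the only bit set, but the comment should say so. The `extra_header_fields` table this hunk sits in starts before the hunk.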
-- 
2.51.0

From 8447597cf4fbb341325e07ef2a75d92393a15f29 Mon Sep 17 00:00:00 2001
From: "J. Eduardo" <j.eduardo@gmail.com>
Date: Sun, 25 Aug 2024 14:17:45 +0200
Subject: [PATCH] PM: hibernate: Add a lockdown_hibernate parameter

This allows the user to tell the kernel that they know better (namely, that
they have secured their swap properly), and that it can enable hibernation.

Signed-off-by: Kelvie Wong <kelvie@kelvie.ca>
Link: https://github.com/linux-surface/kernel/pull/158
Link: https://gist.github.com/brknkfr/95d1925ccdbb7a2d18947c168dfabbee
Patchset: secureboot
---
 Documentation/admin-guide/kernel-parameters.txt |  5 +++++
 kernel/power/hibernate.c                        | 10 +++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 5a7a83c411e9..f67ddee8c4b4 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -3298,6 +3298,11 @@
 			to extract confidential information from the kernel
 			are also disabled.
 
+	lockdown_hibernate	[HIBERNATION]
+			Enable hibernation even if lockdown is enabled. Enable this only if
+			your swap is encrypted and secured properly, as an attacker can
+			modify the kernel offline during hibernation.
+
 	locktorture.acq_writer_lim= [KNL]
 			Set the time limit in jiffies for a lock
 			acquisition.  Acquisitions exceeding this limit
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
index 2f66ab453823..bb9e800b3374 100644
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -38,6 +38,7 @@
 #include "power.h"
 
 
+static int lockdown_hibernate;
 static int nocompress;
 static int noresume;
 static int nohibernate;
@@ -98,7 +99,7 @@ bool hibernation_in_progress(void)
 bool hibernation_available(void)
 {
 	return nohibernate == 0 &&
-		!security_locked_down(LOCKDOWN_HIBERNATION) &&
+		(lockdown_hibernate || !security_locked_down(LOCKDOWN_HIBERNATION)) &&
 		!secretmem_active() && !cxl_mem_active();
 }
 
@@ -1483,6 +1484,12 @@ static int __init nohibernate_setup(char *str)
 	return 1;
 }
 
+static int __init lockdown_hibernate_setup(char *str)
+{
+	lockdown_hibernate = 1;
+	return 1;
+}
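Review bot: lockdown_hibernate_setup() lifts a lockdown restriction silently; the only notice an administrator gets is the sentence in kernel-parameters.txt, and nothing in dmesg records that hibernation is running with lockdown bypassed, which makes later bug reports and forensics harder. Consider logging it in the handler, e.g. `pr_warn("lockdown_hibernate set: hibernation enabled despite lockdown, resume image is not authenticated\n");` (the file appears to define a `pr_fmt` prefix, so the message would be prefixed accordingly — confirm). The handler mirrors nohibernate_setup() in ignoring `str` and returning 1, which is consistent with the file; if the siblings ever move to `bool`, this flag should follow.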
+
 static const char * const comp_alg_enabled[] = {
 #if IS_ENABLED(CONFIG_CRYPTO_LZO)
 	COMPRESSION_ALGO_LZO,
@@ -1540,3 +1547,4 @@ __setup("hibernate=", hibernate_setup);
 __setup("resumewait", resumewait_setup);
 __setup("resumedelay=", resumedelay_setup);
 __setup("nohibernate", nohibernate_setup);
+__setup("lockdown_hibernate", lockdown_hibernate_setup);
-- 
2.51.0

