2022-02-09 16:04:08

by David Laight

Subject: RE: [PATCH] efi: Do not import certificates from UEFI Secure Boot for T2 Macs

From: Aditya Garg
> Sent: 09 February 2022 14:28
>
> On T2 Macs, the secure boot is handled by the T2 Chip. If enabled, only
> macOS and Windows are allowed to boot on these machines. Thus we need to
> disable secure boot for Linux. If we boot into Linux after disabling
> secure boot, if CONFIG_LOAD_UEFI_KEYS is enabled, EFI Runtime services
> fail to start, with the following logs in dmesg
>
..
> +static const struct dmi_system_id uefi_apple_ignore[] = {
> + {
> + .matches = {
> + DMI_MATCH(DMI_BOARD_VENDOR, "Apple Inc."),
> + DMI_MATCH(DMI_PRODUCT_NAME, "MacBookPro15,1"),
> + },
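
Review bot: The `DMI_MATCH(DMI_PRODUCT_NAME, "MacBookPro15,1")` line in the first table entry does a substring comparison, so it also matches any product name that merely contains that string. Because this table decides which machines skip importing the UEFI Secure Boot certificates, `DMI_EXACT_MATCH` for both fields would keep the quirk limited to the models actually listed. A short comment above `uefi_apple_ignore[]` stating why these machines are skipped would also help whoever extends the table later.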

I think I'd use:
#define xxx(vendor, product) \
	.matches = { \
		DMI_MATCH(DMI_BOARD_VENDOR, vendor), \
		DMI_MATCH(DMI_PRODUCT_NAME, product), \
	}
somewhere with a suitable name (bikeshed blue) to reduce
the code size of this table.

David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)



2022-02-10 17:59:06

by Aditya Garg

Subject: Re: [PATCH] efi: Do not import certificates from UEFI Secure Boot for T2 Macs



> On 09-Feb-2022, at 9:09 PM, David Laight <[email protected]> wrote:
>
> From: Aditya Garg
>> Sent: 09 February 2022 14:28
>>
>> On T2 Macs, the secure boot is handled by the T2 Chip. If enabled, only
>> macOS and Windows are allowed to boot on these machines. Thus we need to
>> disable secure boot for Linux. If we boot into Linux after disabling
>> secure boot, if CONFIG_LOAD_UEFI_KEYS is enabled, EFI Runtime services
>> fail to start, with the following logs in dmesg
>>
> ..
>> +static const struct dmi_system_id uefi_apple_ignore[] = {
>> + {
>> + .matches = {
>> + DMI_MATCH(DMI_BOARD_VENDOR, "Apple Inc."),
>> + DMI_MATCH(DMI_PRODUCT_NAME, "MacBookPro15,1"),
>> + },
>
> I think I'd use:
> #define xxx(vendor, product) \
> 	.matches = { \
> 		DMI_MATCH(DMI_BOARD_VENDOR, vendor), \
> 		DMI_MATCH(DMI_PRODUCT_NAME, product), \
> 	}
> somewhere with a suitable name (bikeshed blue) to reduce
> the code size of this table.
>
Alright, I’ll send a v2 with this addressed.
> David
>
> -
> Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
> Registration No: 1397386 (Wales)
>