Date: Sun, 13 Feb 2022 08:39:24 +0100
From: Lukas Wunner
To: Aditya Garg
Cc: David Laight, Ard Biesheuvel,
Matthew Garrett, Jeremy Kerr, joeyli.kernel@gmail.com, zohar@linux.ibm.com, jmorris@namei.org, eric.snowberg@oracle.com, dhowells@redhat.com, jlee@suse.com, James.Bottomley@hansenpartnership.com, jarkko@kernel.org, mic@digikod.net, dmitry.kasatkin@gmail.com, Linux Kernel Mailing List, linux-efi@vger.kernel.org, linux-security-module@vger.kernel.org, stable@vger.kernel.org, keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, Orlando Chamberlain, Aun-Ali Zaidi
Subject: Re: [PATCH v3] efi: Do not import certificates from UEFI Secure Boot for T2 Macs
Message-ID: <20220213073924.GA7648@wunner.de>
References: <9D0C961D-9999-4C41-A44B-22FEAF0DAB7F@live.com> <755cffe1dfaf43ea87cfeea124160fe0@AcuMS.aculab.com> <20103919-A276-4CA6-B1AD-6E45DB58500B@live.com> <7038A8ED-AC52-4966-836B-7B346713AEE9@live.com>
In-Reply-To: <7038A8ED-AC52-4966-836B-7B346713AEE9@live.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Feb 10, 2022 at 10:47:25AM +0000, Aditya Garg wrote:
> +/* Apple Macs with T2 Security chip don't support these UEFI variables.
> + * The T2 chip manages the Secure Boot and does not allow Linux to boot
> + * if it is turned on. If turned off, an attempt to get certificates
> + * causes a crash, so we simply return 0 for them in each function.
> + */
> +
> +static const struct dmi_system_id uefi_skip_cert[] = {
> +
> +	{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,1") },
> +	{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,2") },
> +	{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,3") },
> +	{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,4") },
> +	{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,1") },
> +	{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,2") },
> +	{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,3") },
> +	{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,4") },
> +	{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir8,1") },
> +	{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir8,2") },
> +	{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir9,1") },
> +	{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacMini8,1") },
> +	{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacPro7,1") },
> +	{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,1") },
> +	{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,2") },
> +	{ }
> +};

The T2 is represented by a PCI device with ID 106B:1802. I think it would be more elegant to sense presence of that device instead of hardcoding a long dmi list, i.e.:

#include <linux/pci.h>                     /* pci_get_device(), pci_dev_put(), PCI_VENDOR_ID_APPLE */
#include <linux/platform_data/x86/apple.h> /* x86_apple_machine */

static bool apple_t2_present(void)
{
	struct pci_dev *pdev;

	/* Only bother scanning the bus on Apple hardware. */
	if (!x86_apple_machine)
		return false;

	/* pci_get_device() returns a referenced device; drop the reference
	 * again since we only care whether the T2 exists. */
	pdev = pci_get_device(PCI_VENDOR_ID_APPLE, 0x1802, NULL);
	if (pdev) {
		pci_dev_put(pdev);
		return true;
	}

	return false;
}
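Review bot: the uefi_skip_cert hunk hardcodes fifteen product names, so every future T2 model will keep crashing at boot until someone adds it to this table; either key the quirk on a property of the T2 itself or add a comment stating where the list comes from and that it must be kept exhaustive. DMI matching is case-sensitive, so each string must be exactly what the firmware reports; "MacMini8,1" is the only entry whose casing breaks the pattern of its neighbours and is worth checking against `dmidecode -s system-product-name` on that machine. Two style points: the comment opens with text on the `/*` line (network-subsystem style) where the rest of the kernel expects `/*` alone on its line, and the blank `> +` line directly after `uefi_skip_cert[] = {` should be dropped. Finally, the comment promises that "we simply return 0 for them in each function", but this hunk only defines the table, so it would help to name the functions that consult it.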
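The two detection signals debated in this thread, the DMI product-name table from the v3 patch and the PCI identity of the T2 (vendor 0x106b, device 0x1802) from Lukas's reply, can both be checked from userspace before deciding whether a machine is affected. The script below is an added example and is not code from the patch, from the reply, or from the kernel; it reads the sysfs files the kernel exposes for DMI (`/sys/class/dmi/id/`) and PCI (`/sys/bus/pci/devices/*/vendor` and `/device`). The optional sysfs-root argument and the `SYSFS_ROOT` variable are assumptions of this example, present only so the logic can be exercised against a constructed directory tree; the model list is the patch's entries verbatim.

```shell
#!/bin/sh
# Added example (not from the patch or the reply): report from userspace
# whether this machine looks like a T2 Mac, using the two signals the thread
# discusses. Each function takes an optional sysfs root (default /sys); that
# argument exists only so the checks can run against a constructed tree.

# Return 0 if any PCI function carries Apple's vendor ID and the T2 device ID.
# The kernel prints these sysfs attributes as "0x%04x", hence lowercase hex.
t2_present_pci() {
    root="${1:-/sys}"
    for dev in "$root"/bus/pci/devices/*/; do
        [ -r "$dev/vendor" ] && [ -r "$dev/device" ] || continue
        if [ "$(cat "$dev/vendor")" = "0x106b" ] && [ "$(cat "$dev/device")" = "0x1802" ]; then
            return 0
        fi
    done
    return 1
}

# Return 0 if the DMI vendor/product pair is one the v3 patch's table lists.
# DMI strings are matched case-sensitively by the kernel, so these patterns
# must be spelled exactly as the firmware reports them.
t2_dmi_listed() {
    root="${1:-/sys}"
    [ -r "$root/class/dmi/id/sys_vendor" ] && [ -r "$root/class/dmi/id/product_name" ] || return 1
    [ "$(cat "$root/class/dmi/id/sys_vendor")" = "Apple Inc." ] || return 1
    case "$(cat "$root/class/dmi/id/product_name")" in
        MacBookPro15,[1-4]|MacBookPro16,[1-4]|MacBookAir8,[12]|MacBookAir9,1|MacMini8,1|MacPro7,1|iMac20,[12])
            return 0 ;;
    esac
    return 1
}

# Print both verdicts on one line so a disagreement between them (chip present
# but model missing from the table, or the reverse) is visible at a glance.
t2_check() {
    root="${1:-/sys}"
    pci=no
    dmi=no
    t2_present_pci "$root" && pci=yes
    t2_dmi_listed "$root" && dmi=yes
    printf 'pci=%s dmi=%s\n' "$pci" "$dmi"
}

# Stand-alone run against the real sysfs (or a tree named by SYSFS_ROOT).
t2_check "${SYSFS_ROOT:-/sys}"
```

Run it with plain `sh` on the machine in question; `pci=yes dmi=no` means the T2 is present but the model is absent from the patch's table, which is exactly the gap a PCI-based check would close, while `pci=no dmi=yes` would point at a table entry that does not actually carry the chip.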