Message-ID: <06062b288d675dc060f33041e9b2009c151698e6.camel@linux.ibm.com>
Subject: Re: [PATCH v7] efi: Do not import certificates from UEFI Secure Boot for T2 Macs
From: Mimi Zohar
To: Aditya Garg, jarkko@kernel.org, dmitry.kasatkin@gmail.com, jmorris@namei.org, serge@hallyn.com, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kafai@fb.com, songliubraving@fb.com, yhs@fb.com, john.fastabend@gmail.com, kpsingh@kernel.org
Cc: linux-integrity@vger.kernel.org, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, bpf@vger.kernel.org, Orlando Chamberlain, admin@kodeit.net, stable@vger.kernel.org
Date: Fri, 13 May 2022 11:24:45 -0400
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Aditya,

On Fri, 2022-04-15 at 17:02 +0000, Aditya Garg wrote:
> From: Aditya Garg
>
> On Apple T2 Macs, when Linux attempts to read the db and dbx efi variables
> at early boot to load UEFI Secure Boot certificates, a page fault occurs
> in Apple firmware code and EFI runtime services are disabled with the
> following logs:

Are there directions for installing Linux on a Mac with Apple firmware
code? Are you dual booting Linux and Mac, or just Linux?

While in secure boot mode, without being able to read the keys to
verify the kernel image signature, the signature verification should
fail.

Has anyone else tested this patch?

thanks,

Mimi