Message ID | 958B8D22-F11E-4B5D-9F44-6F0626DBCB63@live.com (mailing list archive) |
---|---|
State | Superseded |
Headers | show |
Series | [v7] efi: Do not import certificates from UEFI Secure Boot for T2 Macs | expand |
Context | Check | Description |
---|---|---|
netdev/tree_selection | success | Not a local patch |
Hi Aditya, On Fri, 2022-04-15 at 17:02 +0000, Aditya Garg wrote: > From: Aditya Garg <gargaditya08@live.com> > > On Apple T2 Macs, when Linux attempts to read the db and dbx efi variables > at early boot to load UEFI Secure Boot certificates, a page fault occurs > in Apple firmware code and EFI runtime services are disabled with the > following logs: Are there directions for installing Linux on a Mac with Apple firmware code? Are you dual booting Linux and Mac, or just Linux? While in secure boot mode, without being able to read the keys to verify the kernel image signature, the signature verification should fail. Has anyone else tested this patch? thanks, Mimi
> Are there directions for installing Linux on a Mac with Apple firmware > code? Well, directions of installing Linux on an Intel based Mac, which includes the T2 Macs is the same as on a normal PC. Though, in case of T2 Macs, we for now need to use customised ISOs, since some drivers and patches to support T2 Macs are yet to be upstreamed. An example of installing Ubuntu can be read here on https://wiki.t2linux.org/distributions/ubuntu/installation/ Talking about the official ISOs, for many distros, since CONFIG_LOAD_UEFI_KEYS is not enabled in their kernel config, we can install Linux using them, but they still lack many drivers required, since they are yet to be upstreamed. So the installation doesn’t work efficiently and we have to manually install custom kernels having those patches. In some distros like Ubuntu, they have CONFIG_LOAD_UEFI_KEYS enabled in their kernel config. In this case the crash as mentioned in the patch description occurs and EFI Runtime Services get disabled. Since installing GRUB requires access to NVRAM, the installation fails with official ISOs in this case. Thus, a custom ISO, with this patch incorporated in being used for now for users interested in Ubuntu on T2 Macs. > Are you dual booting Linux and Mac, or just Linux? I don’t think it actually matters, though in most of the cases, we dual boot macOS and Linux, but I do have seen cases who wipe out their macOS completely. But this doesn't affect the Secure Boot policy of these machines. > While in > secure boot mode, without being able to read the keys to verify the > kernel image signature, the signature verification should fail. If I enable secure boot in the BIOS settings (macOS Recovery), Apple’s firmware won't allow even the boot loader like GRUB, rEFInd to boot. It shall only allow Windows and macOS to Boot. You could see https://support.apple.com/en-in/HT208198 for more details. > > Has anyone else tested this patch? I work as a maintainer for Ubuntu for T2 Linux community and I have this patch incorporated in the kernels used for Ubuntu ISOs customised for T2 Macs, and thus have many users who have used the ISO and have a successful installation. Thus, there are many users who have tested this patch and are actually using it right now. We also need the have the NVRAM writes enabled so as to unlock the iGPU in Macs with both Intel and AMD GPU, and with this patch, we have been successfully able to unlock it, I hope I could answer your questions Regards Aditya
On Fri, 2022-05-13 at 18:31 +0000, Aditya Garg wrote: > > Are there directions for installing Linux on a Mac with Apple firmware > > code? > > Well, directions of installing Linux on an Intel based Mac, which > includes the T2 Macs is the same as on a normal PC. > > Though, in case of T2 Macs, we for now need to use customised ISOs, > since some drivers and patches to support T2 Macs are yet to be > upstreamed. > > An example of installing Ubuntu can be read here on > https://wiki.t2linux.org/distributions/ubuntu/installation/ > > Talking about the official ISOs, for many distros, since > CONFIG_LOAD_UEFI_KEYS is not enabled in their kernel config, we can > install Linux using them, but they still lack many drivers required, > since they are yet to be upstreamed. So the installation doesn’t work > efficiently and we have to manually install custom kernels having > those patches. > > In some distros like Ubuntu, they have CONFIG_LOAD_UEFI_KEYS enabled > in their kernel config. In this case the crash as mentioned in the > patch description occurs and EFI Runtime Services get disabled. Since > installing GRUB requires access to NVRAM, the installation fails with > official ISOs in this case. Thus, a custom ISO, with this patch > incorporated in being used for now for users interested in Ubuntu on > T2 Macs. > > > Are you dual booting Linux and Mac, or just Linux? > > I don’t think it actually matters, though in most of the cases, we > dual boot macOS and Linux, but I do have seen cases who wipe out > their macOS completely. But this doesn't affect the Secure Boot > policy of these machines. > > > While in > > secure boot mode, without being able to read the keys to verify the > > kernel image signature, the signature verification should fail. > > If I enable secure boot in the BIOS settings (macOS Recovery), > Apple’s firmware won't allow even the boot loader like GRUB, rEFInd > to boot. It shall only allow Windows and macOS to Boot. You could see > https://support.apple.com/en-in/HT208198 for more details. > > > > > Has anyone else tested this patch? > > I work as a maintainer for Ubuntu for T2 Linux community and I have > this patch incorporated in the kernels used for Ubuntu ISOs > customised for T2 Macs, and thus have many users who have used the > ISO and have a successful installation. Thus, there are many users > who have tested this patch and are actually using it right now. > We also need the have the NVRAM writes enabled so as to unlock the > iGPU in Macs with both Intel and AMD GPU, and with this patch, we > have been successfully able to unlock it, > > I hope I could answer your questions Yes, thank you. Based on the link above and https://wiki.t2linux.org/guides/kernel/, I was able boot a kernel with/without this patch. The patch is now queued in the next-integrity-testing branch. thanks, Mimi
diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h index 284558f30..212d894a8 100644 --- a/security/integrity/platform_certs/keyring_handler.h +++ b/security/integrity/platform_certs/keyring_handler.h @@ -35,3 +35,11 @@ efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type); efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type); #endif + +#ifndef UEFI_QUIRK_SKIP_CERT +#define UEFI_QUIRK_SKIP_CERT(vendor, product) \ + .matches = { \ + DMI_MATCH(DMI_BOARD_VENDOR, vendor), \ + DMI_MATCH(DMI_PRODUCT_NAME, product), \ + }, +#endif diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index 5f45c3c07..1a7e7d597 100644 --- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c @@ -3,6 +3,7 @@ #include <linux/kernel.h> #include <linux/sched.h> #include <linux/cred.h> +#include <linux/dmi.h> #include <linux/err.h> #include <linux/efi.h> #include <linux/slab.h> @@ -12,6 +13,31 @@ #include "../integrity.h" #include "keyring_handler.h" +/* + * On T2 Macs reading the db and dbx efi variables to load UEFI Secure Boot + * certificates causes occurrence of a page fault in Apple's firmware and + * a crash disabling EFI runtime services. The following quirk skips reading + * these variables. + */ +static const struct dmi_system_id uefi_skip_cert[] = { + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,1") }, + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,2") }, + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,3") }, + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,4") }, + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,1") }, + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,2") }, + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,3") }, + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,4") }, + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir8,1") }, + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir8,2") }, + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir9,1") }, + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacMini8,1") }, + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacPro7,1") }, + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,1") }, + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,2") }, + { } +}; + /* * Look to see if a UEFI variable called MokIgnoreDB exists and return true if * it does. @@ -138,6 +164,13 @@ static int __init load_uefi_certs(void) unsigned long dbsize = 0, dbxsize = 0, mokxsize = 0; efi_status_t status; int rc = 0; + const struct dmi_system_id *dmi_id; + + dmi_id = dmi_first_match(uefi_skip_cert); + if (dmi_id) { + pr_err("Reading UEFI Secure Boot Certs is not supported on T2 Macs.\n"); + return false; + } if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) return false;