Enable cold boot attack mitigation

[Lukas Wunner: Forward-ported to 4.11: adjust context]

Gbp-Pq: Topic features/all/lockdown
Gbp-Pq: Name enable-cold-boot-attack-mitigation.patch

diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
index 48db9732b684b7e72d79dec4acb3160f91dca90c..23b20444085c52dd229678d5c4c9cf1f29bf26f5 100644 (file)
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -608,6 +608,22 @@ void setup_graphics(struct boot_params *boot_params)
        }
 }
 
+#define MEMORY_ONLY_RESET_CONTROL_GUID \
+       EFI_GUID (0xe20939be, 0x32d4, 0x41be, 0xa1, 0x50, 0x89, 0x7f, 0x85, 0xd4, 0x98, 0x29)
+
+static void enable_reset_attack_mitigation(void)
+{
+       u8 val = 1;
+       efi_guid_t var_guid = MEMORY_ONLY_RESET_CONTROL_GUID;
+
+       /* Ignore the return value here - there's not really a lot we can do */
+       efi_early->call((unsigned long)sys_table->runtime->set_variable,
+                       L"MemoryOverwriteRequestControl", &var_guid,
+                       EFI_VARIABLE_NON_VOLATILE |
+                       EFI_VARIABLE_BOOTSERVICE_ACCESS |
+                       EFI_VARIABLE_RUNTIME_ACCESS, sizeof(val), val);
+}
+
 /*
  * Because the x86 boot code expects to be passed a boot_params we
  * need to create one ourselves (usually the bootloader would create
@@ -992,6 +1008,12 @@ struct boot_params *efi_main(struct efi_config *c,
        else
                setup_boot_services32(efi_early);
 
+       /*
+        * Ask the firmware to clear memory if we don't have a clean
+        * shutdown
+        */
+       enable_reset_attack_mitigation();
+
        /*
         * If the boot loader gave us a value for secure_boot then we use that,
         * otherwise we ask the BIOS.