From e70c11320f7076d1ecc4bdfabb3a68293bbcb515 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 12 Jan 2016 12:51:27 -0800 Subject: [PATCH] Enable cold boot attack mitigation [Lukas Wunner: Forward-ported to 4.11: adjust context] Gbp-Pq: Topic features/all/lockdown Gbp-Pq: Name enable-cold-boot-attack-mitigation.patch --- arch/x86/boot/compressed/eboot.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c index e56dbc67e83..c2213a74b3c 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c @@ -606,6 +606,22 @@ void setup_graphics(struct boot_params *boot_params) } } +#define MEMORY_ONLY_RESET_CONTROL_GUID \ + EFI_GUID (0xe20939be, 0x32d4, 0x41be, 0xa1, 0x50, 0x89, 0x7f, 0x85, 0xd4, 0x98, 0x29) + +static void enable_reset_attack_mitigation(void) +{ + u8 val = 1; + efi_guid_t var_guid = MEMORY_ONLY_RESET_CONTROL_GUID; + + /* Ignore the return value here - there's not really a lot we can do */ + efi_early->call((unsigned long)sys_table->runtime->set_variable, + L"MemoryOverwriteRequestControl", &var_guid, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS, sizeof(val), val); +} + /* * Because the x86 boot code expects to be passed a boot_params we * need to create one ourselves (usually the bootloader would create @@ -990,6 +1006,12 @@ struct boot_params *efi_main(struct efi_config *c, else setup_boot_services32(efi_early); + /* + * Ask the firmware to clear memory if we don't have a clean + * shutdown + */ + enable_reset_attack_mitigation(); + /* * If the boot loader gave us a value for secure_boot then we use that, * otherwise we ask the BIOS. -- 2.30.2