[PATCH v3] efi: Do not import certificates from UEFI Secure Boot for T2 Macs
Lukas Wunner
lukas at wunner.de
Sun Feb 13 07:39:24 UTC 2022
On Thu, Feb 10, 2022 at 10:47:25AM +0000, Aditya Garg wrote:
> +/* Apple Macs with T2 Security chip don't support these UEFI variables.
> + * The T2 chip manages the Secure Boot and does not allow Linux to boot
> + * if it is turned on. If turned off, an attempt to get certificates
> + * causes a crash, so we simply return 0 for them in each function.
> + */
> +
> +static const struct dmi_system_id uefi_skip_cert[] = {
> +
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,1") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,2") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,3") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,4") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,1") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,2") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,3") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,4") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir8,1") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir8,2") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir9,1") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacMini8,1") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacPro7,1") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,1") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,2") },
> + { }
> +};
The T2 is represented by a PCI device with ID 106B:1802. I think it
would be more elegant to sense presence of that device instead of
hardcoding a long dmi list, i.e.:
static bool apple_t2_present(void)
{
struct pci_dev *pdev;
if (!x86_apple_machine)
return false;
pdev = pci_get_device(PCI_VENDOR_ID_APPLE, 0x1802, NULL);
if (pdev) {
pci_put_dev(pdev);
return true;
}
return false;
}
More information about the Linux-security-module-archive
mailing list