ACK: [CVE-2015-7837][vivid, xenial] UBUNTU: SAUCE: (no-up) kexec/uefi: copy secure_boot flag in boot params across kexec reboot

Colin Ian King colin.king at canonical.com
Thu Sep 29 14:51:57 UTC 2016


On 29/09/16 15:43, Luis Henriques wrote:
> From: Dave Young <dyoung at redhat.com>
> 
> Kexec reboot in case secure boot being enabled does not keep the secure
> boot mode in new kernel, so later one can load unsigned kernel via legacy
> kexec_load.  In this state, the system is missing the protections provided
> by secure boot. Adding a patch to fix this by retaining the secure_boot flag
> in original kernel.
> 
> secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the
> stub. Fixing this issue by copying secure_boot flag across kexec reboot.
> 
> Signed-off-by: Dave Young <dyoung at redhat.com>
> CVE-2015-7837
> (cherry-picked from https://github.com/mjg59/linux/commit/4b2b64d5a6ebc84214755ebccd599baef7c1b798)
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
>  arch/x86/kernel/kexec-bzimage64.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
> index 0f8a6bbaaa44..e6ac33011068 100644
> --- a/arch/x86/kernel/kexec-bzimage64.c
> +++ b/arch/x86/kernel/kexec-bzimage64.c
> @@ -180,6 +180,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
>  	if (efi_enabled(EFI_OLD_MEMMAP))
>  		return 0;
>  
> +	params->secure_boot = boot_params.secure_boot;
>  	ei->efi_loader_signature = current_ei->efi_loader_signature;
>  	ei->efi_systab = current_ei->efi_systab;
>  	ei->efi_systab_hi = current_ei->efi_systab_hi;
> 
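Review bot: the added `params->secure_boot = boot_params.secure_boot;` sits below the `if (efi_enabled(EFI_OLD_MEMMAP)) return 0;` early exit in setup_efi_state(), so on that path the function returns before the flag is copied. If nothing else populates params->secure_boot for the new kernel, an EFI_OLD_MEMMAP boot would still come up after kexec without the secure boot state, which is the condition the commit message sets out to close. Consider moving the assignment above the early return, or doing the copy in the caller so that it does not depend on how far setup_efi_state() gets. A one-line comment noting that the EFI stub normally sets this field and that kexec bypasses the stub would also help future readers.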
Simple 1 line fix, looks sane to me

Acked-by: Colin Ian King <colin.king at canonical.com>
