Matthew Garrett on the Linux Kernel Lockdown Patch, and UEFI

Re: Kernel Lockdown Patch:
https://firmwaresecurity.com/2018/04/04/linus-on-uefi-and-kernel-lockdown-patch/
https://firmwaresecurity.com/2017/10/19/linux-kernel-lockdown-patch/
https://firmwaresecurity.com/2017/04/11/background-for-kernel-lockdown-patch/
https://firmwaresecurity.com/2017/04/05/linux-kernel-lockdown-2/
https://firmwaresecurity.com/2016/11/17/linux-kernel-lockdown/

Matthew Garrett of Google has a new blog post that gives some background on this patch, w/r/t UEFI:

https://mjg59.dreamwidth.org/50577.html

Linus on UEFI and Kernel Lockdown patch

This is a fascinating thread to read. Linus does not understand UEFI; he doesn't understand how his code works on many systems. I get that he wishes UEFI didn't exist, but many Linux users access Linux via Windows PCs. It is not valid to ignore the boot issues on those systems, especially in a world getting more and more security-aware.

I confess that I sometimes act like Linus as well, I'm ashamed to say. But I'm not responsible for one of the most important open source projects around; if I were, I'd try to be a bit more mature toward the contributors, with a lower ratio of UPPERCASE OBSCENITIES per piece of constructive feedback. Linux users who have UEFI-based systems owe a lot of thanks to Matthew and a handful of others, like Peter... in spite of Linus.

https://lkml.org/lkml/2018/4/3/817

https://lkml.org/lkml/2018/4/4/565

https://lkml.org/lkml/2018/4/3/847

Linux ACPI support for ARM-v8

Earlier this month, Linaro announced their effort to upstream the Linux patches to enable ACPI on ARMv8. It appears the patch may make it into Linux 4.1, but it is not done yet.

The Linaro blog post credits a large list of people who helped: the UEFI Forum's ACPI Working Group, Linaro, ARM, Red Hat, Huawei, Qualcomm, AMD, APM, HP, other Linaro LEG members, and Linux kernel maintainers, including Linus.

As part of this effort, on March 26th, ARM hosted a Firmware Summit focused on ARMv8 and ACPI, with dozens attending, including SoC vendors, BIOS vendors, firmware and kernel developers, ODMs and OEMs.

The Linux kernel commit message for this patchset includes this description:

‘This series introduces preliminary ACPI 5.1 support to the arm64 kernel using the “hardware reduced” profile. We don’t support any peripherals yet, so it’s fairly limited in scope:
– MEMORY init (UEFI)
– ACPI discovery (RSDP via UEFI)
– CPU init (FADT)
– GIC init (MADT)
– SMP boot (MADT + PSCI)
– ACPI Kconfig options (dependent on EXPERT)
ACPI for arm64 has been in development for a while now and hardware has been available that can boot with either FDT or ACPI tables. This has been made possible by both changes to the ACPI spec to cater for ARM-based machines (known as “hardware-reduced” in ACPI parlance) but also a Linaro-driven effort to get this supported on top of the Linux kernel. This pull request is the result of that work. These changes allow us to initialise the CPUs, interrupt controller, and timers via ACPI tables, with memory information and cmdline coming from EFI. We don’t support a hybrid ACPI/FDT scheme. Of course, there is still plenty of work to do (a serial console would be nice!) but I expect that to happen on a per-driver basis after this core series has been merged.’

Upon accepting the patch, Linus said:

‘No earth-shattering new features come to mind, even if initial support for ACPI on arm64 looks funny. Depending on what you care about, your notion of “big new feature” may differ from mine, of course. There’s a lot of work all over, and some of it might just make a big difference to your use cases.’

This *is* a big new feature, if you care about firmware and Linux.

More Information:

https://www.linaro.org/blog/collaborative-effort-to-upstream-acpi/