Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

avoid EFIv2 runtime services on Apple x86 machines #690

Merged
merged 1 commit into from
Jan 15, 2025
Merged

avoid EFIv2 runtime services on Apple x86 machines #690

merged 1 commit into from
Jan 15, 2025

Conversation

eduardacatrinei
Copy link
Contributor

While booting a MacBookPro15,2 (the last Intel model, 2019).
The shim 15.8 got stuck in RT->QueryVariableInfo().
Previously, these devices shipped with EFI firmware version 1.10, and we had a quirk in place for this (#364)
However, Apple updated the firmware to version 2.40, but it still doesn't implement runtime services.

Logs and a screen recording have been attached to this comment.
#364 (comment)

Related to:
#385
#457
https://nvd.nist.gov/vuln/detail/CVE-2022-48769

@eduardacatrinei
Copy link
Contributor Author

@vathpela can you take a look here?

@AdityaGarg8
Copy link

Does this make Apple's T2 chip recognise the signature? Or it just makes it bootable with secure boot turned off?

@eduardacatrinei
Copy link
Contributor Author

This will help prevent a black screen when trying a distro based on shim.
According with Apple_T2_Security_Chip_Overview, it will not recognize the signature.

NOTE: There is currently no trust provided for the the Microsoft Corporation
UEFI CA 2011, which would allow verification of code signed by Microsoft
partners. This UEFI CA is commonly used to verify the authenticity of
bootloaders for other operating systems such as Linux variants.

@vathpela vathpela force-pushed the main branch 2 times, most recently from e5d23fd to 88e1022 Compare January 15, 2025 21:24
@eduardacatrinei @vathpela
avoid EFIv2 runtime services on Apple x86 machines
5c1656b 
While booting a MacBookPro15,2 (the last Intel model, 2019), shim 15.8
gets stuck in RT->QueryVariableInfo().  Previously, these devices
shipped with EFI firmware version 1.10, and we had a quirk in place for
this (rhboot#364).  However, Apple updated the firmware to version 2.40, but
it still doesn't implement runtime services.

This patch adds a test for Apple as the vendor, and treats that as
equivalent to having an older major UEFI version.

Signed-off-by: Eduard Acatrinei <[email protected]>
@vathpela
Copy link
Contributor

I've made a small change to not trust that ST->FirmwareVendor is a properly formatted string, but other than that it looks good to me.

@vathpela vathpela merged commit ad8692e into rhboot:main Jan 15, 2025
20 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vathpela vathpela vathpela approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@eduardacatrinei @AdityaGarg8 @vathpela