From 9472421366604c0504d9da77569f45c5b459c9bb Mon Sep 17 00:00:00 2001
From: Laura Abbott
Date: Oct 18 2016 21:23:11 +0000
Subject: Gracefully bail out of secureboot when EFI runtime is disabled - Fix for aarch64 boot regression (rhbz 1384701)
---
diff --git a/0001-arm64-kernel-numa-fix-ACPI-boot-cpu-numa-node-mappin.patch b/0001-arm64-kernel-numa-fix-ACPI-boot-cpu-numa-node-mappin.patch
new file mode 100644
index 0000000..bfe4c96
--- /dev/null
+++ b/0001-arm64-kernel-numa-fix-ACPI-boot-cpu-numa-node-mappin.patch
@@ -0,0 +1,47 @@
+From 23339319c91c79986976381d4cea75f6608dee68 Mon Sep 17 00:00:00 2001
+From: Lorenzo Pieralisi
+Date: Mon, 17 Oct 2016 15:18:48 +0100
+Subject: [PATCH] arm64: kernel: numa: fix ACPI boot cpu numa node mapping
+
+Commit 7ba5f605f3a0 ("arm64/numa: remove the limitation that cpu0 must
+bind to node0") removed the numa cpu<->node mapping restriction whereby
+logical cpu 0 always corresponds to numa node 0; removing the
+restriction was correct, in that it does not really exist in practice
+but the commit only updated the early mapping of logical cpu 0 to its
+real numa node for the DT boot path, missing the ACPI one, leading to
+boot failures on ACPI systems with numa enabled owing to missing
+node<->cpu map for logical cpu 0.
+
+Fix the issue by updating the ACPI boot path with code that carries out
+the early cpu<->node mapping also for the boot cpu (ie cpu 0), mirroring
+what is currently done in the DT boot path.
+
+Fixes: 7ba5f605f3a0 ("arm64/numa: remove the limitation that cpu0 must bind to node0")
+Signed-off-by: Lorenzo Pieralisi
+Tested-by: Laszlo Ersek
+Reported-by: Laszlo Ersek
+Cc: Will Deacon
+Cc: Laszlo Ersek
+Cc: Hanjun Guo
+Cc: Andrew Jones
+Cc: Zhen Lei
+Cc: Catalin Marinas
+---
+ arch/arm64/kernel/smp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/kernel/smp.c b/arch/arm64/kernel/smp.c
+index d3f151c..8507703 100644
+--- a/arch/arm64/kernel/smp.c
++++ b/arch/arm64/kernel/smp.c
+@@ -544,6 +544,7 @@ acpi_map_gic_cpu_interface(struct acpi_madt_generic_interrupt *processor)
+ return;
+ }
+ bootcpu_valid = true;
++ early_map_cpu_to_node(0, acpi_numa_get_nid(0, hwid));
+ return;
+ }
+
+--
+2.7.4
+
diff --git a/MODSIGN-Don-t-try-secure-boot-if-EFI-runtime-is-disa.patch b/MODSIGN-Don-t-try-secure-boot-if-EFI-runtime-is-disa.patch
new file mode 100644
index 0000000..6f5d8b6
--- /dev/null
+++ b/MODSIGN-Don-t-try-secure-boot-if-EFI-runtime-is-disa.patch
@@ -0,0 +1,32 @@
+From 71db1b222ecdf6cb4356f6f1e2bd45cd2f0e85e1 Mon Sep 17 00:00:00 2001
+From: Laura Abbott
+Date: Tue, 18 Oct 2016 13:58:44 -0700
+Subject: [PATCH] MODSIGN: Don't try secure boot if EFI runtime is disabled
+
+Secure boot depends on having EFI runtime variable access. The code
+does not handle a lack of runtime variables gracefully. Add a check
+to just bail out of EFI runtime is disabled.
+
+Signed-off-by: Laura Abbott
+---
+ kernel/modsign_uefi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
+index a41da14..2bdaf76 100644
+--- a/kernel/modsign_uefi.c
++++ b/kernel/modsign_uefi.c
+@@ -71,6 +71,10 @@ static int __init load_uefi_certs(void)
+ if (!efi_enabled(EFI_SECURE_BOOT))
+ return 0;
+
++ /* Things blow up if efi runtime is disabled */
++ if (efi_runtime_disabled())
++ return 0;
++
+ keyring = get_system_keyring();
+ if (!keyring) {
+ pr_err("MODSIGN: Couldn't get system keyring\n");
+--
+2.7.4
+
diff --git a/kernel.spec b/kernel.spec
index ecfb526..7d34b3a 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -595,6 +595,8 @@ Patch502: firmware-Drop-WARN-from-usermodehelper_read_trylock-.patch Patch508: kexec-uefi-copy-secure_boot-flag-in-boot-params.patch +Patch509: MODSIGN-Don-t-try-secure-boot-if-EFI-runtime-is-disa.patch + #CVE-2016-3134 rhbz 1317383 1317384 Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
@@ -604,6 +606,9 @@ Patch848: 0001-cpupower-Correct-return-type-of-cpu_power_is_cpu_onl.patch #ongoing complaint, full discussion delayed until ksummit/plumbers Patch849: 0001-iio-Use-event-header-from-kernel-tree.patch +#rhbz 1384701 +Patch850: 0001-arm64-kernel-numa-fix-ACPI-boot-cpu-numa-node-mappin.patch + # END OF PATCH DEFINITIONS %endif
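Review bot: The early return added to `load_uefi_certs()` for `efi_runtime_disabled()` is silent, so on a system with Secure Boot enabled but EFI runtime services off, the boot log gives no reason why the firmware-provided certificates were never loaded. The rest of the function is outside the hunk; if it also loads revocation entries from UEFI variables (presumably, not visible here), those go unenforced on this path too, which an auditor should be able to see. I would brace the branch and log before returning, in the style of the existing `pr_err` call: `pr_info("MODSIGN: EFI runtime services disabled, not loading UEFI certs\n");`. The comment could also name the cause instead of "Things blow up", e.g. `/* UEFI variable access needs EFI runtime services; skip the lookups when they are disabled */`.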
@@ -2142,6 +2147,10 @@ fi # # %changelog +* Tue Oct 18 2016 Laura Abbott +- Gracefully bail out of secureboot when EFI runtime is disabled +- Fix for aarch64 boot regression (rhbz 1384701) + * Tue Oct 18 2016 Peter Robinson - Disable ACPI_CPPC_CPUFREQ on aarch64