From 1ebd53abbfa5871c89159699db18134ade90c7b0 Mon Sep 17 00:00:00 2001
From: dann frazier <dannf@debian.org>
Date: Wed, 13 Feb 2019 14:55:23 -0700
Subject: [PATCH] arm64: lockdown: Move init_lockdown() call after efi_init()

The lockdown code for arm64 currently fails to engage when in Secure Boot
mode. Seth Forshee noticed that this is because init_lockdown() checks
for efi_enabled(EFI_BOOT), but that bit doesn't get set until uefi_init()
is called.
---
 debian/changelog                                    |  3 +++
 ...add-kernel-config-option-to-lock-down-when.patch | 13 +++++++------
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 9d6bce36f..16ee08d9d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -24,6 +24,9 @@ linux (4.19.20-2) UNRELEASED; urgency=medium
     is enabled on Orange Pi Plus.
   * [armhf] Enable REGULATOR_SY8106A as module.
 
+  [ dann frazier ]
+  * arm64: lockdown: Move init_lockdown() call after uefi_init()
+
  -- Ben Hutchings <ben@decadent.org.uk>  Tue, 12 Feb 2019 12:49:10 +0000
 
 linux (4.19.20-1) unstable; urgency=medium
diff --git a/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch b/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
index 2bd2ce1d3..1f8fac6c4 100644
--- a/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
+++ b/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
@@ -19,6 +19,7 @@ Signed-off-by: Linn Crosetto <linn@hpe.com>
    efi_set_secure_boot() in main kernel
  - Use lockdown API and naming]
 [bwh: Forward-ported to 4.19.3: adjust context in update_fdt()]
+[dannf: Moved init_lockdown() call after uefi_init(), fixing SB detection]
 ---
  arch/arm64/Kconfig                      | 13 +++++++++++++
  drivers/firmware/efi/arm-init.c         |  7 +++++++
@@ -39,16 +40,16 @@ Signed-off-by: Linn Crosetto <linn@hpe.com>
  
  #include <asm/efi.h>
  
-@@ -252,6 +253,9 @@ void __init efi_init(void)
- 	     "Unexpected EFI_MEMORY_DESCRIPTOR version %ld",
- 	      efi.memmap.desc_version);
+@@ -257,6 +258,9 @@ void __init efi_init(void)
+ 		return;
+ 	}
  
 +	efi_set_secure_boot(params.secure_boot);
 +	init_lockdown();
 +
- 	if (uefi_init() < 0) {
- 		efi_memmap_unmap();
- 		return;
+ 	reserve_regions();
+ 	efi_esrt_init();
+ 
 --- a/drivers/firmware/efi/efi.c
 +++ b/drivers/firmware/efi/efi.c
 @@ -657,7 +657,8 @@ static __initdata struct params fdt_para