Refresh "efi: Lock down the kernel if booted in secure boot mode"
This commit is contained in:
Salvatore Bonaccorso
parent
c0f84a03f2
commit
483528dfb0
|
|
@ -18,10 +18,8 @@ cc: linux-efi@vger.kernel.org
|
|||
security/lock_down.c | 1 +
|
||||
3 files changed, 19 insertions(+), 2 deletions(-)
|
||||
|
||||
Index: linux/arch/x86/kernel/setup.c
|
||||
===================================================================
|
||||
--- linux.orig/arch/x86/kernel/setup.c
|
||||
+++ linux/arch/x86/kernel/setup.c
|
||||
--- a/arch/x86/kernel/setup.c
|
||||
+++ b/arch/x86/kernel/setup.c
|
||||
@@ -65,6 +65,7 @@
|
||||
#include <linux/dma-mapping.h>
|
||||
#include <linux/ctype.h>
|
||||
|
|
@ -49,13 +47,11 @@ Index: linux/arch/x86/kernel/setup.c
|
|||
reserve_initrd();
|
||||
|
||||
acpi_table_upgrade();
|
||||
Index: linux/security/Kconfig
|
||||
===================================================================
|
||||
--- linux.orig/security/Kconfig
|
||||
+++ linux/security/Kconfig
|
||||
@@ -256,6 +256,20 @@ config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
|
||||
Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
|
||||
combination on a wired keyboard.
|
||||
--- a/security/Kconfig
|
||||
+++ b/security/Kconfig
|
||||
@@ -247,6 +247,21 @@ config LOCK_DOWN_KERNEL
|
||||
turns off various features that might otherwise allow access to the
|
||||
kernel image (eg. setting MSR registers).
|
||||
|
||||
+config LOCK_DOWN_IN_EFI_SECURE_BOOT
|
||||
+ bool "Lock down the kernel in EFI Secure Boot mode"
|
||||
|
|
@ -71,18 +67,17 @@ Index: linux/security/Kconfig
|
|||
+ Enabling this option turns on results in kernel lockdown being
|
||||
+ triggered if EFI Secure Boot is set.
|
||||
+
|
||||
|
||||
+
|
||||
source security/selinux/Kconfig
|
||||
source security/smack/Kconfig
|
||||
Index: linux/security/lock_down.c
|
||||
===================================================================
|
||||
--- linux.orig/security/lock_down.c
|
||||
+++ linux/security/lock_down.c
|
||||
@@ -12,6 +12,7 @@
|
||||
source security/tomoyo/Kconfig
|
||||
--- a/security/lock_down.c
|
||||
+++ b/security/lock_down.c
|
||||
@@ -11,6 +11,7 @@
|
||||
|
||||
#include <linux/security.h>
|
||||
#include <linux/export.h>
|
||||
#include <linux/sysrq.h>
|
||||
+#include <linux/efi.h>
|
||||
#include <asm/setup.h>
|
||||
|
||||
#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
|
||||
static __ro_after_init bool kernel_locked_down;
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue