Refresh "efi: Lock down the kernel if booted in secure boot mode"

Salvatore Bonaccorso 2020-03-21 09:12:48 +01:00
parent c0f84a03f2
commit 483528dfb0
1 changed files with 15 additions and 20 deletions


@ -18,10 +18,8 @@ cc: linux-efi@vger.kernel.org
security/lock_down.c | 1 + security/lock_down.c | 1 +
3 files changed, 19 insertions(+), 2 deletions(-) 3 files changed, 19 insertions(+), 2 deletions(-)
Index: linux/arch/x86/kernel/setup.c --- a/arch/x86/kernel/setup.c
=================================================================== +++ b/arch/x86/kernel/setup.c
--- linux.orig/arch/x86/kernel/setup.c
+++ linux/arch/x86/kernel/setup.c
@@ -65,6 +65,7 @@ @@ -65,6 +65,7 @@
#include <linux/dma-mapping.h> #include <linux/dma-mapping.h>
#include <linux/ctype.h> #include <linux/ctype.h>
@ -49,13 +47,11 @@ Index: linux/arch/x86/kernel/setup.c
reserve_initrd(); reserve_initrd();
acpi_table_upgrade(); acpi_table_upgrade();
Index: linux/security/Kconfig --- a/security/Kconfig
=================================================================== +++ b/security/Kconfig
--- linux.orig/security/Kconfig @@ -247,6 +247,21 @@ config LOCK_DOWN_KERNEL
+++ linux/security/Kconfig turns off various features that might otherwise allow access to the
@@ -256,6 +256,20 @@ config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ kernel image (eg. setting MSR registers).
Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
combination on a wired keyboard.
+config LOCK_DOWN_IN_EFI_SECURE_BOOT +config LOCK_DOWN_IN_EFI_SECURE_BOOT
+ bool "Lock down the kernel in EFI Secure Boot mode" + bool "Lock down the kernel in EFI Secure Boot mode"
@ -71,18 +67,17 @@ Index: linux/security/Kconfig
+ Enabling this option turns on results in kernel lockdown being + Enabling this option turns on results in kernel lockdown being
+ triggered if EFI Secure Boot is set. + triggered if EFI Secure Boot is set.
+ +
+
source security/selinux/Kconfig source security/selinux/Kconfig
source security/smack/Kconfig source security/smack/Kconfig
Index: linux/security/lock_down.c source security/tomoyo/Kconfig
=================================================================== --- a/security/lock_down.c
--- linux.orig/security/lock_down.c +++ b/security/lock_down.c
+++ linux/security/lock_down.c @@ -11,6 +11,7 @@
@@ -12,6 +12,7 @@
#include <linux/security.h> #include <linux/security.h>
#include <linux/export.h> #include <linux/export.h>
#include <linux/sysrq.h>
+#include <linux/efi.h> +#include <linux/efi.h>
#include <asm/setup.h>
#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ static __ro_after_init bool kernel_locked_down;