84 lines
2.6 KiB
Diff
84 lines
2.6 KiB
Diff
From: David Howells <dhowells@redhat.com>
|
|
Date: Wed, 8 Nov 2017 15:11:37 +0000
|
|
Subject: [29/29] efi: Lock down the kernel if booted in secure boot mode
|
|
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=a364bd945ffc141a7b17cb331bda0d8ad68f7e72
|
|
|
|
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
|
|
only load signed bootloaders and kernels. Certain use cases may also
|
|
require that all kernel modules also be signed. Add a configuration option
|
|
that to lock down the kernel - which includes requiring validly signed
|
|
modules - if the kernel is secure-booted.
|
|
|
|
Signed-off-by: David Howells <dhowells@redhat.com>
|
|
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
|
|
cc: linux-efi@vger.kernel.org
|
|
---
|
|
arch/x86/kernel/setup.c | 6 ++++--
|
|
security/Kconfig | 14 ++++++++++++++
|
|
security/lock_down.c | 1 +
|
|
3 files changed, 19 insertions(+), 2 deletions(-)
|
|
|
|
--- a/arch/x86/kernel/setup.c
|
|
+++ b/arch/x86/kernel/setup.c
|
|
@@ -65,6 +65,7 @@
|
|
#include <linux/dma-mapping.h>
|
|
#include <linux/ctype.h>
|
|
#include <linux/uaccess.h>
|
|
+#include <linux/security.h>
|
|
|
|
#include <linux/percpu.h>
|
|
#include <linux/crash_dump.h>
|
|
@@ -1005,6 +1006,9 @@ void __init setup_arch(char **cmdline_p)
|
|
if (efi_enabled(EFI_BOOT))
|
|
efi_init();
|
|
|
|
+ efi_set_secure_boot(boot_params.secure_boot);
|
|
+ init_lockdown();
|
|
+
|
|
dmi_scan_machine();
|
|
dmi_memdev_walk();
|
|
dmi_set_dump_stack_arch_desc();
|
|
@@ -1159,8 +1163,6 @@ void __init setup_arch(char **cmdline_p)
|
|
/* Allocate bigger log buffer */
|
|
setup_log_buf(1);
|
|
|
|
- efi_set_secure_boot(boot_params.secure_boot);
|
|
-
|
|
reserve_initrd();
|
|
|
|
acpi_table_upgrade();
|
|
--- a/security/Kconfig
|
|
+++ b/security/Kconfig
|
|
@@ -247,6 +247,21 @@ config LOCK_DOWN_KERNEL
|
|
turns off various features that might otherwise allow access to the
|
|
kernel image (eg. setting MSR registers).
|
|
|
|
+config LOCK_DOWN_IN_EFI_SECURE_BOOT
|
|
+ bool "Lock down the kernel in EFI Secure Boot mode"
|
|
+ default n
|
|
+ select LOCK_DOWN_KERNEL
|
|
+ depends on EFI
|
|
+ help
|
|
+ UEFI Secure Boot provides a mechanism for ensuring that the firmware
|
|
+ will only load signed bootloaders and kernels. Secure boot mode may
|
|
+ be determined from EFI variables provided by the system firmware if
|
|
+ not indicated by the boot parameters.
|
|
+
|
|
+ Enabling this option turns on results in kernel lockdown being
|
|
+ triggered if EFI Secure Boot is set.
|
|
+
|
|
+
|
|
source security/selinux/Kconfig
|
|
source security/smack/Kconfig
|
|
source security/tomoyo/Kconfig
|
|
--- a/security/lock_down.c
|
|
+++ b/security/lock_down.c
|
|
@@ -11,6 +11,7 @@
|
|
|
|
#include <linux/security.h>
|
|
#include <linux/export.h>
|
|
+#include <linux/efi.h>
|
|
|
|
static __ro_after_init bool kernel_locked_down;
|
|
|