89 lines
2.9 KiB
Diff
89 lines
2.9 KiB
Diff
From: Linn Crosetto <linn@hpe.com>
|
|
Date: Tue, 30 Aug 2016 11:54:38 -0600
|
|
Subject: arm64: add kernel config option to lock down when in Secure Boot mode
|
|
Bug-Debian: https://bugs.debian.org/831827
|
|
Forwarded: no
|
|
|
|
Add a kernel configuration option to lock down the kernel, to restrict
|
|
userspace's ability to modify the running kernel when UEFI Secure Boot is
|
|
enabled. Based on the x86 patch by Matthew Garrett.
|
|
|
|
Determine the state of Secure Boot in the EFI stub and pass this to the
|
|
kernel using the FDT.
|
|
|
|
Signed-off-by: Linn Crosetto <linn@hpe.com>
|
|
[bwh: Forward-ported to 4.10: adjust context]
|
|
[Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream]
|
|
[bwh: Forward-ported to 4.15 and lockdown patch set:
|
|
- Pass result of efi_get_secureboot() in stub through to
|
|
efi_set_secure_boot() in main kernel
|
|
- Use lockdown API and naming]
|
|
---
|
|
arch/arm64/Kconfig | 13 +++++++++++++
|
|
drivers/firmware/efi/arm-init.c | 7 +++++++
|
|
drivers/firmware/efi/efi.c | 3 ++-
|
|
drivers/firmware/efi/libstub/arm-stub.c | 2 +-
|
|
drivers/firmware/efi/libstub/efistub.h | 1 +
|
|
drivers/firmware/efi/libstub/fdt.c | 7 +++++++
|
|
include/linux/efi.h | 1 +
|
|
7 files changed, 32 insertions(+), 2 deletions(-)
|
|
|
|
--- a/drivers/firmware/efi/arm-init.c
|
|
+++ b/drivers/firmware/efi/arm-init.c
|
|
@@ -21,6 +21,7 @@
|
|
#include <linux/of_fdt.h>
|
|
#include <linux/platform_device.h>
|
|
#include <linux/screen_info.h>
|
|
+#include <linux/security.h>
|
|
|
|
#include <asm/efi.h>
|
|
|
|
@@ -252,6 +253,9 @@ void __init efi_init(void)
|
|
"Unexpected EFI_MEMORY_DESCRIPTOR version %ld",
|
|
efi.memmap.desc_version);
|
|
|
|
+ efi_set_secure_boot(params.secure_boot);
|
|
+ init_lockdown();
|
|
+
|
|
if (uefi_init() < 0) {
|
|
efi_memmap_unmap();
|
|
return;
|
|
--- a/drivers/firmware/efi/efi.c
|
|
+++ b/drivers/firmware/efi/efi.c
|
|
@@ -635,7 +635,8 @@ static __initdata struct params fdt_para
|
|
UEFI_PARAM("MemMap Address", "linux,uefi-mmap-start", mmap),
|
|
UEFI_PARAM("MemMap Size", "linux,uefi-mmap-size", mmap_size),
|
|
UEFI_PARAM("MemMap Desc. Size", "linux,uefi-mmap-desc-size", desc_size),
|
|
- UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver)
|
|
+ UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver),
|
|
+ UEFI_PARAM("Secure Boot Enabled", "linux,uefi-secure-boot", secure_boot)
|
|
};
|
|
|
|
static __initdata struct params xen_fdt_params[] = {
|
|
--- a/drivers/firmware/efi/libstub/fdt.c
|
|
+++ b/drivers/firmware/efi/libstub/fdt.c
|
|
@@ -158,6 +158,13 @@ static efi_status_t update_fdt(efi_syste
|
|
return efi_status;
|
|
}
|
|
}
|
|
+
|
|
+ fdt_val32 = cpu_to_fdt32(efi_get_secureboot(sys_table));
|
|
+ status = fdt_setprop(fdt, node, "linux,uefi-secure-boot",
|
|
+ &fdt_val32, sizeof(fdt_val32));
|
|
+ if (status)
|
|
+ goto fdt_set_fail;
|
|
+
|
|
return EFI_SUCCESS;
|
|
|
|
fdt_set_fail:
|
|
--- a/include/linux/efi.h
|
|
+++ b/include/linux/efi.h
|
|
@@ -749,6 +749,7 @@ struct efi_fdt_params {
|
|
u32 mmap_size;
|
|
u32 desc_size;
|
|
u32 desc_ver;
|
|
+ u32 secure_boot;
|
|
};
|
|
|
|
typedef struct {
|