Pull in the s390 auto-lockdown patch
RHEL carried a patch that automatically locks down the kernel on s390, which never made its way into Fedora.

Signed-off-by: Jeremy Cline <jcline@redhat.com>
This commit is contained in:
		
							parent
							
								
									7cc57104b0
								
							
						
					
					
						commit
						59eca17780
					
				| @ -802,6 +802,8 @@ Patch204: efi-secureboot.patch | ||||
| 
 | ||||
| Patch205: lift-lockdown-sysrq.patch | ||||
| 
 | ||||
| Patch206: s390-Lock-down-the-kernel-when-the-IPL-secure-flag-i.patch | ||||
| 
 | ||||
| # 300 - ARM patches | ||||
| Patch300: arm64-Add-option-of-13-for-FORCE_MAX_ZONEORDER.patch | ||||
| 
 | ||||
|  | ||||
							
								
								
									
										66
									
								
								s390-Lock-down-the-kernel-when-the-IPL-secure-flag-i.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										66
									
								
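--- a/s390-Lock-down-the-kernel-when-the-IPL-secure-flag-i.patch
+++ b/s390-Lock-down-the-kernel-when-the-IPL-secure-flag-i.patch
@@ -0,0 +1,66 @@
+From eaa12998810bd9db85dec71f0da55fd5aae73d0f Mon Sep 17 00:00:00 2001
+From: Jeremy Cline <jcline@redhat.com>
+Date: Wed, 30 Oct 2019 14:37:49 +0000
+Subject: [PATCH] s390: Lock down the kernel when the IPL secure flag is set
+
+Automatically lock down the kernel to LOCKDOWN_CONFIDENTIALITY_MAX if
+the IPL secure flag is set.
+
+Suggested-by: Philipp Rudo <prudo@redhat.com>
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+---
+ arch/s390/include/asm/ipl.h | 1 +
+ arch/s390/kernel/ipl.c      | 5 +++++
+ arch/s390/kernel/setup.c    | 4 ++++
+ 3 files changed, 10 insertions(+)
+
+diff --git a/arch/s390/include/asm/ipl.h b/arch/s390/include/asm/ipl.h
+index 084e71b7272a..1d1b5ec7357b 100644
+--- a/arch/s390/include/asm/ipl.h
++++ b/arch/s390/include/asm/ipl.h
+@@ -109,6 +109,7 @@ int ipl_report_add_component(struct ipl_report *report, struct kexec_buf *kbuf,
+ 			     unsigned char flags, unsigned short cert);
+ int ipl_report_add_certificate(struct ipl_report *report, void *key,
+ 			       unsigned long addr, unsigned long len);
++bool ipl_get_secureboot(void);
+ 
+ /*
+  * DIAG 308 support
+diff --git a/arch/s390/kernel/ipl.c b/arch/s390/kernel/ipl.c
+index 6837affc19e8..2d3f3d00e05c 100644
+--- a/arch/s390/kernel/ipl.c
++++ b/arch/s390/kernel/ipl.c
+@@ -1842,3 +1842,8 @@ int ipl_report_free(struct ipl_report *report)
+ }
+ 
+ #endif
++
++bool ipl_get_secureboot(void)
++{
++	return !!ipl_secure_flag;
++}
+diff --git a/arch/s390/kernel/setup.c b/arch/s390/kernel/setup.c
+index 9cbf490fd162..0510ecdfc3f6 100644
+--- a/arch/s390/kernel/setup.c
++++ b/arch/s390/kernel/setup.c
+@@ -49,6 +49,7 @@
+ #include <linux/memory.h>
+ #include <linux/compat.h>
+ #include <linux/start_kernel.h>
++#include <linux/security.h>
+ 
+ #include <asm/boot_data.h>
+ #include <asm/ipl.h>
+@@ -1096,6 +1097,9 @@ void __init setup_arch(char **cmdline_p)
+ 
+ 	log_component_list();
+ 
++	if (ipl_get_secureboot())
++		security_lock_kernel_down("Secure IPL mode", LOCKDOWN_CONFIDENTIALITY_MAX);
++
+ 	/* Have one command line that is parsed and saved in /proc/cmdline */
+ 	/* boot_command_line has been already set up in early.c */
+ 	*cmdline_p = boot_command_line;
+-- 
+2.24.1
+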
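Review bot: The lockdown call added to setup_arch() gives no reason for choosing LOCKDOWN_CONFIDENTIALITY_MAX, and the new ipl_get_secureboot() in ipl.c carries no comment, so a maintainer cannot tell from the code whether secure IPL is meant to match the EFI Secure Boot lockdown (Patch204 in kernel.spec) or to be deliberately stricter. Suggest a one-line kernel-doc above the definition, `/* ipl_get_secureboot - true if the kernel was IPLed with the secure flag set */`, and a why-comment above the `if`, `/* Secure IPL verified the boot image; lock the kernel down so userspace cannot undo that, as on EFI Secure Boot */`, with the EFI comparison adjusted if the intent differs. The `!!` in `return !!ipl_secure_flag;` is harmless on a bool return and presumably normalises a non-bool flag; if ipl_secure_flag is already a bool it can be dropped. setup_arch() starts and ends outside the hunk.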