kernel/0001-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
Justin M. Forbes fa1dee0747 kernel-5.8.0-0.rc0.20200602gitf359287765c0.1
* Tue Jun 02 2020 CKI@GitLab <cki-project@redhat.com> [5.8.0-0.rc0.20200602gitf359287765c0.1]
- f359287765c0 rebase
- Fix update_scripts.sh unselective pattern sub (David Howells)
- Updated changelog for the release based on b0c3ba31be3e ("CKI@GitLab")
- Drop the static path configuration for the Sphinx docs (Jeremy Cline)
- Sign off generated configuration patches (Jeremy Cline)
- Use __make macro instead of make (Tom Stellard)
- redhat/configs: Enable CONFIG_SMC91X and disable CONFIG_SMC911X (Prarit Bhargava) [http://bugzilla.redhat.com/1722136]
Resolves: rhbz#

Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
2020-06-02 13:57:57 -05:00

73 lines
2.4 KiB
Diff

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Mon, 30 Sep 2019 21:28:16 +0000
Subject: [PATCH] efi: Lock down the kernel if booted in secure boot mode
UEFI Secure Boot provides a mechanism for ensuring that the firmware
will only load signed bootloaders and kernels. Certain use cases may
also require that all kernel modules also be signed. Add a
configuration option that to lock down the kernel - which includes
requiring validly signed modules - if the kernel is secure-booted.
Upstream Status: RHEL only
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Jeremy Cline <jcline@redhat.com>
---
arch/x86/kernel/setup.c | 8 ++++++++
security/lockdown/Kconfig | 13 +++++++++++++
2 files changed, 21 insertions(+)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index 28d43754aeb6..19d57bfc12f9 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -18,6 +18,7 @@
#include <linux/sfi.h>
#include <linux/hugetlb.h>
#include <linux/tboot.h>
+#include <linux/security.h>
#include <linux/usb/xhci-dbgp.h>
#include <uapi/linux/mount.h>
@@ -1105,6 +1106,13 @@ void __init setup_arch(char **cmdline_p)
if (efi_enabled(EFI_BOOT))
efi_init();
+ efi_set_secure_boot(boot_params.secure_boot);
+
+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
+ if (efi_enabled(EFI_SECURE_BOOT))
+ security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);
+#endif
+
dmi_setup();
/*
diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
index e84ddf484010..d0501353a4b9 100644
--- a/security/lockdown/Kconfig
+++ b/security/lockdown/Kconfig
@@ -16,6 +16,19 @@ config SECURITY_LOCKDOWN_LSM_EARLY
subsystem is fully initialised. If enabled, lockdown will
unconditionally be called before any other LSMs.
+config LOCK_DOWN_IN_EFI_SECURE_BOOT
+ bool "Lock down the kernel in EFI Secure Boot mode"
+ default n
+ depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY
+ help
+ UEFI Secure Boot provides a mechanism for ensuring that the firmware
+ will only load signed bootloaders and kernels. Secure boot mode may
+ be determined from EFI variables provided by the system firmware if
+ not indicated by the boot parameters.
+
+ Enabling this option results in kernel lockdown being triggered if
+ EFI Secure Boot is set.
+
choice
prompt "Kernel default lockdown mode"
default LOCK_DOWN_KERNEL_FORCE_NONE
--
2.26.2