summaryrefslogtreecommitdiffstats
path: root/debian/patches/features/all/lockdown
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-06 01:02:38 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-06 01:02:38 +0000
commit08b74a000942a380fe028845f92cd3a0dee827d5 (patch)
treeaa78b4e12607c3e1fcce8d5cc42df4330792f118 /debian/patches/features/all/lockdown
parentAdding upstream version 4.19.249. (diff)
downloadlinux-08b74a000942a380fe028845f92cd3a0dee827d5.tar.xz
linux-08b74a000942a380fe028845f92cd3a0dee827d5.zip
Adding debian version 4.19.249-2.debian/4.19.249-2
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--debian/patches/features/all/lockdown/0001-Add-the-ability-to-lock-down-access-to-the-running-k.patch164
-rw-r--r--debian/patches/features/all/lockdown/0003-ima-require-secure_boot-rules-in-lockdown-mode.patch75
-rw-r--r--debian/patches/features/all/lockdown/0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch95
-rw-r--r--debian/patches/features/all/lockdown/0005-Restrict-dev-mem-kmem-port-when-the-kernel-is-locked.patch35
-rw-r--r--debian/patches/features/all/lockdown/0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch42
-rw-r--r--debian/patches/features/all/lockdown/0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch36
-rw-r--r--debian/patches/features/all/lockdown/0008-kexec_file-Restrict-at-runtime-if-the-kernel-is-lock.patch40
-rw-r--r--debian/patches/features/all/lockdown/0009-hibernate-Disable-when-the-kernel-is-locked-down.patch31
-rw-r--r--debian/patches/features/all/lockdown/0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch32
-rw-r--r--debian/patches/features/all/lockdown/0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch104
-rw-r--r--debian/patches/features/all/lockdown/0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch46
-rw-r--r--debian/patches/features/all/lockdown/0013-x86-msr-Restrict-MSR-access-when-the-kernel-is-locke.patch50
-rw-r--r--debian/patches/features/all/lockdown/0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch55
-rw-r--r--debian/patches/features/all/lockdown/0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch32
-rw-r--r--debian/patches/features/all/lockdown/0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch32
-rw-r--r--debian/patches/features/all/lockdown/0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch40
-rw-r--r--debian/patches/features/all/lockdown/0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch43
-rw-r--r--debian/patches/features/all/lockdown/0020-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch29
-rw-r--r--debian/patches/features/all/lockdown/0021-Lock-down-TIOCSSERIAL.patch34
-rw-r--r--debian/patches/features/all/lockdown/0022-Lock-down-module-params-that-specify-hardware-parame.patch80
-rw-r--r--debian/patches/features/all/lockdown/0023-x86-mmiotrace-Lock-down-the-testmmiotrace-module.patch33
-rw-r--r--debian/patches/features/all/lockdown/0024-debugfs-Disallow-use-of-debugfs-files-when-the-kerne.patch53
-rw-r--r--debian/patches/features/all/lockdown/0025-Lock-down-proc-kcore.patch27
-rw-r--r--debian/patches/features/all/lockdown/0026-Lock-down-kprobes.patch29
-rw-r--r--debian/patches/features/all/lockdown/0027-bpf-Restrict-kernel-image-access-functions-when-the-.patch39
-rw-r--r--debian/patches/features/all/lockdown/0028-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch152
-rw-r--r--debian/patches/features/all/lockdown/0029-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch83
-rw-r--r--debian/patches/features/all/lockdown/0032-efi-Restrict-efivar_ssdt_load-when-the-kernel-is-loc.patch36
-rw-r--r--debian/patches/features/all/lockdown/ACPI-configfs-Disallow-loading-ACPI-tables-when-lock.patch44
-rw-r--r--debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch97
-rw-r--r--debian/patches/features/all/lockdown/enable-cold-boot-attack-mitigation.patch50
-rw-r--r--debian/patches/features/all/lockdown/lockdown-refer-to-debian-wiki-until-manual-page-exists.patch34
-rw-r--r--debian/patches/features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch41
33 files changed, 1813 insertions, 0 deletions
diff --git a/debian/patches/features/all/lockdown/0001-Add-the-ability-to-lock-down-access-to-the-running-k.patch b/debian/patches/features/all/lockdown/0001-Add-the-ability-to-lock-down-access-to-the-running-k.patch
new file mode 100644
index 000000000..9a8cd7c82
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0001-Add-the-ability-to-lock-down-access-to-the-running-k.patch
@@ -0,0 +1,164 @@
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 8 Nov 2017 15:11:31 +0000
+Subject: [01/29] Add the ability to lock down access to the running kernel
+ image
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=6d350e2534bfaaaa3e523484b2ca44d22377e951
+
+Provide a single call to allow kernel code to determine whether the system
+should be locked down, thereby disallowing various accesses that might
+allow the running kernel image to be changed including the loading of
+modules that aren't validly signed with a key we recognise, fiddling with
+MSR registers and disallowing hibernation,
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Acked-by: James Morris <james.l.morris@oracle.com>
+---
+ include/linux/kernel.h | 17 ++++++++++++++
+ include/linux/security.h | 8 +++++++
+ security/Kconfig | 8 +++++++
+ security/Makefile | 3 +++
+ security/lock_down.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 96 insertions(+)
+ create mode 100644 security/lock_down.c
+
+Index: linux/include/linux/kernel.h
+===================================================================
+--- linux.orig/include/linux/kernel.h
++++ linux/include/linux/kernel.h
+@@ -341,6 +341,23 @@ static inline void refcount_error_report
+ { }
+ #endif
+
++#ifdef CONFIG_LOCK_DOWN_KERNEL
++extern bool __kernel_is_locked_down(const char *what, bool first);
++#else
++static inline bool __kernel_is_locked_down(const char *what, bool first)
++{
++ return false;
++}
++#endif
++
++#define kernel_is_locked_down(what) \
++ ({ \
++ static bool message_given; \
++ bool locked_down = __kernel_is_locked_down(what, !message_given); \
++ message_given = true; \
++ locked_down; \
++ })
++
+ /* Internal, do not use. */
+ int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res);
+ int __must_check _kstrtol(const char *s, unsigned int base, long *res);
+Index: linux/include/linux/security.h
+===================================================================
+--- linux.orig/include/linux/security.h
++++ linux/include/linux/security.h
+@@ -1843,5 +1843,13 @@ static inline void free_secdata(void *se
+ { }
+ #endif /* CONFIG_SECURITY */
+
++#ifdef CONFIG_LOCK_DOWN_KERNEL
++extern void __init init_lockdown(void);
++#else
++static inline void __init init_lockdown(void)
++{
++}
++#endif
++
+ #endif /* ! __LINUX_SECURITY_H */
+
+Index: linux/security/Kconfig
+===================================================================
+--- linux.orig/security/Kconfig
++++ linux/security/Kconfig
+@@ -239,6 +239,14 @@ config STATIC_USERMODEHELPER_PATH
+ If you wish for all usermode helper programs to be disabled,
+ specify an empty string here (i.e. "").
+
++config LOCK_DOWN_KERNEL
++ bool "Allow the kernel to be 'locked down'"
++ help
++ Allow the kernel to be locked down under certain circumstances, for
++ instance if UEFI secure boot is enabled. Locking down the kernel
++ turns off various features that might otherwise allow access to the
++ kernel image (eg. setting MSR registers).
++
+ source security/selinux/Kconfig
+ source security/smack/Kconfig
+ source security/tomoyo/Kconfig
+Index: linux/security/Makefile
+===================================================================
+--- linux.orig/security/Makefile
++++ linux/security/Makefile
+@@ -30,3 +30,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
+ # Object integrity file lists
+ subdir-$(CONFIG_INTEGRITY) += integrity
+ obj-$(CONFIG_INTEGRITY) += integrity/
++
++# Allow the kernel to be locked down
++obj-$(CONFIG_LOCK_DOWN_KERNEL) += lock_down.o
+Index: linux/security/lock_down.c
+===================================================================
+--- /dev/null
++++ linux/security/lock_down.c
+@@ -0,0 +1,60 @@
++/* Lock down the kernel
++ *
++ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
++ * Written by David Howells (dhowells@redhat.com)
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public Licence
++ * as published by the Free Software Foundation; either version
++ * 2 of the Licence, or (at your option) any later version.
++ */
++
++#include <linux/security.h>
++#include <linux/export.h>
++
++static __ro_after_init bool kernel_locked_down;
++
++/*
++ * Put the kernel into lock-down mode.
++ */
++static void __init lock_kernel_down(const char *where)
++{
++ if (!kernel_locked_down) {
++ kernel_locked_down = true;
++ pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n",
++ where);
++ }
++}
++
++static int __init lockdown_param(char *ignored)
++{
++ lock_kernel_down("command line");
++ return 0;
++}
++
++early_param("lockdown", lockdown_param);
++
++/*
++ * Lock the kernel down from very early in the arch setup. This must happen
++ * prior to things like ACPI being initialised.
++ */
++void __init init_lockdown(void)
++{
++#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
++ if (efi_enabled(EFI_SECURE_BOOT))
++ lock_kernel_down("EFI secure boot");
++#endif
++}
++
++/**
++ * kernel_is_locked_down - Find out if the kernel is locked down
++ * @what: Tag to use in notice generated if lockdown is in effect
++ */
++bool __kernel_is_locked_down(const char *what, bool first)
++{
++ if (what && first && kernel_locked_down)
++ pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n",
++ what);
++ return kernel_locked_down;
++}
++EXPORT_SYMBOL(__kernel_is_locked_down);
diff --git a/debian/patches/features/all/lockdown/0003-ima-require-secure_boot-rules-in-lockdown-mode.patch b/debian/patches/features/all/lockdown/0003-ima-require-secure_boot-rules-in-lockdown-mode.patch
new file mode 100644
index 000000000..0ab99ba64
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0003-ima-require-secure_boot-rules-in-lockdown-mode.patch
@@ -0,0 +1,75 @@
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Date: Wed, 8 Nov 2017 15:11:32 +0000
+Subject: [03/29] ima: require secure_boot rules in lockdown mode
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=29c55d71a8185208c7962843a29c9a84ae27b2b0
+
+Require the "secure_boot" rules, whether or not it is specified
+on the boot command line, for both the builtin and custom policies
+in secure boot lockdown mode.
+
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+[bwh: Adjust context to apply after commits 6f0911a666d1
+ "ima: fix updating the ima_appraise flag" and ef96837b0de4
+ "ima: add build time policy"]
+---
+ security/integrity/ima/ima_policy.c | 39 +++++++++++++++++++++++++++----------
+ 1 file changed, 29 insertions(+), 10 deletions(-)
+
+Index: linux/security/integrity/ima/ima_policy.c
+===================================================================
+--- linux.orig/security/integrity/ima/ima_policy.c
++++ linux/security/integrity/ima/ima_policy.c
+@@ -481,14 +481,21 @@ static int ima_appraise_flag(enum ima_ho
+ */
+ void __init ima_init_policy(void)
+ {
+- int i, measure_entries, appraise_entries, secure_boot_entries;
++ int i;
++ int measure_entries = 0;
++ int appraise_entries = 0;
++ int secure_boot_entries = 0;
++ bool kernel_locked_down = __kernel_is_locked_down(NULL, false);
+
+ /* if !ima_policy set entries = 0 so we load NO default rules */
+- measure_entries = ima_policy ? ARRAY_SIZE(dont_measure_rules) : 0;
+- appraise_entries = ima_use_appraise_tcb ?
+- ARRAY_SIZE(default_appraise_rules) : 0;
+- secure_boot_entries = ima_use_secure_boot ?
+- ARRAY_SIZE(secure_boot_rules) : 0;
++ if (ima_policy)
++ measure_entries = ARRAY_SIZE(dont_measure_rules);
++
++ if (ima_use_appraise_tcb)
++ appraise_entries = ARRAY_SIZE(default_appraise_rules);
++
++ if (ima_use_secure_boot || kernel_locked_down)
++ secure_boot_entries = ARRAY_SIZE(secure_boot_rules);
+
+ for (i = 0; i < measure_entries; i++)
+ list_add_tail(&dont_measure_rules[i].list, &ima_default_rules);
+@@ -510,11 +517,24 @@ void __init ima_init_policy(void)
+ /*
+ * Insert the builtin "secure_boot" policy rules requiring file
+ * signatures, prior to any other appraise rules.
++ * In secure boot lock-down mode, also require these appraise
++ * rules for custom policies.
+ */
+ for (i = 0; i < secure_boot_entries; i++) {
++ struct ima_rule_entry *entry;
++
++ /* Include for builtin policies */
+ list_add_tail(&secure_boot_rules[i].list, &ima_default_rules);
+ temp_ima_appraise |=
+ ima_appraise_flag(secure_boot_rules[i].func);
++
++ /* Include for custom policies */
++ if (kernel_locked_down) {
++ entry = kmemdup(&secure_boot_rules[i], sizeof(*entry),
++ GFP_KERNEL);
++ if (entry)
++ list_add_tail(&entry->list, &ima_policy_rules);
++ }
+ }
+
+ /*
diff --git a/debian/patches/features/all/lockdown/0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch b/debian/patches/features/all/lockdown/0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch
new file mode 100644
index 000000000..0ab5e258c
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch
@@ -0,0 +1,95 @@
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 8 Nov 2017 15:11:32 +0000
+Subject: [04/29] Enforce module signatures if the kernel is locked down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=1616ef1deccf5fdb525643a6b3efae34946a148d
+
+If the kernel is locked down, require that all modules have valid
+signatures that we can verify or that IMA can validate the file.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
+Reviewed-by: James Morris <james.l.morris@oracle.com>
+[bwh: Adjust context to apply after commits 2c8fd268f418
+ "module: Do not access sig_enforce directly" and 5fdc7db6448a
+ "module: setup load info before module_sig_check()"]
+---
+ kernel/module.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+Index: linux/kernel/module.c
+===================================================================
+--- linux.orig/kernel/module.c
++++ linux/kernel/module.c
+@@ -64,6 +64,7 @@
+ #include <linux/bsearch.h>
+ #include <linux/dynamic_debug.h>
+ #include <linux/audit.h>
++#include <linux/ima.h>
+ #include <uapi/linux/module.h>
+ #include "module-internal.h"
+
+@@ -2784,7 +2785,8 @@ static inline void kmemleak_load_module(
+ #endif
+
+ #ifdef CONFIG_MODULE_SIG
+-static int module_sig_check(struct load_info *info, int flags)
++static int module_sig_check(struct load_info *info, int flags,
++ bool can_do_ima_check)
+ {
+ int err = -ENOKEY;
+ const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
+@@ -2808,13 +2810,16 @@ static int module_sig_check(struct load_
+ }
+
+ /* Not having a signature is only an error if we're strict. */
+- if (err == -ENOKEY && !is_module_sig_enforced())
++ if (err == -ENOKEY && !is_module_sig_enforced() &&
++ (!can_do_ima_check || !is_ima_appraise_enabled()) &&
++ !kernel_is_locked_down("Loading of unsigned modules"))
+ err = 0;
+
+ return err;
+ }
+ #else /* !CONFIG_MODULE_SIG */
+-static int module_sig_check(struct load_info *info, int flags)
++static int module_sig_check(struct load_info *info, int flags,
++ bool can_do_ima_check)
+ {
+ return 0;
+ }
+@@ -3662,7 +3667,7 @@ static int unknown_module_param_cb(char
+ /* Allocate and load the module: note that size of section 0 is always
+ zero, and we rely on this for optional sections. */
+ static int load_module(struct load_info *info, const char __user *uargs,
+- int flags)
++ int flags, bool can_do_ima_check)
+ {
+ struct module *mod;
+ long err = 0;
+@@ -3681,7 +3686,7 @@ static int load_module(struct load_info
+ goto free_copy;
+ }
+
+- err = module_sig_check(info, flags);
++ err = module_sig_check(info, flags, can_do_ima_check);
+ if (err)
+ goto free_copy;
+
+@@ -3876,7 +3881,7 @@ SYSCALL_DEFINE3(init_module, void __user
+ if (err)
+ return err;
+
+- return load_module(&info, uargs, 0);
++ return load_module(&info, uargs, 0, false);
+ }
+
+ SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags)
+@@ -3903,7 +3908,7 @@ SYSCALL_DEFINE3(finit_module, int, fd, c
+ info.hdr = hdr;
+ info.len = size;
+
+- return load_module(&info, uargs, flags);
++ return load_module(&info, uargs, flags, true);
+ }
+
+ static inline int within(unsigned long addr, void *start, unsigned long size)
diff --git a/debian/patches/features/all/lockdown/0005-Restrict-dev-mem-kmem-port-when-the-kernel-is-locked.patch b/debian/patches/features/all/lockdown/0005-Restrict-dev-mem-kmem-port-when-the-kernel-is-locked.patch
new file mode 100644
index 000000000..625f8f763
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0005-Restrict-dev-mem-kmem-port-when-the-kernel-is-locked.patch
@@ -0,0 +1,35 @@
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Wed, 8 Nov 2017 15:11:32 +0000
+Subject: [05/29] Restrict /dev/{mem,kmem,port} when the kernel is locked down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=8214bb0d847928bf08a7d8475f84c06541c5a352
+
+Allowing users to read and write to core kernel memory makes it possible
+for the kernel to be subverted, avoiding module loading restrictions, and
+also to steal cryptographic information.
+
+Disallow /dev/mem and /dev/kmem from being opened this when the kernel has
+been locked down to prevent this.
+
+Also disallow /dev/port from being opened to prevent raw ioport access and
+thus DMA from being used to accomplish the same thing.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
+---
+ drivers/char/mem.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+Index: linux/drivers/char/mem.c
+===================================================================
+--- linux.orig/drivers/char/mem.c
++++ linux/drivers/char/mem.c
+@@ -807,6 +807,8 @@ static loff_t memory_lseek(struct file *
+
+ static int open_port(struct inode *inode, struct file *filp)
+ {
++ if (kernel_is_locked_down("/dev/mem,kmem,port"))
++ return -EPERM;
+ return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
+ }
+
diff --git a/debian/patches/features/all/lockdown/0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch b/debian/patches/features/all/lockdown/0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch
new file mode 100644
index 000000000..522387d9a
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch
@@ -0,0 +1,42 @@
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Wed, 8 Nov 2017 15:11:32 +0000
+Subject: [06/29] kexec: Disable at runtime if the kernel is locked down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=6081db9ba435b757a3a3473d0cd50ee2252ccaeb
+
+kexec permits the loading and execution of arbitrary code in ring 0, which
+is something that lock-down is meant to prevent. It makes sense to disable
+kexec in this situation.
+
+This does not affect kexec_file_load() which can check for a signature on the
+image to be booted.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Acked-by: Dave Young <dyoung@redhat.com>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
+Reviewed-by: James Morris <james.l.morris@oracle.com>
+cc: kexec@lists.infradead.org
+[bwh: Adjust context to apply after commit a210fd32a46b
+ "kexec: add call to LSM hook in original kexec_load syscall"]
+---
+ kernel/kexec.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+Index: linux/kernel/kexec.c
+===================================================================
+--- linux.orig/kernel/kexec.c
++++ linux/kernel/kexec.c
+@@ -208,6 +208,13 @@ static inline int kexec_load_check(unsig
+ return result;
+
+ /*
++ * kexec can be used to circumvent module loading restrictions, so
++ * prevent loading in that case
++ */
++ if (kernel_is_locked_down("kexec of unsigned images"))
++ return -EPERM;
++
++ /*
+ * Verify we have a legal set of flags
+ * This leaves us room for future extensions.
+ */
diff --git a/debian/patches/features/all/lockdown/0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch b/debian/patches/features/all/lockdown/0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch
new file mode 100644
index 000000000..2024c04a6
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch
@@ -0,0 +1,36 @@
+From: Dave Young <dyoung@redhat.com>
+Date: Wed, 8 Nov 2017 15:11:32 +0000
+Subject: [07/29] Copy secure_boot flag in boot params across kexec reboot
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=a6b7f780bdaa731f3e2970d65dcd52fe9ba2409d
+
+Kexec reboot in case secure boot being enabled does not keep the secure
+boot mode in new kernel, so later one can load unsigned kernel via legacy
+kexec_load. In this state, the system is missing the protections provided
+by secure boot.
+
+Adding a patch to fix this by retain the secure_boot flag in original
+kernel.
+
+secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the
+stub. Fixing this issue by copying secure_boot flag across kexec reboot.
+
+Signed-off-by: Dave Young <dyoung@redhat.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
+cc: kexec@lists.infradead.org
+---
+ arch/x86/kernel/kexec-bzimage64.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: linux/arch/x86/kernel/kexec-bzimage64.c
+===================================================================
+--- linux.orig/arch/x86/kernel/kexec-bzimage64.c
++++ linux/arch/x86/kernel/kexec-bzimage64.c
+@@ -182,6 +182,7 @@ setup_efi_state(struct boot_params *para
+ if (efi_enabled(EFI_OLD_MEMMAP))
+ return 0;
+
++ params->secure_boot = boot_params.secure_boot;
+ ei->efi_loader_signature = current_ei->efi_loader_signature;
+ ei->efi_systab = current_ei->efi_systab;
+ ei->efi_systab_hi = current_ei->efi_systab_hi;
diff --git a/debian/patches/features/all/lockdown/0008-kexec_file-Restrict-at-runtime-if-the-kernel-is-lock.patch b/debian/patches/features/all/lockdown/0008-kexec_file-Restrict-at-runtime-if-the-kernel-is-lock.patch
new file mode 100644
index 000000000..056936427
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0008-kexec_file-Restrict-at-runtime-if-the-kernel-is-lock.patch
@@ -0,0 +1,40 @@
+From: Chun-Yi Lee <joeyli.kernel@gmail.com>
+Date: Wed, 8 Nov 2017 15:11:33 +0000
+Subject: [08/29] kexec_file: Restrict at runtime if the kernel is locked down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=eed4aca0409692d7d24bc64f5c98d346cd0506c4
+
+When KEXEC_VERIFY_SIG is not enabled, kernel should not load images through
+kexec_file systemcall if the kernel is locked down unless IMA can be used
+to validate the image.
+
+This code was showed in Matthew's patch but not in git:
+https://lkml.org/lkml/2015/3/13/778
+
+Cc: Matthew Garrett <mjg59@srcf.ucam.org>
+Signed-off-by: Chun-Yi Lee <jlee@suse.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: James Morris <james.l.morris@oracle.com>
+cc: kexec@lists.infradead.org
+---
+ kernel/kexec_file.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+Index: linux/kernel/kexec_file.c
+===================================================================
+--- linux.orig/kernel/kexec_file.c
++++ linux/kernel/kexec_file.c
+@@ -328,6 +328,14 @@ SYSCALL_DEFINE5(kexec_file_load, int, ke
+ if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
+ return -EPERM;
+
++ /* Don't permit images to be loaded into trusted kernels if we're not
++ * going to verify the signature on them
++ */
++ if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) &&
++ !is_ima_appraise_enabled() &&
++ kernel_is_locked_down("kexec of unsigned images"))
++ return -EPERM;
++
+ /* Make sure we have a legal set of flags */
+ if (flags != (flags & KEXEC_FILE_FLAGS))
+ return -EINVAL;
diff --git a/debian/patches/features/all/lockdown/0009-hibernate-Disable-when-the-kernel-is-locked-down.patch b/debian/patches/features/all/lockdown/0009-hibernate-Disable-when-the-kernel-is-locked-down.patch
new file mode 100644
index 000000000..56060f80a
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0009-hibernate-Disable-when-the-kernel-is-locked-down.patch
@@ -0,0 +1,31 @@
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Wed, 8 Nov 2017 15:11:33 +0000
+Subject: [09/29] hibernate: Disable when the kernel is locked down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=480ddca2a40c2efd1c01cfa20d8f6c1377ddafe3
+
+There is currently no way to verify the resume image when returning
+from hibernate. This might compromise the signed modules trust model,
+so until we can work with signed hibernate images we disable it when the
+kernel is locked down.
+
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
+cc: linux-pm@vger.kernel.org
+---
+ kernel/power/hibernate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: linux/kernel/power/hibernate.c
+===================================================================
+--- linux.orig/kernel/power/hibernate.c
++++ linux/kernel/power/hibernate.c
+@@ -70,7 +70,7 @@ static const struct platform_hibernation
+
+ bool hibernation_available(void)
+ {
+- return (nohibernate == 0);
++ return nohibernate == 0 && !kernel_is_locked_down("Hibernation");
+ }
+
+ /**
diff --git a/debian/patches/features/all/lockdown/0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch b/debian/patches/features/all/lockdown/0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch
new file mode 100644
index 000000000..79b5f3461
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch
@@ -0,0 +1,32 @@
+From: Matthew Garrett <mjg59@srcf.ucam.org>
+Date: Wed, 8 Nov 2017 15:11:33 +0000
+Subject: [10/29] uswsusp: Disable when the kernel is locked down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=706def46d58e9c69e91db506305485731f615e44
+
+uswsusp allows a user process to dump and then restore kernel state, which
+makes it possible to modify the running kernel. Disable this if the kernel
+is locked down.
+
+Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
+Reviewed-by: James Morris <james.l.morris@oracle.com>
+cc: linux-pm@vger.kernel.org
+---
+ kernel/power/user.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: linux/kernel/power/user.c
+===================================================================
+--- linux.orig/kernel/power/user.c
++++ linux/kernel/power/user.c
+@@ -52,6 +52,9 @@ static int snapshot_open(struct inode *i
+ if (!hibernation_available())
+ return -EPERM;
+
++ if (kernel_is_locked_down("/dev/snapshot"))
++ return -EPERM;
++
+ lock_system_sleep();
+
+ if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
diff --git a/debian/patches/features/all/lockdown/0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch b/debian/patches/features/all/lockdown/0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch
new file mode 100644
index 000000000..1f9186ab3
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch
@@ -0,0 +1,104 @@
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Wed, 8 Nov 2017 15:11:33 +0000
+Subject: [11/29] PCI: Lock down BAR access when the kernel is locked down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=d107d11fd7ac982a34b1233722cb3e72f9fe5a20
+
+Any hardware that can potentially generate DMA has to be locked down in
+order to avoid it being possible for an attacker to modify kernel code,
+allowing them to circumvent disabled module loading or module signing.
+Default to paranoid - in future we can potentially relax this for
+sufficiently IOMMU-isolated devices.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Acked-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
+cc: linux-pci@vger.kernel.org
+---
+ drivers/pci/pci-sysfs.c | 9 +++++++++
+ drivers/pci/proc.c | 9 ++++++++-
+ drivers/pci/syscall.c | 3 ++-
+ 3 files changed, 19 insertions(+), 2 deletions(-)
+
+Index: linux/drivers/pci/pci-sysfs.c
+===================================================================
+--- linux.orig/drivers/pci/pci-sysfs.c
++++ linux/drivers/pci/pci-sysfs.c
+@@ -905,6 +905,9 @@ static ssize_t pci_write_config(struct f
+ loff_t init_off = off;
+ u8 *data = (u8 *) buf;
+
++ if (kernel_is_locked_down("Direct PCI access"))
++ return -EPERM;
++
+ if (off > dev->cfg_size)
+ return 0;
+ if (off + count > dev->cfg_size) {
+@@ -1167,6 +1170,9 @@ static int pci_mmap_resource(struct kobj
+ enum pci_mmap_state mmap_type;
+ struct resource *res = &pdev->resource[bar];
+
++ if (kernel_is_locked_down("Direct PCI access"))
++ return -EPERM;
++
+ if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start))
+ return -EINVAL;
+
+@@ -1242,6 +1248,9 @@ static ssize_t pci_write_resource_io(str
+ struct bin_attribute *attr, char *buf,
+ loff_t off, size_t count)
+ {
++ if (kernel_is_locked_down("Direct PCI access"))
++ return -EPERM;
++
+ return pci_resource_io(filp, kobj, attr, buf, off, count, true);
+ }
+
+Index: linux/drivers/pci/proc.c
+===================================================================
+--- linux.orig/drivers/pci/proc.c
++++ linux/drivers/pci/proc.c
+@@ -117,6 +117,9 @@ static ssize_t proc_bus_pci_write(struct
+ int size = dev->cfg_size;
+ int cnt;
+
++ if (kernel_is_locked_down("Direct PCI access"))
++ return -EPERM;
++
+ if (pos >= size)
+ return 0;
+ if (nbytes >= size)
+@@ -196,6 +199,9 @@ static long proc_bus_pci_ioctl(struct fi
+ #endif /* HAVE_PCI_MMAP */
+ int ret = 0;
+
++ if (kernel_is_locked_down("Direct PCI access"))
++ return -EPERM;
++
+ switch (cmd) {
+ case PCIIOC_CONTROLLER:
+ ret = pci_domain_nr(dev->bus);
+@@ -237,7 +243,8 @@ static int proc_bus_pci_mmap(struct file
+ struct pci_filp_private *fpriv = file->private_data;
+ int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM;
+
+- if (!capable(CAP_SYS_RAWIO))
++ if (!capable(CAP_SYS_RAWIO) ||
++ kernel_is_locked_down("Direct PCI access"))
+ return -EPERM;
+
+ if (fpriv->mmap_state == pci_mmap_io) {
+Index: linux/drivers/pci/syscall.c
+===================================================================
+--- linux.orig/drivers/pci/syscall.c
++++ linux/drivers/pci/syscall.c
+@@ -90,7 +90,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigne
+ u32 dword;
+ int err = 0;
+
+- if (!capable(CAP_SYS_ADMIN))
++ if (!capable(CAP_SYS_ADMIN) ||
++ kernel_is_locked_down("Direct PCI access"))
+ return -EPERM;
+
+ dev = pci_get_domain_bus_and_slot(0, bus, dfn);
diff --git a/debian/patches/features/all/lockdown/0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch b/debian/patches/features/all/lockdown/0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch
new file mode 100644
index 000000000..3a9d69dcb
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch
@@ -0,0 +1,46 @@
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Wed, 8 Nov 2017 15:11:34 +0000
+Subject: [12/29] x86: Lock down IO port access when the kernel is locked down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=00ebba940247d4c37c06da4aedecf6b80db213cf
+
+IO port access would permit users to gain access to PCI configuration
+registers, which in turn (on a lot of hardware) give access to MMIO
+register space. This would potentially permit root to trigger arbitrary
+DMA, so lock it down by default.
+
+This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and
+KDDISABIO console ioctls.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
+cc: x86@kernel.org
+---
+ arch/x86/kernel/ioport.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+Index: linux/arch/x86/kernel/ioport.c
+===================================================================
+--- linux.orig/arch/x86/kernel/ioport.c
++++ linux/arch/x86/kernel/ioport.c
+@@ -31,7 +31,8 @@ long ksys_ioperm(unsigned long from, uns
+
+ if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
+ return -EINVAL;
+- if (turn_on && !capable(CAP_SYS_RAWIO))
++ if (turn_on && (!capable(CAP_SYS_RAWIO) ||
++ kernel_is_locked_down("ioperm")))
+ return -EPERM;
+
+ /*
+@@ -126,7 +127,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, leve
+ return -EINVAL;
+ /* Trying to gain more privileges? */
+ if (level > old) {
+- if (!capable(CAP_SYS_RAWIO))
++ if (!capable(CAP_SYS_RAWIO) ||
++ kernel_is_locked_down("iopl"))
+ return -EPERM;
+ }
+ regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
diff --git a/debian/patches/features/all/lockdown/0013-x86-msr-Restrict-MSR-access-when-the-kernel-is-locke.patch b/debian/patches/features/all/lockdown/0013-x86-msr-Restrict-MSR-access-when-the-kernel-is-locke.patch
new file mode 100644
index 000000000..1a7a4d879
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0013-x86-msr-Restrict-MSR-access-when-the-kernel-is-locke.patch
@@ -0,0 +1,50 @@
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Wed, 8 Nov 2017 15:11:34 +0000
+Subject: [13/29] x86/msr: Restrict MSR access when the kernel is locked down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=696dcddb285558b4febf318fe620a344d2b2fa47
+
+Writing to MSRs should not be allowed if the kernel is locked down, since
+it could lead to execution of arbitrary code in kernel mode. Based on a
+patch by Kees Cook.
+
+MSR accesses are logged for the purposes of building up a whitelist as per
+Alan Cox's suggestion.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
+cc: x86@kernel.org
+---
+ arch/x86/kernel/msr.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+Index: linux/arch/x86/kernel/msr.c
+===================================================================
+--- linux.orig/arch/x86/kernel/msr.c
++++ linux/arch/x86/kernel/msr.c
+@@ -84,6 +84,11 @@ static ssize_t msr_write(struct file *fi
+ int err = 0;
+ ssize_t bytes = 0;
+
++ if (kernel_is_locked_down("Direct MSR access")) {
++ pr_info("Direct access to MSR %x\n", reg);
++ return -EPERM;
++ }
++
+ if (count % 8)
+ return -EINVAL; /* Invalid chunk size */
+
+@@ -135,6 +140,11 @@ static long msr_ioctl(struct file *file,
+ err = -EFAULT;
+ break;
+ }
++ if (kernel_is_locked_down("Direct MSR access")) {
++ pr_info("Direct access to MSR %x\n", regs[1]); /* Display %ecx */
++ err = -EPERM;
++ break;
++ }
+ err = wrmsr_safe_regs_on_cpu(cpu, regs);
+ if (err)
+ break;
diff --git a/debian/patches/features/all/lockdown/0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch b/debian/patches/features/all/lockdown/0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch
new file mode 100644
index 000000000..295b46e88
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch
@@ -0,0 +1,55 @@
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Wed, 8 Nov 2017 15:11:34 +0000
+Subject: [14/29] asus-wmi: Restrict debugfs interface when the kernel is
+ locked down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=2e6d31b3176ee27d216bb92a3b108f6b19d4719a
+
+We have no way of validating what all of the Asus WMI methods do on a given
+machine - and there's a risk that some will allow hardware state to be
+manipulated in such a way that arbitrary code can be executed in the
+kernel, circumventing module loading restrictions. Prevent that if the
+kernel is locked down.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
+cc: acpi4asus-user@lists.sourceforge.net
+cc: platform-driver-x86@vger.kernel.org
+---
+ drivers/platform/x86/asus-wmi.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+Index: linux/drivers/platform/x86/asus-wmi.c
+===================================================================
+--- linux.orig/drivers/platform/x86/asus-wmi.c
++++ linux/drivers/platform/x86/asus-wmi.c
+@@ -2002,6 +2002,9 @@ static int show_dsts(struct seq_file *m,
+ int err;
+ u32 retval = -1;
+
++ if (kernel_is_locked_down("Asus WMI"))
++ return -EPERM;
++
+ err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
+
+ if (err < 0)
+@@ -2018,6 +2021,9 @@ static int show_devs(struct seq_file *m,
+ int err;
+ u32 retval = -1;
+
++ if (kernel_is_locked_down("Asus WMI"))
++ return -EPERM;
++
+ err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
+ &retval);
+
+@@ -2042,6 +2048,9 @@ static int show_call(struct seq_file *m,
+ union acpi_object *obj;
+ acpi_status status;
+
++ if (kernel_is_locked_down("Asus WMI"))
++ return -EPERM;
++
+ status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
+ 0, asus->debug.method_id,
+ &input, &output);
diff --git a/debian/patches/features/all/lockdown/0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch b/debian/patches/features/all/lockdown/0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch
new file mode 100644
index 000000000..17778da72
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch
@@ -0,0 +1,32 @@
+From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Wed, 8 Nov 2017 15:11:34 +0000
+Subject: [15/29] ACPI: Limit access to custom_method when the kernel is locked
+ down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=5ff99c830aacf02f25816a0da427216fb63ba16d
+
+custom_method effectively allows arbitrary access to system memory, making
+it possible for an attacker to circumvent restrictions on module loading.
+Disable it if the kernel is locked down.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
+cc: linux-acpi@vger.kernel.org
+---
+ drivers/acpi/custom_method.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: linux/drivers/acpi/custom_method.c
+===================================================================
+--- linux.orig/drivers/acpi/custom_method.c
++++ linux/drivers/acpi/custom_method.c
+@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *fil
+ struct acpi_table_header table;
+ acpi_status status;
+
++ if (kernel_is_locked_down("ACPI custom methods"))
++ return -EPERM;
++
+ if (!(*ppos)) {
+ /* parse the table header to get the table length */
+ if (count <= sizeof(struct acpi_table_header))
diff --git a/debian/patches/features/all/lockdown/0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch b/debian/patches/features/all/lockdown/0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch
new file mode 100644
index 000000000..f8ee397c8
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch
@@ -0,0 +1,32 @@
+From: Josh Boyer <jwboyer@redhat.com>
+Date: Wed, 8 Nov 2017 15:11:34 +0000
+Subject: [16/29] acpi: Ignore acpi_rsdp kernel param when the kernel has been
+ locked down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=67890a0361626ec3e035264656896c77670c414b
+
+This option allows userspace to pass the RSDP address to the kernel, which
+makes it possible for a user to modify the workings of hardware . Reject
+the option when the kernel is locked down.
+
+Signed-off-by: Josh Boyer <jwboyer@redhat.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
+cc: Dave Young <dyoung@redhat.com>
+cc: linux-acpi@vger.kernel.org
+---
+ drivers/acpi/osl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: linux/drivers/acpi/osl.c
+===================================================================
+--- linux.orig/drivers/acpi/osl.c
++++ linux/drivers/acpi/osl.c
+@@ -194,7 +194,7 @@ acpi_physical_address __init acpi_os_get
+ acpi_physical_address pa;
+
+ #ifdef CONFIG_KEXEC
+- if (acpi_rsdp)
++ if (acpi_rsdp && !kernel_is_locked_down("ACPI RSDP specification"))
+ return acpi_rsdp;
+ #endif
+ pa = acpi_arch_get_root_pointer();
diff --git a/debian/patches/features/all/lockdown/0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch b/debian/patches/features/all/lockdown/0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch
new file mode 100644
index 000000000..fd12eedb2
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch
@@ -0,0 +1,40 @@
+From: Linn Crosetto <linn@hpe.com>
+Date: Wed, 8 Nov 2017 15:11:34 +0000
+Subject: [17/29] acpi: Disable ACPI table override if the kernel is locked
+ down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=5976d26de05569951641ebeb95f7240993b66063
+
+From the kernel documentation (initrd_table_override.txt):
+
+ If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
+ to override nearly any ACPI table provided by the BIOS with an
+ instrumented, modified one.
+
+When securelevel is set, the kernel should disallow any unauthenticated
+changes to kernel space. ACPI tables contain code invoked by the kernel,
+so do not allow ACPI tables to be overridden if the kernel is locked down.
+
+Signed-off-by: Linn Crosetto <linn@hpe.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
+cc: linux-acpi@vger.kernel.org
+---
+ drivers/acpi/tables.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+Index: linux/drivers/acpi/tables.c
+===================================================================
+--- linux.orig/drivers/acpi/tables.c
++++ linux/drivers/acpi/tables.c
+@@ -532,6 +532,11 @@ void __init acpi_table_upgrade(void)
+ if (table_nr == 0)
+ return;
+
++ if (kernel_is_locked_down("ACPI table override")) {
++ pr_notice("kernel is locked down, ignoring table override\n");
++ return;
++ }
++
+ acpi_tables_addr =
+ memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
+ all_tables_size, PAGE_SIZE);
diff --git a/debian/patches/features/all/lockdown/0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch b/debian/patches/features/all/lockdown/0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch
new file mode 100644
index 000000000..396a506ac
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch
@@ -0,0 +1,43 @@
+From: Linn Crosetto <linn@hpe.com>
+Date: Wed, 8 Nov 2017 15:11:35 +0000
+Subject: [18/29] acpi: Disable APEI error injection if the kernel is locked
+ down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=a9c239382bce17b9108f941130392151d5fff262
+
+ACPI provides an error injection mechanism, EINJ, for debugging and testing
+the ACPI Platform Error Interface (APEI) and other RAS features. If
+supported by the firmware, ACPI specification 5.0 and later provide for a
+way to specify a physical memory address to which to inject the error.
+
+Injecting errors through EINJ can produce errors which to the platform are
+indistinguishable from real hardware errors. This can have undesirable
+side-effects, such as causing the platform to mark hardware as needing
+replacement.
+
+While it does not provide a method to load unauthenticated privileged code,
+the effect of these errors may persist across reboots and affect trust in
+the underlying hardware, so disable error injection through EINJ if
+the kernel is locked down.
+
+Signed-off-by: Linn Crosetto <linn@hpe.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
+cc: linux-acpi@vger.kernel.org
+---
+ drivers/acpi/apei/einj.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: linux/drivers/acpi/apei/einj.c
+===================================================================
+--- linux.orig/drivers/acpi/apei/einj.c
++++ linux/drivers/acpi/apei/einj.c
+@@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u
+ int rc;
+ u64 base_addr, size;
+
++ if (kernel_is_locked_down("ACPI error injection"))
++ return -EPERM;
++
+ /* If user manually set "flags", make sure it is legal */
+ if (flags && (flags &
+ ~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF)))
diff --git a/debian/patches/features/all/lockdown/0020-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch b/debian/patches/features/all/lockdown/0020-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch
new file mode 100644
index 000000000..2ed56ad5b
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0020-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch
@@ -0,0 +1,29 @@
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 8 Nov 2017 15:11:35 +0000
+Subject: [20/29] Prohibit PCMCIA CIS storage when the kernel is locked down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=18b2dfc74efeafbdbb8f5d4d28da6334b7e1f1ac
+
+Prohibit replacement of the PCMCIA Card Information Structure when the
+kernel is locked down.
+
+Suggested-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: linux-pcmcia@lists.infradead.org
+---
+ drivers/pcmcia/cistpl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: linux/drivers/pcmcia/cistpl.c
+===================================================================
+--- linux.orig/drivers/pcmcia/cistpl.c
++++ linux/drivers/pcmcia/cistpl.c
+@@ -1578,6 +1578,9 @@ static ssize_t pccard_store_cis(struct f
+ struct pcmcia_socket *s;
+ int error;
+
++ if (kernel_is_locked_down("Direct PCMCIA CIS storage"))
++ return -EPERM;
++
+ s = to_socket(container_of(kobj, struct device, kobj));
+
+ if (off)
diff --git a/debian/patches/features/all/lockdown/0021-Lock-down-TIOCSSERIAL.patch b/debian/patches/features/all/lockdown/0021-Lock-down-TIOCSSERIAL.patch
new file mode 100644
index 000000000..d906326a9
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0021-Lock-down-TIOCSSERIAL.patch
@@ -0,0 +1,34 @@
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 8 Nov 2017 15:11:35 +0000
+Subject: [21/29] Lock down TIOCSSERIAL
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=f5fdeda0622ca040961521819794193777a03e8a
+
+Lock down TIOCSSERIAL as that can be used to change the ioport and irq
+settings on a serial port. This only appears to be an issue for the serial
+drivers that use the core serial code. All other drivers seem to either
+ignore attempts to change port/irq or give an error.
+
+Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Jiri Slaby <jslaby@suse.com>
+---
+ drivers/tty/serial/serial_core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+Index: linux/drivers/tty/serial/serial_core.c
+===================================================================
+--- linux.orig/drivers/tty/serial/serial_core.c
++++ linux/drivers/tty/serial/serial_core.c
+@@ -850,6 +850,12 @@ static int uart_set_info(struct tty_stru
+ new_flags = (__force upf_t)new_info->flags;
+ old_custom_divisor = uport->custom_divisor;
+
++ if ((change_port || change_irq) &&
++ kernel_is_locked_down("Using TIOCSSERIAL to change device addresses, irqs and dma channels")) {
++ retval = -EPERM;
++ goto exit;
++ }
++
+ if (!capable(CAP_SYS_ADMIN)) {
+ retval = -EPERM;
+ if (change_irq || change_port ||
diff --git a/debian/patches/features/all/lockdown/0022-Lock-down-module-params-that-specify-hardware-parame.patch b/debian/patches/features/all/lockdown/0022-Lock-down-module-params-that-specify-hardware-parame.patch
new file mode 100644
index 000000000..3582e3106
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0022-Lock-down-module-params-that-specify-hardware-parame.patch
@@ -0,0 +1,80 @@
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 8 Nov 2017 15:11:36 +0000
+Subject: [22/29] Lock down module params that specify hardware parameters (eg.
+ ioport)
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=d20a28efda02a7ce70b943c15246ea2f07e780f4
+
+Provided an annotation for module parameters that specify hardware
+parameters (such as io ports, iomem addresses, irqs, dma channels, fixed
+dma buffers and other types).
+
+Suggested-by: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ kernel/params.c | 26 +++++++++++++++++++++-----
+ 1 file changed, 21 insertions(+), 5 deletions(-)
+
+Index: linux/kernel/params.c
+===================================================================
+--- linux.orig/kernel/params.c
++++ linux/kernel/params.c
+@@ -108,13 +108,19 @@ bool parameq(const char *a, const char *
+ return parameqn(a, b, strlen(a)+1);
+ }
+
+-static void param_check_unsafe(const struct kernel_param *kp)
++static bool param_check_unsafe(const struct kernel_param *kp,
++ const char *doing)
+ {
+ if (kp->flags & KERNEL_PARAM_FL_UNSAFE) {
+ pr_notice("Setting dangerous option %s - tainting kernel\n",
+ kp->name);
+ add_taint(TAINT_USER, LOCKDEP_STILL_OK);
+ }
++
++ if (kp->flags & KERNEL_PARAM_FL_HWPARAM &&
++ kernel_is_locked_down("Command line-specified device addresses, irqs and dma channels"))
++ return false;
++ return true;
+ }
+
+ static int parse_one(char *param,
+@@ -144,8 +150,10 @@ static int parse_one(char *param,
+ pr_debug("handling %s with %p\n", param,
+ params[i].ops->set);
+ kernel_param_lock(params[i].mod);
+- param_check_unsafe(&params[i]);
+- err = params[i].ops->set(val, &params[i]);
++ if (param_check_unsafe(&params[i], doing))
++ err = params[i].ops->set(val, &params[i]);
++ else
++ err = -EPERM;
+ kernel_param_unlock(params[i].mod);
+ return err;
+ }
+@@ -553,6 +561,12 @@ static ssize_t param_attr_show(struct mo
+ return count;
+ }
+
++#ifdef CONFIG_MODULES
++#define mod_name(mod) (mod)->name
++#else
++#define mod_name(mod) "unknown"
++#endif
++
+ /* sysfs always hands a nul-terminated string in buf. We rely on that. */
+ static ssize_t param_attr_store(struct module_attribute *mattr,
+ struct module_kobject *mk,
+@@ -565,8 +579,10 @@ static ssize_t param_attr_store(struct m
+ return -EPERM;
+
+ kernel_param_lock(mk->mod);
+- param_check_unsafe(attribute->param);
+- err = attribute->param->ops->set(buf, attribute->param);
++ if (param_check_unsafe(attribute->param, mod_name(mk->mod)))
++ err = attribute->param->ops->set(buf, attribute->param);
++ else
++ err = -EPERM;
+ kernel_param_unlock(mk->mod);
+ if (!err)
+ return len;
diff --git a/debian/patches/features/all/lockdown/0023-x86-mmiotrace-Lock-down-the-testmmiotrace-module.patch b/debian/patches/features/all/lockdown/0023-x86-mmiotrace-Lock-down-the-testmmiotrace-module.patch
new file mode 100644
index 000000000..47edb3442
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0023-x86-mmiotrace-Lock-down-the-testmmiotrace-module.patch
@@ -0,0 +1,33 @@
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 8 Nov 2017 15:11:36 +0000
+Subject: [23/29] x86/mmiotrace: Lock down the testmmiotrace module
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=20af3be0bcf6a78e3632770561fba6531dd3b444
+
+The testmmiotrace module shouldn't be permitted when the kernel is locked
+down as it can be used to arbitrarily read and write MMIO space.
+
+Suggested-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: David Howells <dhowells@redhat.com
+cc: Thomas Gleixner <tglx@linutronix.de>
+cc: Steven Rostedt <rostedt@goodmis.org>
+cc: Ingo Molnar <mingo@kernel.org>
+cc: "H. Peter Anvin" <hpa@zytor.com>
+cc: x86@kernel.org
+---
+ arch/x86/mm/testmmiotrace.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: linux/arch/x86/mm/testmmiotrace.c
+===================================================================
+--- linux.orig/arch/x86/mm/testmmiotrace.c
++++ linux/arch/x86/mm/testmmiotrace.c
+@@ -115,6 +115,9 @@ static int __init init(void)
+ {
+ unsigned long size = (read_far) ? (8 << 20) : (16 << 10);
+
++ if (kernel_is_locked_down("MMIO trace testing"))
++ return -EPERM;
++
+ if (mmio_address == 0) {
+ pr_err("you have to use the module argument mmio_address.\n");
+ pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n");
diff --git a/debian/patches/features/all/lockdown/0024-debugfs-Disallow-use-of-debugfs-files-when-the-kerne.patch b/debian/patches/features/all/lockdown/0024-debugfs-Disallow-use-of-debugfs-files-when-the-kerne.patch
new file mode 100644
index 000000000..2dd3fa020
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0024-debugfs-Disallow-use-of-debugfs-files-when-the-kerne.patch
@@ -0,0 +1,53 @@
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 8 Nov 2017 15:11:36 +0000
+Subject: [24/29] debugfs: Disallow use of debugfs files when the kernel is
+ locked down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=118cc5e1c27e1a75640cf2379c1299e12791063e
+
+Disallow opening of debugfs files when the kernel is locked down as various
+drivers give raw access to hardware through debugfs.
+
+Accesses to tracefs should use /sys/kernel/tracing/ rather than
+/sys/kernel/debug/tracing/. Possibly a symlink should be emplaced.
+
+Normal device interaction should be done through configfs or a miscdev, not
+debugfs.
+
+Note that this makes it unnecessary to specifically lock down show_dsts(),
+show_devs() and show_call() in the asus-wmi driver.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Andy Shevchenko <andy.shevchenko@gmail.com>
+cc: acpi4asus-user@lists.sourceforge.net
+cc: platform-driver-x86@vger.kernel.org
+cc: Matthew Garrett <matthew.garrett@nebula.com>
+cc: Thomas Gleixner <tglx@linutronix.de>
+[bwh: Forward-ported to 4.15]
+---
+ fs/debugfs/file.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+Index: linux/fs/debugfs/file.c
+===================================================================
+--- linux.orig/fs/debugfs/file.c
++++ linux/fs/debugfs/file.c
+@@ -142,6 +142,9 @@ static int open_proxy_open(struct inode
+ const struct file_operations *real_fops = NULL;
+ int r;
+
++ if (kernel_is_locked_down("debugfs"))
++ return -EPERM;
++
+ r = debugfs_file_get(dentry);
+ if (r)
+ return r == -EIO ? -ENOENT : r;
+@@ -267,6 +270,9 @@ static int full_proxy_open(struct inode
+ struct file_operations *proxy_fops = NULL;
+ int r;
+
++ if (kernel_is_locked_down("debugfs"))
++ return -EPERM;
++
+ r = debugfs_file_get(dentry);
+ if (r)
+ return r == -EIO ? -ENOENT : r;
diff --git a/debian/patches/features/all/lockdown/0025-Lock-down-proc-kcore.patch b/debian/patches/features/all/lockdown/0025-Lock-down-proc-kcore.patch
new file mode 100644
index 000000000..58df9739b
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0025-Lock-down-proc-kcore.patch
@@ -0,0 +1,27 @@
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 8 Nov 2017 15:11:37 +0000
+Subject: [25/29] Lock down /proc/kcore
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=797378dc4498207c3abc1101cfdc9ef2581d8c71
+
+Disallow access to /proc/kcore when the kernel is locked down to prevent
+access to cryptographic data.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: James Morris <james.l.morris@oracle.com>
+---
+ fs/proc/kcore.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+Index: linux/fs/proc/kcore.c
+===================================================================
+--- linux.orig/fs/proc/kcore.c
++++ linux/fs/proc/kcore.c
+@@ -545,6 +545,8 @@ out:
+
+ static int open_kcore(struct inode *inode, struct file *filp)
+ {
++ if (kernel_is_locked_down("/proc/kcore"))
++ return -EPERM;
+ if (!capable(CAP_SYS_RAWIO))
+ return -EPERM;
+
diff --git a/debian/patches/features/all/lockdown/0026-Lock-down-kprobes.patch b/debian/patches/features/all/lockdown/0026-Lock-down-kprobes.patch
new file mode 100644
index 000000000..e7d9f0b4e
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0026-Lock-down-kprobes.patch
@@ -0,0 +1,29 @@
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 8 Nov 2017 16:14:12 +0000
+Subject: [26/29] Lock down kprobes
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=cfacbbe6ef95336d99817fb8063c19bd36dfaa3d
+
+Disallow the creation of kprobes when the kernel is locked down by
+preventing their registration. This prevents kprobes from being used to
+access kernel memory, either to make modifications or to steal crypto data.
+
+Reported-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ kernel/kprobes.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: linux/kernel/kprobes.c
+===================================================================
+--- linux.orig/kernel/kprobes.c
++++ linux/kernel/kprobes.c
+@@ -1548,6 +1548,9 @@ int register_kprobe(struct kprobe *p)
+ struct module *probed_mod;
+ kprobe_opcode_t *addr;
+
++ if (kernel_is_locked_down("Use of kprobes"))
++ return -EPERM;
++
+ /* Adjust probe address from symbol */
+ addr = kprobe_addr(p);
+ if (IS_ERR(addr))
diff --git a/debian/patches/features/all/lockdown/0027-bpf-Restrict-kernel-image-access-functions-when-the-.patch b/debian/patches/features/all/lockdown/0027-bpf-Restrict-kernel-image-access-functions-when-the-.patch
new file mode 100644
index 000000000..87273834c
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0027-bpf-Restrict-kernel-image-access-functions-when-the-.patch
@@ -0,0 +1,39 @@
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 24 May 2017 14:56:05 +0100
+Subject: [27/29] bpf: Restrict kernel image access functions when the kernel
+ is locked down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=a13e9f58894129d9fd02fdb81b56ac7590704155
+
+There are some bpf functions can be used to read kernel memory:
+bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow
+private keys in kernel memory (e.g. the hibernation image signing key) to
+be read by an eBPF program and kernel memory to be altered without
+restriction.
+
+Completely prohibit the use of BPF when the kernel is locked down.
+
+Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: netdev@vger.kernel.org
+cc: Chun-Yi Lee <jlee@suse.com>
+cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>
+[bwh: Adjust context to apply after commit dcab51f19b29
+ "bpf: Expose check_uarg_tail_zero()"]
+---
+ kernel/bpf/syscall.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: linux/kernel/bpf/syscall.c
+===================================================================
+--- linux.orig/kernel/bpf/syscall.c
++++ linux/kernel/bpf/syscall.c
+@@ -2378,6 +2378,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf
+ if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN))
+ return -EPERM;
+
++ if (kernel_is_locked_down("BPF"))
++ return -EPERM;
++
+ err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size);
+ if (err)
+ return err;
diff --git a/debian/patches/features/all/lockdown/0028-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch b/debian/patches/features/all/lockdown/0028-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch
new file mode 100644
index 000000000..be357055b
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0028-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch
@@ -0,0 +1,152 @@
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 8 Nov 2017 15:11:37 +0000
+Subject: [28/29] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=eb4a8603eb727afaeb9c6123eda2eda4b2757bf3
+
+UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT
+flag that can be passed to efi_enabled() to find out whether secure boot is
+enabled.
+
+Move the switch-statement in x86's setup_arch() that inteprets the
+secure_boot boot parameter to generic code and set the bit there.
+
+Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+cc: linux-efi@vger.kernel.org
+---
+ arch/x86/kernel/setup.c | 14 +-------------
+ drivers/firmware/efi/Makefile | 1 +
+ drivers/firmware/efi/secureboot.c | 38 ++++++++++++++++++++++++++++++++++++++
+ include/linux/efi.h | 16 ++++++++++------
+ 4 files changed, 50 insertions(+), 19 deletions(-)
+ create mode 100644 drivers/firmware/efi/secureboot.c
+
+Index: linux/arch/x86/kernel/setup.c
+===================================================================
+--- linux.orig/arch/x86/kernel/setup.c
++++ linux/arch/x86/kernel/setup.c
+@@ -1159,19 +1159,7 @@ void __init setup_arch(char **cmdline_p)
+ /* Allocate bigger log buffer */
+ setup_log_buf(1);
+
+- if (efi_enabled(EFI_BOOT)) {
+- switch (boot_params.secure_boot) {
+- case efi_secureboot_mode_disabled:
+- pr_info("Secure boot disabled\n");
+- break;
+- case efi_secureboot_mode_enabled:
+- pr_info("Secure boot enabled\n");
+- break;
+- default:
+- pr_info("Secure boot could not be determined\n");
+- break;
+- }
+- }
++ efi_set_secure_boot(boot_params.secure_boot);
+
+ reserve_initrd();
+
+Index: linux/drivers/firmware/efi/Makefile
+===================================================================
+--- linux.orig/drivers/firmware/efi/Makefile
++++ linux/drivers/firmware/efi/Makefile
+@@ -24,6 +24,7 @@ obj-$(CONFIG_EFI_FAKE_MEMMAP) += fake_m
+ obj-$(CONFIG_EFI_BOOTLOADER_CONTROL) += efibc.o
+ obj-$(CONFIG_EFI_TEST) += test/
+ obj-$(CONFIG_EFI_DEV_PATH_PARSER) += dev-path-parser.o
++obj-$(CONFIG_EFI) += secureboot.o
+ obj-$(CONFIG_APPLE_PROPERTIES) += apple-properties.o
+
+ arm-obj-$(CONFIG_EFI) := arm-init.o arm-runtime.o
+Index: linux/drivers/firmware/efi/secureboot.c
+===================================================================
+--- /dev/null
++++ linux/drivers/firmware/efi/secureboot.c
+@@ -0,0 +1,38 @@
++/* Core kernel secure boot support.
++ *
++ * Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
++ * Written by David Howells (dhowells@redhat.com)
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public Licence
++ * as published by the Free Software Foundation; either version
++ * 2 of the Licence, or (at your option) any later version.
++ */
++
++#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
++
++#include <linux/efi.h>
++#include <linux/kernel.h>
++#include <linux/printk.h>
++
++/*
++ * Decide what to do when UEFI secure boot mode is enabled.
++ */
++void __init efi_set_secure_boot(enum efi_secureboot_mode mode)
++{
++ if (efi_enabled(EFI_BOOT)) {
++ switch (mode) {
++ case efi_secureboot_mode_disabled:
++ pr_info("Secure boot disabled\n");
++ break;
++ case efi_secureboot_mode_enabled:
++ set_bit(EFI_SECURE_BOOT, &efi.flags);
++ pr_info("Secure boot enabled\n");
++ break;
++ default:
++ pr_warning("Secure boot could not be determined (mode %u)\n",
++ mode);
++ break;
++ }
++ }
++}
+Index: linux/include/linux/efi.h
+===================================================================
+--- linux.orig/include/linux/efi.h
++++ linux/include/linux/efi.h
+@@ -1152,6 +1152,14 @@ extern int __init efi_setup_pcdp_console
+ #define EFI_DBG 8 /* Print additional debug info at runtime */
+ #define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */
+ #define EFI_MEM_ATTR 10 /* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */
++#define EFI_SECURE_BOOT 11 /* Are we in Secure Boot mode? */
++
++enum efi_secureboot_mode {
++ efi_secureboot_mode_unset,
++ efi_secureboot_mode_unknown,
++ efi_secureboot_mode_disabled,
++ efi_secureboot_mode_enabled,
++};
+
+ #ifdef CONFIG_EFI
+ /*
+@@ -1164,6 +1172,7 @@ static inline bool efi_enabled(int featu
+ extern void efi_reboot(enum reboot_mode reboot_mode, const char *__unused);
+
+ extern bool efi_is_table_address(unsigned long phys_addr);
++extern void __init efi_set_secure_boot(enum efi_secureboot_mode mode);
+ #else
+ static inline bool efi_enabled(int feature)
+ {
+@@ -1182,6 +1191,7 @@ static inline bool efi_is_table_address(
+ {
+ return false;
+ }
++static inline void efi_set_secure_boot(enum efi_secureboot_mode mode) {}
+ #endif
+
+ extern int efi_status_to_err(efi_status_t status);
+@@ -1572,12 +1582,6 @@ static inline bool efi_runtime_disabled(
+
+ extern void efi_call_virt_check_flags(unsigned long flags, const char *call);
+
+-enum efi_secureboot_mode {
+- efi_secureboot_mode_unset,
+- efi_secureboot_mode_unknown,
+- efi_secureboot_mode_disabled,
+- efi_secureboot_mode_enabled,
+-};
+ enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table);
+
+ #ifdef CONFIG_RESET_ATTACK_MITIGATION
diff --git a/debian/patches/features/all/lockdown/0029-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/debian/patches/features/all/lockdown/0029-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
new file mode 100644
index 000000000..9ab10afb3
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0029-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
@@ -0,0 +1,83 @@
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 8 Nov 2017 15:11:37 +0000
+Subject: [29/29] efi: Lock down the kernel if booted in secure boot mode
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=a364bd945ffc141a7b17cb331bda0d8ad68f7e72
+
+UEFI Secure Boot provides a mechanism for ensuring that the firmware will
+only load signed bootloaders and kernels. Certain use cases may also
+require that all kernel modules also be signed. Add a configuration option
+that to lock down the kernel - which includes requiring validly signed
+modules - if the kernel is secure-booted.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+cc: linux-efi@vger.kernel.org
+---
+ arch/x86/kernel/setup.c | 6 ++++--
+ security/Kconfig | 14 ++++++++++++++
+ security/lock_down.c | 1 +
+ 3 files changed, 19 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -65,6 +65,7 @@
+ #include <linux/dma-mapping.h>
+ #include <linux/ctype.h>
+ #include <linux/uaccess.h>
++#include <linux/security.h>
+
+ #include <linux/percpu.h>
+ #include <linux/crash_dump.h>
+@@ -1005,6 +1006,9 @@ void __init setup_arch(char **cmdline_p)
+ if (efi_enabled(EFI_BOOT))
+ efi_init();
+
++ efi_set_secure_boot(boot_params.secure_boot);
++ init_lockdown();
++
+ dmi_scan_machine();
+ dmi_memdev_walk();
+ dmi_set_dump_stack_arch_desc();
+@@ -1159,8 +1163,6 @@ void __init setup_arch(char **cmdline_p)
+ /* Allocate bigger log buffer */
+ setup_log_buf(1);
+
+- efi_set_secure_boot(boot_params.secure_boot);
+-
+ reserve_initrd();
+
+ acpi_table_upgrade();
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -247,6 +247,21 @@ config LOCK_DOWN_KERNEL
+ turns off various features that might otherwise allow access to the
+ kernel image (eg. setting MSR registers).
+
++config LOCK_DOWN_IN_EFI_SECURE_BOOT
++ bool "Lock down the kernel in EFI Secure Boot mode"
++ default n
++ select LOCK_DOWN_KERNEL
++ depends on EFI
++ help
++ UEFI Secure Boot provides a mechanism for ensuring that the firmware
++ will only load signed bootloaders and kernels. Secure boot mode may
++ be determined from EFI variables provided by the system firmware if
++ not indicated by the boot parameters.
++
++ Enabling this option turns on results in kernel lockdown being
++ triggered if EFI Secure Boot is set.
++
++
+ source security/selinux/Kconfig
+ source security/smack/Kconfig
+ source security/tomoyo/Kconfig
+--- a/security/lock_down.c
++++ b/security/lock_down.c
+@@ -11,6 +11,7 @@
+
+ #include <linux/security.h>
+ #include <linux/export.h>
++#include <linux/efi.h>
+
+ static __ro_after_init bool kernel_locked_down;
+
diff --git a/debian/patches/features/all/lockdown/0032-efi-Restrict-efivar_ssdt_load-when-the-kernel-is-loc.patch b/debian/patches/features/all/lockdown/0032-efi-Restrict-efivar_ssdt_load-when-the-kernel-is-loc.patch
new file mode 100644
index 000000000..bb2f4f60b
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0032-efi-Restrict-efivar_ssdt_load-when-the-kernel-is-loc.patch
@@ -0,0 +1,36 @@
+From: Matthew Garrett <matthewgarrett@google.com>
+Date: Wed, 31 Jul 2019 15:16:16 -0700
+Subject: efi: Restrict efivar_ssdt_load when the kernel is locked down
+Origin: https://patchwork.kernel.org/patch/11069659/
+
+efivar_ssdt_load allows the kernel to import arbitrary ACPI code from an
+EFI variable, which gives arbitrary code execution in ring 0. Prevent
+that when the kernel is locked down.
+
+Signed-off-by: Matthew Garrett <mjg59@google.com>
+Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: linux-efi@vger.kernel.org
+[bwh: Convert back to the non-LSM lockdown API]
+---
+--- a/drivers/firmware/efi/efi.c
++++ b/drivers/firmware/efi/efi.c
+@@ -30,6 +30,7 @@
+ #include <linux/acpi.h>
+ #include <linux/ucs2_string.h>
+ #include <linux/memblock.h>
++#include <linux/security.h>
+
+ #include <asm/early_ioremap.h>
+
+@@ -241,6 +242,9 @@ static void generic_ops_unregister(void)
+ static char efivar_ssdt[EFIVAR_SSDT_NAME_MAX] __initdata;
+ static int __init efivar_ssdt_setup(char *str)
+ {
++ if (kernel_is_locked_down("ACPI tables"))
++ return -EPERM;
++
+ if (strlen(str) < sizeof(efivar_ssdt))
+ memcpy(efivar_ssdt, str, strlen(str));
+ else
diff --git a/debian/patches/features/all/lockdown/ACPI-configfs-Disallow-loading-ACPI-tables-when-lock.patch b/debian/patches/features/all/lockdown/ACPI-configfs-Disallow-loading-ACPI-tables-when-lock.patch
new file mode 100644
index 000000000..4970a4bd4
--- /dev/null
+++ b/debian/patches/features/all/lockdown/ACPI-configfs-Disallow-loading-ACPI-tables-when-lock.patch
@@ -0,0 +1,44 @@
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Mon, 15 Jun 2020 04:43:32 -0600
+Subject: ACPI: configfs: Disallow loading ACPI tables when locked down
+Origin: https://git.kernel.org/linus/75b0cea7bf307f362057cc778efe89af4c615354
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-15780
+
+Like other vectors already patched, this one here allows the root
+user to load ACPI tables, which enables arbitrary physical address
+writes, which in turn makes it possible to disable lockdown.
+
+Prevents this by checking the lockdown status before allowing a new
+ACPI table to be installed. The link in the trailer shows a PoC of
+how this might be used.
+
+Link: https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh
+Cc: 5.4+ <stable@vger.kernel.org> # 5.4+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+[Salvatore Bonaccorso: Backport to v4.19.y: Use kernel_is_locked_down instead
+of security_locked_down]
+---
+ drivers/acpi/acpi_configfs.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/acpi_configfs.c
++++ b/drivers/acpi/acpi_configfs.c
+@@ -14,6 +14,7 @@
+ #include <linux/module.h>
+ #include <linux/configfs.h>
+ #include <linux/acpi.h>
++#include <linux/security.h>
+
+ #include "acpica/accommon.h"
+ #include "acpica/actables.h"
+@@ -33,6 +34,9 @@ static ssize_t acpi_table_aml_write(stru
+ struct acpi_table *table;
+ int ret;
+
++ if (kernel_is_locked_down("Modifying ACPI tables"))
++ return -EPERM;
++
+ table = container_of(cfg, struct acpi_table, cfg);
+
+ if (table->header) {
diff --git a/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch b/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
new file mode 100644
index 000000000..beb09c3e6
--- /dev/null
+++ b/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
@@ -0,0 +1,97 @@
+From: Linn Crosetto <linn@hpe.com>
+Date: Tue, 30 Aug 2016 11:54:38 -0600
+Subject: arm64: add kernel config option to lock down when in Secure Boot mode
+Bug-Debian: https://bugs.debian.org/831827
+Forwarded: no
+
+Add a kernel configuration option to lock down the kernel, to restrict
+userspace's ability to modify the running kernel when UEFI Secure Boot is
+enabled. Based on the x86 patch by Matthew Garrett.
+
+Determine the state of Secure Boot in the EFI stub and pass this to the
+kernel using the FDT.
+
+Signed-off-by: Linn Crosetto <linn@hpe.com>
+[bwh: Forward-ported to 4.10: adjust context]
+[Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream]
+[bwh: Forward-ported to 4.15 and lockdown patch set:
+ - Pass result of efi_get_secureboot() in stub through to
+ efi_set_secure_boot() in main kernel
+ - Use lockdown API and naming]
+[bwh: Forward-ported to 4.19.3: adjust context in update_fdt()]
+[dannf: Moved init_lockdown() call after uefi_init(), fixing SB detection]
+---
+ arch/arm64/Kconfig | 13 +++++++++++++
+ drivers/firmware/efi/arm-init.c | 7 +++++++
+ drivers/firmware/efi/efi.c | 3 ++-
+ drivers/firmware/efi/libstub/arm-stub.c | 2 +-
+ drivers/firmware/efi/libstub/efistub.h | 1 +
+ drivers/firmware/efi/libstub/fdt.c | 7 +++++++
+ include/linux/efi.h | 1 +
+ 7 files changed, 32 insertions(+), 2 deletions(-)
+
+Index: linux/drivers/firmware/efi/arm-init.c
+===================================================================
+--- linux.orig/drivers/firmware/efi/arm-init.c
++++ linux/drivers/firmware/efi/arm-init.c
+@@ -21,6 +21,7 @@
+ #include <linux/of_fdt.h>
+ #include <linux/platform_device.h>
+ #include <linux/screen_info.h>
++#include <linux/security.h>
+
+ #include <asm/efi.h>
+
+@@ -257,6 +258,9 @@ void __init efi_init(void)
+ return;
+ }
+
++ efi_set_secure_boot(params.secure_boot);
++ init_lockdown();
++
+ reserve_regions();
+ efi_esrt_init();
+
+Index: linux/drivers/firmware/efi/efi.c
+===================================================================
+--- linux.orig/drivers/firmware/efi/efi.c
++++ linux/drivers/firmware/efi/efi.c
+@@ -660,7 +660,8 @@ static __initdata struct params fdt_para
+ UEFI_PARAM("MemMap Address", "linux,uefi-mmap-start", mmap),
+ UEFI_PARAM("MemMap Size", "linux,uefi-mmap-size", mmap_size),
+ UEFI_PARAM("MemMap Desc. Size", "linux,uefi-mmap-desc-size", desc_size),
+- UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver)
++ UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver),
++ UEFI_PARAM("Secure Boot Enabled", "linux,uefi-secure-boot", secure_boot)
+ };
+
+ static __initdata struct params xen_fdt_params[] = {
+Index: linux/drivers/firmware/efi/libstub/fdt.c
+===================================================================
+--- linux.orig/drivers/firmware/efi/libstub/fdt.c
++++ linux/drivers/firmware/efi/libstub/fdt.c
+@@ -159,6 +159,12 @@ static efi_status_t update_fdt(efi_syste
+ }
+ }
+
++ fdt_val32 = cpu_to_fdt32(efi_get_secureboot(sys_table));
++ status = fdt_setprop(fdt, node, "linux,uefi-secure-boot",
++ &fdt_val32, sizeof(fdt_val32));
++ if (status)
++ goto fdt_set_fail;
++
+ /* shrink the FDT back to its minimum size */
+ fdt_pack(fdt);
+
+Index: linux/include/linux/efi.h
+===================================================================
+--- linux.orig/include/linux/efi.h
++++ linux/include/linux/efi.h
+@@ -786,6 +786,7 @@ struct efi_fdt_params {
+ u32 mmap_size;
+ u32 desc_size;
+ u32 desc_ver;
++ u32 secure_boot;
+ };
+
+ typedef struct {
diff --git a/debian/patches/features/all/lockdown/enable-cold-boot-attack-mitigation.patch b/debian/patches/features/all/lockdown/enable-cold-boot-attack-mitigation.patch
new file mode 100644
index 000000000..7a3b8e9bb
--- /dev/null
+++ b/debian/patches/features/all/lockdown/enable-cold-boot-attack-mitigation.patch
@@ -0,0 +1,50 @@
+From: Matthew Garrett <mjg59@coreos.com>
+Date: Tue, 12 Jan 2016 12:51:27 -0800
+Subject: [18/18] Enable cold boot attack mitigation
+Origin: https://github.com/mjg59/linux/commit/02d999574936dd234a508c0112a0200c135a5c34
+
+[Lukas Wunner: Forward-ported to 4.11: adjust context]
+---
+ arch/x86/boot/compressed/eboot.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+Index: linux/arch/x86/boot/compressed/eboot.c
+===================================================================
+--- linux.orig/arch/x86/boot/compressed/eboot.c
++++ linux/arch/x86/boot/compressed/eboot.c
+@@ -372,6 +372,22 @@ void setup_graphics(struct boot_params *
+ }
+ }
+
++#define MEMORY_ONLY_RESET_CONTROL_GUID \
++ EFI_GUID (0xe20939be, 0x32d4, 0x41be, 0xa1, 0x50, 0x89, 0x7f, 0x85, 0xd4, 0x98, 0x29)
++
++static void enable_reset_attack_mitigation(void)
++{
++ u8 val = 1;
++ efi_guid_t var_guid = MEMORY_ONLY_RESET_CONTROL_GUID;
++
++ /* Ignore the return value here - there's not really a lot we can do */
++ efi_early->call((unsigned long)sys_table->runtime->set_variable,
++ L"MemoryOverwriteRequestControl", &var_guid,
++ EFI_VARIABLE_NON_VOLATILE |
++ EFI_VARIABLE_BOOTSERVICE_ACCESS |
++ EFI_VARIABLE_RUNTIME_ACCESS, sizeof(val), val);
++}
++
+ /*
+ * Because the x86 boot code expects to be passed a boot_params we
+ * need to create one ourselves (usually the bootloader would create
+@@ -783,6 +799,12 @@ efi_main(struct efi_config *c, struct bo
+ efi_parse_options((char *)cmdline_paddr);
+
+ /*
++ * Ask the firmware to clear memory if we don't have a clean
++ * shutdown
++ */
++ enable_reset_attack_mitigation();
++
++ /*
+ * If the boot loader gave us a value for secure_boot then we use that,
+ * otherwise we ask the BIOS.
+ */
diff --git a/debian/patches/features/all/lockdown/lockdown-refer-to-debian-wiki-until-manual-page-exists.patch b/debian/patches/features/all/lockdown/lockdown-refer-to-debian-wiki-until-manual-page-exists.patch
new file mode 100644
index 000000000..586be8cab
--- /dev/null
+++ b/debian/patches/features/all/lockdown/lockdown-refer-to-debian-wiki-until-manual-page-exists.patch
@@ -0,0 +1,34 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sun, 21 Apr 2019 00:17:13 +0100
+Subject: lockdown: Refer to Debian wiki until manual page exists
+Forwarded: not-needed
+
+The lockdown denial log message currently refers to a
+"kernel_lockdown.7" manual page, which is supposed to document it.
+That manual page hasn't been accepted by the man-pages project and
+doesn't even seem to have been submitted yet. For now, refer to the
+Debian wiki.
+
+---
+Index: linux/security/lock_down.c
+===================================================================
+--- linux.orig/security/lock_down.c
++++ linux/security/lock_down.c
+@@ -28,7 +28,7 @@ static void __init lock_kernel_down(cons
+ {
+ if (!kernel_locked_down) {
+ kernel_locked_down = true;
+- pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n",
++ pr_notice("Kernel is locked down from %s; see https://wiki.debian.org/SecureBoot\n",
+ where);
+ }
+ }
+@@ -60,7 +60,7 @@ void __init init_lockdown(void)
+ bool __kernel_is_locked_down(const char *what, bool first)
+ {
+ if (what && first && kernel_locked_down)
+- pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n",
++ pr_notice("Lockdown: %s is restricted; see https://wiki.debian.org/SecureBoot\n",
+ what);
+ return kernel_locked_down;
+ }
diff --git a/debian/patches/features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch b/debian/patches/features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch
new file mode 100644
index 000000000..f02392f10
--- /dev/null
+++ b/debian/patches/features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch
@@ -0,0 +1,41 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Fri, 03 Jun 2016 00:48:39 +0100
+Subject: mtd: Disable slram and phram when locked down
+Forwarded: no
+
+The slram and phram drivers both allow mapping regions of physical
+address space such that they can then be read and written by userland
+through the MTD interface. This is probably usable to manipulate
+hardware into overwriting kernel code on many systems. Prevent that
+if locked down.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+Index: linux/drivers/mtd/devices/phram.c
+===================================================================
+--- linux.orig/drivers/mtd/devices/phram.c
++++ linux/drivers/mtd/devices/phram.c
+@@ -219,6 +219,9 @@ static int phram_setup(const char *val)
+ uint64_t len;
+ int i, ret;
+
++ if (kernel_is_locked_down("Command line-specified device addresses"))
++ return -EPERM;
++
+ if (strnlen(val, sizeof(buf)) >= sizeof(buf))
+ parse_err("parameter too long\n");
+
+Index: linux/drivers/mtd/devices/slram.c
+===================================================================
+--- linux.orig/drivers/mtd/devices/slram.c
++++ linux/drivers/mtd/devices/slram.c
+@@ -226,6 +226,9 @@ static int parse_cmdline(char *devname,
+ unsigned long devstart;
+ unsigned long devlength;
+
++ if (kernel_is_locked_down("Command line-specified device addresses"))
++ return -EPERM;
++
+ if ((!devname) || (!szstart) || (!szlength)) {
+ unregister_devices();
+ return(-EINVAL);