1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
|
From: Linn Crosetto <linn@hpe.com>
Date: Tue, 30 Aug 2016 11:54:38 -0600
Subject: arm64: add kernel config option to lock down when in Secure Boot mode
Bug-Debian: https://bugs.debian.org/831827
Forwarded: no
Add a kernel configuration option to lock down the kernel, to restrict
userspace's ability to modify the running kernel when UEFI Secure Boot is
enabled. Based on the x86 patch by Matthew Garrett.
Determine the state of Secure Boot in the EFI stub and pass this to the
kernel using the FDT.
Signed-off-by: Linn Crosetto <linn@hpe.com>
[bwh: Forward-ported to 4.10: adjust context]
[Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream]
[bwh: Forward-ported to 4.15 and lockdown patch set:
- Pass result of efi_get_secureboot() in stub through to
efi_set_secure_boot() in main kernel
- Use lockdown API and naming]
[bwh: Forward-ported to 4.19.3: adjust context in update_fdt()]
[dannf: Moved init_lockdown() call after uefi_init(), fixing SB detection]
---
arch/arm64/Kconfig | 13 +++++++++++++
drivers/firmware/efi/arm-init.c | 7 +++++++
drivers/firmware/efi/efi.c | 3 ++-
drivers/firmware/efi/libstub/arm-stub.c | 2 +-
drivers/firmware/efi/libstub/efistub.h | 1 +
drivers/firmware/efi/libstub/fdt.c | 7 +++++++
include/linux/efi.h | 1 +
7 files changed, 32 insertions(+), 2 deletions(-)
Index: linux/drivers/firmware/efi/arm-init.c
===================================================================
--- linux.orig/drivers/firmware/efi/arm-init.c
+++ linux/drivers/firmware/efi/arm-init.c
@@ -21,6 +21,7 @@
#include <linux/of_fdt.h>
#include <linux/platform_device.h>
#include <linux/screen_info.h>
+#include <linux/security.h>
#include <asm/efi.h>
@@ -257,6 +258,9 @@ void __init efi_init(void)
return;
}
+ efi_set_secure_boot(params.secure_boot);
+ init_lockdown();
+
reserve_regions();
efi_esrt_init();
Index: linux/drivers/firmware/efi/efi.c
===================================================================
--- linux.orig/drivers/firmware/efi/efi.c
+++ linux/drivers/firmware/efi/efi.c
@@ -660,7 +660,8 @@ static __initdata struct params fdt_para
UEFI_PARAM("MemMap Address", "linux,uefi-mmap-start", mmap),
UEFI_PARAM("MemMap Size", "linux,uefi-mmap-size", mmap_size),
UEFI_PARAM("MemMap Desc. Size", "linux,uefi-mmap-desc-size", desc_size),
- UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver)
+ UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver),
+ UEFI_PARAM("Secure Boot Enabled", "linux,uefi-secure-boot", secure_boot)
};
static __initdata struct params xen_fdt_params[] = {
Index: linux/drivers/firmware/efi/libstub/fdt.c
===================================================================
--- linux.orig/drivers/firmware/efi/libstub/fdt.c
+++ linux/drivers/firmware/efi/libstub/fdt.c
@@ -159,6 +159,12 @@ static efi_status_t update_fdt(efi_syste
}
}
+ fdt_val32 = cpu_to_fdt32(efi_get_secureboot(sys_table));
+ status = fdt_setprop(fdt, node, "linux,uefi-secure-boot",
+ &fdt_val32, sizeof(fdt_val32));
+ if (status)
+ goto fdt_set_fail;
+
/* shrink the FDT back to its minimum size */
fdt_pack(fdt);
Index: linux/include/linux/efi.h
===================================================================
--- linux.orig/include/linux/efi.h
+++ linux/include/linux/efi.h
@@ -786,6 +786,7 @@ struct efi_fdt_params {
u32 mmap_size;
u32 desc_size;
u32 desc_ver;
+ u32 secure_boot;
};
typedef struct {
|