Diffstat (limited to 'debian/patches/features/all/lockdown/0029-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch')
-rw-r--r--debian/patches/features/all/lockdown/0029-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch83
1 files changed, 83 insertions, 0 deletions
diff --git a/debian/patches/features/all/lockdown/0029-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/debian/patches/features/all/lockdown/0029-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
new file mode 100644
index 000000000..9ab10afb3
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0029-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
@@ -0,0 +1,83 @@
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 8 Nov 2017 15:11:37 +0000
+Subject: [29/29] efi: Lock down the kernel if booted in secure boot mode
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=a364bd945ffc141a7b17cb331bda0d8ad68f7e72
+
+UEFI Secure Boot provides a mechanism for ensuring that the firmware will
+only load signed bootloaders and kernels. Certain use cases may also
+require that all kernel modules also be signed. Add a configuration option
+that to lock down the kernel - which includes requiring validly signed
+modules - if the kernel is secure-booted.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+cc: linux-efi@vger.kernel.org
+---
+ arch/x86/kernel/setup.c | 6 ++++--
+ security/Kconfig | 14 ++++++++++++++
+ security/lock_down.c | 1 +
+ 3 files changed, 19 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -65,6 +65,7 @@
+ #include <linux/dma-mapping.h>
+ #include <linux/ctype.h>
+ #include <linux/uaccess.h>
++#include <linux/security.h>
+
+ #include <linux/percpu.h>
+ #include <linux/crash_dump.h>
+@@ -1005,6 +1006,9 @@ void __init setup_arch(char **cmdline_p)
+ if (efi_enabled(EFI_BOOT))
+ efi_init();
+
++ efi_set_secure_boot(boot_params.secure_boot);
++ init_lockdown();
++
+ dmi_scan_machine();
+ dmi_memdev_walk();
+ dmi_set_dump_stack_arch_desc();
+@@ -1159,8 +1163,6 @@ void __init setup_arch(char **cmdline_p)
+ /* Allocate bigger log buffer */
+ setup_log_buf(1);
+
+- efi_set_secure_boot(boot_params.secure_boot);
+-
+ reserve_initrd();
+
+ acpi_table_upgrade();
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -247,6 +247,21 @@ config LOCK_DOWN_KERNEL
+ turns off various features that might otherwise allow access to the
+ kernel image (eg. setting MSR registers).
+
++config LOCK_DOWN_IN_EFI_SECURE_BOOT
++ bool "Lock down the kernel in EFI Secure Boot mode"
++ default n
++ select LOCK_DOWN_KERNEL
++ depends on EFI
++ help
++ UEFI Secure Boot provides a mechanism for ensuring that the firmware
++ will only load signed bootloaders and kernels. Secure boot mode may
++ be determined from EFI variables provided by the system firmware if
++ not indicated by the boot parameters.
++
++ Enabling this option turns on results in kernel lockdown being
++ triggered if EFI Secure Boot is set.
++
++
+ source security/selinux/Kconfig
+ source security/smack/Kconfig
+ source security/tomoyo/Kconfig
+--- a/security/lock_down.c
++++ b/security/lock_down.c
+@@ -11,6 +11,7 @@
+
+ #include <linux/security.h>
+ #include <linux/export.h>
++#include <linux/efi.h>
+
+ static __ro_after_init bool kernel_locked_down;
+
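Review bot: Nothing in the embedded patch consumes the new `CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT` symbol: the `security/lock_down.c` hunk only adds `#include <linux/efi.h>`, and the `setup_arch()` hunk calls `init_lockdown()` unconditionally right after `efi_set_secure_boot(boot_params.secure_boot)`. Unless `init_lockdown()` already tests the secure-boot state in an earlier patch of the series (its body is outside this hunk), enabling the option would select `LOCK_DOWN_KERNEL` yet never trigger lockdown on a secure-booted machine, which fails open without any warning. I would expect a guarded check inside `init_lockdown()`, presumably `#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT` around `if (efi_enabled(EFI_SECURE_BOOT))` ahead of the file's lock-down call; the embedded diffstat (`security/lock_down.c | 1 +`) suggests that part was dropped or moved, so it is worth confirming where it lives. Separately, the Kconfig help line "Enabling this option turns on results in" is garbled and should read `Enabling this option results in kernel lockdown being triggered if EFI Secure Boot is set.`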