diff options
Diffstat (limited to 'debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch')
-rw-r--r-- | debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch | 97 |
1 files changed, 97 insertions, 0 deletions
diff --git a/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch b/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch new file mode 100644 index 000000000..beb09c3e6 --- /dev/null +++ b/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch @@ -0,0 +1,97 @@ +From: Linn Crosetto <linn@hpe.com> +Date: Tue, 30 Aug 2016 11:54:38 -0600 +Subject: arm64: add kernel config option to lock down when in Secure Boot mode +Bug-Debian: https://bugs.debian.org/831827 +Forwarded: no + +Add a kernel configuration option to lock down the kernel, to restrict +userspace's ability to modify the running kernel when UEFI Secure Boot is +enabled. Based on the x86 patch by Matthew Garrett. + +Determine the state of Secure Boot in the EFI stub and pass this to the +kernel using the FDT. + +Signed-off-by: Linn Crosetto <linn@hpe.com> +[bwh: Forward-ported to 4.10: adjust context] +[Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream] +[bwh: Forward-ported to 4.15 and lockdown patch set: + - Pass result of efi_get_secureboot() in stub through to + efi_set_secure_boot() in main kernel + - Use lockdown API and naming] +[bwh: Forward-ported to 4.19.3: adjust context in update_fdt()] +[dannf: Moved init_lockdown() call after uefi_init(), fixing SB detection] +--- + arch/arm64/Kconfig | 13 +++++++++++++ + drivers/firmware/efi/arm-init.c | 7 +++++++ + drivers/firmware/efi/efi.c | 3 ++- + drivers/firmware/efi/libstub/arm-stub.c | 2 +- + drivers/firmware/efi/libstub/efistub.h | 1 + + drivers/firmware/efi/libstub/fdt.c | 7 +++++++ + include/linux/efi.h | 1 + + 7 files changed, 32 insertions(+), 2 deletions(-) + +Index: linux/drivers/firmware/efi/arm-init.c +=================================================================== +--- linux.orig/drivers/firmware/efi/arm-init.c ++++ linux/drivers/firmware/efi/arm-init.c +@@ -21,6 +21,7 @@ + #include <linux/of_fdt.h> + #include <linux/platform_device.h> + #include <linux/screen_info.h> ++#include <linux/security.h> + + #include <asm/efi.h> + +@@ -257,6 +258,9 @@ void __init efi_init(void) + return; + } + ++ efi_set_secure_boot(params.secure_boot); ++ init_lockdown(); ++ + reserve_regions(); + efi_esrt_init(); + +Index: linux/drivers/firmware/efi/efi.c +=================================================================== +--- linux.orig/drivers/firmware/efi/efi.c ++++ linux/drivers/firmware/efi/efi.c +@@ -660,7 +660,8 @@ static __initdata struct params fdt_para + UEFI_PARAM("MemMap Address", "linux,uefi-mmap-start", mmap), + UEFI_PARAM("MemMap Size", "linux,uefi-mmap-size", mmap_size), + UEFI_PARAM("MemMap Desc. Size", "linux,uefi-mmap-desc-size", desc_size), +- UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver) ++ UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver), ++ UEFI_PARAM("Secure Boot Enabled", "linux,uefi-secure-boot", secure_boot) + }; + + static __initdata struct params xen_fdt_params[] = { +Index: linux/drivers/firmware/efi/libstub/fdt.c +=================================================================== +--- linux.orig/drivers/firmware/efi/libstub/fdt.c ++++ linux/drivers/firmware/efi/libstub/fdt.c +@@ -159,6 +159,12 @@ static efi_status_t update_fdt(efi_syste + } + } + ++ fdt_val32 = cpu_to_fdt32(efi_get_secureboot(sys_table)); ++ status = fdt_setprop(fdt, node, "linux,uefi-secure-boot", ++ &fdt_val32, sizeof(fdt_val32)); ++ if (status) ++ goto fdt_set_fail; ++ + /* shrink the FDT back to its minimum size */ + fdt_pack(fdt); + +Index: linux/include/linux/efi.h +=================================================================== +--- linux.orig/include/linux/efi.h ++++ linux/include/linux/efi.h +@@ -786,6 +786,7 @@ struct efi_fdt_params { + u32 mmap_size; + u32 desc_size; + u32 desc_ver; ++ u32 secure_boot; + }; + + typedef struct { |