summaryrefslogtreecommitdiffstats
path: root/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch')
-rw-r--r--debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch97
1 files changed, 97 insertions, 0 deletions
diff --git a/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch b/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
new file mode 100644
index 000000000..beb09c3e6
--- /dev/null
+++ b/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
@@ -0,0 +1,97 @@
+From: Linn Crosetto <linn@hpe.com>
+Date: Tue, 30 Aug 2016 11:54:38 -0600
+Subject: arm64: add kernel config option to lock down when in Secure Boot mode
+Bug-Debian: https://bugs.debian.org/831827
+Forwarded: no
+
+Add a kernel configuration option to lock down the kernel, to restrict
+userspace's ability to modify the running kernel when UEFI Secure Boot is
+enabled. Based on the x86 patch by Matthew Garrett.
+
+Determine the state of Secure Boot in the EFI stub and pass this to the
+kernel using the FDT.
+
+Signed-off-by: Linn Crosetto <linn@hpe.com>
+[bwh: Forward-ported to 4.10: adjust context]
+[Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream]
+[bwh: Forward-ported to 4.15 and lockdown patch set:
+ - Pass result of efi_get_secureboot() in stub through to
+ efi_set_secure_boot() in main kernel
+ - Use lockdown API and naming]
+[bwh: Forward-ported to 4.19.3: adjust context in update_fdt()]
+[dannf: Moved init_lockdown() call after uefi_init(), fixing SB detection]
+---
+ arch/arm64/Kconfig | 13 +++++++++++++
+ drivers/firmware/efi/arm-init.c | 7 +++++++
+ drivers/firmware/efi/efi.c | 3 ++-
+ drivers/firmware/efi/libstub/arm-stub.c | 2 +-
+ drivers/firmware/efi/libstub/efistub.h | 1 +
+ drivers/firmware/efi/libstub/fdt.c | 7 +++++++
+ include/linux/efi.h | 1 +
+ 7 files changed, 32 insertions(+), 2 deletions(-)
+
+Index: linux/drivers/firmware/efi/arm-init.c
+===================================================================
+--- linux.orig/drivers/firmware/efi/arm-init.c
++++ linux/drivers/firmware/efi/arm-init.c
+@@ -21,6 +21,7 @@
+ #include <linux/of_fdt.h>
+ #include <linux/platform_device.h>
+ #include <linux/screen_info.h>
++#include <linux/security.h>
+
+ #include <asm/efi.h>
+
+@@ -257,6 +258,9 @@ void __init efi_init(void)
+ return;
+ }
+
++ efi_set_secure_boot(params.secure_boot);
++ init_lockdown();
++
+ reserve_regions();
+ efi_esrt_init();
+
+Index: linux/drivers/firmware/efi/efi.c
+===================================================================
+--- linux.orig/drivers/firmware/efi/efi.c
++++ linux/drivers/firmware/efi/efi.c
+@@ -660,7 +660,8 @@ static __initdata struct params fdt_para
+ UEFI_PARAM("MemMap Address", "linux,uefi-mmap-start", mmap),
+ UEFI_PARAM("MemMap Size", "linux,uefi-mmap-size", mmap_size),
+ UEFI_PARAM("MemMap Desc. Size", "linux,uefi-mmap-desc-size", desc_size),
+- UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver)
++ UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver),
++ UEFI_PARAM("Secure Boot Enabled", "linux,uefi-secure-boot", secure_boot)
+ };
+
+ static __initdata struct params xen_fdt_params[] = {
+Index: linux/drivers/firmware/efi/libstub/fdt.c
+===================================================================
+--- linux.orig/drivers/firmware/efi/libstub/fdt.c
++++ linux/drivers/firmware/efi/libstub/fdt.c
+@@ -159,6 +159,12 @@ static efi_status_t update_fdt(efi_syste
+ }
+ }
+
++ fdt_val32 = cpu_to_fdt32(efi_get_secureboot(sys_table));
++ status = fdt_setprop(fdt, node, "linux,uefi-secure-boot",
++ &fdt_val32, sizeof(fdt_val32));
++ if (status)
++ goto fdt_set_fail;
++
+ /* shrink the FDT back to its minimum size */
+ fdt_pack(fdt);
+
+Index: linux/include/linux/efi.h
+===================================================================
+--- linux.orig/include/linux/efi.h
++++ linux/include/linux/efi.h
+@@ -786,6 +786,7 @@ struct efi_fdt_params {
+ u32 mmap_size;
+ u32 desc_size;
+ u32 desc_ver;
++ u32 secure_boot;
+ };
+
+ typedef struct {