From 15368f76d4997912318d35c52bfeb9041d85098e Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Mon, 30 Sep 2019 21:28:16 +0000
Subject: [PATCH 3/3] efi: Lock down the kernel if booted in secure boot mode
Patch-mainline: Never, Fedora Core 32
References: jsc#SLE-9870
|
UEFI Secure Boot provides a mechanism for ensuring that the firmware
will only load signed bootloaders and kernels. Certain use cases may
also require that all kernel modules also be signed. Add a
configuration option to lock down the kernel - which includes
requiring validly signed modules - if the kernel is secure-booted.
|
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Jeremy Cline <jcline@redhat.com>
Acked-by: Lee, Chun-Yi <jlee@suse.com>
---
arch/x86/kernel/setup.c | 8 ++++++++
security/lockdown/Kconfig | 13 +++++++++++++
2 files changed, 21 insertions(+)
|
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -25,6 +25,7 @@
#include <linux/static_call.h>
#include <linux/swiotlb.h>
#include <linux/random.h>
+#include <linux/security.h>
|
#include <uapi/linux/mount.h>
|
@@ -1036,6 +1037,13 @@ void __init setup_arch(char **cmdline_p)
if (efi_enabled(EFI_BOOT))
efi_init();
|
+ efi_set_secure_boot(boot_params.secure_boot);
+
+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
+ if (efi_enabled(EFI_SECURE_BOOT))
+ security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_CONFIDENTIALITY_MAX);
+#endif
+
dmi_setup();
|
/*
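Review bot: The level requested on the security_lock_kernel_down() line is LOCKDOWN_CONFIDENTIALITY_MAX, while the commit message only motivates integrity protection (signed modules, keeping the boot chain trustworthy); confidentiality is the strictest lockdown level and, as far as I recall, additionally denies kernel-memory reads such as /proc/kcore, perf and bpf, which is a much larger operational change than the description announces. If integrity is the intent, `security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);` matches the text; if confidentiality is deliberate, the commit message should say so and why. Separately, efi_set_secure_boot(boot_params.secure_boot) runs unconditionally, ahead of any efi_enabled(EFI_BOOT) test, so that helper (not part of this patch) presumably has to handle a non-EFI boot and an unset secure_boot field itself; a one-line comment such as `/* Secure-boot state as reported by the EFI stub; see efi_set_secure_boot() for the unset/non-EFI case */` would make that dependency on the earlier patches in the series explicit. setup_arch() continues outside this hunk.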
--- a/security/lockdown/Kconfig
+++ b/security/lockdown/Kconfig
@@ -16,6 +16,19 @@ config SECURITY_LOCKDOWN_LSM_EARLY
subsystem is fully initialised. If enabled, lockdown will
unconditionally be called before any other LSMs.
|
+config LOCK_DOWN_IN_EFI_SECURE_BOOT
+ bool "Lock down the kernel in EFI Secure Boot mode"
+ default n
+ depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY
+ help
+ UEFI Secure Boot provides a mechanism for ensuring that the firmware
+ will only load signed bootloaders and kernels. Secure boot mode may
+ be determined from EFI variables provided by the system firmware if
+ not indicated by the boot parameters.
+
+ Enabling this option results in kernel lockdown being triggered if
+ EFI Secure Boot is set.
+
choice
prompt "Kernel default lockdown mode"
default LOCK_DOWN_KERNEL_FORCE_NONE
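Review bot: The help text says lockdown is "triggered" without naming the level, and the commit message's promise of "validly signed modules" only holds when CONFIG_MODULE_SIG is also enabled — as far as I recall the LOCKDOWN_MODULE_SIGNATURE check is reached from module_sig_check(), which is an empty stub without MODULE_SIG, so this option on its own does not reject unsigned modules. Either add the dependency, `depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY && MODULE_SIG`, or state in the help text that module signature enforcement additionally requires MODULE_SIG so the kconfig does not over-promise. The help text should also name the mode the setup.c hunk selects, e.g. `Enabling this option results in kernel lockdown (confidentiality mode) being triggered if EFI Secure Boot is set.`, since confidentiality is considerably more restrictive than integrity. The `default n` line is redundant for a bool and is normally dropped in kernel Kconfig.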