From 15368f76d4997912318d35c52bfeb9041d85098e Mon Sep 17 00:00:00 2001

From: David Howells <dhowells@redhat.com>

Date: Mon, 30 Sep 2019 21:28:16 +0000

Subject: [PATCH 3/3] efi: Lock down the kernel if booted in secure boot mode

Patch-mainline: Never, Fedora Core 32

References: jsc#SLE-9870

UEFI Secure Boot provides a mechanism for ensuring that the firmware

will only load signed bootloaders and kernels.  Certain use cases may

also require that all kernel modules also be signed.  Add a

configuration option that to lock down the kernel - which includes

requiring validly signed modules - if the kernel is secure-booted.

Signed-off-by: David Howells <dhowells@redhat.com>

Signed-off-by: Jeremy Cline <jcline@redhat.com>

Acked-by: Lee, Chun-Yi <jlee@suse.com>

---

 arch/x86/kernel/setup.c   |    8 ++++++++

 security/lockdown/Kconfig |   13 +++++++++++++

 2 files changed, 21 insertions(+)

--- a/arch/x86/kernel/setup.c

+++ b/arch/x86/kernel/setup.c

@@ -25,6 +25,7 @@

 #include <linux/static_call.h>

 #include <linux/swiotlb.h>

 #include <linux/random.h>

+#include <linux/security.h>

 #include <uapi/linux/mount.h>

@@ -1036,6 +1037,13 @@ void __init setup_arch(char **cmdline_p)

 	if (efi_enabled(EFI_BOOT))

 		efi_init();

+	efi_set_secure_boot(boot_params.secure_boot);

+

+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT

+	if (efi_enabled(EFI_SECURE_BOOT))

+		security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_CONFIDENTIALITY_MAX);

+#endif

+

 	dmi_setup();

 	/*

--- a/security/lockdown/Kconfig

+++ b/security/lockdown/Kconfig

@@ -16,6 +16,19 @@ config SECURITY_LOCKDOWN_LSM_EARLY

 	  subsystem is fully initialised. If enabled, lockdown will

 	  unconditionally be called before any other LSMs.

+config LOCK_DOWN_IN_EFI_SECURE_BOOT

+	bool "Lock down the kernel in EFI Secure Boot mode"

+	default n

+	depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY

+	help

+	  UEFI Secure Boot provides a mechanism for ensuring that the firmware

+	  will only load signed bootloaders and kernels.  Secure boot mode may

+	  be determined from EFI variables provided by the system firmware if

+	  not indicated by the boot parameters.

+

+	  Enabling this option results in kernel lockdown being triggered if

+	  EFI Secure Boot is set.

+

 choice

 	prompt "Kernel default lockdown mode"

 	default LOCK_DOWN_KERNEL_FORCE_NONE