Blame patches.suse/0004-efi-Lock-down-the-kernel-at-the-integrity-level-if-b.patch
From a44d0b29e985f769540491f7f39b8ffe9ddc3768 Mon Sep 17 00:00:00 2001
From: "Lee, Chun-Yi" <jlee@suse.com>
Date: Tue, 26 Nov 2019 14:40:07 +0800
Subject: [PATCH] efi: Lock down the kernel at the integrity level if booted in
secure boot mode
Patch-mainline: Never, SUSE specific tweak
References: jsc#SLE-9870
The perf and bpf are restricted in confidentiality level, but those
functions are available on SLE. So we use integrity level here.
Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
---
arch/x86/kernel/setup.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index 303abf8..a94e2b0 100644
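--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1032,7 +1032,7 @@ void __init setup_arch(char **cmdline_p)
 
 #ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
 if (efi_enabled(EFI_SECURE_BOOT))
- security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_CONFIDENTIALITY_MAX);
+ security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);
 #endif
 
 dmi_setup();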
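Review bot: The new `security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);` call has no in-code comment recording why Secure Boot no longer implies the confidentiality level; that rationale exists only in the commit message. I would add a comment above the `if (efi_enabled(EFI_SECURE_BOOT))` line, such as `/* SUSE: integrity only; the confidentiality level would also block perf and bpf, which SLE keeps available. */`. At the integrity level, the checks that apply only at the confidentiality level are not enforced automatically on Secure Boot systems, so kernel-memory disclosure to a privileged user is outside what this lockdown covers. Deployments that need that protection have to raise the level themselves, for example with the lockdown LSM's `lockdown=confidentiality` boot parameter if this kernel provides it. The Kconfig help for `CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT` and the rest of `setup_arch` are outside this hunk; if the help text still describes a confidentiality lockdown, it should be updated to match.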
--
2.16.4