From: Chester Lin <clin@suse.com>
Date: Fri, 20 Nov 2020 14:08:38 +0800
Subject: arm64: lock down kernel in secure boot mode
References: jsc#SLE-15020
Patch-mainline: never, only for SLE
|
This kernel lockdown feature on ARM64 depends on IMA and EFI to query
secure boot mode. Because aarch64 initializes the EFI subsystem late,
the lockdown check must be put off until the EFI subsystem has been
initialized.
|
Signed-off-by: Chester Lin <clin@suse.com>
---
drivers/firmware/efi/secureboot.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
|
--- a/drivers/firmware/efi/secureboot.c
+++ b/drivers/firmware/efi/secureboot.c
@@ -14,6 +14,8 @@
#include <linux/efi.h>
#include <linux/kernel.h>
#include <linux/printk.h>
+#include <linux/init.h>
+#include <linux/ima.h>
|
/*
* Decide what to do when UEFI secure boot mode is enabled.
@@ -36,3 +38,19 @@ void __init efi_set_secure_boot(enum efi
}
}
}
+
+#if defined(CONFIG_ARM64) && defined(CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT)
+/*
+ * The arm64_kernel_lockdown() must run after efisubsys_init() because the
+ * the secure boot mode query relies on efi_rts_wq to call EFI_GET_VARIABLE.
+ */
+static int __init arm64_kernel_lockdown(void)
+{
+ if (arch_ima_get_secureboot())
+ security_lock_kernel_down("EFI Secure Boot mode",
+ LOCKDOWN_INTEGRITY_MAX);
+ return 0;
+}
+
+subsys_initcall(arm64_kernel_lockdown);
+#endif
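Review bot: The "must run after efisubsys_init()" requirement stated in the new comment is not enforced by `subsys_initcall(arm64_kernel_lockdown)`: efisubsys_init() is, as far as I can tell, registered at the same initcall level, so the two are ordered only by link order within that level rather than by the API. If the query in `arch_ima_get_secureboot()` cannot reach EFI_GET_VARIABLE it presumably reports "not Secure Boot", and the kernel then stays unlocked on a Secure Boot machine with no diagnostic, so the function should at least refuse to decide and log when runtime services are not available, as in the rewrite below. The comment also has a doubled word, `* the secure boot mode query relies on efi_rts_wq to call EFI_GET_VARIABLE.` should replace the `the the` line. The hunk adds `<linux/ima.h>` for arch_ima_get_secureboot(), but security_lock_kernel_down() and LOCKDOWN_INTEGRITY_MAX come from `<linux/security.h>`, which the visible context does not show being included; worth confirming the file already pulls it in.
```c
static int __init arm64_kernel_lockdown(void)
{
	/* Without runtime services the Secure Boot state cannot be read; say so rather than silently staying unlocked. */
	if (!efi_enabled(EFI_RUNTIME_SERVICES)) {
		pr_warn("Cannot determine EFI Secure Boot state: runtime services unavailable\n");
		return 0;
	}
	if (arch_ima_get_secureboot())
		security_lock_kernel_down("EFI Secure Boot mode",
					  LOCKDOWN_INTEGRITY_MAX);
	return 0;
}
```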