From: Chester Lin <clin@suse.com>

Date: Fri, 20 Nov 2020 14:08:38 +0800

Subject: arm64: lock down kernel in secure boot mode

References: jsc#SLE-15020

Patch-mainline: never, only for SLE

This kernel lockdown feature on ARM64 depends on IMA and EFI to query

secure boot mode. Because aarch64 initiates the EFI subsystem late so

the lockdown check must be put off until the EFI subsystem has been

initialized.

Signed-off-by: Chester Lin <clin@suse.com>

---

 drivers/firmware/efi/secureboot.c |   18 ++++++++++++++++++

 1 file changed, 18 insertions(+)

--- a/drivers/firmware/efi/secureboot.c

+++ b/drivers/firmware/efi/secureboot.c

@@ -14,6 +14,8 @@

 #include <linux/efi.h>

 #include <linux/kernel.h>

 #include <linux/printk.h>

+#include <linux/init.h>

+#include <linux/ima.h>

 /*

  * Decide what to do when UEFI secure boot mode is enabled.

@@ -36,3 +38,19 @@ void __init efi_set_secure_boot(enum efi

 		}

 	}

 }

+

+#if defined(CONFIG_ARM64) && defined(CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT)

+/*

+ * The arm64_kernel_lockdown() must run after efisubsys_init() because the

+ * the secure boot mode query relies on efi_rts_wq to call EFI_GET_VARIABLE.

+ */

+static int __init arm64_kernel_lockdown(void)

+{

+	if (arch_ima_get_secureboot())

+		security_lock_kernel_down("EFI Secure Boot mode",

+					LOCKDOWN_INTEGRITY_MAX);

+	return 0;

+}

+

+subsys_initcall(arm64_kernel_lockdown);

+#endif