From: Chester Lin <clin@suse.com>
Date: Fri, 20 Nov 2020 14:08:38 +0800
Subject: arm64: lock down kernel in secure boot mode
References: jsc#SLE-15020
Patch-mainline: never, only for SLE

This kernel lockdown feature on ARM64 depends on IMA and EFI to query
secure boot mode. Because aarch64 initiates the EFI subsystem late so
the lockdown check must be put off until the EFI subsystem has been
initialized.

Signed-off-by: Chester Lin <clin@suse.com>
---
 drivers/firmware/efi/secureboot.c |   18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

--- a/drivers/firmware/efi/secureboot.c
+++ b/drivers/firmware/efi/secureboot.c
@@ -14,6 +14,8 @@
 #include <linux/efi.h>
 #include <linux/kernel.h>
 #include <linux/printk.h>
+#include <linux/init.h>
+#include <linux/ima.h>
 
 /*
  * Decide what to do when UEFI secure boot mode is enabled.
@@ -36,3 +38,19 @@ void __init efi_set_secure_boot(enum efi
 		}
 	}
 }
+
+#if defined(CONFIG_ARM64) && defined(CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT)
+/*
+ * The arm64_kernel_lockdown() must run after efisubsys_init() because the
+ * the secure boot mode query relies on efi_rts_wq to call EFI_GET_VARIABLE.
+ */
+static int __init arm64_kernel_lockdown(void)
+{
+	if (arch_ima_get_secureboot())
+		security_lock_kernel_down("EFI Secure Boot mode",
+					LOCKDOWN_INTEGRITY_MAX);
+	return 0;
+}
+
+subsys_initcall(arm64_kernel_lockdown);
+#endif