From: Chester Lin <clin@suse.com>
Date: Thu, 11 Mar 2021 09:28:30 +0800
Subject: [PATCH] s390: lock down kernel in secure boot mode
Patch-mainline: never, only for SLE
References: bsc#1183746 jsc#SLE-7741

Lock down the kernel when IPL secure boot is enabled.

Signed-off-by: Chester Lin <clin@suse.com>
---
 arch/s390/kernel/setup.c  |    6 ++++++
 security/lockdown/Kconfig |    2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

--- a/arch/s390/kernel/setup.c
+++ b/arch/s390/kernel/setup.c
@@ -49,6 +49,7 @@
 #include <linux/memory.h>
 #include <linux/compat.h>
 #include <linux/start_kernel.h>
+#include <linux/security.h>
 
 #include <asm/boot_data.h>
 #include <asm/ipl.h>
@@ -1207,4 +1208,9 @@ void __init setup_arch(char **cmdline_p)
 
 	/* Add system specific data to the random pool */
 	setup_randomness();
+
+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
+	if (ipl_secure_flag)
+		security_lock_kernel_down("IPL Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);
+#endif
 }
--- a/security/lockdown/Kconfig
+++ b/security/lockdown/Kconfig
@@ -19,7 +19,7 @@ config SECURITY_LOCKDOWN_LSM_EARLY
 config LOCK_DOWN_IN_EFI_SECURE_BOOT
 	bool "Lock down the kernel in EFI Secure Boot mode"
 	default n
-	depends on (EFI || PPC) && SECURITY_LOCKDOWN_LSM_EARLY
+	depends on (EFI || PPC || S390) && SECURITY_LOCKDOWN_LSM_EARLY
 	help
 	  UEFI Secure Boot provides a mechanism for ensuring that the firmware
 	  will only load signed bootloaders and kernels.  Secure boot mode may