From 63434b81b962e6b5fde7cfd7ee54ebae93aad5c2 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Thu, 2 Apr 2020 16:16:32 +1100
Subject: [PATCH] powerpc: lock down kernel in secure boot mode
References: bsc#1176918 ltc#186474 jsc#SLE-13644
Patch-mainline: never, lockdown patches are not accepted
PowerNV has recently gained Secure Boot support. If it's enabled through
the firmware and bootloader stack, then lock down the kernel.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Acked-by: Michal Suchanek <msuchanek@suse.de>
---
arch/powerpc/kernel/setup-common.c | 12 ++++++++++++
security/lockdown/Kconfig | 2 +-
2 files changed, 13 insertions(+), 1 deletion(-)
--- a/arch/powerpc/kernel/setup-common.c
+++ b/arch/powerpc/kernel/setup-common.c
@@ -33,6 +33,7 @@
#include <linux/of_platform.h>
#include <linux/hugetlb.h>
#include <linux/pgtable.h>
+#include <linux/security.h>
#include <asm/debugfs.h>
#include <asm/io.h>
#include <asm/paca.h>
@@ -66,6 +67,7 @@
#include <asm/cpu_has_feature.h>
#include <asm/kasan.h>
#include <asm/mce.h>
+#include <asm/secure_boot.h>
#include "setup.h"
@@ -865,6 +867,16 @@ void __init setup_arch(char **cmdline_p)
*/
initialize_cache_info();
+ /*
+ * Lock down the kernel if booted in secure mode. This is required to
+ * maintain kernel integrity.
+ */
+ if (IS_ENABLED(CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT)) {
+ if (is_ppc_secureboot_enabled())
+ security_lock_kernel_down("Power Secure Boot mode",
+ LOCKDOWN_INTEGRITY_MAX);
+ }
+
/* Initialize RTAS if available. */
rtas_initialize();
--- a/security/lockdown/Kconfig
+++ b/security/lockdown/Kconfig
@@ -19,7 +19,7 @@ config SECURITY_LOCKDOWN_LSM_EARLY
config LOCK_DOWN_IN_EFI_SECURE_BOOT
bool "Lock down the kernel in EFI Secure Boot mode"
default n
- depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY
+ depends on (EFI || PPC) && SECURITY_LOCKDOWN_LSM_EARLY
help
UEFI Secure Boot provides a mechanism for ensuring that the firmware
will only load signed bootloaders and kernels. Secure boot mode may