From: Chester Lin <clin@suse.com>
Date: Thu, 11 Mar 2021 09:28:30 +0800
Subject: [PATCH] s390: lock down kernel in secure boot mode
Patch-mainline: never, only for SLE
References: bsc#1183746 jsc#SLE-7741
Lock down the kernel when IPL secure boot is enabled.
Signed-off-by: Chester Lin <clin@suse.com>
---
arch/s390/kernel/setup.c | 6 ++++++
security/lockdown/Kconfig | 2 +-
2 files changed, 7 insertions(+), 1 deletion(-)
--- a/arch/s390/kernel/setup.c
+++ b/arch/s390/kernel/setup.c
@@ -51,6 +51,7 @@
#include <linux/start_kernel.h>
#include <linux/hugetlb.h>
#include <linux/kmemleak.h>
+#include <linux/security.h>
#include <asm/boot_data.h>
#include <asm/ipl.h>
@@ -1121,4 +1122,9 @@ void __init setup_arch(char **cmdline_p)
/* Add system specific data to the random pool */
setup_randomness();
+
+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
+ if (ipl_secure_flag)
+ security_lock_kernel_down("IPL Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);
+#endif
}
--- a/security/lockdown/Kconfig
+++ b/security/lockdown/Kconfig
@@ -19,7 +19,7 @@ config SECURITY_LOCKDOWN_LSM_EARLY
config LOCK_DOWN_IN_EFI_SECURE_BOOT
bool "Lock down the kernel in EFI Secure Boot mode"
default n
- depends on (EFI || PPC) && SECURITY_LOCKDOWN_LSM_EARLY
+ depends on (EFI || PPC || S390) && SECURITY_LOCKDOWN_LSM_EARLY
help
UEFI Secure Boot provides a mechanism for ensuring that the firmware
will only load signed bootloaders and kernels. Secure boot mode may