From 58846dd186a67d7e33439e61d41bb477e087a606 Mon Sep 17 00:00:00 2001
From: Lee, Chun-Yi
Date: Feb 23 2023 03:31:08 +0000
Subject: efi: Lock down the kernel if booted in secure boot mode (jsc#SLE-9870, bsc#1198101).

- Update config files.
- The shim for openSUSE Tumbleweed needs to be reviewed by upstream and signed by Microsoft. So we need to lockdown kernel on x86_64 and arm64 because EFI secure boot.
- We disable CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT in other architectures.

---
diff --git a/config/arm64/default b/config/arm64/default
index 71659f3..8aafee6 100644
--- a/config/arm64/default
+++ b/config/arm64/default
@@ -12194,6 +12194,7 @@ CONFIG_SECURITY_YAMA=y
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
 CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
diff --git a/config/armv6hl/default b/config/armv6hl/default
index d6936a3..4490e1a 100644
--- a/config/armv6hl/default
+++ b/config/armv6hl/default
@@ -8371,6 +8371,7 @@ CONFIG_SECURITY_YAMA=y
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
 CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
diff --git a/config/armv7hl/default b/config/armv7hl/default
index af50cd0..afab7be 100644
--- a/config/armv7hl/default
+++ b/config/armv7hl/default
@@ -11765,6 +11765,7 @@ CONFIG_SECURITY_YAMA=y
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
 CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
diff --git a/config/riscv64/default b/config/riscv64/default
index 7a2f8f6..e990e08 100644
--- a/config/riscv64/default
+++ b/config/riscv64/default
@@ -9201,6 +9201,7 @@ CONFIG_SECURITY_YAMA=y
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
 CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
diff --git a/config/x86_64/default b/config/x86_64/default
index 072210d..a81e993 100644
--- a/config/x86_64/default
+++ b/config/x86_64/default
@@ -10280,6 +10280,7 @@ CONFIG_SECURITY_YAMA=y
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
 CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
diff --git a/patches.suse/0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mode.patch b/patches.suse/0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mode.patch
new file mode 100644
index 0000000..7c9a7ef
--- /dev/null
+++ b/patches.suse/0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mode.patch
@@ -0,0 +1,67 @@
+From 15368f76d4997912318d35c52bfeb9041d85098e Mon Sep 17 00:00:00 2001
+From: David Howells
+Date: Mon, 30 Sep 2019 21:28:16 +0000
+Subject: [PATCH 3/3] efi: Lock down the kernel if booted in secure boot mode
+Patch-mainline: Never, Fedora Core 32
+References: jsc#SLE-9870
+
+UEFI Secure Boot provides a mechanism for ensuring that the firmware
+will only load signed bootloaders and kernels. Certain use cases may
+also require that all kernel modules also be signed. Add a
+configuration option that to lock down the kernel - which includes
+requiring validly signed modules - if the kernel is secure-booted.
+
+Signed-off-by: David Howells
+Signed-off-by: Jeremy Cline
+Acked-by: Lee, Chun-Yi
+---
+ arch/x86/kernel/setup.c | 8 ++++++++
+ security/lockdown/Kconfig | 13 +++++++++++++
+ 2 files changed, 21 insertions(+)
+
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -25,6 +25,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+
+@@ -1036,6 +1037,13 @@ void __init setup_arch(char **cmdline_p)
+ if (efi_enabled(EFI_BOOT))
+ efi_init();
+
++ efi_set_secure_boot(boot_params.secure_boot);
++
++#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
++ if (efi_enabled(EFI_SECURE_BOOT))
++ security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_CONFIDENTIALITY_MAX);
++#endif
++
+ dmi_setup();
+
+ /*
+--- a/security/lockdown/Kconfig
++++ b/security/lockdown/Kconfig
+@@ -16,6 +16,19 @@ config SECURITY_LOCKDOWN_LSM_EARLY
+ subsystem is fully initialised. If enabled, lockdown will
+ unconditionally be called before any other LSMs.
+
++config LOCK_DOWN_IN_EFI_SECURE_BOOT
++ bool "Lock down the kernel in EFI Secure Boot mode"
++ default n
++ depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY
++ help
++ UEFI Secure Boot provides a mechanism for ensuring that the firmware
++ will only load signed bootloaders and kernels. Secure boot mode may
++ be determined from EFI variables provided by the system firmware if
++ not indicated by the boot parameters.
++
++ Enabling this option results in kernel lockdown being triggered if
++ EFI Secure Boot is set.
++
+ choice
+ prompt "Kernel default lockdown mode"
+ default LOCK_DOWN_KERNEL_FORCE_NONE
diff --git a/series.conf b/series.conf
index 7e7329f..d5ed178 100644
--- a/series.conf
+++ b/series.conf
@@ -151,6 +151,7 @@
 # Lock down functions for secure boot
 patches.suse/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-down.patch
 patches.suse/0002-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-boot-mode.patch
+ patches.suse/0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mode.patch
 # crypto
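Review bot: The lockdown call added in the nested setup.c hunk is x86-only (the diffstat lists only arch/x86/kernel/setup.c and security/lockdown/Kconfig), yet config/arm64/default in this same commit sets CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y and the log says the kernel is locked down on arm64 as well; unless patch 0002 or another hook in the series (not visible here) calls `security_lock_kernel_down()` on the arm64 EFI path, the arm64 option is a no-op and an arm64 Secure Boot system boots with the kernel unlocked. Please either add the equivalent call where arm64 learns its secure-boot state or state in the commit log where that already happens. Separately, the Kconfig help only says lockdown is "triggered" while the code selects the strictest level, `LOCKDOWN_CONFIDENTIALITY_MAX`, which as I understand the lockdown LSM also refuses reads of kernel memory (/proc/kcore, kernel-side perf/BPF access) rather than only blocking unsigned code and runtime modification; name the level in the help text, e.g. `Enabling this option results in kernel lockdown at the confidentiality level (LOCKDOWN_CONFIDENTIALITY_MAX) being triggered if EFI Secure Boot is set.`, so administrators know which observability tooling stops working under Secure Boot. The enclosing setup_arch() begins and ends outside this hunk.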