diff --git a/patches.suse/arm64-lock-down-kernel-in-secure-boot-mode.patch b/patches.suse/arm64-lock-down-kernel-in-secure-boot-mode.patch new file mode 100644 index 0000000..645dc26 --- /dev/null +++ b/patches.suse/arm64-lock-down-kernel-in-secure-boot-mode.patch @@ -0,0 +1,47 @@ +From: Chester Lin +Date: Fri, 20 Nov 2020 14:08:38 +0800 +Subject: arm64: lock down kernel in secure boot mode +References: jsc#SLE-15020 +Patch-mainline: never, only for SLE + +This kernel lockdown feature on ARM64 depends on IMA and EFI to query +secure boot mode. Because aarch64 initiates the EFI subsystem late so +the lockdown check must be put off until the EFI subsystem has been +initialized. + +Signed-off-by: Chester Lin +--- + drivers/firmware/efi/secureboot.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/drivers/firmware/efi/secureboot.c ++++ b/drivers/firmware/efi/secureboot.c +@@ -14,6 +14,8 @@ + #include + #include + #include ++#include ++#include + + /* + * Decide what to do when UEFI secure boot mode is enabled. +@@ -36,3 +38,19 @@ void __init efi_set_secure_boot(enum efi + } + } + } ++ ++#if defined(CONFIG_ARM64) && defined(CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT) ++/* ++ * The arm64_kernel_lockdown() must run after efisubsys_init() because the ++ * the secure boot mode query relies on efi_rts_wq to call EFI_GET_VARIABLE. ++ */ ++static int __init arm64_kernel_lockdown(void) ++{ ++ if (arch_ima_get_secureboot()) ++ security_lock_kernel_down("EFI Secure Boot mode", ++ LOCKDOWN_INTEGRITY_MAX); ++ return 0; ++} ++ ++subsys_initcall(arm64_kernel_lockdown); ++#endif diff --git a/series.conf b/series.conf index 976790b..1c4964b 100644 --- a/series.conf +++ b/series.conf @@ -153,6 +153,7 @@ patches.suse/0002-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-boot-mode.patch patches.suse/0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mode.patch patches.suse/0004-efi-Lock-down-the-kernel-at-the-integrity-level-if-b.patch + patches.suse/arm64-lock-down-kernel-in-secure-boot-mode.patch # crypto