UBUNTU: SAUCE: (lockdown) efi: Lock down the kernel if booted in secure boot mode

UEFI Secure Boot provides a mechanism for ensuring that the firmware
will only load signed bootloaders and kernels.  Certain use cases may
also require that all kernel modules also be signed.  Add a
configuration option to lock down the kernel - which includes
requiring validly signed modules - if the kernel is secure-booted.

Upstream Status: RHEL only
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Jeremy Cline <jcline@redhat.com>
(cherry picked from commit 5850c93175b9d2e1081873f4bbe08dead202cb08
from https://gitlab.com/cki-project/kernel-ark)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
[ arighi: context adjustment in arch/x86/kernel/setup.c ]
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
David Howells
2019-09-30 21:28:16 +00:00
committed by Paolo Pisati
parent fc077423b8
commit 1fbcfa2e26
2 changed files with 22 additions and 0 deletions
+9
@@ -21,6 +21,7 @@
#include <linux/root_dev.h>
#include <linux/hugetlb.h>
#include <linux/tboot.h>
#include <linux/security.h>
#include <linux/usb/xhci-dbgp.h>
#include <linux/static_call.h>
#include <linux/swiotlb.h>
@@ -902,6 +903,14 @@ void __init setup_arch(char **cmdline_p)
efi_init();
reserve_ibft_region();
efi_set_secure_boot(boot_params.secure_boot);
#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
if (efi_enabled(EFI_SECURE_BOOT))
security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);
#endif
dmi_setup();
/*
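Review bot: The result of security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX) in setup_arch() is discarded and nothing is logged at this call site. If the call can fail, a pr_warn on the failure path would make a secure-booted kernel that did not lock down visible in the boot log. The efi_enabled(EFI_SECURE_BOOT) test also depends on efi_set_secure_boot(boot_params.secure_boot) having run on the line just above it; a one-line comment stating that ordering requirement would help, since the commit message notes this context has already needed adjustment once.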
+13
@@ -16,6 +16,19 @@ config SECURITY_LOCKDOWN_LSM_EARLY
subsystem is fully initialised. If enabled, lockdown will
unconditionally be called before any other LSMs.
config LOCK_DOWN_IN_EFI_SECURE_BOOT
bool "Lock down the kernel in EFI Secure Boot mode"
default n
depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY
help
UEFI Secure Boot provides a mechanism for ensuring that the firmware
will only load signed bootloaders and kernels. Secure boot mode may
be determined from EFI variables provided by the system firmware if
not indicated by the boot parameters.
Enabling this option results in kernel lockdown being triggered if
EFI Secure Boot is set.
choice
prompt "Kernel default lockdown mode"
default LOCK_DOWN_KERNEL_FORCE_NONE
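Review bot: The help text for LOCK_DOWN_IN_EFI_SECURE_BOOT says lockdown is "triggered" but does not say at which level. The call site passes LOCKDOWN_INTEGRITY_MAX, and the commit message says this includes requiring validly signed modules. Both facts belong in the help text so that someone enabling the option knows unsigned modules will stop loading under Secure Boot. It is also worth noting there how this interacts with the "Kernel default lockdown mode" choice that follows, whose default here is LOCK_DOWN_KERNEL_FORCE_NONE.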