UBUNTU: SAUCE: (lockdown) s390: Lock down the kernel when the IPL secure flag is set

Automatically lock down the kernel to LOCKDOWN_CONFIDENTIALITY_MAX if
the IPL secure flag is set.

Upstream Status: RHEL only
Suggested-by: Philipp Rudo <prudo@redhat.com>
Signed-off-by: Jeremy Cline <jcline@redhat.com>
(cherry picked from commit 2384646bf71d8c282cf49bb20321fdf802c61cce
https://gitlab.com/cki-project/kernel-ark)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>

arch/s390/include/asm/ipl.h

@@ -139,6 +139,7 @@ int ipl_report_add_component(struct ipl_report *report, struct kexec_buf *kbuf,
 			     unsigned char flags, unsigned short cert);
 int ipl_report_add_certificate(struct ipl_report *report, void *key,
 			       unsigned long addr, unsigned long len);
+bool ipl_get_secureboot(void);
 
 /*
  * DIAG 308 support

arch/s390/kernel/ipl.c

@@ -2520,3 +2520,8 @@ int ipl_report_free(struct ipl_report *report)
 }
 
 #endif
+
+bool ipl_get_secureboot(void)
+{
+	return !!ipl_secure_flag;
+}

arch/s390/kernel/setup.c

@@ -51,6 +51,7 @@
 #include <linux/start_kernel.h>
 #include <linux/hugetlb.h>
 #include <linux/kmemleak.h>
+#include <linux/security.h>
 
 #include <asm/archrandom.h>
 #include <asm/boot_data.h>
@@ -891,6 +892,9 @@ void __init setup_arch(char **cmdline_p)
 
 	log_component_list();
 
+	if (ipl_get_secureboot())
+		security_lock_kernel_down("Secure IPL mode", LOCKDOWN_INTEGRITY_MAX);
+
 	/* Have one command line that is parsed and saved in /proc/cmdline */
 	/* boot_command_line has been already set up in early.c */
 	*cmdline_p = boot_command_line;