UBUNTU: SAUCE: (lockdown) arm64: Allow locking down the kernel under EFI secure boot

Add support to arm64 for the CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
option. When enabled the lockdown LSM will be enabled with
maximum confidentiality when booted under EFI secure boot.

Based on an earlier patch by Linn Crosetto.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>

[v2: ported to 5.7-rc1 and adapted to the new fdt parsing mechanism]
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
(cherry picked from commit fb9c9645d977e23e9b494ce008d31507d872ffef)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>

drivers/firmware/efi/efi-init.c

@@ -19,6 +19,7 @@
 #include <linux/of_fdt.h>
 #include <linux/platform_device.h>
 #include <linux/screen_info.h>
+#include <linux/security.h>
 
 #include <asm/efi.h>
 
@@ -237,6 +238,13 @@ void __init efi_init(void)
 		return;
 	}
 
+	efi_set_secure_boot(efi_get__secure_boot());
+
+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
+	if (efi_enabled(EFI_SECURE_BOOT))
+		security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);
+#endif
+
 	reserve_regions();
 	/*
 	 * For memblock manipulation, the cap should come after the memblock_add().

drivers/firmware/efi/fdtparams.c

@@ -16,16 +16,24 @@ enum {
 	MMSIZE,
 	DCSIZE,
 	DCVERS,
+	SCBOOT,
 
 	PARAMCOUNT
 };
 
+static u32 __secure_boot __initdata = efi_secureboot_mode_unset;
+u32 __init efi_get__secure_boot(void)
+{
+	return __secure_boot;
+}
+
 static __initconst const char name[][22] = {
 	[SYSTAB] = "System Table         ",
 	[MMBASE] = "MemMap Address       ",
 	[MMSIZE] = "MemMap Size          ",
 	[DCSIZE] = "MemMap Desc. Size    ",
 	[DCVERS] = "MemMap Desc. Version ",
+	[SCBOOT] = "Secure Boot Enabled  ",
 };
 
 static __initconst const struct {
@@ -53,6 +61,7 @@ static __initconst const struct {
 			[MMSIZE] = "linux,uefi-mmap-size",
 			[DCSIZE] = "linux,uefi-mmap-desc-size",
 			[DCVERS] = "linux,uefi-mmap-desc-ver",
+			[SCBOOT] = "linux,uefi-secure-boot",
 		}
 	}
 };
@@ -95,6 +104,7 @@ u64 __init efi_get_fdt_params(struct efi_memory_map_data *mm)
 		[MMSIZE] = { &mm->size,		sizeof(mm->size) },
 		[DCSIZE] = { &mm->desc_size,	sizeof(mm->desc_size) },
 		[DCVERS] = { &mm->desc_version,	sizeof(mm->desc_version) },
+		[SCBOOT] = { &__secure_boot,	sizeof(__secure_boot) },
 	};
 
 	BUILD_BUG_ON(ARRAY_SIZE(target) != ARRAY_SIZE(name));

drivers/firmware/efi/libstub/fdt.c

@@ -132,6 +132,12 @@ static efi_status_t update_fdt(void *orig_fdt, unsigned long orig_fdt_size,
 		}
 	}
 
+	fdt_val32 = cpu_to_fdt32(efi_get_secureboot());
+	status = fdt_setprop(fdt, node, "linux,uefi-secure-boot",
+			     &fdt_val32, sizeof(fdt_val32));
+	if (status)
+		goto fdt_set_fail;
+
 	/* Shrink the FDT back to its minimum size: */
 	fdt_pack(fdt);
 

include/linux/efi.h

@@ -876,6 +876,15 @@ enum efi_secureboot_mode {
 	efi_secureboot_mode_enabled,
 };
 
+#ifdef CONFIG_EFI_PARAMS_FROM_FDT
+u32 __init efi_get__secure_boot(void);
+#else
+static inline u32 efi_get__secure_boot(void)
+{
+	return efi_secureboot_mode_unset;
+};
+#endif
+
 #ifdef CONFIG_EFI
 /*
  * Test whether the above EFI_* bits are enabled.