UBUNTU: SAUCE: (lockdown) security: lockdown: Make CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT more generic

s390 supports secure boot which is not based on EFI. Change the
config option to be more generic, and allow it to be enabled on
s390.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
(cherry picked from commit dd9548a9eb3f2a34ee7c60abce157f8e2868e7c7)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Seth Forshee
2019-10-10 11:19:32 -05:00
committed by Paolo Pisati
parent 9ee8c089e1
commit f3f0fc193f
3 changed files with 10 additions and 10 deletions
+1 -1
@@ -906,7 +906,7 @@ void __init setup_arch(char **cmdline_p)
efi_set_secure_boot(boot_params.secure_boot);
#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
#ifdef CONFIG_LOCK_DOWN_IN_SECURE_BOOT
if (efi_enabled(EFI_SECURE_BOOT))
security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);
#endif
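Review bot: The renamed guard around the efi_enabled(EFI_SECURE_BOOT) check in setup_arch() compiles the lockdown call out without any warning for a config that still sets only CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y, because the new symbol in the Kconfig hunk is "default n" and the old name no longer exists. Please update the configs that enable the old symbol in the same series and mention the rename in the commit message, so that a stale config does not quietly produce a kernel that skips lockdown under Secure Boot.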
+1 -1
@@ -240,7 +240,7 @@ void __init efi_init(void)
efi_set_secure_boot(efi_get__secure_boot());
#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
#ifdef CONFIG_LOCK_DOWN_IN_SECURE_BOOT
if (efi_enabled(EFI_SECURE_BOOT))
security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);
#endif
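Review bot: The three-line block after efi_set_secure_boot() in efi_init() is identical to the one in setup_arch(), including the "EFI Secure Boot mode" reason string and LOCKDOWN_INTEGRITY_MAX, and both copies had to be touched for this rename. Consider moving the guarded check into one shared helper so the two callers cannot drift apart at the next change.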
+8 -8
@@ -16,18 +16,18 @@ config SECURITY_LOCKDOWN_LSM_EARLY
subsystem is fully initialised. If enabled, lockdown will
unconditionally be called before any other LSMs.
config LOCK_DOWN_IN_EFI_SECURE_BOOT
bool "Lock down the kernel in EFI Secure Boot mode"
config LOCK_DOWN_IN_SECURE_BOOT
bool "Lock down the kernel in Secure Boot mode"
default n
depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY
depends on (EFI || S390) && SECURITY_LOCKDOWN_LSM_EARLY
help
UEFI Secure Boot provides a mechanism for ensuring that the firmware
will only load signed bootloaders and kernels. Secure boot mode may
be determined from EFI variables provided by the system firmware if
not indicated by the boot parameters.
Secure Boot provides a mechanism for ensuring that the firmware will
only load signed bootloaders and kernels. Secure boot mode
determination is platform-specific; examples include EFI secure boot
and SIPL on s390.
Enabling this option results in kernel lockdown being triggered if
EFI Secure Boot is set.
booted under secure boot.
choice
prompt "Kernel default lockdown mode"
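Review bot: "depends on (EFI || S390)" makes the option selectable on s390, but the other two files in this commit only change callers gated on efi_enabled(EFI_SECURE_BOOT), so nothing visible here calls security_lock_kernel_down() for an s390 secure boot. The help text now promises lockdown "if booted under secure boot"; either add the s390 call site in this patch or state in the commit message which patch in the series provides it.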