diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index aebba6163353..6b46f55220e0 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -906,7 +906,7 @@ void __init setup_arch(char **cmdline_p)
 efi_set_secure_boot(boot_params.secure_boot);
-#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
+#ifdef CONFIG_LOCK_DOWN_IN_SECURE_BOOT
 if (efi_enabled(EFI_SECURE_BOOT))
 security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);
 #endif
diff --git a/drivers/firmware/efi/efi-init.c b/drivers/firmware/efi/efi-init.c
index 2f05aab95640..7ee342a73e23 100644
--- a/drivers/firmware/efi/efi-init.c
+++ b/drivers/firmware/efi/efi-init.c
@@ -240,7 +240,7 @@ void __init efi_init(void)
 efi_set_secure_boot(efi_get__secure_boot());
-#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
+#ifdef CONFIG_LOCK_DOWN_IN_SECURE_BOOT
 if (efi_enabled(EFI_SECURE_BOOT))
 security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);
 #endif
diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
index d0501353a4b9..e508c99a6607 100644
--- a/security/lockdown/Kconfig
+++ b/security/lockdown/Kconfig
@@ -16,18 +16,18 @@ config SECURITY_LOCKDOWN_LSM_EARLY
 subsystem is fully initialised. If enabled, lockdown will unconditionally be called before any other LSMs.
-config LOCK_DOWN_IN_EFI_SECURE_BOOT
- bool "Lock down the kernel in EFI Secure Boot mode"
+config LOCK_DOWN_IN_SECURE_BOOT
+ bool "Lock down the kernel in Secure Boot mode"
 default n
- depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY
+ depends on (EFI || S390) && SECURITY_LOCKDOWN_LSM_EARLY
 help
- UEFI Secure Boot provides a mechanism for ensuring that the firmware
- will only load signed bootloaders and kernels. Secure boot mode may
- be determined from EFI variables provided by the system firmware if
- not indicated by the boot parameters.
+ Secure Boot provides a mechanism for ensuring that the firmware will
+ only load signed bootloaders and kernels. Secure boot mode
+ determination is platform-specific; examples include EFI secure boot
+ and SIPL on s390.
 Enabling this option results in kernel lockdown being triggered if
- EFI Secure Boot is set.
+ booted under secure boot.
 choice
 prompt "Kernel default lockdown mode"
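Review bot: Renaming the symbol in this Kconfig hunk means a `.config` or packaging config fragment that still carries `CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y` no longer matches any symbol, so `LOCK_DOWN_IN_SECURE_BOOT` takes its `default n` on `make olddefconfig` and the kernel boots under Secure Boot without lockdown, with no build-time error. Configs that set the old name should be switched in the same change, and the help text could carry a pointer for people searching for the old option, e.g. `This option was previously named LOCK_DOWN_IN_EFI_SECURE_BOOT.` Separately, `depends on (EFI || S390)` makes the option selectable on s390, but the two call sites visible in this diff (setup_arch() and efi_init()) are both EFI paths and still pass the reason string "EFI Secure Boot mode". Unless an s390 IPL hook that calls security_lock_kernel_down() is added elsewhere in the series, enabling the option there would presumably have no effect while looking enabled in the config, so that is worth confirming before merge.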