aboutsummaryrefslogtreecommitdiff
path: root/SOURCES/0001-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
diff options
context:
space:
mode:
Diffstat (limited to 'SOURCES/0001-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch')
-rw-r--r--SOURCES/0001-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch72
1 files changed, 0 insertions, 72 deletions
diff --git a/SOURCES/0001-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/SOURCES/0001-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
deleted file mode 100644
index 0a3099d..0000000
--- a/SOURCES/0001-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 30 Sep 2019 21:28:16 +0000
-Subject: [PATCH] efi: Lock down the kernel if booted in secure boot mode
-
-UEFI Secure Boot provides a mechanism for ensuring that the firmware
-will only load signed bootloaders and kernels. Certain use cases may
-also require that all kernel modules also be signed. Add a
-configuration option that to lock down the kernel - which includes
-requiring validly signed modules - if the kernel is secure-booted.
-
-Upstream Status: RHEL only
-Signed-off-by: David Howells <dhowells@redhat.com>
-Signed-off-by: Jeremy Cline <jcline@redhat.com>
----
- arch/x86/kernel/setup.c | 8 ++++++++
- security/lockdown/Kconfig | 13 +++++++++++++
- 2 files changed, 21 insertions(+)
-
-diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index c9de4b36ca51..a1a012702915 100644
---- a/arch/x86/kernel/setup.c
-+++ b/arch/x86/kernel/setup.c
-@@ -18,6 +18,7 @@
- #include <linux/sfi.h>
- #include <linux/hugetlb.h>
- #include <linux/tboot.h>
-+#include <linux/security.h>
- #include <linux/usb/xhci-dbgp.h>
- #include <linux/static_call.h>
- #include <linux/swiotlb.h>
-@@ -1104,6 +1105,13 @@ void __init setup_arch(char **cmdline_p)
- if (efi_enabled(EFI_BOOT))
- efi_init();
-
-+ efi_set_secure_boot(boot_params.secure_boot);
-+
-+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
-+ if (efi_enabled(EFI_SECURE_BOOT))
-+ security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);
-+#endif
-+
- dmi_setup();
-
- /*
-diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
-index e84ddf484010..d0501353a4b9 100644
---- a/security/lockdown/Kconfig
-+++ b/security/lockdown/Kconfig
-@@ -16,6 +16,19 @@ config SECURITY_LOCKDOWN_LSM_EARLY
- subsystem is fully initialised. If enabled, lockdown will
- unconditionally be called before any other LSMs.
-
-+config LOCK_DOWN_IN_EFI_SECURE_BOOT
-+ bool "Lock down the kernel in EFI Secure Boot mode"
-+ default n
-+ depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY
-+ help
-+ UEFI Secure Boot provides a mechanism for ensuring that the firmware
-+ will only load signed bootloaders and kernels. Secure boot mode may
-+ be determined from EFI variables provided by the system firmware if
-+ not indicated by the boot parameters.
-+
-+ Enabling this option results in kernel lockdown being triggered if
-+ EFI Secure Boot is set.
-+
- choice
- prompt "Kernel default lockdown mode"
- default LOCK_DOWN_KERNEL_FORCE_NONE
---
-2.28.0
-