| From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
| From: David Howells <dhowells@redhat.com> |
| Date: Mon, 30 Sep 2019 21:28:16 +0000 |
| Subject: [PATCH] efi: Lock down the kernel if booted in secure boot mode |
| |
| UEFI Secure Boot provides a mechanism for ensuring that the firmware |
| will only load signed bootloaders and kernels. Certain use cases may |
| also require that all kernel modules also be signed. Add a |
| configuration option that to lock down the kernel - which includes |
| requiring validly signed modules - if the kernel is secure-booted. |
| |
| Upstream Status: RHEL only |
| Signed-off-by: David Howells <dhowells@redhat.com> |
| Signed-off-by: Jeremy Cline <jcline@redhat.com> |
| |
| arch/x86/kernel/setup.c | 8 ++++++++ |
| security/lockdown/Kconfig | 13 +++++++++++++ |
| 2 files changed, 21 insertions(+) |
| |
| diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c |
| index c9de4b36ca51..a1a012702915 100644 |
| |
| |
| @@ -18,6 +18,7 @@ |
| #include <linux/sfi.h> |
| #include <linux/hugetlb.h> |
| #include <linux/tboot.h> |
| +#include <linux/security.h> |
| #include <linux/usb/xhci-dbgp.h> |
| #include <linux/static_call.h> |
| #include <linux/swiotlb.h> |
| @@ -1104,6 +1105,13 @@ void __init setup_arch(char **cmdline_p) |
| if (efi_enabled(EFI_BOOT)) |
| efi_init(); |
| |
| + efi_set_secure_boot(boot_params.secure_boot); |
| + |
| +#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT |
| + if (efi_enabled(EFI_SECURE_BOOT)) |
| + security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX); |
| +#endif |
| + |
| dmi_setup(); |
| |
| /* |
| diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig |
| index e84ddf484010..d0501353a4b9 100644 |
| |
| |
| @@ -16,6 +16,19 @@ config SECURITY_LOCKDOWN_LSM_EARLY |
| subsystem is fully initialised. If enabled, lockdown will |
| unconditionally be called before any other LSMs. |
| |
| +config LOCK_DOWN_IN_EFI_SECURE_BOOT |
| + bool "Lock down the kernel in EFI Secure Boot mode" |
| + default n |
| + depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY |
| + help |
| + UEFI Secure Boot provides a mechanism for ensuring that the firmware |
| + will only load signed bootloaders and kernels. Secure boot mode may |
| + be determined from EFI variables provided by the system firmware if |
| + not indicated by the boot parameters. |
| + |
| + Enabling this option results in kernel lockdown being triggered if |
| + EFI Secure Boot is set. |
| + |
| choice |
| prompt "Kernel default lockdown mode" |
| default LOCK_DOWN_KERNEL_FORCE_NONE |
| -- |
| 2.28.0 |
| |