potatogim / rpms / kernel

Forked from rpms/kernel 3 years ago
Clone
Justin Vreeland 794d92
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
Justin Vreeland 794d92
From: David Howells <dhowells@redhat.com>
Justin Vreeland 794d92
Date: Mon, 30 Sep 2019 21:28:16 +0000
Justin Vreeland 794d92
Subject: [PATCH] efi: Lock down the kernel if booted in secure boot mode
Justin Vreeland 794d92
Justin Vreeland 794d92
UEFI Secure Boot provides a mechanism for ensuring that the firmware
Justin Vreeland 794d92
will only load signed bootloaders and kernels.  Certain use cases may
Justin Vreeland 794d92
also require that all kernel modules also be signed.  Add a
Justin Vreeland 794d92
configuration option that to lock down the kernel - which includes
Justin Vreeland 794d92
requiring validly signed modules - if the kernel is secure-booted.
Justin Vreeland 794d92
Justin Vreeland 794d92
Upstream Status: RHEL only
Justin Vreeland 794d92
Signed-off-by: David Howells <dhowells@redhat.com>
Justin Vreeland 794d92
Signed-off-by: Jeremy Cline <jcline@redhat.com>
Justin Vreeland 794d92
---
Justin Vreeland 794d92
 arch/x86/kernel/setup.c   |  8 ++++++++
Justin Vreeland 794d92
 security/lockdown/Kconfig | 13 +++++++++++++
Justin Vreeland 794d92
 2 files changed, 21 insertions(+)
Justin Vreeland 794d92
Justin Vreeland 794d92
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
Justin Vreeland 794d92
index c9de4b36ca51..a1a012702915 100644
Justin Vreeland 794d92
--- a/arch/x86/kernel/setup.c
Justin Vreeland 794d92
+++ b/arch/x86/kernel/setup.c
Justin Vreeland 794d92
@@ -18,6 +18,7 @@
Justin Vreeland 794d92
 #include <linux/sfi.h>
Justin Vreeland 794d92
 #include <linux/hugetlb.h>
Justin Vreeland 794d92
 #include <linux/tboot.h>
Justin Vreeland 794d92
+#include <linux/security.h>
Justin Vreeland 794d92
 #include <linux/usb/xhci-dbgp.h>
Justin Vreeland 794d92
 #include <linux/static_call.h>
Justin Vreeland 794d92
 #include <linux/swiotlb.h>
Justin Vreeland 794d92
@@ -1104,6 +1105,13 @@ void __init setup_arch(char **cmdline_p)
Justin Vreeland 794d92
 	if (efi_enabled(EFI_BOOT))
Justin Vreeland 794d92
 		efi_init();
Justin Vreeland 794d92
Justin Vreeland 794d92
+	efi_set_secure_boot(boot_params.secure_boot);
Justin Vreeland 794d92
+
Justin Vreeland 794d92
+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
Justin Vreeland 794d92
+	if (efi_enabled(EFI_SECURE_BOOT))
Justin Vreeland 794d92
+		security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);
Justin Vreeland 794d92
+#endif
Justin Vreeland 794d92
+
Justin Vreeland 794d92
 	dmi_setup();
Justin Vreeland 794d92
Justin Vreeland 794d92
 	/*
Justin Vreeland 794d92
diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
Justin Vreeland 794d92
index e84ddf484010..d0501353a4b9 100644
Justin Vreeland 794d92
--- a/security/lockdown/Kconfig
Justin Vreeland 794d92
+++ b/security/lockdown/Kconfig
Justin Vreeland 794d92
@@ -16,6 +16,19 @@ config SECURITY_LOCKDOWN_LSM_EARLY
Justin Vreeland 794d92
 	  subsystem is fully initialised. If enabled, lockdown will
Justin Vreeland 794d92
 	  unconditionally be called before any other LSMs.
Justin Vreeland 794d92
Justin Vreeland 794d92
+config LOCK_DOWN_IN_EFI_SECURE_BOOT
Justin Vreeland 794d92
+	bool "Lock down the kernel in EFI Secure Boot mode"
Justin Vreeland 794d92
+	default n
Justin Vreeland 794d92
+	depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY
Justin Vreeland 794d92
+	help
Justin Vreeland 794d92
+	  UEFI Secure Boot provides a mechanism for ensuring that the firmware
Justin Vreeland 794d92
+	  will only load signed bootloaders and kernels.  Secure boot mode may
Justin Vreeland 794d92
+	  be determined from EFI variables provided by the system firmware if
Justin Vreeland 794d92
+	  not indicated by the boot parameters.
Justin Vreeland 794d92
+
Justin Vreeland 794d92
+	  Enabling this option results in kernel lockdown being triggered if
Justin Vreeland 794d92
+	  EFI Secure Boot is set.
Justin Vreeland 794d92
+
Justin Vreeland 794d92
 choice
Justin Vreeland 794d92
 	prompt "Kernel default lockdown mode"
Justin Vreeland 794d92
 	default LOCK_DOWN_KERNEL_FORCE_NONE
Justin Vreeland 794d92
-- 
Justin Vreeland 794d92
2.28.0
Justin Vreeland 794d92