yeahuh / rpms / kernel

Forked from rpms/kernel 2 years ago
Clone
Pablo Greco d6c4c4
From 478a0cff698409224330ea9e25eb332220b55dbb Mon Sep 17 00:00:00 2001
Pablo Greco d6c4c4
From: Jeremy Cline <jcline@redhat.com>
Pablo Greco d6c4c4
Date: Mon, 30 Sep 2019 21:22:47 +0000
Pablo Greco d6c4c4
Subject: [PATCH 1/3] security: lockdown: expose a hook to lock the kernel down
Pablo Greco d6c4c4
Pablo Greco d6c4c4
In order to automatically lock down kernels running on UEFI machines
Pablo Greco d6c4c4
booted in Secure Boot mode, expose the lock_kernel_down() hook.
Pablo Greco d6c4c4
Pablo Greco d6c4c4
Signed-off-by: Jeremy Cline <jcline@redhat.com>
Pablo Greco d6c4c4
---
Pablo Greco d6c4c4
 include/linux/lsm_hooks.h    | 8 ++++++++
Pablo Greco d6c4c4
 include/linux/security.h     | 5 +++++
Pablo Greco d6c4c4
 security/lockdown/lockdown.c | 1 +
Pablo Greco d6c4c4
 security/security.c          | 6 ++++++
Pablo Greco d6c4c4
 4 files changed, 20 insertions(+)
Pablo Greco d6c4c4
Pablo Greco d6c4c4
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
Pablo Greco d6c4c4
index a3763247547c..8d76d1f153ed 100644
Pablo Greco d6c4c4
--- a/include/linux/lsm_hooks.h
Pablo Greco d6c4c4
+++ b/include/linux/lsm_hooks.h
Pablo Greco d6c4c4
@@ -1454,6 +1454,12 @@
Pablo Greco d6c4c4
  *     code execution in kernel space should be permitted.
Pablo Greco d6c4c4
  *
Pablo Greco d6c4c4
  *     @what: kernel feature being accessed
Pablo Greco d6c4c4
+ *
Pablo Greco d6c4c4
+ * @lock_kernel_down
Pablo Greco d6c4c4
+ *     Put the kernel into lock-down mode.
Pablo Greco d6c4c4
+ *
Pablo Greco d6c4c4
+ *     @where: Where the lock-down is originating from (e.g. command line option)
Pablo Greco d6c4c4
+ *     @level: The lock-down level (can only increase)
Pablo Greco d6c4c4
  */
Pablo Greco d6c4c4
 union security_list_options {
Pablo Greco d6c4c4
 	int (*binder_set_context_mgr)(struct task_struct *mgr);
Pablo Greco d6c4c4
@@ -1818,6 +1824,7 @@ union security_list_options {
Pablo Greco d6c4c4
 	void (*bpf_prog_free_security)(struct bpf_prog_aux *aux);
Pablo Greco d6c4c4
 #endif /* CONFIG_BPF_SYSCALL */
Pablo Greco d6c4c4
 	int (*locked_down)(enum lockdown_reason what);
Pablo Greco d6c4c4
+	int (*lock_kernel_down)(const char *where, enum lockdown_reason level);
Pablo Greco d6c4c4
 };
Pablo Greco d6c4c4
 
Pablo Greco d6c4c4
 struct security_hook_heads {
Pablo Greco d6c4c4
@@ -2060,6 +2067,7 @@ struct security_hook_heads {
Pablo Greco d6c4c4
 	struct hlist_head bpf_prog_free_security;
Pablo Greco d6c4c4
 #endif /* CONFIG_BPF_SYSCALL */
Pablo Greco d6c4c4
 	struct hlist_head locked_down;
Pablo Greco d6c4c4
+	struct hlist_head lock_kernel_down;
Pablo Greco d6c4c4
 } __randomize_layout;
Pablo Greco d6c4c4
 
Pablo Greco d6c4c4
 /*
Pablo Greco d6c4c4
diff --git a/include/linux/security.h b/include/linux/security.h
Pablo Greco d6c4c4
index a8d59d612d27..467b9ccdf993 100644
Pablo Greco d6c4c4
--- a/include/linux/security.h
Pablo Greco d6c4c4
+++ b/include/linux/security.h
Pablo Greco d6c4c4
@@ -442,6 +442,7 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
Pablo Greco d6c4c4
 int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
Pablo Greco d6c4c4
 int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
Pablo Greco d6c4c4
 int security_locked_down(enum lockdown_reason what);
Pablo Greco d6c4c4
+int security_lock_kernel_down(const char *where, enum lockdown_reason level);
Pablo Greco d6c4c4
 #else /* CONFIG_SECURITY */
Pablo Greco d6c4c4
 
Pablo Greco d6c4c4
 static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
Pablo Greco d6c4c4
@@ -1269,6 +1270,10 @@ static inline int security_locked_down(enum lockdown_reason what)
Pablo Greco d6c4c4
 {
Pablo Greco d6c4c4
 	return 0;
Pablo Greco d6c4c4
 }
Pablo Greco d6c4c4
+static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level)
Pablo Greco d6c4c4
+{
Pablo Greco d6c4c4
+	return 0;
Pablo Greco d6c4c4
+}
Pablo Greco d6c4c4
 #endif	/* CONFIG_SECURITY */
Pablo Greco d6c4c4
 
Pablo Greco d6c4c4
 #ifdef CONFIG_SECURITY_NETWORK
Pablo Greco d6c4c4
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
Pablo Greco d6c4c4
index 8a10b43daf74..72a623075749 100644
Pablo Greco d6c4c4
--- a/security/lockdown/lockdown.c
Pablo Greco d6c4c4
+++ b/security/lockdown/lockdown.c
Pablo Greco d6c4c4
@@ -97,6 +97,7 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
Pablo Greco d6c4c4
 
Pablo Greco d6c4c4
 static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = {
Pablo Greco d6c4c4
 	LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
Pablo Greco d6c4c4
+	LSM_HOOK_INIT(lock_kernel_down, lock_kernel_down),
Pablo Greco d6c4c4
 };
Pablo Greco d6c4c4
 
Pablo Greco d6c4c4
 static int __init lockdown_lsm_init(void)
Pablo Greco d6c4c4
diff --git a/security/security.c b/security/security.c
Pablo Greco d6c4c4
index 1bc000f834e2..1506b95427cf 100644
Pablo Greco d6c4c4
--- a/security/security.c
Pablo Greco d6c4c4
+++ b/security/security.c
Pablo Greco d6c4c4
@@ -2404,3 +2404,9 @@ int security_locked_down(enum lockdown_reason what)
Pablo Greco d6c4c4
 	return call_int_hook(locked_down, 0, what);
Pablo Greco d6c4c4
 }
Pablo Greco d6c4c4
 EXPORT_SYMBOL(security_locked_down);
Pablo Greco d6c4c4
+
Pablo Greco d6c4c4
+int security_lock_kernel_down(const char *where, enum lockdown_reason level)
Pablo Greco d6c4c4
+{
Pablo Greco d6c4c4
+	return call_int_hook(lock_kernel_down, 0, where, level);
Pablo Greco d6c4c4
+}
Pablo Greco d6c4c4
+EXPORT_SYMBOL(security_lock_kernel_down);
Pablo Greco d6c4c4
-- 
Pablo Greco d6c4c4
2.21.0
Pablo Greco d6c4c4
Pablo Greco d6c4c4
Pablo Greco d6c4c4
From b5123d0553f4ed5e734f6457696cdd30228d1eee Mon Sep 17 00:00:00 2001
Pablo Greco d6c4c4
From: David Howells <dhowells@redhat.com>
Pablo Greco d6c4c4
Date: Tue, 27 Feb 2018 10:04:55 +0000
Pablo Greco d6c4c4
Subject: [PATCH 2/3] efi: Add an EFI_SECURE_BOOT flag to indicate secure
Pablo Greco d6c4c4
 boot mode
Pablo Greco d6c4c4
Pablo Greco d6c4c4
UEFI machines can be booted in Secure Boot mode.  Add an EFI_SECURE_BOOT
Pablo Greco d6c4c4
flag that can be passed to efi_enabled() to find out whether secure boot is
Pablo Greco d6c4c4
enabled.
Pablo Greco d6c4c4
Pablo Greco d6c4c4
Move the switch-statement in x86's setup_arch() that inteprets the
Pablo Greco d6c4c4
secure_boot boot parameter to generic code and set the bit there.
Pablo Greco d6c4c4
Pablo Greco d6c4c4
Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Pablo Greco d6c4c4
Signed-off-by: David Howells <dhowells@redhat.com>
Pablo Greco d6c4c4
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Pablo Greco d6c4c4
cc: linux-efi@vger.kernel.org
Pablo Greco d6c4c4
[Rebased for context; efi_is_table_address was moved to arch/x86]
Pablo Greco d6c4c4
Signed-off-by: Jeremy Cline <jcline@redhat.com>
Pablo Greco d6c4c4
---
Pablo Greco d6c4c4
 arch/x86/kernel/setup.c           | 14 +-----------
Pablo Greco d6c4c4
 drivers/firmware/efi/Makefile     |  1 +
Pablo Greco d6c4c4
 drivers/firmware/efi/secureboot.c | 38 +++++++++++++++++++++++++++++++
Pablo Greco d6c4c4
 include/linux/efi.h               | 18 ++++++++++-----
Pablo Greco d6c4c4
 4 files changed, 52 insertions(+), 19 deletions(-)
Pablo Greco d6c4c4
 create mode 100644 drivers/firmware/efi/secureboot.c
Pablo Greco d6c4c4
Pablo Greco d6c4c4
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
Pablo Greco d6c4c4
index bbe35bf879f5..7e528b6af86b 100644
Pablo Greco d6c4c4
--- a/arch/x86/kernel/setup.c
Pablo Greco d6c4c4
+++ b/arch/x86/kernel/setup.c
Pablo Greco d6c4c4
@@ -1179,19 +1179,7 @@ void __init setup_arch(char **cmdline_p)
Pablo Greco d6c4c4
 	/* Allocate bigger log buffer */
Pablo Greco d6c4c4
 	setup_log_buf(1);
Pablo Greco d6c4c4
 
Pablo Greco d6c4c4
-	if (efi_enabled(EFI_BOOT)) {
Pablo Greco d6c4c4
-		switch (boot_params.secure_boot) {
Pablo Greco d6c4c4
-		case efi_secureboot_mode_disabled:
Pablo Greco d6c4c4
-			pr_info("Secure boot disabled\n");
Pablo Greco d6c4c4
-			break;
Pablo Greco d6c4c4
-		case efi_secureboot_mode_enabled:
Pablo Greco d6c4c4
-			pr_info("Secure boot enabled\n");
Pablo Greco d6c4c4
-			break;
Pablo Greco d6c4c4
-		default:
Pablo Greco d6c4c4
-			pr_info("Secure boot could not be determined\n");
Pablo Greco d6c4c4
-			break;
Pablo Greco d6c4c4
-		}
Pablo Greco d6c4c4
-	}
Pablo Greco d6c4c4
+	efi_set_secure_boot(boot_params.secure_boot);
Pablo Greco d6c4c4
 
Pablo Greco d6c4c4
 	reserve_initrd();
Pablo Greco d6c4c4
 
Pablo Greco d6c4c4
diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile
Pablo Greco d6c4c4
index 4ac2de4dfa72..195b078a423c 100644
Pablo Greco d6c4c4
--- a/drivers/firmware/efi/Makefile
Pablo Greco d6c4c4
+++ b/drivers/firmware/efi/Makefile
Pablo Greco d6c4c4
@@ -24,6 +24,7 @@ obj-$(CONFIG_EFI_FAKE_MEMMAP)		+= fake_mem.o
Pablo Greco d6c4c4
 obj-$(CONFIG_EFI_BOOTLOADER_CONTROL)	+= efibc.o
Pablo Greco d6c4c4
 obj-$(CONFIG_EFI_TEST)			+= test/
Pablo Greco d6c4c4
 obj-$(CONFIG_EFI_DEV_PATH_PARSER)	+= dev-path-parser.o
Pablo Greco d6c4c4
+obj-$(CONFIG_EFI)			+= secureboot.o
Pablo Greco d6c4c4
 obj-$(CONFIG_APPLE_PROPERTIES)		+= apple-properties.o
Pablo Greco d6c4c4
 obj-$(CONFIG_EFI_RCI2_TABLE)		+= rci2-table.o
Pablo Greco d6c4c4
 
Pablo Greco d6c4c4
diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c
Pablo Greco d6c4c4
new file mode 100644
Pablo Greco d6c4c4
index 000000000000..9070055de0a1
Pablo Greco d6c4c4
--- /dev/null
Pablo Greco d6c4c4
+++ b/drivers/firmware/efi/secureboot.c
Pablo Greco d6c4c4
@@ -0,0 +1,38 @@
Pablo Greco d6c4c4
+/* Core kernel secure boot support.
Pablo Greco d6c4c4
+ *
Pablo Greco d6c4c4
+ * Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
Pablo Greco d6c4c4
+ * Written by David Howells (dhowells@redhat.com)
Pablo Greco d6c4c4
+ *
Pablo Greco d6c4c4
+ * This program is free software; you can redistribute it and/or
Pablo Greco d6c4c4
+ * modify it under the terms of the GNU General Public Licence
Pablo Greco d6c4c4
+ * as published by the Free Software Foundation; either version
Pablo Greco d6c4c4
+ * 2 of the Licence, or (at your option) any later version.
Pablo Greco d6c4c4
+ */
Pablo Greco d6c4c4
+
Pablo Greco d6c4c4
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
Pablo Greco d6c4c4
+
Pablo Greco d6c4c4
+#include <linux/efi.h>
Pablo Greco d6c4c4
+#include <linux/kernel.h>
Pablo Greco d6c4c4
+#include <linux/printk.h>
Pablo Greco d6c4c4
+
Pablo Greco d6c4c4
+/*
Pablo Greco d6c4c4
+ * Decide what to do when UEFI secure boot mode is enabled.
Pablo Greco d6c4c4
+ */
Pablo Greco d6c4c4
+void __init efi_set_secure_boot(enum efi_secureboot_mode mode)
Pablo Greco d6c4c4
+{
Pablo Greco d6c4c4
+	if (efi_enabled(EFI_BOOT)) {
Pablo Greco d6c4c4
+		switch (mode) {
Pablo Greco d6c4c4
+		case efi_secureboot_mode_disabled:
Pablo Greco d6c4c4
+			pr_info("Secure boot disabled\n");
Pablo Greco d6c4c4
+			break;
Pablo Greco d6c4c4
+		case efi_secureboot_mode_enabled:
Pablo Greco d6c4c4
+			set_bit(EFI_SECURE_BOOT, &efi.flags);
Pablo Greco d6c4c4
+			pr_info("Secure boot enabled\n");
Pablo Greco d6c4c4
+			break;
Pablo Greco d6c4c4
+		default:
Pablo Greco d6c4c4
+			pr_warning("Secure boot could not be determined (mode %u)\n",
Pablo Greco d6c4c4
+				   mode);
Pablo Greco d6c4c4
+			break;
Pablo Greco d6c4c4
+		}
Pablo Greco d6c4c4
+	}
Pablo Greco d6c4c4
+}
Pablo Greco d6c4c4
diff --git a/include/linux/efi.h b/include/linux/efi.h
Pablo Greco d6c4c4
index 21d81021c1f4..758ec061d03b 100644
Pablo Greco d6c4c4
--- a/include/linux/efi.h
Pablo Greco d6c4c4
+++ b/include/linux/efi.h
Pablo Greco d6c4c4
@@ -1204,6 +1204,14 @@ extern int __init efi_setup_pcdp_console(char *);
Pablo Greco d6c4c4
 #define EFI_DBG			8	/* Print additional debug info at runtime */
Pablo Greco d6c4c4
 #define EFI_NX_PE_DATA		9	/* Can runtime data regions be mapped non-executable? */
Pablo Greco d6c4c4
 #define EFI_MEM_ATTR		10	/* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */
Pablo Greco d6c4c4
+#define EFI_SECURE_BOOT		11	/* Are we in Secure Boot mode? */
Pablo Greco d6c4c4
+
Pablo Greco d6c4c4
+enum efi_secureboot_mode {
Pablo Greco d6c4c4
+	efi_secureboot_mode_unset,
Pablo Greco d6c4c4
+	efi_secureboot_mode_unknown,
Pablo Greco d6c4c4
+	efi_secureboot_mode_disabled,
Pablo Greco d6c4c4
+	efi_secureboot_mode_enabled,
Pablo Greco d6c4c4
+};
Pablo Greco d6c4c4
 
Pablo Greco d6c4c4
 #ifdef CONFIG_EFI
Pablo Greco d6c4c4
 /*
Pablo Greco d6c4c4
@@ -1214,6 +1222,8 @@ static inline bool efi_enabled(int feature)
Pablo Greco d6c4c4
 	return test_bit(feature, &efi.flags) != 0;
Pablo Greco d6c4c4
 }
Pablo Greco d6c4c4
 extern void efi_reboot(enum reboot_mode reboot_mode, const char *__unused);
Pablo Greco d6c4c4
+
Pablo Greco d6c4c4
+extern void __init efi_set_secure_boot(enum efi_secureboot_mode mode);
Pablo Greco d6c4c4
 #else
Pablo Greco d6c4c4
 static inline bool efi_enabled(int feature)
Pablo Greco d6c4c4
 {
Pablo Greco d6c4c4
@@ -1227,6 +1237,8 @@ efi_capsule_pending(int *reset_type)
Pablo Greco d6c4c4
 {
Pablo Greco d6c4c4
 	return false;
Pablo Greco d6c4c4
 }
Pablo Greco d6c4c4
+
Pablo Greco d6c4c4
+static inline void efi_set_secure_boot(enum efi_secureboot_mode mode) {}
Pablo Greco d6c4c4
 #endif
Pablo Greco d6c4c4
 
Pablo Greco d6c4c4
 extern int efi_status_to_err(efi_status_t status);
Pablo Greco d6c4c4
@@ -1619,12 +1631,6 @@ static inline bool efi_runtime_disabled(void) { return true; }
Pablo Greco d6c4c4
 extern void efi_call_virt_check_flags(unsigned long flags, const char *call);
Pablo Greco d6c4c4
 extern unsigned long efi_call_virt_save_flags(void);
Pablo Greco d6c4c4
 
Pablo Greco d6c4c4
-enum efi_secureboot_mode {
Pablo Greco d6c4c4
-	efi_secureboot_mode_unset,
Pablo Greco d6c4c4
-	efi_secureboot_mode_unknown,
Pablo Greco d6c4c4
-	efi_secureboot_mode_disabled,
Pablo Greco d6c4c4
-	efi_secureboot_mode_enabled,
Pablo Greco d6c4c4
-};
Pablo Greco d6c4c4
 enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table);
Pablo Greco d6c4c4
 
Pablo Greco d6c4c4
 #ifdef CONFIG_RESET_ATTACK_MITIGATION
Pablo Greco d6c4c4
-- 
Pablo Greco d6c4c4
2.21.0
Pablo Greco d6c4c4
Pablo Greco d6c4c4
Pablo Greco d6c4c4
From 15368f76d4997912318d35c52bfeb9041d85098e Mon Sep 17 00:00:00 2001
Pablo Greco d6c4c4
From: David Howells <dhowells@redhat.com>
Pablo Greco d6c4c4
Date: Mon, 30 Sep 2019 21:28:16 +0000
Pablo Greco d6c4c4
Subject: [PATCH 3/3] efi: Lock down the kernel if booted in secure boot mode
Pablo Greco d6c4c4
Pablo Greco d6c4c4
UEFI Secure Boot provides a mechanism for ensuring that the firmware
Pablo Greco d6c4c4
will only load signed bootloaders and kernels.  Certain use cases may
Pablo Greco d6c4c4
also require that all kernel modules also be signed.  Add a
Pablo Greco d6c4c4
configuration option that to lock down the kernel - which includes
Pablo Greco d6c4c4
requiring validly signed modules - if the kernel is secure-booted.
Pablo Greco d6c4c4
Pablo Greco d6c4c4
Signed-off-by: David Howells <dhowells@redhat.com>
Pablo Greco d6c4c4
Signed-off-by: Jeremy Cline <jcline@redhat.com>
Pablo Greco d6c4c4
---
Pablo Greco d6c4c4
 arch/x86/kernel/setup.c   |  8 ++++++++
Pablo Greco d6c4c4
 security/lockdown/Kconfig | 13 +++++++++++++
Pablo Greco d6c4c4
 2 files changed, 21 insertions(+)
Pablo Greco d6c4c4
Pablo Greco d6c4c4
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
Pablo Greco d6c4c4
index 77ea96b794bd..a119e1bc9623 100644
Pablo Greco d6c4c4
--- a/arch/x86/kernel/setup.c
Pablo Greco d6c4c4
+++ b/arch/x86/kernel/setup.c
Pablo Greco d6c4c4
@@ -73,6 +73,7 @@
Pablo Greco d6c4c4
 #include <linux/jiffies.h>
Pablo Greco d6c4c4
 #include <linux/mem_encrypt.h>
Pablo Greco d6c4c4
 #include <linux/sizes.h>
Pablo Greco d6c4c4
+#include <linux/security.h>
Pablo Greco d6c4c4
 
Pablo Greco d6c4c4
 #include <linux/usb/xhci-dbgp.h>
Pablo Greco d6c4c4
 #include <video/edid.h>
Pablo Greco d6c4c4
@@ -1027,6 +1028,13 @@ void __init setup_arch(char **cmdline_p)
Pablo Greco d6c4c4
 	if (efi_enabled(EFI_BOOT))
Pablo Greco d6c4c4
 		efi_init();
Pablo Greco d6c4c4
 
Pablo Greco d6c4c4
+	efi_set_secure_boot(boot_params.secure_boot);
Pablo Greco d6c4c4
+
Pablo Greco d6c4c4
+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
Pablo Greco d6c4c4
+	if (efi_enabled(EFI_SECURE_BOOT))
Pablo Greco d6c4c4
+		security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_CONFIDENTIALITY_MAX);
Pablo Greco d6c4c4
+#endif
Pablo Greco d6c4c4
+
Pablo Greco d6c4c4
 	dmi_setup();
Pablo Greco d6c4c4
 
Pablo Greco d6c4c4
 	/*
Pablo Greco d6c4c4
diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
Pablo Greco d6c4c4
index e84ddf484010..d0501353a4b9 100644
Pablo Greco d6c4c4
--- a/security/lockdown/Kconfig
Pablo Greco d6c4c4
+++ b/security/lockdown/Kconfig
Pablo Greco d6c4c4
@@ -16,6 +16,19 @@ config SECURITY_LOCKDOWN_LSM_EARLY
Pablo Greco d6c4c4
 	  subsystem is fully initialised. If enabled, lockdown will
Pablo Greco d6c4c4
 	  unconditionally be called before any other LSMs.
Pablo Greco d6c4c4
 
Pablo Greco d6c4c4
+config LOCK_DOWN_IN_EFI_SECURE_BOOT
Pablo Greco d6c4c4
+	bool "Lock down the kernel in EFI Secure Boot mode"
Pablo Greco d6c4c4
+	default n
Pablo Greco d6c4c4
+	depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY
Pablo Greco d6c4c4
+	help
Pablo Greco d6c4c4
+	  UEFI Secure Boot provides a mechanism for ensuring that the firmware
Pablo Greco d6c4c4
+	  will only load signed bootloaders and kernels.  Secure boot mode may
Pablo Greco d6c4c4
+	  be determined from EFI variables provided by the system firmware if
Pablo Greco d6c4c4
+	  not indicated by the boot parameters.
Pablo Greco d6c4c4
+
Pablo Greco d6c4c4
+	  Enabling this option results in kernel lockdown being triggered if
Pablo Greco d6c4c4
+	  EFI Secure Boot is set.
Pablo Greco d6c4c4
+
Pablo Greco d6c4c4
 choice
Pablo Greco d6c4c4
 	prompt "Kernel default lockdown mode"
Pablo Greco d6c4c4
 	default LOCK_DOWN_KERNEL_FORCE_NONE
Pablo Greco d6c4c4
-- 
Pablo Greco d6c4c4
2.21.0