From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Mon, 30 Sep 2019 21:28:16 +0000
Subject: [PATCH] efi: Lock down the kernel if booted in secure boot mode
UEFI Secure Boot provides a mechanism for ensuring that the firmware
will only load signed bootloaders and kernels.  Certain use cases may
also require that all kernel modules also be signed.  Add a
configuration option to lock down the kernel - which includes
requiring validly signed modules - if the kernel is secure-booted.
Upstream Status: RHEL only
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Jeremy Cline <jcline@redhat.com>
---
 arch/x86/kernel/setup.c   |  8 ++++++++
 security/lockdown/Kconfig | 13 +++++++++++++
 2 files changed, 21 insertions(+)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index c9de4b36ca51..a1a012702915 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -18,6 +18,7 @@
 #include <linux/sfi.h>
 #include <linux/hugetlb.h>
 #include <linux/tboot.h>
+#include <linux/security.h>
 #include <linux/usb/xhci-dbgp.h>
 #include <linux/static_call.h>
 #include <linux/swiotlb.h>
@@ -1104,6 +1105,13 @@ void __init setup_arch(char **cmdline_p)
 	if (efi_enabled(EFI_BOOT))
 		efi_init();
+	efi_set_secure_boot(boot_params.secure_boot);
+
+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
+	if (efi_enabled(EFI_SECURE_BOOT))
+		security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);
+#endif
+
 	dmi_setup();
 	/*
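Review bot: The new `efi_set_secure_boot(boot_params.secure_boot)` call sits outside the `if (efi_enabled(EFI_BOOT))` guard directly above it, so it also runs on non-EFI boots; that is presumably harmless only if a zeroed boot_params.secure_boot maps to the "unset" mode inside efi_set_secure_boot, which is defined outside this patch, so either move the call under the guard or record that assumption in a comment. The lockdown level also deserves a why-comment above the #ifdef, e.g. `/* Secure Boot attests only the boot chain, so lock down to the integrity level rather than confidentiality. */`. The `security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);` line exceeds 80 columns under two tabs; wrapping the second argument onto its own line keeps it within kernel style. setup_arch's body continues outside the hunk.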
diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
index e84ddf484010..d0501353a4b9 100644
--- a/security/lockdown/Kconfig
+++ b/security/lockdown/Kconfig
@@ -16,6 +16,19 @@ config SECURITY_LOCKDOWN_LSM_EARLY
 	  subsystem is fully initialised. If enabled, lockdown will
 	  unconditionally be called before any other LSMs.
+config LOCK_DOWN_IN_EFI_SECURE_BOOT
+	bool "Lock down the kernel in EFI Secure Boot mode"
+	default n
+	depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY
+	help
+	  UEFI Secure Boot provides a mechanism for ensuring that the firmware
+	  will only load signed bootloaders and kernels.  Secure boot mode may
+	  be determined from EFI variables provided by the system firmware if
+	  not indicated by the boot parameters.
+
+	  Enabling this option results in kernel lockdown being triggered if
+	  EFI Secure Boot is set.
+
 choice
 	prompt "Kernel default lockdown mode"
 	default LOCK_DOWN_KERNEL_FORCE_NONE
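Review bot: The help text never states which lockdown level the option selects, while the setup.c hunk of this patch passes LOCKDOWN_INTEGRITY_MAX; the last paragraph could read `Enabling this option results in the kernel being locked down to the integrity level (not confidentiality) if EFI Secure Boot is set.`. The sentence about determining the mode from EFI variables describes behaviour that does not appear in this patch — the setup.c hunk only consults boot_params.secure_boot — so either name where that determination is made (presumably the EFI boot stub) or drop the sentence. `default n` is already the implicit default for a bool symbol and can be removed. The new config block is complete within the hunk.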
-- 
2.28.0