efi: Lock down the kernel if booted in secure boot mode
UEFI Secure Boot provides a mechanism for ensuring that the firmware will only load signed bootloaders and kernels. Certain use cases may also require that all kernel modules also be signed. Add a configuration option to lock down the kernel - which includes requiring validly signed modules - if the kernel is secure-booted. Upstream Status: RHEL only Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Jeremy Cline <jcline@redhat.com>
This commit is contained in:
parent
2f8af1661a
commit
c521d05f5a
@ -20,6 +20,7 @@
#include <linux/root_dev.h>
#include <linux/hugetlb.h>
#include <linux/tboot.h>
#include <linux/security.h>
#include <linux/usb/xhci-dbgp.h>
#include <linux/static_call.h>
#include <linux/swiotlb.h>
@ -1055,6 +1056,13 @@ void __init setup_arch(char **cmdline_p)
if (efi_enabled(EFI_BOOT))
efi_init();
efi_set_secure_boot(boot_params.secure_boot);
#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
if (efi_enabled(EFI_SECURE_BOOT))
security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);
#endif
dmi_setup();
/*
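Review bot: `efi_set_secure_boot(boot_params.secure_boot);` runs unconditionally, because the preceding `if (efi_enabled(EFI_BOOT))` guards only the single unbraced `efi_init();` statement, so the lockdown decision is always derived from a value the boot path handed over in boot_params rather than from anything verified here. If a bootloader or boot stub leaves that field unset, the `efi_enabled(EFI_SECURE_BOOT)` test simply fails and the kernel comes up unlocked with no diagnostic, which is worth recording at the call site, e.g. `/* Secure Boot state is taken from boot_params as filled by the boot stub/bootloader; an unset value yields no lockdown (see efi_set_secure_boot() for any firmware fallback). */` — the fallback claim should be confirmed against efi_set_secure_boot(), which is not in this hunk. As a point of style, the `#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT` block could be written as `if (IS_ENABLED(CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT) && efi_enabled(EFI_SECURE_BOOT))`, provided linux/security.h declares security_lock_kernel_down() for the disabled configuration as well. setup_arch() begins and continues outside the hunk.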
@ -16,6 +16,19 @@ config SECURITY_LOCKDOWN_LSM_EARLY
subsystem is fully initialised. If enabled, lockdown will
unconditionally be called before any other LSMs.
config LOCK_DOWN_IN_EFI_SECURE_BOOT
bool "Lock down the kernel in EFI Secure Boot mode"
default n
depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY
help
UEFI Secure Boot provides a mechanism for ensuring that the firmware
will only load signed bootloaders and kernels. Secure boot mode may
be determined from EFI variables provided by the system firmware if
not indicated by the boot parameters.
Enabling this option results in kernel lockdown being triggered if
EFI Secure Boot is set.
choice
prompt "Kernel default lockdown mode"
default LOCK_DOWN_KERNEL_FORCE_NONE
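Review bot: The help text says only that lockdown is "triggered", while the call site in setup_arch() passes LOCKDOWN_INTEGRITY_MAX, so it is the integrity lockdown level (the one the commit message describes as requiring validly signed modules) and not the stricter confidentiality level that this option enforces; a user deciding whether to enable it should be told which, e.g. `Enabling this option results in kernel lockdown (integrity level) being triggered if EFI Secure Boot is set.` The sentence about determining the mode from EFI variables describes behaviour outside this commit and should be checked against efi_set_secure_boot() before it is relied on. As a point of style, `default n` is the implicit default for a bool symbol and is normally omitted in kernel Kconfig.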