Switch Secure Boot to lock down in integrity mode (rhbz 1815571)
This commit is contained in:
Jeremy Cline
parent
f6d71673bd
commit
aca1c25ebf
|
|
@ -303,7 +303,7 @@ index 1797623b0c3a..fa8ac411bf6e 100644
|
||||||
+
|
+
|
||||||
+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
|
+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
|
||||||
+ if (efi_enabled(EFI_SECURE_BOOT))
|
+ if (efi_enabled(EFI_SECURE_BOOT))
|
||||||
+ security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_CONFIDENTIALITY_MAX);
|
+ security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
dmi_setup();
|
dmi_setup();
|
||||||
|
|
|
||||||
|
|
@ -3,7 +3,7 @@ From: Jeremy Cline <jcline@redhat.com>
|
||||||
Date: Wed, 30 Oct 2019 14:37:49 +0000
|
Date: Wed, 30 Oct 2019 14:37:49 +0000
|
||||||
Subject: [PATCH] s390: Lock down the kernel when the IPL secure flag is set
|
Subject: [PATCH] s390: Lock down the kernel when the IPL secure flag is set
|
||||||
|
|
||||||
Automatically lock down the kernel to LOCKDOWN_CONFIDENTIALITY_MAX if
|
Automatically lock down the kernel to LOCKDOWN_INTEGRITY_MAX if
|
||||||
the IPL secure flag is set.
|
the IPL secure flag is set.
|
||||||
|
|
||||||
Suggested-by: Philipp Rudo <prudo@redhat.com>
|
Suggested-by: Philipp Rudo <prudo@redhat.com>
|
||||||
|
|
@ -56,7 +56,7 @@ index 9cbf490fd162..0510ecdfc3f6 100644
|
||||||
log_component_list();
|
log_component_list();
|
||||||
|
|
||||||
+ if (ipl_get_secureboot())
|
+ if (ipl_get_secureboot())
|
||||||
+ security_lock_kernel_down("Secure IPL mode", LOCKDOWN_CONFIDENTIALITY_MAX);
|
+ security_lock_kernel_down("Secure IPL mode", LOCKDOWN_INTEGRITY_MAX);
|
||||||
+
|
+
|
||||||
/* Have one command line that is parsed and saved in /proc/cmdline */
|
/* Have one command line that is parsed and saved in /proc/cmdline */
|
||||||
/* boot_command_line has been already set up in early.c */
|
/* boot_command_line has been already set up in early.c */
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue