f7a3bf6547
* Thu Aug 13 2020 Fedora Kernel Team <kernel-team@fedoraproject.org> [5.9.0-0.rc0.20200813gitdc06fe51d26e.1]
- dc06fe51d26e rebase
- More mismatches ("Justin M. Forbes")
- Fedora config change due to deps ("Justin M. Forbes")
- CONFIG_SND_SOC_MAX98390 is now selected by SND_SOC_INTEL_DA7219_MAX98357A_GENERIC ("Justin M. Forbes")
- Config change required for build part 2 ("Justin M. Forbes")
- Config change required for build ("Justin M. Forbes")
- Fedora config update ("Justin M. Forbes")
- Revert "Merge branch 'make_configs_fix' into 'os-build'" (Justin Forbes)
- redhat/configs/process_configs.sh: Remove *.config.orig files (Prarit Bhargava)
- redhat/configs/process_configs.sh: Add process_configs_known_broken flag (Prarit Bhargava)
- redhat/Makefile: Fix '*-configs' targets (Prarit Bhargava)
- Updated changelog for the release based on v5.8 (Fedora Kernel Team)
- Add ability to sync upstream through Makefile (Don Zickus)
- Add master merge check (Don Zickus)
- Replace hardcoded values 'os-build' and project id with variables (Don Zickus)
- gitattributes: Remove unnecesary export restrictions (Prarit Bhargava)
- redhat/Makefile.common: Fix MARKER (Prarit Bhargava)
Resolves: rhbz#
Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
73 lines
2.4 KiB
Diff
73 lines
2.4 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: David Howells <dhowells@redhat.com>
|
|
Date: Mon, 30 Sep 2019 21:28:16 +0000
|
|
Subject: [PATCH] efi: Lock down the kernel if booted in secure boot mode
|
|
|
|
UEFI Secure Boot provides a mechanism for ensuring that the firmware
|
|
will only load signed bootloaders and kernels. Certain use cases may
|
|
also require that all kernel modules also be signed. Add a
|
|
configuration option that to lock down the kernel - which includes
|
|
requiring validly signed modules - if the kernel is secure-booted.
|
|
|
|
Upstream Status: RHEL only
|
|
Signed-off-by: David Howells <dhowells@redhat.com>
|
|
Signed-off-by: Jeremy Cline <jcline@redhat.com>
|
|
---
|
|
arch/x86/kernel/setup.c | 8 ++++++++
|
|
security/lockdown/Kconfig | 13 +++++++++++++
|
|
2 files changed, 21 insertions(+)
|
|
|
|
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
|
|
index c9de4b36ca51..a1a012702915 100644
|
|
--- a/arch/x86/kernel/setup.c
|
|
+++ b/arch/x86/kernel/setup.c
|
|
@@ -18,6 +18,7 @@
|
|
#include <linux/sfi.h>
|
|
#include <linux/hugetlb.h>
|
|
#include <linux/tboot.h>
|
|
+#include <linux/security.h>
|
|
#include <linux/usb/xhci-dbgp.h>
|
|
|
|
#include <uapi/linux/mount.h>
|
|
@@ -1104,6 +1105,13 @@ void __init setup_arch(char **cmdline_p)
|
|
if (efi_enabled(EFI_BOOT))
|
|
efi_init();
|
|
|
|
+ efi_set_secure_boot(boot_params.secure_boot);
|
|
+
|
|
+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
|
|
+ if (efi_enabled(EFI_SECURE_BOOT))
|
|
+ security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);
|
|
+#endif
|
|
+
|
|
dmi_setup();
|
|
|
|
/*
|
|
diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
|
|
index e84ddf484010..d0501353a4b9 100644
|
|
--- a/security/lockdown/Kconfig
|
|
+++ b/security/lockdown/Kconfig
|
|
@@ -16,6 +16,19 @@ config SECURITY_LOCKDOWN_LSM_EARLY
|
|
subsystem is fully initialised. If enabled, lockdown will
|
|
unconditionally be called before any other LSMs.
|
|
|
|
+config LOCK_DOWN_IN_EFI_SECURE_BOOT
|
|
+ bool "Lock down the kernel in EFI Secure Boot mode"
|
|
+ default n
|
|
+ depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY
|
|
+ help
|
|
+ UEFI Secure Boot provides a mechanism for ensuring that the firmware
|
|
+ will only load signed bootloaders and kernels. Secure boot mode may
|
|
+ be determined from EFI variables provided by the system firmware if
|
|
+ not indicated by the boot parameters.
|
|
+
|
|
+ Enabling this option results in kernel lockdown being triggered if
|
|
+ EFI Secure Boot is set.
|
|
+
|
|
choice
|
|
prompt "Kernel default lockdown mode"
|
|
default LOCK_DOWN_KERNEL_FORCE_NONE
|
|
--
|
|
2.26.2
|
|
|