[arm64] Update "add kernel config option to lock down when in Secure Boot mode" for 4.15
parent
5635aaadec
commit
20aa9b586e
|
@ -1,3 +1,10 @@
|
||||||
|
linux (4.15~rc5-1~exp2) UNRELEASED; urgency=medium
|
||||||
|
|
||||||
|
* [arm64] Update "add kernel config option to lock down when in Secure Boot
|
||||||
|
mode" for 4.15
|
||||||
|
|
||||||
|
-- Ben Hutchings <ben@decadent.org.uk> Sat, 30 Dec 2017 16:00:15 +0000
|
||||||
|
|
||||||
linux (4.15~rc5-1~exp1) experimental; urgency=medium
|
linux (4.15~rc5-1~exp1) experimental; urgency=medium
|
||||||
|
|
||||||
* New upstream release candidate
|
* New upstream release candidate
|
||||||
|
|
|
@ -14,8 +14,9 @@ kernel using the FDT.
|
||||||
Signed-off-by: Linn Crosetto <linn@hpe.com>
|
Signed-off-by: Linn Crosetto <linn@hpe.com>
|
||||||
[bwh: Forward-ported to 4.10: adjust context]
|
[bwh: Forward-ported to 4.10: adjust context]
|
||||||
[Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream]
|
[Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream]
|
||||||
[bwh: Forward-ported to 4.11 and lockdown patch set:
|
[bwh: Forward-ported to 4.15 and lockdown patch set:
|
||||||
- Convert result of efi_get_secureboot() to a boolean
|
- Pass result of efi_get_secureboot() in stub through to
|
||||||
|
efi_set_secure_boot() in main kernel
|
||||||
- Use lockdown API and naming]
|
- Use lockdown API and naming]
|
||||||
---
|
---
|
||||||
arch/arm64/Kconfig | 13 +++++++++++++
|
arch/arm64/Kconfig | 13 +++++++++++++
|
||||||
|
@ -27,27 +28,6 @@ Signed-off-by: Linn Crosetto <linn@hpe.com>
|
||||||
include/linux/efi.h | 1 +
|
include/linux/efi.h | 1 +
|
||||||
7 files changed, 32 insertions(+), 2 deletions(-)
|
7 files changed, 32 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
--- a/arch/arm64/Kconfig
|
|
||||||
+++ b/arch/arm64/Kconfig
|
|
||||||
@@ -1033,6 +1033,18 @@ config EFI
|
|
||||||
allow the kernel to be booted as an EFI application. This
|
|
||||||
is only useful on systems that have UEFI firmware.
|
|
||||||
|
|
||||||
+config EFI_SECURE_BOOT_LOCK_DOWN
|
|
||||||
+ def_bool n
|
|
||||||
+ depends on EFI
|
|
||||||
+ prompt "Lock down the kernel when UEFI Secure Boot is enabled"
|
|
||||||
+ ---help---
|
|
||||||
+ UEFI Secure Boot provides a mechanism for ensuring that the firmware
|
|
||||||
+ will only load signed bootloaders and kernels. Certain use cases may
|
|
||||||
+ also require that all kernel modules also be signed and that
|
|
||||||
+ userspace is prevented from directly changing the running kernel
|
|
||||||
+ image. Say Y here to automatically lock down the kernel when a
|
|
||||||
+ system boots with UEFI Secure Boot enabled.
|
|
||||||
+
|
|
||||||
config DMI
|
|
||||||
bool "Enable support for SMBIOS (DMI) tables"
|
|
||||||
depends on EFI
|
|
||||||
--- a/drivers/firmware/efi/arm-init.c
|
--- a/drivers/firmware/efi/arm-init.c
|
||||||
+++ b/drivers/firmware/efi/arm-init.c
|
+++ b/drivers/firmware/efi/arm-init.c
|
||||||
@@ -21,6 +21,7 @@
|
@@ -21,6 +21,7 @@
|
||||||
|
@ -58,21 +38,19 @@ Signed-off-by: Linn Crosetto <linn@hpe.com>
|
||||||
|
|
||||||
#include <asm/efi.h>
|
#include <asm/efi.h>
|
||||||
|
|
||||||
@@ -244,6 +245,11 @@ void __init efi_init(void)
|
@@ -252,6 +253,9 @@ void __init efi_init(void)
|
||||||
"Unexpected EFI_MEMORY_DESCRIPTOR version %ld",
|
"Unexpected EFI_MEMORY_DESCRIPTOR version %ld",
|
||||||
efi.memmap.desc_version);
|
efi.memmap.desc_version);
|
||||||
|
|
||||||
+#ifdef CONFIG_EFI_SECURE_BOOT_LOCK_DOWN
|
+ efi_set_secure_boot(boot_params.secure_boot);
|
||||||
+ if (params.secure_boot > 0)
|
+ init_lockdown();
|
||||||
+ lock_kernel_down();
|
|
||||||
+#endif
|
|
||||||
+
|
+
|
||||||
if (uefi_init() < 0) {
|
if (uefi_init() < 0) {
|
||||||
efi_memmap_unmap();
|
efi_memmap_unmap();
|
||||||
return;
|
return;
|
||||||
--- a/drivers/firmware/efi/efi.c
|
--- a/drivers/firmware/efi/efi.c
|
||||||
+++ b/drivers/firmware/efi/efi.c
|
+++ b/drivers/firmware/efi/efi.c
|
||||||
@@ -613,7 +613,8 @@ static __initdata struct params fdt_para
|
@@ -635,7 +635,8 @@ static __initdata struct params fdt_para
|
||||||
UEFI_PARAM("MemMap Address", "linux,uefi-mmap-start", mmap),
|
UEFI_PARAM("MemMap Address", "linux,uefi-mmap-start", mmap),
|
||||||
UEFI_PARAM("MemMap Size", "linux,uefi-mmap-size", mmap_size),
|
UEFI_PARAM("MemMap Size", "linux,uefi-mmap-size", mmap_size),
|
||||||
UEFI_PARAM("MemMap Desc. Size", "linux,uefi-mmap-desc-size", desc_size),
|
UEFI_PARAM("MemMap Desc. Size", "linux,uefi-mmap-desc-size", desc_size),
|
||||||
|
@ -84,13 +62,12 @@ Signed-off-by: Linn Crosetto <linn@hpe.com>
|
||||||
static __initdata struct params xen_fdt_params[] = {
|
static __initdata struct params xen_fdt_params[] = {
|
||||||
--- a/drivers/firmware/efi/libstub/fdt.c
|
--- a/drivers/firmware/efi/libstub/fdt.c
|
||||||
+++ b/drivers/firmware/efi/libstub/fdt.c
|
+++ b/drivers/firmware/efi/libstub/fdt.c
|
||||||
@@ -134,6 +134,14 @@ static efi_status_t update_fdt(efi_syste
|
@@ -158,6 +158,13 @@ static efi_status_t update_fdt(efi_syste
|
||||||
return efi_status;
|
return efi_status;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
+
|
+
|
||||||
+ fdt_val32 = cpu_to_fdt32(efi_get_secureboot(sys_table) !=
|
+ fdt_val32 = cpu_to_fdt32(efi_get_secureboot(sys_table));
|
||||||
+ efi_secureboot_mode_disabled);
|
|
||||||
+ status = fdt_setprop(fdt, node, "linux,uefi-secure-boot",
|
+ status = fdt_setprop(fdt, node, "linux,uefi-secure-boot",
|
||||||
+ &fdt_val32, sizeof(fdt_val32));
|
+ &fdt_val32, sizeof(fdt_val32));
|
||||||
+ if (status)
|
+ if (status)
|
||||||
|
@ -101,7 +78,7 @@ Signed-off-by: Linn Crosetto <linn@hpe.com>
|
||||||
fdt_set_fail:
|
fdt_set_fail:
|
||||||
--- a/include/linux/efi.h
|
--- a/include/linux/efi.h
|
||||||
+++ b/include/linux/efi.h
|
+++ b/include/linux/efi.h
|
||||||
@@ -736,6 +736,7 @@ struct efi_fdt_params {
|
@@ -749,6 +749,7 @@ struct efi_fdt_params {
|
||||||
u32 mmap_size;
|
u32 mmap_size;
|
||||||
u32 desc_size;
|
u32 desc_size;
|
||||||
u32 desc_ver;
|
u32 desc_ver;
|
||||||
|
|
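Review bot: The new line `efi_set_secure_boot(boot_params.secure_boot);` in the arm-init.c hunk reads the x86 `boot_params` structure, but on arm64 the Secure Boot state arrives through the FDT into the local `params` (`struct efi_fdt_params`, which this same patch extends with a `secure_boot` field, and which the line being replaced tested as `params.secure_boot`). With the lockdown option enabled this will presumably fail to build on arm64, or at best never report Secure Boot so the kernel is never locked down; the fix is `efi_set_secure_boot(params.secure_boot);`. Since the `#ifdef CONFIG_EFI_SECURE_BOOT_LOCK_DOWN` guard is also dropped, it is worth confirming that `efi_set_secure_boot()` and `init_lockdown()` are declared unconditionally for arm64 in the lockdown set this is ported onto. efi_init() starts and ends outside the hunk.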