83 lines
2.6 KiB
Diff
83 lines
2.6 KiB
Diff
From: Matthew Garrett <mjg59@srcf.ucam.org>
|
|
Date: Fri, 9 Aug 2013 18:36:30 -0400
|
|
Subject: [12/18] Add option to automatically set securelevel when in Secure
|
|
Boot mode
|
|
Origin: https://github.com/mjg59/linux/commit/e324de2d053295670f3ba8ef67289835d663aae5
|
|
|
|
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
|
|
only load signed bootloaders and kernels. Certain use cases may also
|
|
require that the kernel prevent userspace from inserting untrusted kernel
|
|
code at runtime. Add a configuration option that enforces this automatically
|
|
when enabled.
|
|
|
|
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
|
|
---
|
|
arch/x86/Kconfig | 13 +++++++++++++
|
|
arch/x86/kernel/setup.c | 7 +++++++
|
|
5 files changed, 60 insertions(+), 1 deletion(-)
|
|
|
|
--- a/arch/x86/Kconfig
|
|
+++ b/arch/x86/Kconfig
|
|
@@ -1754,6 +1754,19 @@ config EFI_MIXED
|
|
|
|
If unsure, say N.
|
|
|
|
+config EFI_SECURE_BOOT_SECURELEVEL
|
|
+ def_bool n
|
|
+ depends on SECURITY_SECURELEVEL
|
|
+ depends on EFI
|
|
+ prompt "Automatically set securelevel when UEFI Secure Boot is enabled"
|
|
+ ---help---
|
|
+ UEFI Secure Boot provides a mechanism for ensuring that the
|
|
+ firmware will only load signed bootloaders and kernels. Certain
|
|
+ use cases may also require that the kernel restrict any userspace
|
|
+ mechanism that could insert untrusted code into the kernel.
|
|
+ Say Y here to automatically enable securelevel enforcement
|
|
+ when a system boots with UEFI Secure Boot enabled.
|
|
+
|
|
config SECCOMP
|
|
def_bool y
|
|
prompt "Enable seccomp to safely compute untrusted bytecode"
|
|
--- a/arch/x86/boot/compressed/eboot.c
|
|
+++ b/arch/x86/boot/compressed/eboot.c
|
|
@@ -12,6 +12,7 @@
|
|
#include <asm/efi.h>
|
|
#include <asm/setup.h>
|
|
#include <asm/desc.h>
|
|
+#include <asm/bootparam_utils.h>
|
|
|
|
#include "../string.h"
|
|
#include "eboot.h"
|
|
@@ -1432,6 +1464,8 @@ struct boot_params *efi_main(struct efi_
|
|
else
|
|
setup_boot_services32(efi_early);
|
|
|
|
+ sanitize_boot_params(boot_params);
|
|
+
|
|
/*
|
|
* If the boot loader gave us a value for secure_boot then we use that,
|
|
* otherwise we ask the BIOS.
|
|
--- a/arch/x86/kernel/setup.c
|
|
+++ b/arch/x86/kernel/setup.c
|
|
@@ -50,6 +50,7 @@
|
|
#include <linux/init_ohci1394_dma.h>
|
|
#include <linux/kvm_para.h>
|
|
#include <linux/dma-contiguous.h>
|
|
+#include <linux/security.h>
|
|
|
|
#include <linux/errno.h>
|
|
#include <linux/kernel.h>
|
|
@@ -1145,6 +1146,12 @@ void __init setup_arch(char **cmdline_p)
|
|
|
|
io_delay_init();
|
|
|
|
+#ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL
|
|
+ if (boot_params.secure_boot == efi_secureboot_mode_enabled) {
|
|
+ set_securelevel(1);
|
|
+ }
|
|
+#endif
|
|
+
|
|
/*
|
|
* Parse the ACPI tables for possible boot-time SMP configuration.
|
|
*/
|