diff options
| author | Jeremy Cline <jcline@redhat.com> | 2020-03-20 17:56:53 -0400 |
|---|---|---|
| committer | Jeremy Cline <jcline@redhat.com> | 2020-03-20 18:02:59 -0400 |
| commit | c5fe8f96488ec3ad2da21e5c0480cbb2de0f562e (patch) | |
| tree | 25960759d0ee9f9bf7bce678f30a37e13501f616 | |
| parent | a723b3453a36386100c9d297aa9f402f8c08a526 (diff) | |
| download | kernel-c5fe8f96488ec3ad2da21e5c0480cbb2de0f562e.tar.gz kernel-c5fe8f96488ec3ad2da21e5c0480cbb2de0f562e.tar.xz kernel-c5fe8f96488ec3ad2da21e5c0480cbb2de0f562e.zip | |
Switch Secure Boot to lock down in integrity mode (rhbz 1815571)
| -rw-r--r-- | efi-secureboot.patch | 2 | ||||
| -rw-r--r-- | kernel.spec | 3 | ||||
| -rw-r--r-- | s390-Lock-down-the-kernel-when-the-IPL-secure-flag-i.patch | 4 |
3 files changed, 6 insertions, 3 deletions
diff --git a/efi-secureboot.patch b/efi-secureboot.patch index cda57a471..227805e8c 100644 --- a/efi-secureboot.patch +++ b/efi-secureboot.patch @@ -303,7 +303,7 @@ index 77ea96b794bd..a119e1bc9623 100644 + +#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT + if (efi_enabled(EFI_SECURE_BOOT)) -+ security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_CONFIDENTIALITY_MAX); ++ security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX); +#endif + dmi_setup(); diff --git a/kernel.spec b/kernel.spec index ed7152983..ef52871b9 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2899,6 +2899,9 @@ fi # # %changelog +* Fri Mar 20 2020 Jeremy Cline <jcline@redhat.com> +- Switch Secure Boot to lock down to integrity mode (rhbz 1815571) + * Fri Mar 20 2020 Justin M. Forbes <jforbes@fedoraproject.org> - Fix CVE-2019-19769 (rhbz 1786174 1786175) diff --git a/s390-Lock-down-the-kernel-when-the-IPL-secure-flag-i.patch b/s390-Lock-down-the-kernel-when-the-IPL-secure-flag-i.patch index 0779418b4..70e3f76a8 100644 --- a/s390-Lock-down-the-kernel-when-the-IPL-secure-flag-i.patch +++ b/s390-Lock-down-the-kernel-when-the-IPL-secure-flag-i.patch @@ -3,7 +3,7 @@ From: Jeremy Cline <jcline@redhat.com> Date: Wed, 30 Oct 2019 14:37:49 +0000 Subject: [PATCH] s390: Lock down the kernel when the IPL secure flag is set -Automatically lock down the kernel to LOCKDOWN_CONFIDENTIALITY_MAX if +Automatically lock down the kernel to LOCKDOWN_INTEGRITY_MAX if the IPL secure flag is set. Suggested-by: Philipp Rudo <prudo@redhat.com> @@ -56,7 +56,7 @@ index 9cbf490fd162..0510ecdfc3f6 100644 log_component_list(); + if (ipl_get_secureboot()) -+ security_lock_kernel_down("Secure IPL mode", LOCKDOWN_CONFIDENTIALITY_MAX); ++ security_lock_kernel_down("Secure IPL mode", LOCKDOWN_INTEGRITY_MAX); + /* Have one command line that is parsed and saved in /proc/cmdline */ /* boot_command_line has been already set up in early.c */ |