summaryrefslogtreecommitdiffstats
path: root/efi-secureboot.patch
diff options
context:
space:
mode:
authorJeremy Cline <jcline@redhat.com>2019-04-15 11:10:59 -0400
committerJeremy Cline <jcline@redhat.com>2019-04-15 12:15:16 -0400
commit4b5e4234be6539e237a2eaf36decf1b4b41fdc22 (patch)
tree8ba72fb6d4ddd5378b105c67f1ac3c98cab75cce /efi-secureboot.patch
parent8495ba147ba20dc6887c9ec33285166c9a5915f7 (diff)
downloadkernel-4b5e4234be6539e237a2eaf36decf1b4b41fdc22.tar.gz
kernel-4b5e4234be6539e237a2eaf36decf1b4b41fdc22.tar.xz
kernel-4b5e4234be6539e237a2eaf36decf1b4b41fdc22.zip
Rebase the kernel lockdown patch set
Use the latest version of the kernel lockdown patch set. This includes a few configuration renames: CONFIG_KEXEC_VERIFY_SIG became CONFIG_KEXEC_SIG and CONFIG_KEXEC_SIG_FORCE was added. CONFIG_KEXEC_SIG_FORCE=n because the "kexec_file: Restrict at runtime if the kernel is locked down" patch enforces the signature requirement when the kernel is locked down. CONFIG_LOCK_DOWN_MANDATORY got renamed to CONFIG_LOCK_DOWN_KERNEL_FORCE and remains false as LOCK_DOWN_IN_EFI_SECURE_BOOT covers enabling it for EFI Secure Boot users. Finally, the SysRq patches got dropped for the present.
Diffstat (limited to 'efi-secureboot.patch')
-rw-r--r--efi-secureboot.patch94
1 files changed, 28 insertions, 66 deletions
diff --git a/efi-secureboot.patch b/efi-secureboot.patch
index eb7c23098..102da06af 100644
--- a/efi-secureboot.patch
+++ b/efi-secureboot.patch
@@ -1,43 +1,3 @@
-From b96ff1fd9e94772fde7b58fd69969d1a1c87eb6d Mon Sep 17 00:00:00 2001
-From: Dave Young <dyoung@redhat.com>
-Date: Tue, 27 Feb 2018 10:04:51 +0000
-Subject: [PATCH 07/31] Copy secure_boot flag in boot params across kexec
- reboot
-
-Kexec reboot in case secure boot being enabled does not keep the secure
-boot mode in new kernel, so later one can load unsigned kernel via legacy
-kexec_load. In this state, the system is missing the protections provided
-by secure boot.
-
-Adding a patch to fix this by retain the secure_boot flag in original
-kernel.
-
-secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the
-stub. Fixing this issue by copying secure_boot flag across kexec reboot.
-
-Signed-off-by: Dave Young <dyoung@redhat.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
-cc: kexec@lists.infradead.org
----
- arch/x86/kernel/kexec-bzimage64.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
-index fb095ba0c02f..7d0fac5bcbbe 100644
---- a/arch/x86/kernel/kexec-bzimage64.c
-+++ b/arch/x86/kernel/kexec-bzimage64.c
-@@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
- if (efi_enabled(EFI_OLD_MEMMAP))
- return 0;
-
-+ params->secure_boot = boot_params.secure_boot;
- ei->efi_loader_signature = current_ei->efi_loader_signature;
- ei->efi_systab = current_ei->efi_systab;
- ei->efi_systab_hi = current_ei->efi_systab_hi;
---
-2.14.3
-
From b5123d0553f4ed5e734f6457696cdd30228d1eee Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 27 Feb 2018 10:04:55 +0000
@@ -221,34 +181,36 @@ cc: linux-efi@vger.kernel.org
4 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index a7c240f00d78..1277d1857c5c 100644
+index adeee6329f55..27a54ec878bd 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
-@@ -64,6 +64,7 @@
+@@ -65,6 +65,7 @@
#include <linux/dma-mapping.h>
#include <linux/ctype.h>
#include <linux/uaccess.h>
+#include <linux/security.h>
-
+
#include <linux/percpu.h>
#include <linux/crash_dump.h>
-@@ -997,6 +998,8 @@ void __init setup_arch(char **cmdline_p)
+@@ -1005,6 +1006,10 @@ void __init setup_arch(char **cmdline_p)
if (efi_enabled(EFI_BOOT))
efi_init();
-
+
+ efi_set_secure_boot(boot_params.secure_boot);
+
- init_lockdown();
-
++ init_lockdown()
++
dmi_scan_machine();
-@@ -1150,8 +1154,6 @@ void __init setup_arch(char **cmdline_p)
+ dmi_memdev_walk();
+ dmi_set_dump_stack_arch_desc();
+@@ -1159,8 +1164,6 @@ void __init setup_arch(char **cmdline_p)
/* Allocate bigger log buffer */
setup_log_buf(1);
-
+
- efi_set_secure_boot(boot_params.secure_boot);
-
reserve_initrd();
-
+
acpi_table_upgrade();
diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
index ce261e1765ff..7aff55b309a6 100644
@@ -264,13 +226,13 @@ index ce261e1765ff..7aff55b309a6 100644
return simple_setattr(dentry, ia);
}
diff --git a/security/Kconfig b/security/Kconfig
-index 461d5acc3616..13fdada1ffc2 100644
+index 9c343f262bdd..30788bc47863 100644
--- a/security/Kconfig
+++ b/security/Kconfig
-@@ -248,6 +248,20 @@ config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
- Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
- combination on a wired keyboard. On x86, this is SysRq+x.
-
+@@ -244,6 +244,20 @@ config LOCK_DOWN_KERNEL_FORCE
+ help
+ Enable the kernel lock down functionality automatically at boot.
+
+config LOCK_DOWN_IN_EFI_SECURE_BOOT
+ bool "Lock down the kernel in EFI Secure Boot mode"
+ default n
@@ -285,31 +247,31 @@ index 461d5acc3616..13fdada1ffc2 100644
+ Enabling this option turns on results in kernel lockdown being
+ triggered if EFI Secure Boot is set.
+
-
source "security/selinux/Kconfig"
source "security/smack/Kconfig"
+ source "security/tomoyo/Kconfig"
diff --git a/security/lock_down.c b/security/lock_down.c
-index 2c6b00f0c229..527f7e51dc8d 100644
+index ee00ca2677e7..bb4dc7838f3e 100644
--- a/security/lock_down.c
+++ b/security/lock_down.c
@@ -12,6 +12,7 @@
+
+ #include <linux/security.h>
#include <linux/export.h>
- #include <linux/sched.h>
- #include <linux/sysrq.h>
+#include <linux/efi.h>
- #include <asm/setup.h>
-
- #ifndef CONFIG_LOCK_DOWN_MANDATORY
-@@ -55,6 +55,10 @@ void __init init_lockdown(void)
- #ifdef CONFIG_LOCK_DOWN_MANDATORY
- pr_notice("Kernel is locked down from config; see man kernel_lockdown.7\n");
+
+ static __ro_after_init bool kernel_locked_down;
+
+@@ -44,6 +45,10 @@ void __init init_lockdown(void)
+ #ifdef CONFIG_LOCK_DOWN_FORCE
+ lock_kernel_down("Kernel configuration");
#endif
+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
+ if (efi_enabled(EFI_SECURE_BOOT))
+ lock_kernel_down("EFI secure boot");
+#endif
}
-
+
/**
--
2.14.3