summaryrefslogtreecommitdiffstats
path: root/efi-secureboot.patch
diff options
context:
space:
mode:
Diffstat (limited to 'efi-secureboot.patch')
-rw-r--r--efi-secureboot.patch334
1 files changed, 0 insertions, 334 deletions
diff --git a/efi-secureboot.patch b/efi-secureboot.patch
deleted file mode 100644
index de0495768..000000000
--- a/efi-secureboot.patch
+++ /dev/null
@@ -1,334 +0,0 @@
-From 478a0cff698409224330ea9e25eb332220b55dbb Mon Sep 17 00:00:00 2001
-From: Jeremy Cline <jcline@redhat.com>
-Date: Mon, 30 Sep 2019 21:22:47 +0000
-Subject: [PATCH 1/3] security: lockdown: expose a hook to lock the kernel down
-
-In order to automatically lock down kernels running on UEFI machines
-booted in Secure Boot mode, expose the lock_kernel_down() hook.
-
-Signed-off-by: Jeremy Cline <jcline@redhat.com>
----
- include/linux/lsm_hooks.h | 8 ++++++++
- include/linux/security.h | 5 +++++
- security/lockdown/lockdown.c | 1 +
- security/security.c | 6 ++++++
- 4 files changed, 20 insertions(+)
-
-diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
-index 9cd4455528e5..f79007bf439d 100644
---- a/include/linux/lsm_hook_defs.h
-+++ b/include/linux/lsm_hook_defs.h
-@@ -371,6 +371,8 @@ LSM_HOOK(void, LSM_RET_VOID, bpf_prog_free_security, struct bpf_prog_aux *aux)
- #endif /* CONFIG_BPF_SYSCALL */
-
- LSM_HOOK(int, 0, locked_down, enum lockdown_reason what)
-+LSM_HOOK(int, 0, lock_kernel_down, const char *where, enum lockdown_reason level)
-+
-
- #ifdef CONFIG_PERF_EVENTS
- LSM_HOOK(int, 0, perf_event_open, struct perf_event_attr *attr, int type)
-diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
-index 988ca0df7824..4ed37b95417c 100644
---- a/include/linux/lsm_hooks.h
-+++ b/include/linux/lsm_hooks.h
-@@ -1476,6 +1476,12 @@
- *
- * @what: kernel feature being accessed
- *
-+ * @lock_kernel_down
-+ * Put the kernel into lock-down mode.
-+ *
-+ * @where: Where the lock-down is originating from (e.g. command line option)
-+ * @level: The lock-down level (can only increase)
-+ *
- * Security hooks for perf events
- *
- * @perf_event_open:
-diff --git a/include/linux/security.h b/include/linux/security.h
-index a8d59d612d27..467b9ccdf993 100644
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -442,6 +442,7 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
- int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
- int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
- int security_locked_down(enum lockdown_reason what);
-+int security_lock_kernel_down(const char *where, enum lockdown_reason level);
- #else /* CONFIG_SECURITY */
-
- static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
-@@ -1269,6 +1270,10 @@ static inline int security_locked_down(enum lockdown_reason what)
- {
- return 0;
- }
-+static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level)
-+{
-+ return 0;
-+}
- #endif /* CONFIG_SECURITY */
-
- #ifdef CONFIG_SECURITY_NETWORK
-diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
-index 8a10b43daf74..72a623075749 100644
---- a/security/lockdown/lockdown.c
-+++ b/security/lockdown/lockdown.c
-@@ -97,6 +97,7 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
-
- static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = {
- LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
-+ LSM_HOOK_INIT(lock_kernel_down, lock_kernel_down),
- };
-
- static int __init lockdown_lsm_init(void)
-diff --git a/security/security.c b/security/security.c
-index 1bc000f834e2..1506b95427cf 100644
---- a/security/security.c
-+++ b/security/security.c
-@@ -2404,6 +2404,12 @@ int security_locked_down(enum lockdown_reason what)
- return call_int_hook(locked_down, 0, what);
- }
- EXPORT_SYMBOL(security_locked_down);
-+
-+int security_lock_kernel_down(const char *where, enum lockdown_reason level)
-+{
-+ return call_int_hook(lock_kernel_down, 0, where, level);
-+}
-+EXPORT_SYMBOL(security_lock_kernel_down);
-
- #ifdef CONFIG_PERF_EVENTS
- int security_perf_event_open(struct perf_event_attr *attr, int type)
---
-2.21.0
-
-
-From b5123d0553f4ed5e734f6457696cdd30228d1eee Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 27 Feb 2018 10:04:55 +0000
-Subject: [PATCH 2/3] efi: Add an EFI_SECURE_BOOT flag to indicate secure
- boot mode
-
-UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT
-flag that can be passed to efi_enabled() to find out whether secure boot is
-enabled.
-
-Move the switch-statement in x86's setup_arch() that inteprets the
-secure_boot boot parameter to generic code and set the bit there.
-
-Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-cc: linux-efi@vger.kernel.org
-[Rebased for context; efi_is_table_address was moved to arch/x86]
-Signed-off-by: Jeremy Cline <jcline@redhat.com>
----
- arch/x86/kernel/setup.c | 14 +-----------
- drivers/firmware/efi/Makefile | 1 +
- drivers/firmware/efi/secureboot.c | 38 +++++++++++++++++++++++++++++++
- include/linux/efi.h | 18 ++++++++++-----
- 4 files changed, 52 insertions(+), 19 deletions(-)
- create mode 100644 drivers/firmware/efi/secureboot.c
-
-diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 2441b64d061f..1797623b0c3a 100644
---- a/arch/x86/kernel/setup.c
-+++ b/arch/x86/kernel/setup.c
-@@ -1126,19 +1126,7 @@ void __init setup_arch(char **cmdline_p)
- /* Allocate bigger log buffer */
- setup_log_buf(1);
-
-- if (efi_enabled(EFI_BOOT)) {
-- switch (boot_params.secure_boot) {
-- case efi_secureboot_mode_disabled:
-- pr_info("Secure boot disabled\n");
-- break;
-- case efi_secureboot_mode_enabled:
-- pr_info("Secure boot enabled\n");
-- break;
-- default:
-- pr_info("Secure boot could not be determined\n");
-- break;
-- }
-- }
-+ efi_set_secure_boot(boot_params.secure_boot);
-
- reserve_initrd();
-
-diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile
-index 554d795270d9..d2e17e26ac55 100644
---- a/drivers/firmware/efi/Makefile
-+++ b/drivers/firmware/efi/Makefile
-@@ -24,6 +24,7 @@ obj-$(CONFIG_EFI_FAKE_MEMMAP) += fake_map.o
- obj-$(CONFIG_EFI_BOOTLOADER_CONTROL) += efibc.o
- obj-$(CONFIG_EFI_TEST) += test/
- obj-$(CONFIG_EFI_DEV_PATH_PARSER) += dev-path-parser.o
-+obj-$(CONFIG_EFI) += secureboot.o
- obj-$(CONFIG_APPLE_PROPERTIES) += apple-properties.o
- obj-$(CONFIG_EFI_RCI2_TABLE) += rci2-table.o
- obj-$(CONFIG_EFI_EMBEDDED_FIRMWARE) += embedded-firmware.o
-diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c
-new file mode 100644
-index 000000000000..de0a3714a5d4
---- /dev/null
-+++ b/drivers/firmware/efi/secureboot.c
-@@ -0,0 +1,38 @@
-+/* Core kernel secure boot support.
-+ *
-+ * Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
-+ * Written by David Howells (dhowells@redhat.com)
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public Licence
-+ * as published by the Free Software Foundation; either version
-+ * 2 of the Licence, or (at your option) any later version.
-+ */
-+
-+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
-+
-+#include <linux/efi.h>
-+#include <linux/kernel.h>
-+#include <linux/printk.h>
-+
-+/*
-+ * Decide what to do when UEFI secure boot mode is enabled.
-+ */
-+void __init efi_set_secure_boot(enum efi_secureboot_mode mode)
-+{
-+ if (efi_enabled(EFI_BOOT)) {
-+ switch (mode) {
-+ case efi_secureboot_mode_disabled:
-+ pr_info("Secure boot disabled\n");
-+ break;
-+ case efi_secureboot_mode_enabled:
-+ set_bit(EFI_SECURE_BOOT, &efi.flags);
-+ pr_info("Secure boot enabled\n");
-+ break;
-+ default:
-+ pr_warn("Secure boot could not be determined (mode %u)\n",
-+ mode);
-+ break;
-+ }
-+ }
-+}
-diff --git a/include/linux/efi.h b/include/linux/efi.h
-index 5062683d4d08..6ae0e02f461e 100644
---- a/include/linux/efi.h
-+++ b/include/linux/efi.h
-@@ -1126,6 +1126,14 @@ extern int __init efi_setup_pcdp_console(char *);
- #define EFI_MEM_ATTR 10 /* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */
- #define EFI_MEM_NO_SOFT_RESERVE 11 /* Is the kernel configured to ignore soft reservations? */
- #define EFI_PRESERVE_BS_REGIONS 12 /* Are EFI boot-services memory segments available? */
-+#define EFI_SECURE_BOOT 13 /* Are we in Secure Boot mode? */
-+
-+enum efi_secureboot_mode {
-+ efi_secureboot_mode_unset,
-+ efi_secureboot_mode_unknown,
-+ efi_secureboot_mode_disabled,
-+ efi_secureboot_mode_enabled,
-+};
-
- #ifdef CONFIG_EFI
- /*
-@@ -1137,6 +1145,8 @@ static inline bool efi_enabled(int feature)
- }
- extern void efi_reboot(enum reboot_mode reboot_mode, const char *__unused);
-
-+extern void __init efi_set_secure_boot(enum efi_secureboot_mode mode);
-+
- bool __pure __efi_soft_reserve_enabled(void);
-
- static inline bool __pure efi_soft_reserve_enabled(void)
-@@ -1158,6 +1168,8 @@ efi_capsule_pending(int *reset_type)
- return false;
- }
-
-+static inline void efi_set_secure_boot(enum efi_secureboot_mode mode) {}
-+
- static inline bool efi_soft_reserve_enabled(void)
- {
- return false;
-@@ -1541,12 +1553,6 @@ static inline bool efi_runtime_disabled(void) { return true; }
- extern void efi_call_virt_check_flags(unsigned long flags, const char *call);
- extern unsigned long efi_call_virt_save_flags(void);
-
--enum efi_secureboot_mode {
-- efi_secureboot_mode_unset,
-- efi_secureboot_mode_unknown,
-- efi_secureboot_mode_disabled,
-- efi_secureboot_mode_enabled,
--};
- enum efi_secureboot_mode efi_get_secureboot(void);
-
- #ifdef CONFIG_RESET_ATTACK_MITIGATION
---
-2.24.1
-
-
-From 15368f76d4997912318d35c52bfeb9041d85098e Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 30 Sep 2019 21:28:16 +0000
-Subject: [PATCH 3/3] efi: Lock down the kernel if booted in secure boot mode
-
-UEFI Secure Boot provides a mechanism for ensuring that the firmware
-will only load signed bootloaders and kernels. Certain use cases may
-also require that all kernel modules also be signed. Add a
-configuration option that to lock down the kernel - which includes
-requiring validly signed modules - if the kernel is secure-booted.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Signed-off-by: Jeremy Cline <jcline@redhat.com>
----
- arch/x86/kernel/setup.c | 8 ++++++++
- security/lockdown/Kconfig | 13 +++++++++++++
- 2 files changed, 21 insertions(+)
-
-diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 1797623b0c3a..fa8ac411bf6e 100644
---- a/arch/x86/kernel/setup.c
-+++ b/arch/x86/kernel/setup.c
-@@ -17,6 +17,7 @@
- #include <linux/sfi.h>
- #include <linux/hugetlb.h>
- #include <linux/tboot.h>
-+#include <linux/security.h>
- #include <linux/usb/xhci-dbgp.h>
-
- #include <uapi/linux/mount.h>
-@@ -975,6 +976,13 @@ void __init setup_arch(char **cmdline_p)
- if (efi_enabled(EFI_BOOT))
- efi_init();
-
-+ efi_set_secure_boot(boot_params.secure_boot);
-+
-+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
-+ if (efi_enabled(EFI_SECURE_BOOT))
-+ security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);
-+#endif
-+
- dmi_setup();
-
- /*
-diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
-index e84ddf484010..d0501353a4b9 100644
---- a/security/lockdown/Kconfig
-+++ b/security/lockdown/Kconfig
-@@ -16,6 +16,19 @@ config SECURITY_LOCKDOWN_LSM_EARLY
- subsystem is fully initialised. If enabled, lockdown will
- unconditionally be called before any other LSMs.
-
-+config LOCK_DOWN_IN_EFI_SECURE_BOOT
-+ bool "Lock down the kernel in EFI Secure Boot mode"
-+ default n
-+ depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY
-+ help
-+ UEFI Secure Boot provides a mechanism for ensuring that the firmware
-+ will only load signed bootloaders and kernels. Secure boot mode may
-+ be determined from EFI variables provided by the system firmware if
-+ not indicated by the boot parameters.
-+
-+ Enabling this option results in kernel lockdown being triggered if
-+ EFI Secure Boot is set.
-+
- choice
- prompt "Kernel default lockdown mode"
- default LOCK_DOWN_KERNEL_FORCE_NONE
---
-2.24.1