diff options
Diffstat (limited to 'efi-secureboot.patch')
-rw-r--r-- | efi-secureboot.patch | 334 |
1 files changed, 0 insertions, 334 deletions
diff --git a/efi-secureboot.patch b/efi-secureboot.patch deleted file mode 100644 index de0495768..000000000 --- a/efi-secureboot.patch +++ /dev/null @@ -1,334 +0,0 @@ -From 478a0cff698409224330ea9e25eb332220b55dbb Mon Sep 17 00:00:00 2001 -From: Jeremy Cline <jcline@redhat.com> -Date: Mon, 30 Sep 2019 21:22:47 +0000 -Subject: [PATCH 1/3] security: lockdown: expose a hook to lock the kernel down - -In order to automatically lock down kernels running on UEFI machines -booted in Secure Boot mode, expose the lock_kernel_down() hook. - -Signed-off-by: Jeremy Cline <jcline@redhat.com> ---- - include/linux/lsm_hooks.h | 8 ++++++++ - include/linux/security.h | 5 +++++ - security/lockdown/lockdown.c | 1 + - security/security.c | 6 ++++++ - 4 files changed, 20 insertions(+) - -diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h -index 9cd4455528e5..f79007bf439d 100644 ---- a/include/linux/lsm_hook_defs.h -+++ b/include/linux/lsm_hook_defs.h -@@ -371,6 +371,8 @@ LSM_HOOK(void, LSM_RET_VOID, bpf_prog_free_security, struct bpf_prog_aux *aux) - #endif /* CONFIG_BPF_SYSCALL */ - - LSM_HOOK(int, 0, locked_down, enum lockdown_reason what) -+LSM_HOOK(int, 0, lock_kernel_down, const char *where, enum lockdown_reason level) -+ - - #ifdef CONFIG_PERF_EVENTS - LSM_HOOK(int, 0, perf_event_open, struct perf_event_attr *attr, int type) -diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h -index 988ca0df7824..4ed37b95417c 100644 ---- a/include/linux/lsm_hooks.h -+++ b/include/linux/lsm_hooks.h -@@ -1476,6 +1476,12 @@ - * - * @what: kernel feature being accessed - * -+ * @lock_kernel_down -+ * Put the kernel into lock-down mode. -+ * -+ * @where: Where the lock-down is originating from (e.g. command line option) -+ * @level: The lock-down level (can only increase) -+ * - * Security hooks for perf events - * - * @perf_event_open: -diff --git a/include/linux/security.h b/include/linux/security.h -index a8d59d612d27..467b9ccdf993 100644 ---- a/include/linux/security.h -+++ b/include/linux/security.h -@@ -442,6 +442,7 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); - int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); - int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); - int security_locked_down(enum lockdown_reason what); -+int security_lock_kernel_down(const char *where, enum lockdown_reason level); - #else /* CONFIG_SECURITY */ - - static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data) -@@ -1269,6 +1270,10 @@ static inline int security_locked_down(enum lockdown_reason what) - { - return 0; - } -+static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level) -+{ -+ return 0; -+} - #endif /* CONFIG_SECURITY */ - - #ifdef CONFIG_SECURITY_NETWORK -diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c -index 8a10b43daf74..72a623075749 100644 ---- a/security/lockdown/lockdown.c -+++ b/security/lockdown/lockdown.c -@@ -97,6 +97,7 @@ static int lockdown_is_locked_down(enum lockdown_reason what) - - static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = { - LSM_HOOK_INIT(locked_down, lockdown_is_locked_down), -+ LSM_HOOK_INIT(lock_kernel_down, lock_kernel_down), - }; - - static int __init lockdown_lsm_init(void) -diff --git a/security/security.c b/security/security.c -index 1bc000f834e2..1506b95427cf 100644 ---- a/security/security.c -+++ b/security/security.c -@@ -2404,6 +2404,12 @@ int security_locked_down(enum lockdown_reason what) - return call_int_hook(locked_down, 0, what); - } - EXPORT_SYMBOL(security_locked_down); -+ -+int security_lock_kernel_down(const char *where, enum lockdown_reason level) -+{ -+ return call_int_hook(lock_kernel_down, 0, where, level); -+} -+EXPORT_SYMBOL(security_lock_kernel_down); - - #ifdef CONFIG_PERF_EVENTS - int security_perf_event_open(struct perf_event_attr *attr, int type) --- -2.21.0 - - -From b5123d0553f4ed5e734f6457696cdd30228d1eee Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Tue, 27 Feb 2018 10:04:55 +0000 -Subject: [PATCH 2/3] efi: Add an EFI_SECURE_BOOT flag to indicate secure - boot mode - -UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT -flag that can be passed to efi_enabled() to find out whether secure boot is -enabled. - -Move the switch-statement in x86's setup_arch() that inteprets the -secure_boot boot parameter to generic code and set the bit there. - -Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> -Signed-off-by: David Howells <dhowells@redhat.com> -Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> -cc: linux-efi@vger.kernel.org -[Rebased for context; efi_is_table_address was moved to arch/x86] -Signed-off-by: Jeremy Cline <jcline@redhat.com> ---- - arch/x86/kernel/setup.c | 14 +----------- - drivers/firmware/efi/Makefile | 1 + - drivers/firmware/efi/secureboot.c | 38 +++++++++++++++++++++++++++++++ - include/linux/efi.h | 18 ++++++++++----- - 4 files changed, 52 insertions(+), 19 deletions(-) - create mode 100644 drivers/firmware/efi/secureboot.c - -diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 2441b64d061f..1797623b0c3a 100644 ---- a/arch/x86/kernel/setup.c -+++ b/arch/x86/kernel/setup.c -@@ -1126,19 +1126,7 @@ void __init setup_arch(char **cmdline_p) - /* Allocate bigger log buffer */ - setup_log_buf(1); - -- if (efi_enabled(EFI_BOOT)) { -- switch (boot_params.secure_boot) { -- case efi_secureboot_mode_disabled: -- pr_info("Secure boot disabled\n"); -- break; -- case efi_secureboot_mode_enabled: -- pr_info("Secure boot enabled\n"); -- break; -- default: -- pr_info("Secure boot could not be determined\n"); -- break; -- } -- } -+ efi_set_secure_boot(boot_params.secure_boot); - - reserve_initrd(); - -diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile -index 554d795270d9..d2e17e26ac55 100644 ---- a/drivers/firmware/efi/Makefile -+++ b/drivers/firmware/efi/Makefile -@@ -24,6 +24,7 @@ obj-$(CONFIG_EFI_FAKE_MEMMAP) += fake_map.o - obj-$(CONFIG_EFI_BOOTLOADER_CONTROL) += efibc.o - obj-$(CONFIG_EFI_TEST) += test/ - obj-$(CONFIG_EFI_DEV_PATH_PARSER) += dev-path-parser.o -+obj-$(CONFIG_EFI) += secureboot.o - obj-$(CONFIG_APPLE_PROPERTIES) += apple-properties.o - obj-$(CONFIG_EFI_RCI2_TABLE) += rci2-table.o - obj-$(CONFIG_EFI_EMBEDDED_FIRMWARE) += embedded-firmware.o -diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c -new file mode 100644 -index 000000000000..de0a3714a5d4 ---- /dev/null -+++ b/drivers/firmware/efi/secureboot.c -@@ -0,0 +1,38 @@ -+/* Core kernel secure boot support. -+ * -+ * Copyright (C) 2017 Red Hat, Inc. All Rights Reserved. -+ * Written by David Howells (dhowells@redhat.com) -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public Licence -+ * as published by the Free Software Foundation; either version -+ * 2 of the Licence, or (at your option) any later version. -+ */ -+ -+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt -+ -+#include <linux/efi.h> -+#include <linux/kernel.h> -+#include <linux/printk.h> -+ -+/* -+ * Decide what to do when UEFI secure boot mode is enabled. -+ */ -+void __init efi_set_secure_boot(enum efi_secureboot_mode mode) -+{ -+ if (efi_enabled(EFI_BOOT)) { -+ switch (mode) { -+ case efi_secureboot_mode_disabled: -+ pr_info("Secure boot disabled\n"); -+ break; -+ case efi_secureboot_mode_enabled: -+ set_bit(EFI_SECURE_BOOT, &efi.flags); -+ pr_info("Secure boot enabled\n"); -+ break; -+ default: -+ pr_warn("Secure boot could not be determined (mode %u)\n", -+ mode); -+ break; -+ } -+ } -+} -diff --git a/include/linux/efi.h b/include/linux/efi.h -index 5062683d4d08..6ae0e02f461e 100644 ---- a/include/linux/efi.h -+++ b/include/linux/efi.h -@@ -1126,6 +1126,14 @@ extern int __init efi_setup_pcdp_console(char *); - #define EFI_MEM_ATTR 10 /* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */ - #define EFI_MEM_NO_SOFT_RESERVE 11 /* Is the kernel configured to ignore soft reservations? */ - #define EFI_PRESERVE_BS_REGIONS 12 /* Are EFI boot-services memory segments available? */ -+#define EFI_SECURE_BOOT 13 /* Are we in Secure Boot mode? */ -+ -+enum efi_secureboot_mode { -+ efi_secureboot_mode_unset, -+ efi_secureboot_mode_unknown, -+ efi_secureboot_mode_disabled, -+ efi_secureboot_mode_enabled, -+}; - - #ifdef CONFIG_EFI - /* -@@ -1137,6 +1145,8 @@ static inline bool efi_enabled(int feature) - } - extern void efi_reboot(enum reboot_mode reboot_mode, const char *__unused); - -+extern void __init efi_set_secure_boot(enum efi_secureboot_mode mode); -+ - bool __pure __efi_soft_reserve_enabled(void); - - static inline bool __pure efi_soft_reserve_enabled(void) -@@ -1158,6 +1168,8 @@ efi_capsule_pending(int *reset_type) - return false; - } - -+static inline void efi_set_secure_boot(enum efi_secureboot_mode mode) {} -+ - static inline bool efi_soft_reserve_enabled(void) - { - return false; -@@ -1541,12 +1553,6 @@ static inline bool efi_runtime_disabled(void) { return true; } - extern void efi_call_virt_check_flags(unsigned long flags, const char *call); - extern unsigned long efi_call_virt_save_flags(void); - --enum efi_secureboot_mode { -- efi_secureboot_mode_unset, -- efi_secureboot_mode_unknown, -- efi_secureboot_mode_disabled, -- efi_secureboot_mode_enabled, --}; - enum efi_secureboot_mode efi_get_secureboot(void); - - #ifdef CONFIG_RESET_ATTACK_MITIGATION --- -2.24.1 - - -From 15368f76d4997912318d35c52bfeb9041d85098e Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Mon, 30 Sep 2019 21:28:16 +0000 -Subject: [PATCH 3/3] efi: Lock down the kernel if booted in secure boot mode - -UEFI Secure Boot provides a mechanism for ensuring that the firmware -will only load signed bootloaders and kernels. Certain use cases may -also require that all kernel modules also be signed. Add a -configuration option that to lock down the kernel - which includes -requiring validly signed modules - if the kernel is secure-booted. - -Signed-off-by: David Howells <dhowells@redhat.com> -Signed-off-by: Jeremy Cline <jcline@redhat.com> ---- - arch/x86/kernel/setup.c | 8 ++++++++ - security/lockdown/Kconfig | 13 +++++++++++++ - 2 files changed, 21 insertions(+) - -diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 1797623b0c3a..fa8ac411bf6e 100644 ---- a/arch/x86/kernel/setup.c -+++ b/arch/x86/kernel/setup.c -@@ -17,6 +17,7 @@ - #include <linux/sfi.h> - #include <linux/hugetlb.h> - #include <linux/tboot.h> -+#include <linux/security.h> - #include <linux/usb/xhci-dbgp.h> - - #include <uapi/linux/mount.h> -@@ -975,6 +976,13 @@ void __init setup_arch(char **cmdline_p) - if (efi_enabled(EFI_BOOT)) - efi_init(); - -+ efi_set_secure_boot(boot_params.secure_boot); -+ -+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT -+ if (efi_enabled(EFI_SECURE_BOOT)) -+ security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX); -+#endif -+ - dmi_setup(); - - /* -diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig -index e84ddf484010..d0501353a4b9 100644 ---- a/security/lockdown/Kconfig -+++ b/security/lockdown/Kconfig -@@ -16,6 +16,19 @@ config SECURITY_LOCKDOWN_LSM_EARLY - subsystem is fully initialised. If enabled, lockdown will - unconditionally be called before any other LSMs. - -+config LOCK_DOWN_IN_EFI_SECURE_BOOT -+ bool "Lock down the kernel in EFI Secure Boot mode" -+ default n -+ depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY -+ help -+ UEFI Secure Boot provides a mechanism for ensuring that the firmware -+ will only load signed bootloaders and kernels. Secure boot mode may -+ be determined from EFI variables provided by the system firmware if -+ not indicated by the boot parameters. -+ -+ Enabling this option results in kernel lockdown being triggered if -+ EFI Secure Boot is set. -+ - choice - prompt "Kernel default lockdown mode" - default LOCK_DOWN_KERNEL_FORCE_NONE --- -2.24.1 |