From d1b6f8c7af0eb9a0a44b2d4723e58dde5eafa236 Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Thu, 23 Apr 2020 16:47:21 -0400 Subject: kernel-5.7.0-0.rc2.20200423git7adc4b399952.1 * Thu Apr 23 2020 CKI@GitLab [5.7.0-0.rc2.20200423git7adc4b399952.1] - 7adc4b399952 rebase - Match template format in kernel.spec.template ("Justin M. Forbes") - Break out the Patches into individual files for dist-git ("Justin M. Forbes") - Break the Red Hat patch into individual commits (Jeremy Cline) - Adjust module filtering so CONFIG_DRM_DP_CEC can be set (Jeremy Cline) - Add a script to generate release tags and branches (Jeremy Cline) - Set CONFIG_VDPA for fedora ("Justin M. Forbes") - Provide defaults in ark-rebase-patches.sh (Jeremy Cline) - Default ark-rebase-patches.sh to not report issues (Jeremy Cline) Resolves: rhbz# Signed-off-by: Jeremy Cline --- ...wn-the-kernel-if-booted-in-secure-boot-mo.patch | 72 ++++++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 0001-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch (limited to '0001-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch') diff --git a/0001-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/0001-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch new file mode 100644 index 000000000..4d3d56713 --- /dev/null +++ b/0001-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch @@ -0,0 +1,72 @@ +From f8b4469d9bd35b145296f904130218afe52982e4 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Mon, 30 Sep 2019 21:28:16 +0000 +Subject: [PATCH] efi: Lock down the kernel if booted in secure boot mode + +UEFI Secure Boot provides a mechanism for ensuring that the firmware +will only load signed bootloaders and kernels. Certain use cases may +also require that all kernel modules also be signed. Add a +configuration option that to lock down the kernel - which includes +requiring validly signed modules - if the kernel is secure-booted. + +Upstream Status: RHEL only +Signed-off-by: David Howells +Signed-off-by: Jeremy Cline +--- + arch/x86/kernel/setup.c | 8 ++++++++ + security/lockdown/Kconfig | 13 +++++++++++++ + 2 files changed, 21 insertions(+) + +diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c +index 08e9f5fc26a8..b6f5510f3d91 100644 +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + #include + + #include +@@ -1099,6 +1100,13 @@ void __init setup_arch(char **cmdline_p) + if (efi_enabled(EFI_BOOT)) + efi_init(); + ++ efi_set_secure_boot(boot_params.secure_boot); ++ ++#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT ++ if (efi_enabled(EFI_SECURE_BOOT)) ++ security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX); ++#endif ++ + dmi_setup(); + + /* +diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig +index e84ddf484010..d0501353a4b9 100644 +--- a/security/lockdown/Kconfig ++++ b/security/lockdown/Kconfig +@@ -16,6 +16,19 @@ config SECURITY_LOCKDOWN_LSM_EARLY + subsystem is fully initialised. If enabled, lockdown will + unconditionally be called before any other LSMs. + ++config LOCK_DOWN_IN_EFI_SECURE_BOOT ++ bool "Lock down the kernel in EFI Secure Boot mode" ++ default n ++ depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY ++ help ++ UEFI Secure Boot provides a mechanism for ensuring that the firmware ++ will only load signed bootloaders and kernels. Secure boot mode may ++ be determined from EFI variables provided by the system firmware if ++ not indicated by the boot parameters. ++ ++ Enabling this option results in kernel lockdown being triggered if ++ EFI Secure Boot is set. ++ + choice + prompt "Kernel default lockdown mode" + default LOCK_DOWN_KERNEL_FORCE_NONE +-- +2.26.0 + -- cgit