On Thu, Sep 20, 2012 at 05:32:37PM +0100, Greg KH wrote: > On Thu, Sep 20, 2012 at 10:41:02AM -0400, Matthew Garrett wrote: > > From: Josh Boyer <jwboyer@xxxxxxxxxx> > > > > This forcibly drops CAP_COMPROMISE_KERNEL from both cap_permitted and cap_bset > > in the init_cred struct, which everything else inherits from. This works on > > any machine and can be used to develop even if the box doesn't have UEFI. > > > > Signed-off-by: Josh Boyer <jwboyer@xxxxxxxxxx> > > --- > > kernel/cred.c | 17 +++++++++++++++++ > > 1 file changed, 17 insertions(+) > > > > diff --git a/kernel/cred.c b/kernel/cred.c > > index de728ac..7e6e83f 100644 > > --- a/kernel/cred.c > > +++ b/kernel/cred.c > > @@ -623,6 +623,23 @@ void __init cred_init(void) > > 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL); > > } > > > > +void __init secureboot_enable() > > +{ > > + pr_info("Secure boot enabled\n"); > > + cap_lower((&init_cred)->cap_bset, CAP_COMPROMISE_KERNEL); > > + cap_lower((&init_cred)->cap_permitted, CAP_COMPROMISE_KERNEL); > > +} > > + > > +/* Dummy Secure Boot enable option to fake out UEFI SB=1 */ > > +static int __init secureboot_enable_opt(char *str) > > +{ > > + int sb_enable = !!simple_strtol(str, NULL, 0); > > + if (sb_enable) > > + secureboot_enable(); > > + return 1; > > +} > > +__setup("secureboot_enable=", secureboot_enable_opt); > > Document this please in the bootparams file. Oops, yes. Will do. Thanks for pointing it out. josh -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html