於 二,2013-09-03 於 19:50 -0400,Matthew Garrett 提到: > UEFI Secure Boot provides a mechanism for ensuring that the firmware will > only load signed bootloaders and kernels. Certain use cases may also > require that all kernel modules also be signed. Add a configuration option > that enforces this automatically when enabled. > > Signed-off-by: Matthew Garrett <matthew.garrett@xxxxxxxxxx> > --- > Documentation/x86/zero-page.txt | 2 ++ > arch/x86/Kconfig | 10 ++++++++++ > arch/x86/boot/compressed/eboot.c | 36 +++++++++++++++++++++++++++++++++++ > arch/x86/include/uapi/asm/bootparam.h | 3 ++- > arch/x86/kernel/setup.c | 6 ++++++ > include/linux/module.h | 6 ++++++ > kernel/module.c | 7 +++++++ > 7 files changed, 69 insertions(+), 1 deletion(-) > > diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt > index 199f453..ec38acf 100644 > --- a/Documentation/x86/zero-page.txt > +++ b/Documentation/x86/zero-page.txt > @@ -30,6 +30,8 @@ Offset Proto Name Meaning > 1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below) > 1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer > (below) > +1EB/001 ALL kbd_status Numlock is enabled > +1EC/001 ALL secure_boot Secure boot is enabled in the firmware > 1EF/001 ALL sentinel Used to detect broken bootloaders > 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures > 2D0/A00 ALL e820_map E820 memory map table > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig > index b32ebf9..6a6c19b 100644 > --- a/arch/x86/Kconfig > +++ b/arch/x86/Kconfig > @@ -1581,6 +1581,16 @@ config EFI_STUB > > See Documentation/x86/efi-stub.txt for more information. > > +config EFI_SECURE_BOOT_SIG_ENFORCE > + def_bool n Maybe need add "select MODULE_SIG" to here for auto enable kernel module signature check when user select this option? > + prompt "Force module signing when UEFI Secure Boot is enabled" > + ---help--- > + UEFI Secure Boot provides a mechanism for ensuring that the > + firmware will only load signed bootloaders and kernels. Certain > + use cases may also require that all kernel modules also be signed. > + Say Y here to automatically enable module signature enforcement > + when a system boots with UEFI Secure Boot enabled. Thanks a lot! Joey Lee -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html