On Tue, 03 Sep, at 07:50:18PM, Matthew Garrett wrote:
> UEFI Secure Boot provides a mechanism for ensuring that the firmware will
> only load signed bootloaders and kernels. Certain use cases may also
> require that all kernel modules also be signed. Add a configuration option
> that enforces this automatically when enabled.
>
> Signed-off-by: Matthew Garrett <matthew.garrett@xxxxxxxxxx>
> ---
>  Documentation/x86/zero-page.txt       |  2 ++
>  arch/x86/Kconfig                      | 10 ++++++++++
>  arch/x86/boot/compressed/eboot.c      | 36 +++++++++++++++++++++++++++++++++++
>  arch/x86/include/uapi/asm/bootparam.h |  3 ++-
>  arch/x86/kernel/setup.c               |  6 ++++++
>  include/linux/module.h                |  6 ++++++
>  kernel/module.c                       |  7 +++++++
>  7 files changed, 69 insertions(+), 1 deletion(-)

[...]

> @@ -1129,6 +1129,12 @@ void __init setup_arch(char **cmdline_p)
>
>  	io_delay_init();
>
> +#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
> +	if (boot_params.secure_boot) {
> +		enforce_signed_modules();
> +	}
> +#endif
> +

I'd advise checking efi_enabled(EFI_BOOT) along with .secure_boot to
guard against garbage values in boot_params.

--
Matt Fleming, Intel Open Source Technology Center
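Review bot: In the setup.c hunk, the braces around the single-statement body of `if (boot_params.secure_boot)` are not needed under kernel coding style and checkpatch will flag them; drop them so the block reads `if (boot_params.secure_boot)` followed by `enforce_signed_modules();` on its own line. The same `if` also trusts that `boot_params.secure_boot` holds a meaningful value on every boot path, including non-EFI ones where the EFI stub never fills the field in, so qualifying the test with `efi_enabled(EFI_BOOT)`, as the reply suggests, keeps the enforcement decision from depending on whatever a legacy boot loader happened to leave in that byte.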