On Wed, May 24, 2017 at 03:45:56PM +0100, David Howells wrote: > UEFI Secure Boot provides a mechanism for ensuring that the firmware will > only load signed bootloaders and kernels. Certain use cases may also > require that all kernel modules also be signed. Add a configuration option > that to lock down the kernel - which includes requiring validly signed > modules - if the kernel is secure-booted. > > Signed-off-by: David Howells <dhowells@xxxxxxxxxx> > cc: linux-efi@xxxxxxxxxxxxxxx Reviewed-by: Joey Lee <jlee@xxxxxxxx> Regards Joey Lee > --- > > drivers/firmware/efi/Kconfig | 1 + > drivers/firmware/efi/secureboot.c | 10 +++++++++- > 2 files changed, 10 insertions(+), 1 deletion(-) > > diff --git a/drivers/firmware/efi/Kconfig b/drivers/firmware/efi/Kconfig > index c40fdeaf9a45..d03af2d5f52f 100644 > --- a/drivers/firmware/efi/Kconfig > +++ b/drivers/firmware/efi/Kconfig > @@ -87,6 +87,7 @@ config EFI_RUNTIME_WRAPPERS > config EFI_SECURE_BOOT > bool "Support UEFI Secure Boot and lock down the kernel in secure boot mode" > default n > + select LOCK_DOWN_KERNEL > help > UEFI Secure Boot provides a mechanism for ensuring that the firmware > will only load signed bootloaders and kernels. Secure boot mode may > diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c > index 730518061a14..7292a3b832e3 100644 > --- a/drivers/firmware/efi/secureboot.c > +++ b/drivers/firmware/efi/secureboot.c > @@ -12,6 +12,7 @@ > #include <linux/efi.h> > #include <linux/kernel.h> > #include <linux/printk.h> > +#include <linux/security.h> > > /* > * Decide what to do when UEFI secure boot mode is enabled. 
> @@ -23,10 +24,17 @@ void __init efi_set_secure_boot(enum efi_secureboot_mode mode) > case efi_secureboot_mode_disabled: > pr_info("Secure boot disabled\n"); > break; > + > case efi_secureboot_mode_enabled: > set_bit(EFI_SECURE_BOOT, &efi.flags); > - pr_info("Secure boot enabled\n"); > + if (IS_ENABLED(CONFIG_LOCK_DOWN_KERNEL)) { > + lock_kernel_down(); > + pr_info("Secure boot enabled and kernel locked down\n"); > + } else { > + pr_info("Secure boot enabled\n"); > + } > break; > + > default: > pr_info("Secure boot could not be determined\n"); > break; > > -- > To unsubscribe from this list: send the line "unsubscribe linux-efi" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
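Review bot: the `+ select LOCK_DOWN_KERNEL` line added under `config EFI_SECURE_BOOT` in the drivers/firmware/efi/Kconfig hunk turns lockdown on unconditionally, and Kconfig `select` does not honour any `depends on` that LOCK_DOWN_KERNEL itself carries, so a configuration that could not otherwise satisfy those dependencies would still get it forced on; if LOCK_DOWN_KERNEL has dependencies, `depends on LOCK_DOWN_KERNEL` is the safer form. The help text visible in the hunk ("UEFI Secure Boot provides a mechanism for ensuring that the firmware will only load signed bootloaders and kernels.") should also state that enabling this option pulls in kernel lockdown, including the signed-module requirement the commit message mentions, since that is a behavioural change the user selecting the option needs to know about.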
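Review bot: the `+#include <linux/security.h>` hunk in secureboot.c is the right place to pick up the lock_kernel_down() declaration, but the file comment immediately after it ("Decide what to do when UEFI secure boot mode is enabled.") now undersells what the function does; extend it to say that secure-boot mode also locks the kernel down when CONFIG_LOCK_DOWN_KERNEL is set, so a reader of the comment alone knows this file has a security-policy side effect beyond setting EFI_SECURE_BOOT.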
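Review bot: in the efi_set_secure_boot() hunk, the `if (IS_ENABLED(CONFIG_LOCK_DOWN_KERNEL))` guard around lock_kernel_down() can never take its else branch once the Kconfig hunk makes EFI_SECURE_BOOT `select LOCK_DOWN_KERNEL`, so the plain "Secure boot enabled" branch is dead code in this tree; either drop the `select` and keep the runtime choice, or drop the guard and keep a single `lock_kernel_down(); pr_info("Secure boot enabled and kernel locked down\n");` under the `efi_secureboot_mode_enabled` case. Since efi_set_secure_boot() is `__init`, the lockdown decision is made exactly once at boot and cannot be revisited later; that is the property that makes the lockdown meaningful, and the commit message should say so. The two added blank lines between the `case` labels are fine but unrelated to the change and could go in a separate cleanup.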