2024-10-23 12:12:30 +03:00
|
|
|
From: Ben Hutchings <ben@decadent.org.uk>
|
|
|
|
Date: Tue, 10 Sep 2019 11:54:28 +0100
|
|
|
|
Subject: efi: Lock down the kernel if booted in secure boot mode
|
|
|
|
|
|
|
|
Based on an earlier patch by David Howells, who wrote the following
|
|
|
|
description:
|
|
|
|
|
|
|
|
> UEFI Secure Boot provides a mechanism for ensuring that the firmware will
|
|
|
|
> only load signed bootloaders and kernels. Certain use cases may also
|
|
|
|
> require that all kernel modules also be signed. Add a configuration option
|
|
|
|
> that to lock down the kernel - which includes requiring validly signed
|
|
|
|
> modules - if the kernel is secure-booted.
|
|
|
|
|
|
|
|
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
|
|
|
[Salvatore Bonaccorso: After fixing https://bugs.debian.org/956197 the
|
|
|
|
help text for LOCK_DOWN_IN_EFI_SECURE_BOOT was adjusted to mention that
|
|
|
|
lockdown is triggered in integrity mode (https://bugs.debian.org/1025417)]
|
|
|
|
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
|
|
|
|
---
|
|
|
|
arch/x86/kernel/setup.c | 4 ++--
|
|
|
|
drivers/firmware/efi/secureboot.c | 3 +++
|
|
|
|
include/linux/security.h | 6 ++++++
|
|
|
|
security/lockdown/Kconfig | 15 +++++++++++++++
|
|
|
|
security/lockdown/lockdown.c | 2 +-
|
|
|
|
5 files changed, 27 insertions(+), 3 deletions(-)
|
|
|
|
|
|
|
|
--- a/arch/x86/kernel/setup.c
|
|
|
|
+++ b/arch/x86/kernel/setup.c
|
2024-10-29 05:12:06 +03:00
|
|
|
@@ -904,6 +904,8 @@ void __init setup_arch(char **cmdline_p)
|
2024-10-23 12:12:30 +03:00
|
|
|
if (efi_enabled(EFI_BOOT))
|
|
|
|
efi_init();
|
|
|
|
|
|
|
|
+ efi_set_secure_boot(boot_params.secure_boot);
|
|
|
|
+
|
|
|
|
reserve_ibft_region();
|
|
|
|
x86_init.resources.dmi_setup();
|
|
|
|
|
2024-12-10 06:44:25 +03:00
|
|
|
@@ -1070,8 +1072,6 @@ void __init setup_arch(char **cmdline_p)
|
2024-10-23 12:12:30 +03:00
|
|
|
/* Allocate bigger log buffer */
|
|
|
|
setup_log_buf(1);
|
|
|
|
|
|
|
|
- efi_set_secure_boot(boot_params.secure_boot);
|
|
|
|
-
|
|
|
|
reserve_initrd();
|
|
|
|
|
|
|
|
acpi_table_upgrade();
|
|
|
|
--- a/drivers/firmware/efi/secureboot.c
|
|
|
|
+++ b/drivers/firmware/efi/secureboot.c
|
|
|
|
@@ -15,6 +15,7 @@
|
|
|
|
#include <linux/efi.h>
|
|
|
|
#include <linux/kernel.h>
|
|
|
|
#include <linux/printk.h>
|
|
|
|
+#include <linux/security.h>
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Decide what to do when UEFI secure boot mode is enabled.
|
|
|
|
@@ -28,6 +29,10 @@ void __init efi_set_secure_boot(enum efi
|
|
|
|
break;
|
|
|
|
case efi_secureboot_mode_enabled:
|
|
|
|
set_bit(EFI_SECURE_BOOT, &efi.flags);
|
|
|
|
+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
|
|
|
|
+ lock_kernel_down("EFI Secure Boot",
|
|
|
|
+ LOCKDOWN_INTEGRITY_MAX);
|
|
|
|
+#endif
|
|
|
|
pr_info("Secure boot enabled\n");
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
--- a/include/linux/security.h
|
|
|
|
+++ b/include/linux/security.h
|
2024-12-10 06:44:25 +03:00
|
|
|
@@ -522,6 +522,7 @@ int security_inode_notifysecctx(struct i
|
|
|
|
int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
|
|
|
|
int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
|
2024-10-23 12:12:30 +03:00
|
|
|
int security_locked_down(enum lockdown_reason what);
|
2024-12-10 06:44:25 +03:00
|
|
|
+int lock_kernel_down(const char *where, enum lockdown_reason level);
|
2024-10-23 12:12:30 +03:00
|
|
|
int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, u32 *uctx_len,
|
|
|
|
void *val, size_t val_len, u64 id, u64 flags);
|
2024-12-10 06:44:25 +03:00
|
|
|
int security_bdev_alloc(struct block_device *bdev);
|
|
|
|
@@ -1504,6 +1505,11 @@ static inline int security_locked_down(e
|
2024-10-23 12:12:30 +03:00
|
|
|
{
|
2024-12-10 06:44:25 +03:00
|
|
|
return 0;
|
2024-10-23 12:12:30 +03:00
|
|
|
}
|
|
|
|
+static inline int
|
|
|
|
+lock_kernel_down(const char *where, enum lockdown_reason level)
|
|
|
|
+{
|
|
|
|
+ return -EOPNOTSUPP;
|
|
|
|
+}
|
2024-12-10 06:44:25 +03:00
|
|
|
static inline int lsm_fill_user_ctx(struct lsm_ctx __user *uctx,
|
|
|
|
u32 *uctx_len, void *val, size_t val_len,
|
|
|
|
u64 id, u64 flags)
|
2024-10-23 12:12:30 +03:00
|
|
|
--- a/security/lockdown/Kconfig
|
|
|
|
+++ b/security/lockdown/Kconfig
|
|
|
|
@@ -45,3 +45,18 @@ config LOCK_DOWN_KERNEL_FORCE_CONFIDENTI
|
|
|
|
disabled.
|
|
|
|
|
|
|
|
endchoice
|
|
|
|
+
|
|
|
|
+config LOCK_DOWN_IN_EFI_SECURE_BOOT
|
|
|
|
+ bool "Lock down the kernel in EFI Secure Boot mode"
|
|
|
|
+ default n
|
|
|
|
+ depends on SECURITY_LOCKDOWN_LSM
|
|
|
|
+ depends on EFI
|
|
|
|
+ select SECURITY_LOCKDOWN_LSM_EARLY
|
|
|
|
+ help
|
|
|
|
+ UEFI Secure Boot provides a mechanism for ensuring that the firmware
|
|
|
|
+ will only load signed bootloaders and kernels. Secure boot mode may
|
|
|
|
+ be determined from EFI variables provided by the system firmware if
|
|
|
|
+ not indicated by the boot parameters.
|
|
|
|
+
|
|
|
|
+ Enabling this option results in kernel lockdown being
|
|
|
|
+ triggered in integrity mode if EFI Secure Boot is set.
|
|
|
|
--- a/security/lockdown/lockdown.c
|
|
|
|
+++ b/security/lockdown/lockdown.c
|
|
|
|
@@ -24,7 +24,7 @@ static const enum lockdown_reason lockdo
|
|
|
|
/*
|
|
|
|
* Put the kernel into lock-down mode.
|
|
|
|
*/
|
|
|
|
-static int lock_kernel_down(const char *where, enum lockdown_reason level)
|
|
|
|
+int lock_kernel_down(const char *where, enum lockdown_reason level)
|
|
|
|
{
|
|
|
|
if (kernel_locked_down >= level)
|
|
|
|
return -EPERM;
|