lib/security: hard_lockdown flag to stop runtime disable of signed boot

Return-Path: <petitboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 413qHw3sJDz9rxs
	for <incoming@patchwork.ozlabs.org>;
	Mon, 11 Jun 2018 07:37:48 +1000 (AEST)
Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none)
	header.from=opengear.com
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (1024-bit key;
	unprotected) header.d=opengear.com header.i=@opengear.com
	header.b="kpdYJ4IG"; dkim-atps=neutral
Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3])
	by lists.ozlabs.org (Postfix) with ESMTP id 413qHw1tP2zF32X
	for <incoming@patchwork.ozlabs.org>;
	Mon, 11 Jun 2018 07:37:48 +1000 (AEST)
Authentication-Results: lists.ozlabs.org; dmarc=pass (p=none dis=none)
	header.from=opengear.com
Authentication-Results: lists.ozlabs.org;
	dkim=fail reason="signature verification failed" (1024-bit key;
	unprotected) header.d=opengear.com header.i=@opengear.com
	header.b="kpdYJ4IG"; dkim-atps=neutral
X-Original-To: petitboot@lists.ozlabs.org
Delivered-To: petitboot@lists.ozlabs.org
Authentication-Results: lists.ozlabs.org;
	spf=pass (mailfrom) smtp.mailfrom=opengear.com
	(client-ip=104.47.40.88;
	helo=nam03-co1-obe.outbound.protection.outlook.com; 
	envelope-from=brett.grandbois@opengear.com; receiver=<UNKNOWN>)
Authentication-Results: lists.ozlabs.org;
	dmarc=pass (p=none dis=none) header.from=opengear.com
Authentication-Results: lists.ozlabs.org; dkim=pass (1024-bit key;
	unprotected) header.d=opengear.com header.i=@opengear.com
	header.b="kpdYJ4IG"; dkim-atps=neutral
Received: from NAM03-CO1-obe.outbound.protection.outlook.com
	(mail-co1nam03on0088.outbound.protection.outlook.com [104.47.40.88])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits))
	(No client certificate requested)
	by lists.ozlabs.org (Postfix) with ESMTPS id 413qHj66GKzF32X
	for <petitboot@lists.ozlabs.org>;
	Mon, 11 Jun 2018 07:37:35 +1000 (AEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=opengear.com;
	s=selector1;
	h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
	bh=KOfwNYzvgn9Q7q5UazDG/w7rYorkFGXjL/WX79y5fhk=;
	b=kpdYJ4IGsdb6BSW6Frl5vHOh6F+YN+Io4QTnYzv0y0SwQ2tVaUic6/4ytEWg8pDwh7ZZOHfB28XPdPDRE3/1J0jZol1P5kIo3Egc2E9VMmUKNiRRXfeYnS9iI+lSQkS8XwP28Wb9qHyBdTMpad71rSsDad+akwgygwXQMicXmak=
Authentication-Results: spf=none (sender IP is )
	smtp.mailfrom=brett.grandbois@opengear.com; 
Received: from opengear.com (59.167.150.161) by
	SN6PR1501MB2063.namprd15.prod.outlook.com (2603:10b6:805:f::11) with
	Microsoft SMTP Server (version=TLS1_2,
	cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.841.14;
	Sun, 10 Jun 2018 21:37:29 +0000
From: Brett Grandbois <brett.grandbois@opengear.com>
To: petitboot@lists.ozlabs.org
Subject: [PATCH] lib/security: hard_lockdown flag to stop runtime disable of
	signed boot
Date: Mon, 11 Jun 2018 07:36:58 +1000
Message-Id: <1528666618-29496-1-git-send-email-brett.grandbois@opengear.com>
X-Mailer: git-send-email 2.7.4
MIME-Version: 1.0
X-Originating-IP: [59.167.150.161]
X-ClientProxiedBy: ME2PR01CA0075.ausprd01.prod.outlook.com
	(2603:10c6:201:2d::15) To SN6PR1501MB2063.namprd15.prod.outlook.com
	(2603:10b6:805:f::11)
X-MS-PublicTrafficType: Email
X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0;
	RULEID:(7020095)(4652020)(5600026)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(7193020);
	SRVR:SN6PR1501MB2063; 
X-Microsoft-Exchange-Diagnostics: 1; SN6PR1501MB2063;
	3:cUUFJ6r8LemmrnDXuV7EixXpQG/waZ72qEZwEd9MFzKA8Ztj38SjwrS4N/D6LUXJ/k/iVq6JB6jJkB5Mgu6vne6egj57+iX/orHqv0W4Lc4/pDGCC0ng/4ZI+WbISMX8wYHX1XzGbbyYKnD0mOzHRrAAL4F/6wD6z4mIcxbJHozzqM29UHF3WDO6c9zmJUR6sJTMZh39Qk/0N1JQiPIPQJch8dqDsk5o6oZgHu75MkR8XarSuMUQlicyAxpZVdyK;
	25:psC3u4Z7knelac4+Iy6T/Oa1mhX+sHcRxuNkz3CTmv5FklmwVQtX1cPFmrIWJ5rC0O6Wl1GboYtt+81uXUXukx7LXDXqskHvege0s72w7ViNTgZv4D3zlm3zbvOG3x/yeH2N63pJekLL1rqIgrQ6HOfdG0y/dxi6NOg4xacMFqZVWdHd+qtrL3YkI20S3z1IttJkFJFZ+zSEjmwfAoAwmBV7fWHry2NGWEppSxwajVf/ANDQfThkhZFKBo4nevR0OBawfKnEMZds5aVK3C3QXMShI+Yi/z93VaY1QI5Nik9oF2jGrEres94WWBaNyEhJCPwPMz+lNp0gjNsPuhLniw==;
	31:34Y/VsV922LE3kU4seZDPI7cueNUIR6blJKnaeV+jOhyjbV/DfPa+TDYMvkWu+CvI2l/YY4UdW1pdU2fcV/vuY5vK+ZkZIssGr2dwUihS8N63Uv5HiKDUal2MBL+QR/M8FJmuCFdYBIPHY2xnUzaJ0k5dDwsMuo74AMTb7D2CcDwbL0s2YtGgiMaNIAprVmLmBjkdacPyUifaErCCQnBFv0ElENuRsHnlT/Ozb1PofA=
X-MS-TrafficTypeDiagnostic: SN6PR1501MB2063:
X-Microsoft-Exchange-Diagnostics: 1; SN6PR1501MB2063;
	20:X/qzOltvqQu4A3Bk3sSi3ebcn+9jHWjq8q5ko/8nUBL4BE8sYmXSGjWkIBUNnwpKgFPcT5/Afl5WKLXLv5tZIisF4dbDcui5nHl4fktEHkqlQ/5gA+l/dLQAZFC+cK3n5wGkbW3XPbfe7Hech05N4pE+XND9VprV76G0yTMs6po=;
	4:V6H/SVnIGXuDVxJtaWgvzdB2ZgP8vrltfRgMUuawkMD7MumxQV3GnlGhXiJZ833tT5qygfhgQ8bPpuiMELj+UZhvWDM9C0hP6N4rHmC/tX8fqdBEYL8oi86UokduliSz1wTVez6lBin/pJ5nkfV0k0fLyVaUO7votWGvNbrLM4hH0viaENuvjsesi5O8Hc7Prl4Z5BWfK2uAAlQ9Xr5ryx6ixIVC4UGvXqf4i7bY+0JUNqwuBTez8iLhs0/zmC6f8KUZy9iv7BGHBlRHlCahJCs+YYb4ESLelK4CDLe1PRzeQ+rHW/QG1oJsBkgbb51R
X-Microsoft-Antispam-PRVS: <SN6PR1501MB2063B073FAC9EA16B617147382790@SN6PR1501MB2063.namprd15.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:(192374486261705);
X-MS-Exchange-SenderADCheck: 1
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0;
	RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(10201501046)(93006095)(93001095)(3002001)(3231254)(944501410)(52105095)(149027)(150027)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123562045)(20161123558120)(20161123564045)(6072148)(201708071742011)(7699016);
	SRVR:SN6PR1501MB2063; BCL:0; PCL:0; RULEID:; SRVR:SN6PR1501MB2063; 
X-Forefront-PRVS: 0699FCD394
X-Forefront-Antispam-Report: SFV:NSPM;
	SFS:(10009020)(346002)(376002)(39380400002)(39830400003)(396003)(366004)(189003)(199004)(8676002)(81166006)(81156014)(66066001)(25786009)(316002)(6666003)(2906002)(6916009)(8936002)(16586007)(55016002)(6116002)(305945005)(36756003)(7736002)(3846002)(21086003)(44832011)(47776003)(478600001)(956004)(2616005)(476003)(26005)(106356001)(86362001)(52116002)(486006)(51416003)(186003)(16526019)(2361001)(7696005)(59450400001)(5660300001)(2351001)(105586002)(53936002)(97736004)(69596002)(68736007)(50466002)(15650500001)(50226002)(1857600001)(386003)(33026002)(48376002);
	DIR:OUT; SFP:1101; SCL:1; SRVR:SN6PR1501MB2063; H:opengear.com; FPR:;
	SPF:None; 
	LANG:en; PTR:InfoNoRecords; MX:1; A:1; 
Received-SPF: None (protection.outlook.com: opengear.com does not designate
	permitted sender hosts)
X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; SN6PR1501MB2063;
	23:MQy4dW4Ak5QTIc+XtlpHjMfsVxFmJIRUwiIVoR0?=
	O6PD2nYp450h0vJmCatiG4VA9USLbtkK8VSFqHDzKI5pciNJzspU1AeJH7VwK+vPZ/z2hdPvXrXMKwrlKOUNqYpTtFd4IuI1SDW4CzB270TTtD44ky7RJ78o7QhFwlCp9oDYKk7OLlYYy/7I1O/dfwyVme2/fkHI+uw8vMUffyVuYpIX36Tma33GhBo4tQV8UVsQ3g1dC+8KDB8gfBi1kGnC8sKBj3uWFTRd+VkJ6aETP2Ey/OsK4xs85CCHurVtMuHb6T2t+9OrqYFKj5dsm9DNUkZDYTHE13gIrePYHNYIWu2nRlIcfxllxZYQkc49zEBxiIpprAhfZR5HSfRA3NPzHD8RS4spdBEjHL4XL/PmtKr03aSjfjWPXoku7jfi46zhsgSreyK+6PUaXJYUoRAx49tYeqAICO7QenKhGdF6ZjBUjrb/U6B3Gh4tLbP4tuUtFMg3UMcDROQ0utbM8pAg8OOa4XyYfgiYzk8V1XG+1kVLnU2vcHMhkw4o49P49ts8+sWyK2pDnR3G1ZGINgjqiz1WL4HU81F33snP6J/7CFsBwyYUojyC1Z6GpfWg7du4wnqnONxb8OEjQy9HgMdKLyWQfpp/9mYX3HFtD7cNh3OlieNzlNZowoigeTm0+6hhH0UaAP6J3N2HhGRFw6+FW1+7VwKrBlBrDGcspJPoZ11NYxvJWUgjh7fQiR4JCBkYKwgR22CrneUdA9tZjo2cUT62LgoVwPrqNLveXgPK7YVJCxIbXBau48nYpHFWdbnL0r9fs8mPWqi4AfE5chzw7wQVIYpvxSmjG/G5vWSSSEplyLrmhzE4DJWZtxnJZAJyJi+Qg5psbwxyfoRTiur2LqJV06SL/3ScEp6d2z2kBBweH64RlinK6qmuYB2EQs7Q7C3HEQmMDlBwY74dlpl0P/Dn+Flpq36R7h7MAd988VRyXO2qxDwH5GV/Rw7HqUc1g+UvbYnnU4+F9wCnFyH5Osr1d4imgcNB1n7+2uQY45B592SND4aREJtcgPaktKBlfqaf12nDp/5TOhbJTn6vsnfEFmrQOAnrA43IuuRPK72j9O8mH/G37SRvoiefo5TwytX6YetxIFKHeAh6SAkgyNpGaW05teNogMwSijlDTzLIhfZjBJQLibvzmuZrLtLnKZZAstlA/vT4AfZI5mTmcOrlDzPBb+4m0XPWU5capSv8PrY2fFW1MsTQ2NdDcdC8VfpaVProUGeCzKqKg8AnflC4cCUTvZlEm+gy8r/DjWw==
X-Microsoft-Antispam-Message-Info: NYz8jfsoLypHi7EUbO2qstDsBlq5hJjAokyeiG6M+SUh9rnLncE3lfZQy8GBIsDLzH9X7ahOMPHL+uQt74/4mqhl9o3gTRhsU7J6+sZaxMkl+e3FRbiSCk7JDdwvqXa1DnWcsGoMlH9RrOeJA2dIAp0Vlk/o6dqAXh0K964OPfBKhLiig3evd9Wmt7rxXiLk
X-Microsoft-Exchange-Diagnostics: 1; SN6PR1501MB2063;
	6:Gkv109c+thWhv9iAfn7cxr04NSLDr3eh20GVHz1QT75dVQt2pOcCd1SaZQeBN+68XUCBWgbZsECDAZztGhvmzo8YzwtgjadoDeRW+RmsL7IE/AyH0e8qP+gYGku9xK3XwIB8q5i1q1FVcJPH4QkYebDOjdOg4/y0bPac6xJoTBo9kEKWgSNOxCiQW2n7Tl91H51oIZoNRMQe3+lm+NFXl9j3g7faDFS26AAXpQXD3bj/S+qeZ5NZf/tuZUSccfaebNKjd8KeiXFnN2S/0wowPuuwgP53wgBt4jugo/m1VvdP7Im7CErHEE6m472c1dDftXyd52oskJWKWUXwzVSkPgDP3Bc8Prq7fNFnqgFkBmk2r0aSORJNZnnF7ndIqNh9aGN4l5bBscAYp83gaXcD0w8iX4xqa5wC9GwZGCEg05p8CB4ea0/bN6DzOls3fShNWh5Cq1Nn3M77GNVb4GXCnQ==;
	5:X/cz7aAm9QO1g0nMHb6afCE8mbTdbgpsKF1jNKnubNV3iQQacZHAyqjA7V8V/7UyqlPQfOFqN+bYmLDdPUfJUDR4q0C9wMGyreLjEHTAFZsTK3yRigSVJwmrc/VjL5taFLTf7ewXQoB86nyl8nodYrt526pxbzxE+b/ffd/s61A=;
	24:I+POdhTTxJngNXx2bKs2nC6gX6zp9uRZLPBNre0uHOAU1l9Nt3jZrvVNCn56ZDEektlDtQR+xl3Jr+4jZgzlKnTi1bDaMisIABYarmKjRwk=
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-Microsoft-Exchange-Diagnostics: 1; SN6PR1501MB2063;
	7:hXMhef5ocIqghwa7uaRRq6mMRzUa98DHJGgyvqnNdbB+Z1rMfDafIsMesMO6WpQYl5XWGCJELIsv6YOsxDBgbVbquaP88jAQsQ5jhkD1etT15obiAN+TZAR/0ktXRFhG7MFZQleXwCXwvJ5D75So5R0q0/kSenn22ecrkBLNTLLTFQVwCLEeSpvqUA933tqcp1C/ccem0+gXFITIzjmOiqMRvEiqqL3foGNbwVW96sYvDLFw1P4OGB9lBRfj7JEb
X-MS-Office365-Filtering-Correlation-Id: 7783982b-1943-4896-5ff9-08d5cf1a5e72
X-OriginatorOrg: opengear.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Jun 2018 21:37:29.7342
	(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 7783982b-1943-4896-5ff9-08d5cf1a5e72
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: a6251c26-d21f-4164-a225-1f4eaebf5f9a
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR1501MB2063
X-BeenThere: petitboot@lists.ozlabs.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Petitboot bootloader development <petitboot.lists.ozlabs.org>
List-Unsubscribe: <https://lists.ozlabs.org/options/petitboot>,
	<mailto:petitboot-request@lists.ozlabs.org?subject=unsubscribe>
List-Archive: <http://lists.ozlabs.org/pipermail/petitboot/>
List-Post: <mailto:petitboot@lists.ozlabs.org>
List-Help: <mailto:petitboot-request@lists.ozlabs.org?subject=help>
List-Subscribe: <https://lists.ozlabs.org/listinfo/petitboot>,
	<mailto:petitboot-request@lists.ozlabs.org?subject=subscribe>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: petitboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org
Sender: "Petitboot"
	<petitboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>