[1/1,Unstable,Disco] UBUNTU: SAUCE: arm64: add kernel config option to lock down when in Secure Boot mode

Message ID 20190220154823.23952-2-dann.frazier@canonical.com
State New
Series
  • lockdown for arm64

Commit Message

dann frazier Feb. 20, 2019, 3:48 p.m. UTC
From: Linn Crosetto <linn@hpe.com>

Add a kernel configuration option to lock down the kernel, to restrict
userspace's ability to modify the running kernel when UEFI Secure Boot is
enabled. Based on the x86 patch by Matthew Garrett.

Determine the state of Secure Boot in the EFI stub and pass this to the
kernel using the FDT.

Signed-off-by: Linn Crosetto <linn@hpe.com>
[bwh: Forward-ported to 4.10: adjust context]
[Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream]
[bwh: Forward-ported to 4.15 and lockdown patch set:
 - Pass result of efi_get_secureboot() in stub through to
   efi_set_secure_boot() in main kernel
 - Use lockdown API and naming]
[bwh: Forward-ported to 4.19.3: adjust context in update_fdt()]
[dannf: Moved init_lockdown() call after uefi_init(), fixing SB detection]
(from https://salsa.debian.org/kernel-team/linux/blob/4c4f3e03fdaaa674275c7197cae156e606dfaa4b/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch)
Signed-off-by: dann frazier <dann.frazier@canonical.com>
---
 drivers/firmware/efi/arm-init.c    | 4 ++++
 drivers/firmware/efi/efi.c         | 3 ++-
 drivers/firmware/efi/libstub/fdt.c | 6 ++++++
 include/linux/efi.h                | 1 +
 4 files changed, 13 insertions(+), 1 deletion(-)

Patch

diff --git a/drivers/firmware/efi/arm-init.c b/drivers/firmware/efi/arm-init.c
index 1a6a77df8a5e8..04d9e8fa9a0f7 100644
--- a/drivers/firmware/efi/arm-init.c
+++ b/drivers/firmware/efi/arm-init.c
@@ -21,6 +21,7 @@ 
 #include <linux/of_fdt.h>
 #include <linux/platform_device.h>
 #include <linux/screen_info.h>
+#include <linux/security.h>
 
 #include <asm/efi.h>
 
@@ -257,6 +258,9 @@  void __init efi_init(void)
 		return;
 	}
 
+	efi_set_secure_boot(params.secure_boot);
+	init_lockdown();
+
 	reserve_regions();
 	efi_esrt_init();
 
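Review bot: efi_set_secure_boot() and init_lockdown() are called here but neither is declared or defined anywhere in this patch (the diffstat lists only the four files shown, and include/linux/efi.h gains nothing but the struct field), so this only builds on top of the other lockdown patches that provide them; the commit message should name that dependency explicitly, since the subject tags this as [1/1]. The placement itself looks right: the two calls sit after the early return in the context above, so params.secure_boot is consumed only once the earlier setup has succeeded, which matches the "[dannf: Moved init_lockdown() call after uefi_init(), fixing SB detection]" note.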
diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
index 8a1696f46f38b..235387ea4deb4 100644
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -687,7 +687,8 @@  static __initdata struct params fdt_params[] = {
 	UEFI_PARAM("MemMap Address", "linux,uefi-mmap-start", mmap),
 	UEFI_PARAM("MemMap Size", "linux,uefi-mmap-size", mmap_size),
 	UEFI_PARAM("MemMap Desc. Size", "linux,uefi-mmap-desc-size", desc_size),
-	UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver)
+	UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver),
+	UEFI_PARAM("Secure Boot Enabled", "linux,uefi-secure-boot", secure_boot)
 };
 
 static __initdata struct params xen_fdt_params[] = {
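Review bot: only fdt_params gains the "linux,uefi-secure-boot" entry; the xen_fdt_params table that starts right after the hunk is left as is, so on that path the parser never writes the new secure_boot member, and the value efi_init() in arm-init.c hands to efi_set_secure_boot() then depends entirely on how the struct efi_fdt_params variable was initialised. Either add the matching UEFI_PARAM line to xen_fdt_params or make sure the field is zeroed before it is consumed, and say in a comment which value means "not Secure Boot".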
diff --git a/drivers/firmware/efi/libstub/fdt.c b/drivers/firmware/efi/libstub/fdt.c
index 0c0d2312f4a8a..3dae6e668c2f3 100644
--- a/drivers/firmware/efi/libstub/fdt.c
+++ b/drivers/firmware/efi/libstub/fdt.c
@@ -159,6 +159,12 @@  static efi_status_t update_fdt(efi_system_table_t *sys_table, void *orig_fdt,
 		}
 	}
 
+	fdt_val32 = cpu_to_fdt32(efi_get_secureboot(sys_table));
+	status = fdt_setprop(fdt, node, "linux,uefi-secure-boot",
+			     &fdt_val32, sizeof(fdt_val32));
+	if (status)
+		goto fdt_set_fail;
+
 	/* shrink the FDT back to its minimum size */
 	fdt_pack(fdt);
 
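Review bot: a short comment above the fdt_setprop() call would help future readers: because the stub unconditionally overwrites "linux,uefi-secure-boot" with the value it just obtained from efi_get_secureboot(), the kernel side can trust the property only when it boots through this stub, and a value pre-seeded in a firmware-supplied DTB is replaced rather than honoured. The error path jumping to the existing fdt_set_fail label treats failure to record the value like any other FDT update failure, which is the conservative choice, but that, too, deserves a sentence in the commit message.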
diff --git a/include/linux/efi.h b/include/linux/efi.h
index e044522db183e..6bd0998444580 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -793,6 +793,7 @@  struct efi_fdt_params {
 	u32 mmap_size;
 	u32 desc_size;
 	u32 desc_ver;
+	u32 secure_boot;
 };
 
 typedef struct {
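Review bot: secure_boot is the one member of efi_fdt_params whose encoding is not obvious from its name: the stub stores the raw return value of efi_get_secureboot() (see the fdt.c hunk), while the kernel-side table labels it "Secure Boot Enabled", which suggests a 0/1 flag. Add a one-line comment here stating exactly what the u32 holds so that efi_set_secure_boot() is checked against that encoding rather than treated as a boolean.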