From patchwork Thu Jun 16 06:05:21 2016
X-Patchwork-Submitter: Tim Gardner
X-Patchwork-Id: 636210
From: Tim Gardner
To: kernel-team@lists.ubuntu.com
Subject: [PATCH Xenial SRU] UBUNTU: SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl
Date: Thu, 16 Jun 2016 09:05:21 +0300
Message-Id: <1466057121-17416-1-git-send-email-tim.gardner@canonical.com>
List-Id: Kernel team discussions

BugLink: http://bugs.launchpad.net/bugs/1593075

This is a better method for detecting the state of secure boot and the
MOKSBState override, as opposed to grepping status from the kernel log.
Both variables return 0 or 1. If secure_boot==0 then signed module
enforcement is not enabled. Likewise, if moksbstate_disabled==1 then
signed module enforcement is not enabled. The only condition under which
signed module enforcement is enabled is when secure_boot==1 and
moksbstate_disabled==0.

/proc/sys/kernel/secure_boot
/proc/sys/kernel/moksbstate_disabled
Signed-off-by: Tim Gardner --- arch/x86/kernel/setup.c | 1 + kernel/sysctl.c | 39 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 40 insertions(+) diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c index be173c2..b815923 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -1150,6 +1150,7 @@ void __init setup_arch(char **cmdline_p) pr_info("Secure boot enabled\n"); } else if (boot_params.secure_boot == EFI_MOKSBSTATE_DISABLED) { + set_bit(EFI_MOKSBSTATE_DISABLED, &efi.flags); boot_params.secure_boot = 0; pr_info("Secure boot MOKSBState disabled\n"); } diff --git a/kernel/sysctl.c b/kernel/sysctl.c index 4a7683b..61c2fbc 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -65,6 +65,7 @@ #include #include #include +#include #include #include 
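Review bot: in the arch/x86/kernel/setup.c hunk, EFI_MOKSBSTATE_DISABLED is now used both as the value compared against boot_params.secure_boot and as the bit number passed to set_bit(EFI_MOKSBSTATE_DISABLED, &efi.flags); confirm that the constant's definition in linux/efi.h is a bit index that does not collide with the existing efi.flags bits (including the EFI_SECURE_BOOT bit that the new sysctl handler reads via efi_enabled()), and add a one-line comment at the set_bit() call noting the dual use so the next reader does not mistake it for a boot_params value. The bit is set before boot_params.secure_boot is zeroed, so the commit message's rule that moksbstate_disabled==1 implies secure_boot==0 does hold for this code path.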
@@ -279,8 +280,46 @@ static int min_extfrag_threshold; static int max_extfrag_threshold = 1000; #endif +static unsigned int secure_boot_enabled; +int secure_boot_proc_handler(struct ctl_table *table, int write, + void __user *buffer, size_t *lenp, loff_t *ppos) +{ + int error = -1; + + if (write) return error; + secure_boot_enabled = efi_enabled(EFI_SECURE_BOOT); + error = proc_dointvec(table, write, buffer, lenp, ppos); + return error; +} + +static unsigned int moksbstate_disabled; +int moksbstate_disabled_proc_handler(struct ctl_table *table, int write, + void __user *buffer, size_t *lenp, loff_t *ppos) +{ + int error = -1; + + if (write) return error; + moksbstate_disabled = efi_enabled(EFI_MOKSBSTATE_DISABLED); + error = proc_dointvec(table, write, buffer, lenp, ppos); + return error; +} + static struct ctl_table kern_table[] = { { + .procname = "secure_boot", + .data = &secure_boot_enabled, + .maxlen = sizeof(unsigned int), + .mode = 0444, + .proc_handler = secure_boot_proc_handler, + }, + { + .procname = "moksbstate_disabled", + .data = &moksbstate_disabled, + .maxlen = sizeof(unsigned int), + .mode = 0444, + .proc_handler = moksbstate_disabled_proc_handler, + }, + { .procname = "sched_child_runs_first", .data = &sysctl_sched_child_runs_first, .maxlen = sizeof(unsigned int),
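Review bot: in the kernel/sysctl.c handler hunk, both secure_boot_proc_handler and moksbstate_disabled_proc_handler reject writes with a bare numeric error ("int error = -1;" then "if (write) return error;"); return -EPERM by name instead, and put the return on its own line per kernel coding style (the 0444 mode already stops writes at open time, so this is only a guard, but it should still be a proper errno). Both handlers are non-static with no prototype in any header, which will draw sparse "symbol was not declared. Should it be static?" warnings; mark them static. The two static variables are overwritten from efi_enabled() on every read and exist only as .data for proc_dointvec, which deserves a comment. Finally, the new kernel.secure_boot and kernel.moksbstate_disabled sysctls are not documented in Documentation/sysctl/kernel.txt; add entries stating the 0/1 semantics given in the commit message.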
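A userspace consumer of the two new sysctls, as an added example that is not part of this patch or of the Ubuntu kernel tree: it applies the rule stated in the commit message (enforcement only when secure_boot==1 and moksbstate_disabled==0) and, on a kernel that lacks the sysctls, falls back to the two pr_info() strings printed by the setup.c hunk, which is the "grepping status from the kernel log" method the patch replaces. The sysctl-directory and kernel-log-file parameters are assumptions added so the function can be run against constructed files; with no arguments it reads the live /proc/sys/kernel.

```shell
#!/bin/sh
# Added example, not part of the patch: decide from the two sysctls whether
# signed-module enforcement is expected. Prints one of:
#   enforcing       secure_boot==1 and moksbstate_disabled==0
#   not-enforcing   any other well-formed 0/1 pair, or the MOKSBState log line
#   unknown         sysctls absent and no usable kernel-log evidence
#
# Arguments (both are assumptions added for testability, not kernel interfaces):
#   $1  sysctl directory, default /proc/sys/kernel
#   $2  optional file holding kernel-log text (e.g. saved dmesg output), used
#       only when the sysctls are missing, i.e. on a kernel without this patch

sb_enforcement_state() {
    sysctl_dir=${1:-/proc/sys/kernel}
    klog=${2:-}

    if [ -r "$sysctl_dir/secure_boot" ] && [ -r "$sysctl_dir/moksbstate_disabled" ]; then
        sb=$(cat "$sysctl_dir/secure_boot")
        mok=$(cat "$sysctl_dir/moksbstate_disabled")
        # Trust only a well-formed 0/1 pair; anything else is reported, not guessed.
        case "$sb$mok" in
            10)       echo enforcing ;;
            00|01|11) echo not-enforcing ;;
            *)        echo unknown ;;
        esac
        return 0
    fi

    # Fallback: the pr_info() strings from arch/x86/kernel/setup.c. The
    # MOKSBState line is checked first because that override wins.
    if [ -n "$klog" ] && [ -r "$klog" ]; then
        if grep -q 'Secure boot MOKSBState disabled' "$klog"; then
            echo not-enforcing
        elif grep -q 'Secure boot enabled' "$klog"; then
            echo enforcing
        else
            # No message at all: secure boot may be off in firmware, or the
            # log buffer may have wrapped; do not claim either way.
            echo unknown
        fi
        return 0
    fi

    echo unknown
}

# Invoke as:  sb_enforcement_state                         (live /proc/sys/kernel)
#        or:  sb_enforcement_state /nonexistent /tmp/dmesg.txt   (log fallback)
```

The function deliberately reports "unknown" rather than "not-enforcing" when it has no evidence, since a monitoring check that silently treats a missing interface as "secure boot off" would mask exactly the case the sysctls were added to make unambiguous.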