
[Xenial,SRU,v2] UBUNTU: SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl

Message ID 1466059295-19258-1-git-send-email-tim.gardner@canonical.com

Commit Message

Tim Gardner June 16, 2016, 6:41 a.m. UTC
BugLink: http://bugs.launchpad.net/bugs/1593075

This is a better method for detecting the state of secure boot and
the MOKSBState override, as opposed to grepping status from the kernel log.
Both variables return 0 or 1. If secure_boot==0 then signed module
enforcement is not enabled. Likewise, if moksbstate_disabled==1 then
signed module enforcement is not enabled. The only condition under which
signed module enforcement is enabled is when secure_boot==1 and
moksbstate_disabled==0.

/proc/sys/kernel/secure_boot
/proc/sys/kernel/moksbstate_disabled

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---

V2 - I checked other proc interfaces that set permissions to 0444. It appears
one does not need to protect against writes in that case (which simplifies the
code a bit).

 arch/x86/kernel/setup.c |  1 +
 kernel/sysctl.c         | 31 +++++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+)

Comments

Colin Ian King June 16, 2016, 6:47 a.m. UTC | #1
On 16/06/16 09:41, Tim Gardner wrote:
> BugLink: http://bugs.launchpad.net/bugs/1593075
> 
> This is a better method for detecting the state of secure boot and
> the MOKSBState override, as opposed to grepping status from the kernel log.
> Both variables return 0 or 1. If secure_boot==0 then signed module
> enforcement is not enabled. Likewise, if moksbstate_disabled==1 then
> signed module enforcement is not enabled. The only conditions uder which
> signed module enforcement is enabled is when secure_boot==1 and
> moksbstate_disabled==0.
> 
> /proc/sys/kernel/secure_boot
> /proc/sys/kernel/moksbstate_disabled
> 
> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
> ---
> 
> V2 - I checked other proc interfaces that set permissions to 0444. It appears
> one does not need to protect against writes in that case (which simplifies the
> code a bit).
> 
>  arch/x86/kernel/setup.c |  1 +
>  kernel/sysctl.c         | 31 +++++++++++++++++++++++++++++++
>  2 files changed, 32 insertions(+)
> 
> diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
> index be173c2..b815923 100644
> --- a/arch/x86/kernel/setup.c
> +++ b/arch/x86/kernel/setup.c
> @@ -1150,6 +1150,7 @@ void __init setup_arch(char **cmdline_p)
>  		pr_info("Secure boot enabled\n");
>  	}
>  	else if (boot_params.secure_boot == EFI_MOKSBSTATE_DISABLED) {
> +		set_bit(EFI_MOKSBSTATE_DISABLED, &efi.flags);
>  		boot_params.secure_boot = 0;
>  		pr_info("Secure boot MOKSBState disabled\n");
>      }
> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> index 4a7683b..eaa7b21 100644
> --- a/kernel/sysctl.c
> +++ b/kernel/sysctl.c
> @@ -65,6 +65,7 @@
>  #include <linux/sched/sysctl.h>
>  #include <linux/kexec.h>
>  #include <linux/bpf.h>
> +#include <linux/efi.h>
>  
>  #include <asm/uaccess.h>
>  #include <asm/processor.h>
> @@ -279,8 +280,38 @@ static int min_extfrag_threshold;
>  static int max_extfrag_threshold = 1000;
>  #endif
>  
> +static unsigned int secure_boot_enabled;
> +int secure_boot_proc_handler(struct ctl_table *table, int write,
> +	void __user *buffer, size_t *lenp, loff_t *ppos)
> +{
> +	secure_boot_enabled = efi_enabled(EFI_SECURE_BOOT);
> +	return proc_dointvec(table, write, buffer, lenp, ppos);
> +}
> +
> +static unsigned int moksbstate_disabled;
> +int moksbstate_disabled_proc_handler(struct ctl_table *table, int write,
> +	void __user *buffer, size_t *lenp, loff_t *ppos)
> +{
> +	moksbstate_disabled = efi_enabled(EFI_MOKSBSTATE_DISABLED);
> +	return proc_dointvec(table, write, buffer, lenp, ppos);
> +}
> +
>  static struct ctl_table kern_table[] = {
>  	{
> +		.procname   = "secure_boot",
> +		.data       = &secure_boot_enabled,
> +		.maxlen     = sizeof(unsigned int),
> +		.mode       = 0444,
> +		.proc_handler   = secure_boot_proc_handler,
> +	},
> +	{
> +		.procname   = "moksbstate_disabled",
> +		.data       = &moksbstate_disabled,
> +		.maxlen     = sizeof(unsigned int),
> +		.mode       = 0444,
> +		.proc_handler   = moksbstate_disabled_proc_handler,
> +	},
> +	{
>  		.procname	= "sched_child_runs_first",
>  		.data		= &sysctl_sched_child_runs_first,
>  		.maxlen		= sizeof(unsigned int),
> 

Exposes the state as required, looks OK to me.

Acked-by: Colin Ian King <colin.king@canonical.com>
Kamal Mostafa June 16, 2016, 3:49 p.m. UTC | #2
Applied to X.

 -Kamal

Patch

diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index be173c2..b815923 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1150,6 +1150,7 @@  void __init setup_arch(char **cmdline_p)
 		pr_info("Secure boot enabled\n");
 	}
 	else if (boot_params.secure_boot == EFI_MOKSBSTATE_DISABLED) {
+		set_bit(EFI_MOKSBSTATE_DISABLED, &efi.flags);
 		boot_params.secure_boot = 0;
 		pr_info("Secure boot MOKSBState disabled\n");
     }
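Review bot: The added `set_bit(EFI_MOKSBSTATE_DISABLED, &efi.flags);` uses the same constant that the enclosing `else if` just compared against `boot_params.secure_boot`, so one identifier appears to serve both as a boot_params status value and as a bit index into efi.flags; if those are really two different value spaces this works only while the definitions happen to coincide, and a dedicated flag-bit name for the efi.flags role would remove the coupling. If the dual use is intentional, a comment on the new line would keep the next reader from "fixing" it, e.g. `/* record the MOKSBState override in efi.flags before the status below is cleared */`. Note that the read side in kernel/sysctl.c reports EFI_SECURE_BOOT separately, and this branch clears boot_params.secure_boot, so secure_boot and moksbstate_disabled can presumably never both read 1 — worth stating in the commit message rather than leaving it to be inferred. The enclosing setup_arch() starts and ends outside the hunk.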
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 4a7683b..eaa7b21 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -65,6 +65,7 @@ 
 #include <linux/sched/sysctl.h>
 #include <linux/kexec.h>
 #include <linux/bpf.h>
+#include <linux/efi.h>
 
 #include <asm/uaccess.h>
 #include <asm/processor.h>
@@ -279,8 +280,38 @@  static int min_extfrag_threshold;
 static int max_extfrag_threshold = 1000;
 #endif
 
+static unsigned int secure_boot_enabled;
+int secure_boot_proc_handler(struct ctl_table *table, int write,
+	void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+	secure_boot_enabled = efi_enabled(EFI_SECURE_BOOT);
+	return proc_dointvec(table, write, buffer, lenp, ppos);
+}
+
+static unsigned int moksbstate_disabled;
+int moksbstate_disabled_proc_handler(struct ctl_table *table, int write,
+	void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+	moksbstate_disabled = efi_enabled(EFI_MOKSBSTATE_DISABLED);
+	return proc_dointvec(table, write, buffer, lenp, ppos);
+}
+
 static struct ctl_table kern_table[] = {
 	{
+		.procname   = "secure_boot",
+		.data       = &secure_boot_enabled,
+		.maxlen     = sizeof(unsigned int),
+		.mode       = 0444,
+		.proc_handler   = secure_boot_proc_handler,
+	},
+	{
+		.procname   = "moksbstate_disabled",
+		.data       = &moksbstate_disabled,
+		.maxlen     = sizeof(unsigned int),
+		.mode       = 0444,
+		.proc_handler   = moksbstate_disabled_proc_handler,
+	},
+	{
 		.procname	= "sched_child_runs_first",
 		.data		= &sysctl_sched_child_runs_first,
 		.maxlen		= sizeof(unsigned int),
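Review bot: Both new handlers, `secure_boot_proc_handler` and `moksbstate_disabled_proc_handler`, are defined with external linkage but are only referenced from kern_table in this file and have no prototype in any header, so they should be `static int secure_boot_proc_handler(struct ctl_table *table, int write,` and likewise for the second one; as written they export two symbols for no reason and sparse will flag them. The two new ctl_table entries also align their initialisers with spaces (`.procname   =`, `.proc_handler   =`) whereas the neighbouring `sched_child_runs_first` entry uses tabs, so the block should follow the existing alignment. Storing the efi_enabled() result in an `unsigned int` and reading it through proc_dointvec matches how the adjacent entry is wired, which is consistent, but the meaning of the two values and the rule stated in the commit message (enforcement only when secure_boot==1 and moksbstate_disabled==0) belongs in the in-tree /proc/sys/kernel documentation so users of the new interface do not have to read the commit to interpret it.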