
UBUNTU: [Config] CONFIG_EFI=y on armhf, reconcile secureboot EFI settings

Message ID 20180306122958.3583-1-xnox@ubuntu.com
Commit Message

Dimitri John Ledkov March 6, 2018, 12:29 p.m. UTC
Enable the EFI stub on armhf, and bring the Secure Boot / lockdown config
options on arm64/armhf in line with x86.

BugLink: http://bugs.launchpad.net/bugs/1726362

Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
---
 debian.master/config/amd64/config.common.amd64 |  2 --
 debian.master/config/annotations               | 26 +++++++++++++-------------
 debian.master/config/arm64/config.common.arm64 |  4 +---
 debian.master/config/armhf/config.common.armhf |  4 ++--
 debian.master/config/config.common.ubuntu      |  2 ++
 debian.master/config/i386/config.common.i386   |  2 --
 6 files changed, 18 insertions(+), 22 deletions(-)

Comments

Seth Forshee March 6, 2018, 1:32 p.m. UTC | #1
On Tue, Mar 06, 2018 at 12:29:58PM +0000, Dimitri John Ledkov wrote:
> Enable EFI stub on armhf, also improve Secureboot config options on
> arm64/armhf to be in line with x86.

I'm curious, why enable secure boot options for arm given that we aren't
producing signed kernels?
Seth Forshee March 8, 2018, 7:33 a.m. UTC | #2
On Tue, Mar 06, 2018 at 12:29:58PM +0000, Dimitri John Ledkov wrote:
> Enable EFI stub on armhf, also improve Secureboot config options on
> arm64/armhf to be in line with x86.
> 
> BugLink: http://bugs.launchpad.net/bugs/1726362
> 
> Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>

Applied to bionic/master-next, with some modifications. I had to turn off 
CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ for arm64 and armhf, and I also
added additional updates to the annotations file. Thanks!

Patch

diff --git a/debian.master/config/amd64/config.common.amd64 b/debian.master/config/amd64/config.common.amd64
index 7dfe3033f16b..0e5b80324b74 100644
--- a/debian.master/config/amd64/config.common.amd64
+++ b/debian.master/config/amd64/config.common.amd64
@@ -93,7 +93,6 @@  CONFIG_DUMMY_IRQ=m
 CONFIG_DW_WATCHDOG=m
 CONFIG_ECHO=m
 CONFIG_EEPROM_93CX6=m
-CONFIG_EFI=y
 CONFIG_EFI_CAPSULE_LOADER=m
 CONFIG_EFI_DEV_PATH_PARSER=y
 CONFIG_EFS_FS=m
@@ -188,7 +187,6 @@  CONFIG_LAPB=m
 CONFIG_LDM_PARTITION=y
 CONFIG_LIBNVDIMM=y
 CONFIG_LLC2=m
-CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
 CONFIG_LOCK_DOWN_KERNEL=y
 CONFIG_LOG_BUF_SHIFT=18
 CONFIG_LPC_ICH=m
diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index ee1a91bc2b1c..516d845c54f5 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -481,8 +481,8 @@  CONFIG_X509_CERTIFICATE_PARSER                  note<module signing>
 CONFIG_MODULE_SIG_KEY                           policy<{'amd64': '"certs/signing_key.pem"', 'arm64': '"certs/signing_key.pem"', 'armhf': '"certs/signing_key.pem"', 'i386': '"certs/signing_key.pem"', 'ppc64el': '"certs/signing_key.pem"', 's390x': '"certs/signing_key.pem"'}>
 CONFIG_SYSTEM_BLACKLIST_KEYRING                 policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_SYSTEM_BLACKLIST_HASH_LIST               policy<{'amd64': '""', 'arm64': '""', 'armhf': '""', 'i386': '""', 'ppc64el': '""', 's390x': '""'}>
-CONFIG_EFI_SIGNATURE_LIST_PARSER                policy<{'amd64': 'y', 'arm64': 'y', 'i386': 'y'}>
-CONFIG_LOAD_UEFI_KEYS                           policy<{'amd64': 'y', 'arm64': 'y', 'i386': 'y'}>
+CONFIG_EFI_SIGNATURE_LIST_PARSER                policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y'}>
+CONFIG_LOAD_UEFI_KEYS                           policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y'}>
 #
 CONFIG_EFI_SIGNATURE_LIST_PARSER                mark<ENFORCED>
 CONFIG_LOAD_UEFI_KEYS                           mark<ENFORCED>
@@ -9156,17 +9156,17 @@  CONFIG_FW_CFG_SYSFS_CMDLINE                     policy<{'amd64': 'n', 'arm64': '
 CONFIG_QCOM_SCM_DOWNLOAD_MODE_DEFAULT           policy<{'arm64': 'n', 'armhf': 'n'}>
 
 # Menu: Firmware Drivers >> EFI (Extensible Firmware Interface) Support
-CONFIG_EFI_VARS                                 policy<{'amd64': 'y', 'arm64': 'y', 'i386': 'y'}>
-CONFIG_EFI_VARS_PSTORE                          policy<{'amd64': 'm', 'arm64': 'm', 'i386': 'm'}>
-CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE          policy<{'amd64': 'n', 'arm64': 'n', 'i386': 'n'}>
+CONFIG_EFI_VARS                                 policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y'}>
+CONFIG_EFI_VARS_PSTORE                          policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'i386': 'm'}>
+CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE          policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n'}>
 CONFIG_EFI_RUNTIME_MAP                          policy<{'amd64': 'y', 'i386': 'y'}>
 CONFIG_EFI_FAKE_MEMMAP                          policy<{'amd64': 'n', 'i386': 'n'}>
-CONFIG_EFI_BOOTLOADER_CONTROL                   policy<{'amd64': 'm', 'arm64': 'm', 'i386': 'm'}>
-CONFIG_EFI_CAPSULE_LOADER                       policy<{'amd64': 'm', 'arm64': 'm', 'i386': 'y'}>
+CONFIG_EFI_BOOTLOADER_CONTROL                   policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'i386': 'm'}>
+CONFIG_EFI_CAPSULE_LOADER                       policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'i386': 'y'}>
 CONFIG_EFI_CAPSULE_QUIRK_QUARK_CSH              policy<{'i386': 'y'}>
-CONFIG_EFI_TEST                                 policy<{'amd64': 'm', 'arm64': 'm', 'i386': 'm'}>
+CONFIG_EFI_TEST                                 policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'i386': 'm'}>
 CONFIG_APPLE_PROPERTIES                         policy<{'amd64': 'y', 'i386': 'y'}>
-CONFIG_RESET_ATTACK_MITIGATION                  policy<{'amd64': 'y', 'arm64': 'y', 'i386': 'y'}>
+CONFIG_RESET_ATTACK_MITIGATION                  policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y'}>
 #
 CONFIG_EFI_VARS                                 mark<ENFORCED> note<EFI boot requirement (d-i) LP:#837332>
 
@@ -11248,7 +11248,7 @@  CONFIG_X86_SMAP                                 policy<{'amd64': 'y', 'i386': 'y
 CONFIG_X86_INTEL_UMIP                           policy<{'amd64': 'y', 'i386': 'y'}>
 CONFIG_X86_INTEL_MPX                            policy<{'amd64': 'y'}>
 CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS         policy<{'amd64': 'y'}>
-CONFIG_EFI_STUB                                 policy<{'amd64': 'y', 'arm64': 'y', 'i386': 'y'}>
+CONFIG_EFI_STUB                                 policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y'}>
 CONFIG_EFI_MIXED                                policy<{'amd64': 'y'}>
 CONFIG_KEXEC_VERIFY_SIG                         policy<{'amd64': 'y'}>
 CONFIG_KEXEC_BZIMAGE_VERIFY_SIG                 policy<{'amd64': 'y'}>
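Review bot: Enabling the EFI stub and kernel lockdown for arm64/armhf while `CONFIG_KEXEC_VERIFY_SIG` two lines below stays `policy<{'amd64': 'y'}>` leaves those arches with no signature-verified kexec path at all. If the lockdown series carried in this tree matches upstream's, kexec_load is refused under lockdown and kexec_file_load is refused as well when signature verification is not built in, so a locked-down arm system would presumably lose kexec and kdump entirely — please confirm against the tree. Whether that is unavoidable (no verified kexec_file support for arm in this kernel) or an oversight, record it next to the policy line, e.g. `CONFIG_KEXEC_VERIFY_SIG note<amd64 only; arm64/armhf have no verified kexec, so lockdown blocks kexec there (LP:#1726362)>`.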
@@ -11503,9 +11503,9 @@  CONFIG_HARDENED_USERCOPY                        policy<{'amd64': 'y', 'arm64': '
 CONFIG_HARDENED_USERCOPY_PAGESPAN               policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
 CONFIG_FORTIFY_SOURCE                           policy<{'amd64': 'y', 'arm64': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_STATIC_USERMODEHELPER                    policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
-CONFIG_LOCK_DOWN_KERNEL                         policy<{'amd64': 'y', 'arm64': 'n', 'armhf': 'n', 'i386': 'y', 'ppc64el': 'n', 's390x': 'n'}>
-CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ             policy<{'amd64': 'y', 'i386': 'y'}>
-CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT             policy<{'amd64': 'y', 'arm64': 'n', 'i386': 'y'}>
+CONFIG_LOCK_DOWN_KERNEL                         policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'n', 's390x': 'n'}>
+CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ             policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y'}>
+CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT             policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y'}>
 #
 CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT             mark<ENFORCED>
 CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ             mark<ENFORCED>
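Review bot: `CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y` for arm64/armhf only has an effect if the arch boot path detects the Secure Boot state and actually calls into the lockdown code; on x86 that hook sits in arch setup, and whether an equivalent exists for the ARM EFI stub in this tree is not visible from the diff — if it does not, the option is inert on arm and lockdown is never engaged there despite `CONFIG_LOCK_DOWN_KERNEL=y`, which should be verified before this is relied on. Independently, the two `mark<ENFORCED>` entries closing this hunk carry no rationale, unlike the EFI_VARS entry earlier in the file; suggest `CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT mark<ENFORCED> note<lockdown under UEFI Secure Boot on all EFI arches, LP:#1726362>` and a matching note on the SYSRQ line stating the per-arch value is deliberate.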
diff --git a/debian.master/config/arm64/config.common.arm64 b/debian.master/config/arm64/config.common.arm64
index 9d20f17f6aaf..57b75fd36c91 100644
--- a/debian.master/config/arm64/config.common.arm64
+++ b/debian.master/config/arm64/config.common.arm64
@@ -104,7 +104,6 @@  CONFIG_DUMMY_IRQ=m
 CONFIG_DW_WATCHDOG=m
 CONFIG_ECHO=m
 CONFIG_EEPROM_93CX6=m
-CONFIG_EFI=y
 CONFIG_EFI_CAPSULE_LOADER=m
 # CONFIG_EFI_DEV_PATH_PARSER is not set
 CONFIG_EFS_FS=m
@@ -206,8 +205,7 @@  CONFIG_LAPB=m
 CONFIG_LDM_PARTITION=y
 CONFIG_LIBNVDIMM=y
 CONFIG_LLC2=m
-# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
-# CONFIG_LOCK_DOWN_KERNEL is not set
+CONFIG_LOCK_DOWN_KERNEL=y
 CONFIG_LOG_BUF_SHIFT=14
 CONFIG_LPC_ICH=m
 CONFIG_LPC_SCH=m
diff --git a/debian.master/config/armhf/config.common.armhf b/debian.master/config/armhf/config.common.armhf
index 4b01fabaffa6..1ef3f0602a20 100644
--- a/debian.master/config/armhf/config.common.armhf
+++ b/debian.master/config/armhf/config.common.armhf
@@ -91,7 +91,7 @@  CONFIG_DUMMY_IRQ=m
 CONFIG_DW_WATCHDOG=m
 CONFIG_ECHO=m
 CONFIG_EEPROM_93CX6=m
-# CONFIG_EFI is not set
+CONFIG_EFI_CAPSULE_LOADER=m
 CONFIG_EFS_FS=m
 CONFIG_EM_TIMER_STI=y
 CONFIG_ENCLOSURE_SERVICES=m
@@ -184,7 +184,7 @@  CONFIG_LAPB=m
 CONFIG_LDM_PARTITION=y
 CONFIG_LIBNVDIMM=y
 CONFIG_LLC2=m
-# CONFIG_LOCK_DOWN_KERNEL is not set
+CONFIG_LOCK_DOWN_KERNEL=y
 CONFIG_LOG_BUF_SHIFT=17
 CONFIG_LPC_ICH=m
 CONFIG_LPC_SCH=m
diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index 84b117bc0312..7e45eca1fff2 100644
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -2664,6 +2664,7 @@  CONFIG_EEPROM_AT25=m
 CONFIG_EEPROM_IDT_89HPESX=m
 CONFIG_EEPROM_LEGACY=m
 CONFIG_EEPROM_MAX6875=m
+CONFIG_EFI=y
 CONFIG_EFIVAR_FS=y
 CONFIG_EFI_ARMSTUB=y
 CONFIG_EFI_BOOTLOADER_CONTROL=m
@@ -4865,6 +4866,7 @@  CONFIG_LOCKD=m
 CONFIG_LOCKDEP_SUPPORT=y
 CONFIG_LOCKD_V4=y
 CONFIG_LOCKUP_DETECTOR=y
+CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
 CONFIG_LOCK_SPIN_ON_OWNER=y
 # CONFIG_LOCK_STAT is not set
 # CONFIG_LOCK_TORTURE_TEST is not set
diff --git a/debian.master/config/i386/config.common.i386 b/debian.master/config/i386/config.common.i386
index cd5a7508f3f2..99cc3060abb0 100644
--- a/debian.master/config/i386/config.common.i386
+++ b/debian.master/config/i386/config.common.i386
@@ -89,7 +89,6 @@  CONFIG_DUMMY_IRQ=m
 CONFIG_DW_WATCHDOG=m
 CONFIG_ECHO=m
 CONFIG_EEPROM_93CX6=m
-CONFIG_EFI=y
 CONFIG_EFI_CAPSULE_LOADER=y
 CONFIG_EFI_DEV_PATH_PARSER=y
 CONFIG_EFS_FS=m
@@ -184,7 +183,6 @@  CONFIG_LAPB=m
 CONFIG_LDM_PARTITION=y
 CONFIG_LIBNVDIMM=y
 CONFIG_LLC2=m
-CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
 CONFIG_LOCK_DOWN_KERNEL=y
 CONFIG_LOG_BUF_SHIFT=17
 CONFIG_LPC_ICH=m