diff mbox series

[UNSTABLE,1/2] UBUNTU: SAUCE: (lockdown) s390/ipl: lockdown kernel when booted secure

Message ID 20190809144929.17651-2-xnox@ubuntu.com
State New
Headers show
Series [UNSTABLE,1/2] UBUNTU: SAUCE: (lockdown) s390/ipl: lockdown kernel when booted secure | expand

Commit Message

Dimitri John Ledkov Aug. 9, 2019, 2:49 p.m. UTC 
From: Philipp Rudo <prudo@linux.ibm.com>

BugLink: https://bugs.launchpad.net/bugs/1839622
Signed-off-by: Philipp Rudo <prudo@linux.ibm.com>
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
---
 arch/s390/include/asm/ipl.h | 1 +
 arch/s390/kernel/ipl.c      | 5 +++++
 security/lock_down.c        | 7 +++++++
 3 files changed, 13 insertions(+)
diff mbox series

Patch

diff --git a/arch/s390/include/asm/ipl.h b/arch/s390/include/asm/ipl.h
index 084e71b7272a..1d1b5ec7357b 100644
--- a/arch/s390/include/asm/ipl.h
+++ b/arch/s390/include/asm/ipl.h
@@ -109,6 +109,7 @@  int ipl_report_add_component(struct ipl_report *report, struct kexec_buf *kbuf,
 			     unsigned char flags, unsigned short cert);
 int ipl_report_add_certificate(struct ipl_report *report, void *key,
 			       unsigned long addr, unsigned long len);
+bool ipl_get_secureboot(void);
 
 /*
  * DIAG 308 support
diff --git a/arch/s390/kernel/ipl.c b/arch/s390/kernel/ipl.c
index 2c0a515428d6..db491b068061 100644
--- a/arch/s390/kernel/ipl.c
+++ b/arch/s390/kernel/ipl.c
@@ -1851,3 +1851,8 @@  int ipl_report_free(struct ipl_report *report)
 }
 
 #endif
+
+bool ipl_get_secureboot(void)
+{
+	return !!ipl_secure_flag;
+}
diff --git a/security/lock_down.c b/security/lock_down.c
index b66b3bac8d79..973118384a0c 100644
--- a/security/lock_down.c
+++ b/security/lock_down.c
@@ -15,6 +15,9 @@ 
 #include <linux/efi.h>
 #include <linux/sysrq.h>
 #include <asm/setup.h>
+#ifdef CONFIG_S390
+#include <asm/ipl.h>
+#endif
 
 #ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
 static __read_mostly bool kernel_locked_down;
@@ -55,6 +58,10 @@  void __init init_lockdown(void)
 	if (efi_enabled(EFI_SECURE_BOOT))
 		lock_kernel_down("EFI secure boot");
 #endif
+#ifdef CONFIG_S390
+	if (ipl_get_secureboot())
+		lock_kernel_down("Secure IPL");
+#endif
 }
 
 /**