dgit.raspbian.org Git - linux.git/commit

author	Ben Hutchings <ben@decadent.org.uk>
	Tue, 10 Sep 2019 10:54:28 +0000 (11:54 +0100)
committer	Salvatore Bonaccorso <carnil@debian.org>
	Sat, 13 Jul 2024 15:45:02 +0000 (17:45 +0200)
commit	8fdd2fb8d118bba27c773340bc8f386d0e76ec5e
tree	15673088d0127543780adcb8dcdf9b6f607cb817	tree \| snapshot
parent	c36c7db3f58e9c05faeff72bd097a2b3eef3c450	commit \| diff

efi: Lock down the kernel if booted in secure boot mode

Based on an earlier patch by David Howells, who wrote the following
description:

> UEFI Secure Boot provides a mechanism for ensuring that the firmware will
> only load signed bootloaders and kernels. Certain use cases may also
> require that all kernel modules also be signed. Add a configuration option
> that to lock down the kernel - which includes requiring validly signed
> modules - if the kernel is secure-booted.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
[Salvatore Bonaccorso: After fixing https://bugs.debian.org/956197 the
help text for LOCK_DOWN_IN_EFI_SECURE_BOOT was adjusted to mention that
lockdown is triggered in integrity mode (https://bugs.debian.org/1025417)]
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
Gbp-Pq: Topic features/all/lockdown
Gbp-Pq: Name efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch

arch/x86/kernel/setup.c		diff \| blob \| history
drivers/firmware/efi/secureboot.c		diff \| blob \| history
include/linux/security.h		diff \| blob \| history
security/lockdown/Kconfig		diff \| blob \| history
security/lockdown/lockdown.c		diff \| blob \| history