projects / linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 4791380) | patch
arm64: add kernel config option to lock down when in Secure Boot mode
authorLinn Crosetto <linn@hpe.com>
Tue, 30 Aug 2016 17:54:38 +0000 (11:54 -0600)
committerBen Hutchings <ben@decadent.org.uk>
Thu, 6 Sep 2018 14:32:14 +0000 (15:32 +0100)
commit2cc0444b96b0def4d619c7ca5f59452757eb3f55
tree7e8f15f49236f84218e1b50c7e9289870f84d6e0tree | snapshot
parent4791380ac79220e0e247750c8ff81be8e571a9accommit | diff
arm64: add kernel config option to lock down when in Secure Boot mode

Add a kernel configuration option to lock down the kernel, to restrict
userspace's ability to modify the running kernel when UEFI Secure Boot is
enabled. Based on the x86 patch by Matthew Garrett.

Determine the state of Secure Boot in the EFI stub and pass this to the
kernel using the FDT.

Signed-off-by: Linn Crosetto <linn@hpe.com>
[bwh: Forward-ported to 4.10: adjust context]
[Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream]
[bwh: Forward-ported to 4.15 and lockdown patch set:
 - Pass result of efi_get_secureboot() in stub through to
   efi_set_secure_boot() in main kernel
 - Use lockdown API and naming]

Gbp-Pq: Topic features/all/lockdown
Gbp-Pq: Name arm64-add-kernel-config-option-to-lock-down-when.patch
drivers/firmware/efi/arm-init.c diff | blob | history
drivers/firmware/efi/efi.c diff | blob | history
drivers/firmware/efi/libstub/fdt.c diff | blob | history
include/linux/efi.h diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.