projects / linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: b2d1506) | patch
arm64: add kernel config option to lock down when in Secure Boot mode
authorLinn Crosetto <linn@hpe.com>
Tue, 30 Aug 2016 17:54:38 +0000 (11:54 -0600)
committerBen Hutchings <ben@decadent.org.uk>
Mon, 17 Jul 2017 02:01:21 +0000 (03:01 +0100)
commit5b12008e1521e29d3b9206a33511dbd72c047ff6
tree6bdc47b242cd1354e297c2b61d461a6807bff368tree | snapshot
parentb2d15060084a6db00e661fe6c08319b88351560bcommit | diff
arm64: add kernel config option to lock down when in Secure Boot mode

Add a kernel configuration option to lock down the kernel, to restrict
userspace's ability to modify the running kernel when UEFI Secure Boot is
enabled. Based on the x86 patch by Matthew Garrett.

Determine the state of Secure Boot in the EFI stub and pass this to the
kernel using the FDT.

Signed-off-by: Linn Crosetto <linn@hpe.com>
[bwh: Forward-ported to 4.10: adjust context]
[Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream]
[bwh: Forward-ported to 4.11 and lockdown patch set:
 - Convert result of efi_get_secureboot() to a boolean
 - Use lockdown API and naming]

Gbp-Pq: Topic features/all/lockdown
Gbp-Pq: Name arm64-add-kernel-config-option-to-lock-down-when.patch
arch/arm64/Kconfig diff | blob | history
drivers/firmware/efi/arm-init.c diff | blob | history
drivers/firmware/efi/efi.c diff | blob | history
drivers/firmware/efi/libstub/fdt.c diff | blob | history
include/linux/efi.h diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.