projects / linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: f3613c2) | patch
arm64: add kernel config option to lock down when in Secure Boot mode
authorLinn Crosetto <linn@hpe.com>
Tue, 30 Aug 2016 17:54:38 +0000 (11:54 -0600)
committerBen Hutchings <ben@decadent.org.uk>
Tue, 19 Sep 2017 00:59:17 +0000 (01:59 +0100)
commitdd847a1fae9e5b69680f491452a9556ca77310bc
tree5ca17c9d40b1a92f0ee935d7a2f47af13836c4abtree | snapshot
parentf3613c2277eabc106cd3bbccaa368a366b02730ecommit | diff
arm64: add kernel config option to lock down when in Secure Boot mode

Add a kernel configuration option to lock down the kernel, to restrict
userspace's ability to modify the running kernel when UEFI Secure Boot is
enabled. Based on the x86 patch by Matthew Garrett.

Determine the state of Secure Boot in the EFI stub and pass this to the
kernel using the FDT.

Signed-off-by: Linn Crosetto <linn@hpe.com>
[bwh: Forward-ported to 4.10: adjust context]
[Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream]
[bwh: Forward-ported to 4.11 and lockdown patch set:
 - Convert result of efi_get_secureboot() to a boolean
 - Use lockdown API and naming]

Gbp-Pq: Topic features/all/lockdown
Gbp-Pq: Name arm64-add-kernel-config-option-to-lock-down-when.patch
arch/arm64/Kconfig diff | blob | history
drivers/firmware/efi/arm-init.c diff | blob | history
drivers/firmware/efi/efi.c diff | blob | history
drivers/firmware/efi/libstub/fdt.c diff | blob | history
include/linux/efi.h diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.