arm64: add kernel config option to lock down when in Secure Boot mode

author Linn Crosetto <linn@hpe.com>

Tue, 30 Aug 2016 17:54:38 +0000 (11:54 -0600)

committer Salvatore Bonaccorso <carnil@debian.org>

Sun, 30 Dec 2018 09:04:03 +0000 (09:04 +0000)
author Linn Crosetto <linn@hpe.com>
Tue, 30 Aug 2016 17:54:38 +0000 (11:54 -0600)
committer Salvatore Bonaccorso <carnil@debian.org>
Sun, 30 Dec 2018 09:04:03 +0000 (09:04 +0000)
diff --git a/drivers/firmware/efi/arm-init.c b/drivers/firmware/efi/arm-init.c

index 1a6a77df8a5e8aea45f3cbc2bac9c5d0883b0edb..b975290e8bfca8ddd1e5d8c96eda34c6c5148ecc 100644 (file)
--- a/drivers/firmware/efi/arm-init.c
+++ b/drivers/firmware/efi/arm-init.c
@@ -21,6 +21,7 @@
  #include <linux/of_fdt.h>
  #include <linux/platform_device.h>
  #include <linux/screen_info.h>
+#include <linux/security.h>
  
  #include <asm/efi.h>
  
@@ -252,6 +253,9 @@ void __init efi_init(void)
              "Unexpected EFI_MEMORY_DESCRIPTOR version %ld",
               efi.memmap.desc_version);
  
+       efi_set_secure_boot(params.secure_boot);
+       init_lockdown();
+
         if (uefi_init() < 0) {
                 efi_memmap_unmap();
                 return;
diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c

index 2a29dd9c986d4e2df7663aa1305df8adbaa59739..7bebfa7ab83188b6650477c7fefa39a424e15d78 100644 (file)
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -657,7 +657,8 @@ static __initdata struct params fdt_params[] = {
         UEFI_PARAM("MemMap Address", "linux,uefi-mmap-start", mmap),
         UEFI_PARAM("MemMap Size", "linux,uefi-mmap-size", mmap_size),
         UEFI_PARAM("MemMap Desc. Size", "linux,uefi-mmap-desc-size", desc_size),
-       UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver)
+       UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver),
+       UEFI_PARAM("Secure Boot Enabled", "linux,uefi-secure-boot", secure_boot)
  };
  
  static __initdata struct params xen_fdt_params[] = {
diff --git a/drivers/firmware/efi/libstub/fdt.c b/drivers/firmware/efi/libstub/fdt.c

index 0c0d2312f4a8ad27f6e852bc82d5f2b6c0124e64..3dae6e668c2f3b7d950422c8c2e33fe7bc7539d7 100644 (file)
--- a/drivers/firmware/efi/libstub/fdt.c
+++ b/drivers/firmware/efi/libstub/fdt.c
@@ -159,6 +159,12 @@ static efi_status_t update_fdt(efi_system_table_t *sys_table, void *orig_fdt,
                 }
         }
  
+       fdt_val32 = cpu_to_fdt32(efi_get_secureboot(sys_table));
+       status = fdt_setprop(fdt, node, "linux,uefi-secure-boot",
+                            &fdt_val32, sizeof(fdt_val32));
+       if (status)
+               goto fdt_set_fail;
+
         /* shrink the FDT back to its minimum size */
         fdt_pack(fdt);
  
diff --git a/include/linux/efi.h b/include/linux/efi.h

index a2f5498775f2abca11f97f06ff4f7e5c9195820d..11cdbdd9c475b81e652c02c0baace3c82bda3239 100644 (file)
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -786,6 +786,7 @@ struct efi_fdt_params {
         u32 mmap_size;
         u32 desc_size;
         u32 desc_ver;
+       u32 secure_boot;
  };
  
  typedef struct {
author	Linn Crosetto <linn@hpe.com>
	Tue, 30 Aug 2016 17:54:38 +0000 (11:54 -0600)
committer	Salvatore Bonaccorso <carnil@debian.org>
	Sun, 30 Dec 2018 09:04:03 +0000 (09:04 +0000)
drivers/firmware/efi/arm-init.c		patch \| blob \| history
drivers/firmware/efi/efi.c		patch \| blob \| history
drivers/firmware/efi/libstub/fdt.c		patch \| blob \| history
include/linux/efi.h		patch \| blob \| history