dgit.raspbian.org Git - linux.git/commit

author	Ben Hutchings <ben@decadent.org.uk>
	Tue, 10 Sep 2019 10:54:28 +0000 (11:54 +0100)
committer	Salvatore Bonaccorso <carnil@debian.org>
	Fri, 21 Oct 2022 20:24:21 +0000 (21:24 +0100)
commit	85ffdc289bd94890df8cb15cf2979e700a563359
tree	7ea65bb53a866d6cec01af157c657ce60c04c9ad	tree \| snapshot
parent	f12ba05608a4f576d527600da052330de319ac3d	commit \| diff

efi: Lock down the kernel if booted in secure boot mode

Based on an earlier patch by David Howells, who wrote the following
description:

> UEFI Secure Boot provides a mechanism for ensuring that the firmware will
> only load signed bootloaders and kernels. Certain use cases may also
> require that all kernel modules also be signed. Add a configuration option
> that to lock down the kernel - which includes requiring validly signed
> modules - if the kernel is secure-booted.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic features/all/lockdown
Gbp-Pq: Name efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch

arch/x86/kernel/setup.c		diff \| blob \| history
drivers/firmware/efi/secureboot.c		diff \| blob \| history
include/linux/security.h		diff \| blob \| history
security/lockdown/Kconfig		diff \| blob \| history
security/lockdown/lockdown.c		diff \| blob \| history