allow the kernel to be booted as an EFI application. This
is only useful on systems that have UEFI firmware.
+config EFI_SECURE_BOOT_LOCK_DOWN
+ def_bool n
+ depends on EFI
+ prompt "Lock down the kernel when UEFI Secure Boot is enabled"
+ ---help---
+ UEFI Secure Boot provides a mechanism for ensuring that the firmware
+ will only load signed bootloaders and kernels. Certain use cases may
+ also require that all kernel modules also be signed and that
+ userspace is prevented from directly changing the running kernel
+ image. Say Y here to automatically lock down the kernel when a
+ system boots with UEFI Secure Boot enabled.
+
config DMI
bool "Enable support for SMBIOS (DMI) tables"
depends on EFI
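Review bot: The new option at the top of the hunk is written as `def_bool n` plus a separate `prompt`; for a user-visible bool with no default the idiomatic Kconfig form is a single `bool "Lock down the kernel when UEFI Secure Boot is enabled"` line, which menuconfig presents identically and which drops the redundant `n` default. The help text also doubles up "also" ("may also require that all kernel modules also be signed") — one of the two should go. `lock_kernel_down()` is brought in from `<linux/security.h>` by the arm-init.c hunk; if the kernel lockdown facility is itself a Kconfig option in this tree (its definition is not in view), this entry needs a matching `depends on` or `select` so the option cannot be enabled without an implementation behind that call.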
#include <linux/of_fdt.h>
#include <linux/platform_device.h>
#include <linux/screen_info.h>
+#include <linux/security.h>
#include <asm/efi.h>
"Unexpected EFI_MEMORY_DESCRIPTOR version %ld",
efi.memmap.desc_version);
+#ifdef CONFIG_EFI_SECURE_BOOT_LOCK_DOWN
+ if (params.secure_boot > 0)
+ lock_kernel_down();
+#endif
+
if (uefi_init() < 0) {
efi_memmap_unmap();
return;
UEFI_PARAM("MemMap Address", "linux,uefi-mmap-start", mmap),
UEFI_PARAM("MemMap Size", "linux,uefi-mmap-size", mmap_size),
UEFI_PARAM("MemMap Desc. Size", "linux,uefi-mmap-desc-size", desc_size),
- UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver)
+ UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver),
+ UEFI_PARAM("Secure Boot Enabled", "linux,uefi-secure-boot", secure_boot)
};
static __initdata struct params xen_fdt_params[] = {
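Review bot: Adding `linux,uefi-secure-boot` to `dt_params` puts it in the same lookup as the memory-map properties; if the code that walks this table (not in view) treats every entry as required, a DT produced by an older stub — or any boot path that supplies the other properties but not this one — will now fail the UEFI-params lookup and boot without EFI support at all, rather than merely without lockdown. Please confirm how a missing entry is handled, and if it is fatal either look this property up separately as optional (defaulting `secure_boot` to 0) or state in the commit message that a matching stub is required. The `xen_fdt_params` table that starts on the last line of the hunk does not receive the property, so a Xen guest presumably never sees `secure_boot` set; if that is intended, a one-line comment saying so would help.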
return efi_status;
}
}
+
+ fdt_val32 = cpu_to_fdt32(efi_get_secureboot(sys_table) !=
+ efi_secureboot_mode_disabled);
+ status = fdt_setprop(fdt, node, "linux,uefi-secure-boot",
+ &fdt_val32, sizeof(fdt_val32));
+ if (status)
+ goto fdt_set_fail;
+
return EFI_SUCCESS;
fdt_set_fail:
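Review bot: The comparison feeding `fdt_val32` is `!= efi_secureboot_mode_disabled`, so any status other than an explicit "disabled" — including `efi_secureboot_mode_unknown` when the variables cannot be read — is reported to the kernel as Secure Boot enabled. Failing closed is the right direction, but it is easy to misread as a bug and "correct" to `== efi_secureboot_mode_enabled`, which would turn a variable-read failure into a silent lockdown bypass; a comment above the assignment would pin the intent, e.g. `/* Report anything other than an explicit "disabled" as enabled: an unreadable SecureBoot variable must fail closed. */`. The enclosing function begins before this hunk.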
u32 mmap_size;
u32 desc_size;
u32 desc_ver;
+ u32 secure_boot;
};
typedef struct {
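Review bot: The new `secure_boot` member is a 0/1 value written by the EFI stub via `cpu_to_fdt32`, yet it is declared as a bare `u32` with no comment, and the consumer tests it with `> 0`. A trailing comment such as `u32 secure_boot; /* non-zero: booted with UEFI Secure Boot enabled; from linux,uefi-secure-boot */` would keep the producer and consumer from drifting apart.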