arm64: add kernel config option to lock down when in Secure Boot mode

author Linn Crosetto <linn@hpe.com>

Tue, 30 Aug 2016 17:54:38 +0000 (11:54 -0600)

committer Ben Hutchings <benh@debian.org>

Wed, 15 Apr 2020 02:37:48 +0000 (03:37 +0100)
author Linn Crosetto <linn@hpe.com>
Tue, 30 Aug 2016 17:54:38 +0000 (11:54 -0600)
committer Ben Hutchings <benh@debian.org>
Wed, 15 Apr 2020 02:37:48 +0000 (03:37 +0100)
diff --git a/drivers/firmware/efi/arm-init.c b/drivers/firmware/efi/arm-init.c

index d99f5b0c8a09059de5061ffb3ef444751de6b9a9..97e3f896776547ea78e855e9887e61a5dd27c8b8 100644 (file)
--- a/drivers/firmware/efi/arm-init.c
+++ b/drivers/firmware/efi/arm-init.c
@@ -19,6 +19,7 @@
  #include <linux/of_fdt.h>
  #include <linux/platform_device.h>
  #include <linux/screen_info.h>
+#include <linux/security.h>
  
  #include <asm/efi.h>
  
@@ -264,6 +265,8 @@ void __init efi_init(void)
                 return;
         }
  
+       efi_set_secure_boot(params.secure_boot);
+
         reserve_regions();
         efi_esrt_init();
  
diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c

index a9778591341bbade76e37f511cc2a28c323c073d..8b325ed352e50c58195003994ff6c9c6d282589a 100644 (file)
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -696,7 +696,8 @@ static __initdata struct params fdt_params[] = {
         UEFI_PARAM("MemMap Address", "linux,uefi-mmap-start", mmap),
         UEFI_PARAM("MemMap Size", "linux,uefi-mmap-size", mmap_size),
         UEFI_PARAM("MemMap Desc. Size", "linux,uefi-mmap-desc-size", desc_size),
-       UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver)
+       UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver),
+       UEFI_PARAM("Secure Boot Enabled", "linux,uefi-secure-boot", secure_boot)
  };
  
  static __initdata struct params xen_fdt_params[] = {
diff --git a/drivers/firmware/efi/libstub/fdt.c b/drivers/firmware/efi/libstub/fdt.c

index 0bf0190917e08ebdb6bcae20969a6354c6634347..b5249cdc7d70fb7fd4c7f040a4e667a60ad0525a 100644 (file)
--- a/drivers/firmware/efi/libstub/fdt.c
+++ b/drivers/firmware/efi/libstub/fdt.c
@@ -151,6 +151,12 @@ static efi_status_t update_fdt(efi_system_table_t *sys_table, void *orig_fdt,
                 }
         }
  
+       fdt_val32 = cpu_to_fdt32(efi_get_secureboot(sys_table));
+       status = fdt_setprop(fdt, node, "linux,uefi-secure-boot",
+                            &fdt_val32, sizeof(fdt_val32));
+       if (status)
+               goto fdt_set_fail;
+
         /* Shrink the FDT back to its minimum size: */
         fdt_pack(fdt);
  
diff --git a/include/linux/efi.h b/include/linux/efi.h

index 130af51d102c9866d1dbdeb9b3248af13ba52064..ef340af1514ecacecba3e2a4fa8f52f9a3598557 100644 (file)
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -809,6 +809,7 @@ struct efi_fdt_params {
         u32 mmap_size;
         u32 desc_size;
         u32 desc_ver;
+       u32 secure_boot;
  };
  
  typedef struct {
author	Linn Crosetto <linn@hpe.com>
	Tue, 30 Aug 2016 17:54:38 +0000 (11:54 -0600)
committer	Ben Hutchings <benh@debian.org>
	Wed, 15 Apr 2020 02:37:48 +0000 (03:37 +0100)
drivers/firmware/efi/arm-init.c		patch \| blob \| history
drivers/firmware/efi/efi.c		patch \| blob \| history
drivers/firmware/efi/libstub/fdt.c		patch \| blob \| history
include/linux/efi.h		patch \| blob \| history