efi: Lock down the kernel if booted in secure boot mode

UEFI Secure Boot provides a mechanism for ensuring that the firmware will
only load signed bootloaders and kernels.  Certain use cases may also
require that all kernel modules also be signed.  Add a configuration option
that to lock down the kernel - which includes requiring validly signed
modules - if the kernel is secure-booted.

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
cc: linux-efi@vger.kernel.org

Gbp-Pq: Topic features/all/lockdown
Gbp-Pq: Name 0029-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch

diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index 76e8602c551eabb4af029b6cde45560521f472e5..56095b3b33f9489c459f6a720f6a5644f1180a74 100644 (file)
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -66,6 +66,7 @@
 #include <linux/dma-mapping.h>
 #include <linux/ctype.h>
 #include <linux/uaccess.h>
+#include <linux/security.h>
 
 #include <linux/percpu.h>
 #include <linux/crash_dump.h>
@@ -1012,6 +1013,9 @@ void __init setup_arch(char **cmdline_p)
        if (efi_enabled(EFI_BOOT))
                efi_init();
 
+       efi_set_secure_boot(boot_params.secure_boot);
+       init_lockdown();
+
        dmi_setup();
 
        /*
@@ -1164,8 +1168,6 @@ void __init setup_arch(char **cmdline_p)
        /* Allocate bigger log buffer */
        setup_log_buf(1);
 
-       efi_set_secure_boot(boot_params.secure_boot);
-
        reserve_initrd();
 
        acpi_table_upgrade();

diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
index 6a1d90c80889fb9b43f9388e3e6ece449a6790eb..77af4256ff59acba9dd8433cb285ba9487ba8226 100644 (file)
--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
@@ -40,7 +40,7 @@ static bool debugfs_registered;
 static int debugfs_setattr(struct dentry *dentry, struct iattr *ia)
 {
        if ((ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) &&
-           kernel_is_locked_down("debugfs"))
+           kernel_is_locked_down("changing perms in debugfs"))
                return -EPERM;
        return simple_setattr(dentry, ia);
 }

diff --git a/security/Kconfig b/security/Kconfig
index 6428f7d1ed6afb04d84a19e24bd57ca57f45641b..c3f9907d98a85fef2c73445fde4d3cdd9b90e7c7 100644 (file)
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -256,6 +256,20 @@ config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
          Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
          combination on a wired keyboard.
 
+config LOCK_DOWN_IN_EFI_SECURE_BOOT
+       bool "Lock down the kernel in EFI Secure Boot mode"
+       default n
+       select LOCK_DOWN_KERNEL
+       depends on EFI
+       help
+         UEFI Secure Boot provides a mechanism for ensuring that the firmware
+         will only load signed bootloaders and kernels.  Secure boot mode may
+         be determined from EFI variables provided by the system firmware if
+         not indicated by the boot parameters.
+
+         Enabling this option turns on results in kernel lockdown being
+         triggered if EFI Secure Boot is set.
+
 source "security/selinux/Kconfig"
 source "security/smack/Kconfig"
 source "security/tomoyo/Kconfig"

diff --git a/security/lock_down.c b/security/lock_down.c
index 2c6b00f0c229e411e093f93dad7b98a1331ef398..527f7e51dc8de092d33be4085cbfbc6193129a29 100644 (file)
--- a/security/lock_down.c
+++ b/security/lock_down.c
@@ -12,6 +12,7 @@
 #include <linux/security.h>
 #include <linux/export.h>
 #include <linux/sysrq.h>
+#include <linux/efi.h>
 #include <asm/setup.h>
 
 #ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ