arm64: add kernel config option to lock down when in Secure Boot mode

author Linn Crosetto <linn@hpe.com>

Tue, 30 Aug 2016 17:54:38 +0000 (11:54 -0600)

committer Salvatore Bonaccorso <carnil@debian.org>

Thu, 26 Sep 2019 12:19:06 +0000 (13:19 +0100)
author Linn Crosetto <linn@hpe.com>
Tue, 30 Aug 2016 17:54:38 +0000 (11:54 -0600)
committer Salvatore Bonaccorso <carnil@debian.org>
Thu, 26 Sep 2019 12:19:06 +0000 (13:19 +0100)
diff --git a/drivers/firmware/efi/arm-init.c b/drivers/firmware/efi/arm-init.c

index 311cd349a8628bbe1e8b8441f5be32dc9ac71204..e2a822271c206fdee0c8484df0dd19ab50ec7acd 100644 (file)
--- a/drivers/firmware/efi/arm-init.c
+++ b/drivers/firmware/efi/arm-init.c
@@ -17,6 +17,7 @@
  #include <linux/of_fdt.h>
  #include <linux/platform_device.h>
  #include <linux/screen_info.h>
+#include <linux/security.h>
  
  #include <asm/efi.h>
  
@@ -253,6 +254,9 @@ void __init efi_init(void)
                 return;
         }
  
+       efi_set_secure_boot(params.secure_boot);
+       init_lockdown();
+
         reserve_regions();
         efi_esrt_init();
  
diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c

index 8fc1c04a0414249ed653282bd50665556e0680b6..5c340b82811a99a3783e1e5569772993b2c605d2 100644 (file)
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -700,7 +700,8 @@ static __initdata struct params fdt_params[] = {
         UEFI_PARAM("MemMap Address", "linux,uefi-mmap-start", mmap),
         UEFI_PARAM("MemMap Size", "linux,uefi-mmap-size", mmap_size),
         UEFI_PARAM("MemMap Desc. Size", "linux,uefi-mmap-desc-size", desc_size),
-       UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver)
+       UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver),
+       UEFI_PARAM("Secure Boot Enabled", "linux,uefi-secure-boot", secure_boot)
  };
  
  static __initdata struct params xen_fdt_params[] = {
diff --git a/drivers/firmware/efi/libstub/fdt.c b/drivers/firmware/efi/libstub/fdt.c

index 5440ba17a1c577dd85cb7a656a1c93aa7fd1d6ed..95e4002cd1a1b2d7a1fd55dc2707b68f537370a2 100644 (file)
--- a/drivers/firmware/efi/libstub/fdt.c
+++ b/drivers/firmware/efi/libstub/fdt.c
@@ -151,6 +151,12 @@ static efi_status_t update_fdt(efi_system_table_t *sys_table, void *orig_fdt,
                 }
         }
  
+       fdt_val32 = cpu_to_fdt32(efi_get_secureboot(sys_table));
+       status = fdt_setprop(fdt, node, "linux,uefi-secure-boot",
+                            &fdt_val32, sizeof(fdt_val32));
+       if (status)
+               goto fdt_set_fail;
+
         /* Shrink the FDT back to its minimum size: */
         fdt_pack(fdt);
  
diff --git a/include/linux/efi.h b/include/linux/efi.h

index fb4b143c1f293dfa2fb8c309900b8afc7970387f..bb5d45d0bb1fd516be4d31a04164e0655554a551 100644 (file)
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -804,6 +804,7 @@ struct efi_fdt_params {
         u32 mmap_size;
         u32 desc_size;
         u32 desc_ver;
+       u32 secure_boot;
  };
  
  typedef struct {
author	Linn Crosetto <linn@hpe.com>
	Tue, 30 Aug 2016 17:54:38 +0000 (11:54 -0600)
committer	Salvatore Bonaccorso <carnil@debian.org>
	Thu, 26 Sep 2019 12:19:06 +0000 (13:19 +0100)
drivers/firmware/efi/arm-init.c		patch \| blob \| history
drivers/firmware/efi/efi.c		patch \| blob \| history
drivers/firmware/efi/libstub/fdt.c		patch \| blob \| history
include/linux/efi.h		patch \| blob \| history