arm64: add kernel config option to lock down when in Secure Boot mode

author Linn Crosetto <linn@hpe.com>

Tue, 30 Aug 2016 17:54:38 +0000 (11:54 -0600)

committer Bastian Blank <waldi@debian.org>

Fri, 22 Jun 2018 09:50:22 +0000 (10:50 +0100)
author Linn Crosetto <linn@hpe.com>
Tue, 30 Aug 2016 17:54:38 +0000 (11:54 -0600)
committer Bastian Blank <waldi@debian.org>
Fri, 22 Jun 2018 09:50:22 +0000 (10:50 +0100)
diff --git a/drivers/firmware/efi/arm-init.c b/drivers/firmware/efi/arm-init.c

index 80d1a885def5c2dd8bd15591bcc7c62d9b2e3b8c..56ee44ebac30a57cb87946860e046155590ce79f 100644 (file)
--- a/drivers/firmware/efi/arm-init.c
+++ b/drivers/firmware/efi/arm-init.c
@@ -21,6 +21,7 @@
  #include <linux/of_fdt.h>
  #include <linux/platform_device.h>
  #include <linux/screen_info.h>
+#include <linux/security.h>
  
  #include <asm/efi.h>
  
@@ -252,6 +253,9 @@ void __init efi_init(void)
              "Unexpected EFI_MEMORY_DESCRIPTOR version %ld",
               efi.memmap.desc_version);
  
+       efi_set_secure_boot(params.secure_boot);
+       init_lockdown();
+
         if (uefi_init() < 0) {
                 efi_memmap_unmap();
                 return;
diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c

index cd42f66a7c85a70801b2322ded2359fc22859ca6..af066b0f2b8f56f91dad6b6c656ce9659788202d 100644 (file)
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -639,7 +639,8 @@ static __initdata struct params fdt_params[] = {
         UEFI_PARAM("MemMap Address", "linux,uefi-mmap-start", mmap),
         UEFI_PARAM("MemMap Size", "linux,uefi-mmap-size", mmap_size),
         UEFI_PARAM("MemMap Desc. Size", "linux,uefi-mmap-desc-size", desc_size),
-       UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver)
+       UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver),
+       UEFI_PARAM("Secure Boot Enabled", "linux,uefi-secure-boot", secure_boot)
  };
  
  static __initdata struct params xen_fdt_params[] = {
diff --git a/drivers/firmware/efi/libstub/fdt.c b/drivers/firmware/efi/libstub/fdt.c

index 8830fa601e45d9a1b1094419cd1ec66f41a25e49..532b02fbc5d6cbbf5fb7ef826b2dd7903e77b064 100644 (file)
--- a/drivers/firmware/efi/libstub/fdt.c
+++ b/drivers/firmware/efi/libstub/fdt.c
@@ -158,6 +158,13 @@ static efi_status_t update_fdt(efi_system_table_t *sys_table, void *orig_fdt,
                         return efi_status;
                 }
         }
+
+       fdt_val32 = cpu_to_fdt32(efi_get_secureboot(sys_table));
+       status = fdt_setprop(fdt, node, "linux,uefi-secure-boot",
+                            &fdt_val32, sizeof(fdt_val32));
+       if (status)
+               goto fdt_set_fail;
+
         return EFI_SUCCESS;
  
  fdt_set_fail:
diff --git a/include/linux/efi.h b/include/linux/efi.h

index 72e595768b2e1ec9b987f4a56fd41bd07c9484ca..292baeaa0462d083c3563e19b4fc73f9aa95f031 100644 (file)
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -786,6 +786,7 @@ struct efi_fdt_params {
         u32 mmap_size;
         u32 desc_size;
         u32 desc_ver;
+       u32 secure_boot;
  };
  
  typedef struct {
author	Linn Crosetto <linn@hpe.com>
	Tue, 30 Aug 2016 17:54:38 +0000 (11:54 -0600)
committer	Bastian Blank <waldi@debian.org>
	Fri, 22 Jun 2018 09:50:22 +0000 (10:50 +0100)
drivers/firmware/efi/arm-init.c		patch \| blob \| history
drivers/firmware/efi/efi.c		patch \| blob \| history
drivers/firmware/efi/libstub/fdt.c		patch \| blob \| history
include/linux/efi.h		patch \| blob \| history