From: Linn Crosetto Date: Tue, 30 Aug 2016 17:54:38 +0000 (-0600) Subject: arm64: add kernel config option to lock down when in Secure Boot mode X-Git-Tag: archive/raspbian/5.7.6-1+rpi1^2^2~41 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=197cec36119d061bd6296dda8c3cf5c30621262e;p=linux.git arm64: add kernel config option to lock down when in Secure Boot mode Bug-Debian: https://bugs.debian.org/831827 Forwarded: no Add a kernel configuration option to lock down the kernel, to restrict userspace's ability to modify the running kernel when UEFI Secure Boot is enabled. Based on the x86 patch by Matthew Garrett. Determine the state of Secure Boot in the EFI stub and pass this to the kernel using the FDT. Signed-off-by: Linn Crosetto [bwh: Forward-ported to 4.10: adjust context] [Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream] [bwh: Forward-ported to 4.15 and lockdown patch set: - Pass result of efi_get_secureboot() in stub through to efi_set_secure_boot() in main kernel - Use lockdown API and naming] [bwh: Forward-ported to 4.19.3: adjust context in update_fdt()] [dannf: Moved init_lockdown() call after uefi_init(), fixing SB detection] [bwh: Drop call to init_lockdown(), as efi_set_secure_boot() now calls this] [bwh: Forward-ported to 5.6: efi_get_secureboot() no longer takes a sys_table parameter] Gbp-Pq: Topic features/all/lockdown Gbp-Pq: Name arm64-add-kernel-config-option-to-lock-down-when.patch --- diff --git a/drivers/firmware/efi/arm-init.c b/drivers/firmware/efi/arm-init.c index d99f5b0c8a0..97e3f896776 100644 --- a/drivers/firmware/efi/arm-init.c +++ b/drivers/firmware/efi/arm-init.c @@ -19,6 +19,7 @@ #include #include #include +#include #include @@ -264,6 +265,8 @@ void __init efi_init(void) return; } + efi_set_secure_boot(params.secure_boot); + reserve_regions(); efi_esrt_init(); diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index 77cb95f70ed..a32b0e0d792 100644 --- a/drivers/firmware/efi/efi.c 
+++ b/drivers/firmware/efi/efi.c @@ -696,7 +696,8 @@ static __initdata struct params fdt_params[] = { UEFI_PARAM("MemMap Address", "linux,uefi-mmap-start", mmap), UEFI_PARAM("MemMap Size", "linux,uefi-mmap-size", mmap_size), UEFI_PARAM("MemMap Desc. Size", "linux,uefi-mmap-desc-size", desc_size), - UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver) + UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver), + UEFI_PARAM("Secure Boot Enabled", "linux,uefi-secure-boot", secure_boot) }; static __initdata struct params xen_fdt_params[] = { diff --git a/drivers/firmware/efi/libstub/fdt.c b/drivers/firmware/efi/libstub/fdt.c index 0a91e523212..4a2297a1e9d 100644 --- a/drivers/firmware/efi/libstub/fdt.c +++ b/drivers/firmware/efi/libstub/fdt.c @@ -150,6 +150,12 @@ static efi_status_t update_fdt(void *orig_fdt, unsigned long orig_fdt_size, } } + fdt_val32 = cpu_to_fdt32(efi_get_secureboot()); + status = fdt_setprop(fdt, node, "linux,uefi-secure-boot", + &fdt_val32, sizeof(fdt_val32)); + if (status) + goto fdt_set_fail; + /* Shrink the FDT back to its minimum size: */ fdt_pack(fdt); diff --git a/include/linux/efi.h b/include/linux/efi.h index 3f73b7316f3..05f6972bc29 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -794,6 +794,7 @@ struct efi_fdt_params { u32 mmap_size; u32 desc_size; u32 desc_ver; + u32 secure_boot; }; typedef struct {
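Review bot: in the efi_init() hunk of drivers/firmware/efi/arm-init.c, efi_set_secure_boot(params.secure_boot) is called unconditionally once the FDT parameters are read, but nothing in this diff declares efi_set_secure_boot() or shows how it treats a zero value; the port notes say it comes from the lockdown patch set, so state that dependency in the commit message and make sure a zero that results from the property being absent is not silently taken as "Secure Boot disabled".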
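Review bot: the "Secure Boot Enabled" entry is added to fdt_params[] only; the xen_fdt_params[] array that immediately follows in the hunk gets no matching entry, so on a Xen dom0 boot params.secure_boot is never filled in and efi_set_secure_boot() receives the zero-initialised field regardless of the real firmware state. Either add a corresponding Xen entry or have the caller treat a missing property as "unknown" rather than "disabled". It is also worth confirming that the parameter parser tolerates the property being absent, since an FDT produced by a stub or boot path that does not set linux,uefi-secure-boot would otherwise risk having all UEFI parameters rejected.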
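Review bot: in the update_fdt() hunk of drivers/firmware/efi/libstub/fdt.c, the value written to linux,uefi-secure-boot is the raw return of efi_get_secureboot(), which reports a mode (enabled, disabled, unknown) rather than a plain boolean, while the commit message and the "Secure Boot Enabled" label read as a 0/1 flag. Document the encoding of the new property, including what the kernel does with the unknown state, alongside the other linux,uefi-* properties in Documentation/arm/uefi.rst, which this diff does not touch, so that the stub, the kernel side and any other consumer of the FDT agree on it.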
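Review bot: the new `u32 secure_boot;` member of struct efi_fdt_params in include/linux/efi.h carries no comment on the values it holds, unlike the neighbouring fields, which are plain addresses and sizes. Since it carries the Secure Boot mode reported by the stub, either type it as that mode enum with an explicit conversion from the 32-bit FDT cell, or add a comment listing the accepted values, so that efi_set_secure_boot() and later readers do not assume a 0/1 flag.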