From: David Howells Date: Wed, 5 Apr 2017 16:40:29 +0000 (+0100) Subject: efi: Lock down the kernel if booted in secure boot mode X-Git-Tag: archive/raspbian/4.15.4-1+rpi1~1^2^2~69 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=b260cec752b881839074a310a0dcc8c20a6ff18d;p=linux.git efi: Lock down the kernel if booted in secure boot mode UEFI Secure Boot provides a mechanism for ensuring that the firmware will only load signed bootloaders and kernels. Certain use cases may also require that all kernel modules also be signed. Add a configuration option that to lock down the kernel - which includes requiring validly signed modules - if the kernel is secure-booted. Signed-off-by: David Howells Gbp-Pq: Topic features/all/lockdown Gbp-Pq: Name 0040-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch --- diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 77f6df85d30..ae59d95aab3 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -1887,6 +1887,18 @@ config EFI_MIXED If unsure, say N. +config EFI_SECURE_BOOT_LOCK_DOWN + def_bool n + depends on EFI + prompt "Lock down the kernel when UEFI Secure Boot is enabled" + ---help--- + UEFI Secure Boot provides a mechanism for ensuring that the firmware + will only load signed bootloaders and kernels. Certain use cases may + also require that all kernel modules also be signed and that + userspace is prevented from directly changing the running kernel + image. Say Y here to automatically lock down the kernel when a + system boots with UEFI Secure Boot enabled. + config SECCOMP def_bool y prompt "Enable seccomp to safely compute untrusted bytecode" diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c index b3f8350b34f..e6a2155651c 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -70,6 +70,7 @@ #include #include #include +#include #include #include