Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1750862AbdDFMuo (ORCPT ); Thu, 6 Apr 2017 08:50:44 -0400 Received: from mx1.redhat.com ([209.132.183.28]:37472 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1757012AbdDFMuX (ORCPT ); Thu, 6 Apr 2017 08:50:23 -0400 DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 48ED3C065845 Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=dhowells@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 48ED3C065845 Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 Subject: [PATCH 4/5] efi: Lock down the kernel if booted in secure boot mode From: David Howells To: ard.biesheuvel@linaro.org Cc: dhowells@redhat.com, matthew.garrett@nebula.com, linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org Date: Thu, 06 Apr 2017 13:50:20 +0100 Message-ID: <149148302052.3427.16543191336748545619.stgit@warthog.procyon.org.uk> In-Reply-To: <149148299794.3427.549144000807596903.stgit@warthog.procyon.org.uk> References: <149148299794.3427.549144000807596903.stgit@warthog.procyon.org.uk> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Thu, 06 Apr 2017 12:50:22 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2064 Lines: 57 UEFI Secure Boot provides a mechanism for ensuring that the firmware will only load signed bootloaders and kernels. Certain use cases may also require that all kernel modules also be signed. Add a configuration option that to lock down the kernel - which includes requiring validly signed modules - if the kernel is secure-booted. Signed-off-by: David Howells cc: linux-efi@vger.kernel.org --- drivers/firmware/efi/Kconfig | 1 + drivers/firmware/efi/secure_boot.c | 10 +++++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/firmware/efi/Kconfig b/drivers/firmware/efi/Kconfig index 4b902ffbfcf4..6da8345d8c49 100644 --- a/drivers/firmware/efi/Kconfig +++ b/drivers/firmware/efi/Kconfig @@ -87,6 +87,7 @@ config EFI_RUNTIME_WRAPPERS config EFI_SECURE_BOOT bool "Support UEFI Secure Boot and lock down the kernel in secure boot mode" default n + select LOCK_DOWN_KERNEL help UEFI Secure Boot provides a mechanism for ensuring that the firmware will only load signed bootloaders and kernels. Secure boot mode may diff --git a/drivers/firmware/efi/secure_boot.c b/drivers/firmware/efi/secure_boot.c index 730518061a14..7292a3b832e3 100644 --- a/drivers/firmware/efi/secure_boot.c +++ b/drivers/firmware/efi/secure_boot.c @@ -12,6 +12,7 @@ #include #include #include +#include /* * Decide what to do when UEFI secure boot mode is enabled. @@ -23,10 +24,17 @@ void __init efi_set_secure_boot(enum efi_secureboot_mode mode) case efi_secureboot_mode_disabled: pr_info("Secure boot disabled\n"); break; + case efi_secureboot_mode_enabled: set_bit(EFI_SECURE_BOOT, &efi.flags); - pr_info("Secure boot enabled\n"); + if (IS_ENABLED(CONFIG_LOCK_DOWN_KERNEL)) { + lock_kernel_down(); + pr_info("Secure boot enabled and kernel locked down\n"); + } else { + pr_info("Secure boot enabled\n"); + } break; + default: pr_info("Secure boot could not be determined\n"); break;