[d-kernel] [PATCH 4/6] efi: Lock down the kernel if booted in secure boot mode

[Egor Ignatov]

From: David Howells <dhowells at redhat.com>

UEFI Secure Boot provides a mechanism for ensuring that the firmware
will only load signed bootloaders and kernels.  Certain use cases may
also require that all kernel modules also be signed.  Add a
configuration option that to lock down the kernel - which includes
requiring validly signed modules - if the kernel is secure-booted.

Signed-off-by: David Howells <dhowells at redhat.com>
Signed-off-by: Jeremy Cline <jcline at redhat.com>
[egori: merged Fedora and Debian downstream patches]
Signed-off-by: Egor Ignatov <egori at altlinux.org>
---
 arch/x86/kernel/setup.c           |  4 ++--
 drivers/firmware/efi/secureboot.c |  3 +++
 security/lockdown/Kconfig         | 15 +++++++++++++++
 3 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index b67b87af6f..7605f3372a 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -995,6 +995,8 @@ void __init setup_arch(char **cmdline_p)
 	if (efi_enabled(EFI_BOOT))
 		efi_init();
 
+	efi_set_secure_boot(boot_params.secure_boot);
+
 	reserve_ibft_region();
 	x86_init.resources.dmi_setup();
 
@@ -1156,8 +1158,6 @@ void __init setup_arch(char **cmdline_p)
 	/* Allocate bigger log buffer */
 	setup_log_buf(1);
 
-	efi_set_secure_boot(boot_params.secure_boot);
-
 	reserve_initrd();
 
 	acpi_table_upgrade();
diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c
index 5cdeb3b6e7..673e2d1b6c 100644
--- a/drivers/firmware/efi/secureboot.c
+++ b/drivers/firmware/efi/secureboot.c
@@ -29,6 +29,9 @@ void __init efi_set_secure_boot(enum efi_secureboot_mode mode)
 		case efi_secureboot_mode_enabled:
 			set_bit(EFI_SECURE_BOOT, &efi.flags);
 			pr_info("Secure boot enabled\n");
+			if (IS_ENABLED(CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT))
+				security_lock_kernel_down("EFI Secure Boot mode",
+							  LOCKDOWN_INTEGRITY_MAX);
 			break;
 		default:
 			pr_warn("Secure boot could not be determined (mode %u)\n",
diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
index e84ddf4840..f789e07849 100644
--- a/security/lockdown/Kconfig
+++ b/security/lockdown/Kconfig
@@ -16,6 +16,21 @@ config SECURITY_LOCKDOWN_LSM_EARLY
 	  subsystem is fully initialised. If enabled, lockdown will
 	  unconditionally be called before any other LSMs.
 
+config LOCK_DOWN_IN_EFI_SECURE_BOOT
+	bool "Lock down the kernel in EFI Secure Boot mode"
+	default n
+	depends on SECURITY_LOCKDOWN_LSM
+	depends on EFI
+	select SECURITY_LOCKDOWN_LSM_EARLY
+	help
+	  UEFI Secure Boot provides a mechanism for ensuring that the firmware
+	  will only load signed bootloaders and kernels.  Secure boot mode may
+	  be determined from EFI variables provided by the system firmware if
+	  not indicated by the boot parameters.
+
+	  Enabling this option results in kernel lockdown being
+	  triggered in integrity mode if EFI Secure Boot is set.
+
 choice
 	prompt "Kernel default lockdown mode"
 	default LOCK_DOWN_KERNEL_FORCE_NONE
-- 
2.50.1