UBUNTU: [Config] Enable lockdown under secure boot
Set CONFIG_LOCK_DOWN_IN_SECURE_BOOT=y and
CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ=y to automatically enable
lockdown when booted under secure boot and to allow lifting of
lockdown via sysrq.
UBUNTU: SAUCE: (lockdown) arm64: Allow locking down the kernel under EFI secure boot
Add support to arm64 for the CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
option. When enabled the lockdown LSM will be enabled with
maximum confidentiality when booted under EFI secure boot.
1bf1398...
by
Robert Holmes <email address hidden>
UBUNTU: SAUCE: (lockdown) KEYS: Make use of platform keyring for module signature verify
This patch completes commit 278311e417be ("kexec, KEYS: Make use of
platform keyring for signature verify") which, while adding the
platform keyring for bzImage verification, neglected to also add
this keyring for module verification.
As such, kernel modules signed with keys from the MokList variable
were not successfully verified.
Signed-off-by: Robert Holmes <email address hidden>
Signed-off-by: Jeremy Cline <email address hidden>
(cherry picked from commit 8e2df2a3e5be1a5df79626d9f4ca48fd8f3d5dd1
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git)
Signed-off-by: Seth Forshee <email address hidden>
4cd8ae4...
by
Kyle McMartin <email address hidden>
UBUNTU: SAUCE: (lockdown) Add a SysRq option to lift kernel lockdown
Make an option to provide a sysrq key that will lift the kernel lockdown,
thereby allowing the running kernel image to be accessed and modified.
On x86 this is triggered with SysRq+x, but this key may not be available on
all arches, so it is set by setting LOCKDOWN_LIFT_KEY in asm/setup.h.
Since this macro must be defined in an arch to be able to use this facility
for that arch, the Kconfig option is restricted to arches that support it.
UBUNTU: SAUCE: (lockdown) efi: Lock down the kernel if booted in secure boot mode
UEFI Secure Boot provides a mechanism for ensuring that the firmware
will only load signed bootloaders and kernels. Certain use cases may
also require that all kernel modules also be signed. Add a
configuration option that to lock down the kernel - which includes
requiring validly signed modules - if the kernel is secure-booted.
Signed-off-by: David Howells <email address hidden>
Signed-off-by: Jeremy Cline <email address hidden>
(cherry picked from commit bcb4411f59b479c8e1491f89bd3e07b5dc76b81b
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git)
Signed-off-by: Seth Forshee <email address hidden>
UBUNTU: SAUCE: (lockdown) efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode
UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT
flag that can be passed to efi_enabled() to find out whether secure boot is
enabled.
Move the switch-statement in x86's setup_arch() that inteprets the
secure_boot boot parameter to generic code and set the bit there.
Suggested-by: Ard Biesheuvel <email address hidden>
Signed-off-by: David Howells <email address hidden>
Reviewed-by: Ard Biesheuvel <email address hidden>
cc: <email address hidden>
[Rebased for context; efi_is_table_address was moved to arch/x86]
Signed-off-by: Jeremy Cline <email address hidden>
(cherry picked from commit 564c4c48f3da7be8bb4ecef034c35b93493f2fc4
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git)
Signed-off-by: Seth Forshee <email address hidden>