[PATCH Xenial SRU] UBUNTU: SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl
Colin Ian King
colin.king at canonical.com
Thu Jun 16 06:23:57 UTC 2016
On 16/06/16 09:05, Tim Gardner wrote:
> BugLink: http://bugs.launchpad.net/bugs/1593075
>
> This is a better method for detecting the state of secure boot and
> the MOKSBState override, as opposed to grepping status from the kernel log.
> Both variables return 0 or 1. If secure_boot==0 then signed module enforcement
> is not enabled. Likewise, if moksbstate_disabled==1 then signed module
> enforcement is not enabled. The only condition under which signed module
> enforcement is enabled is when secure_boot==1 and moksbstate_disabled==0.
>
> /proc/sys/kernel/secure_boot
> /proc/sys/kernel/moksbstate_disabled
>
> Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
> ---
> arch/x86/kernel/setup.c | 1 +
> kernel/sysctl.c | 39 +++++++++++++++++++++++++++++++++++++++
> 2 files changed, 40 insertions(+)
>
> diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
> index be173c2..b815923 100644
> --- a/arch/x86/kernel/setup.c
> +++ b/arch/x86/kernel/setup.c
> @@ -1150,6 +1150,7 @@ void __init setup_arch(char **cmdline_p)
> pr_info("Secure boot enabled\n");
> }
> else if (boot_params.secure_boot == EFI_MOKSBSTATE_DISABLED) {
> + set_bit(EFI_MOKSBSTATE_DISABLED, &efi.flags);
> boot_params.secure_boot = 0;
> pr_info("Secure boot MOKSBState disabled\n");
> }
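Review bot: The added `set_bit()` uses `EFI_MOKSBSTATE_DISABLED` both as the value compared against `boot_params.secure_boot` on the line above and as a bit index into `efi.flags`; if those are two separate enumerations, the bit position should be confirmed not to collide with existing `efi.flags` bits such as `EFI_SECURE_BOOT`, which the sysctl hunk in kernel/sysctl.c reads the same way. Because the following line clears `boot_params.secure_boot`, this flag becomes the only surviving record of the override, which deserves a comment: `/* Remember the MOKSBState override in efi.flags; secure_boot is cleared below and the kernel.moksbstate_disabled sysctl reads this bit. */`. `setup_arch()` continues outside the hunk.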
> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> index 4a7683b..61c2fbc 100644
> --- a/kernel/sysctl.c
> +++ b/kernel/sysctl.c
> @@ -65,6 +65,7 @@
> #include <linux/sched/sysctl.h>
> #include <linux/kexec.h>
> #include <linux/bpf.h>
> +#include <linux/efi.h>
>
> #include <asm/uaccess.h>
> #include <asm/processor.h>
> @@ -279,8 +280,46 @@ static int min_extfrag_threshold;
> static int max_extfrag_threshold = 1000;
> #endif
>
> +static unsigned int secure_boot_enabled;
> +int secure_boot_proc_handler(struct ctl_table *table, int write,
> + void __user *buffer, size_t *lenp, loff_t *ppos)
> +{
> + int error = -1;
> +
> + if (write) return error;
> + secure_boot_enabled = efi_enabled(EFI_SECURE_BOOT);
> + error = proc_dointvec(table, write, buffer, lenp, ppos);
> + return error;
> +}
> +
> +static unsigned int moksbstate_disabled;
> +int moksbstate_disabled_proc_handler(struct ctl_table *table, int write,
> + void __user *buffer, size_t *lenp, loff_t *ppos)
> +{
> + int error = -1;
> +
> + if (write) return error;
> + moksbstate_disabled = efi_enabled(EFI_MOKSBSTATE_DISABLED);
> + error = proc_dointvec(table, write, buffer, lenp, ppos);
> + return error;
> +}
> +
> static struct ctl_table kern_table[] = {
> {
> + .procname = "secure_boot",
> + .data = &secure_boot_enabled,
> + .maxlen = sizeof(unsigned int),
> + .mode = 0444,
> + .proc_handler = secure_boot_proc_handler,
> + },
> + {
> + .procname = "moksbstate_disabled",
> + .data = &moksbstate_disabled,
> + .maxlen = sizeof(unsigned int),
> + .mode = 0444,
> + .proc_handler = moksbstate_disabled_proc_handler,
> + },
> + {
> .procname = "sched_child_runs_first",
> .data = &sysctl_sched_child_runs_first,
> .maxlen = sizeof(unsigned int),
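Review bot: Both new handlers initialise `int error = -1;` and return it on write, which only happens to equal `-EPERM`; spell the errno out, `int error = -EPERM;`, in both `secure_boot_proc_handler` and `moksbstate_disabled_proc_handler`. Neither handler is declared `static` and no prototype is visible in the hunk, so they leak into the global namespace; `static int secure_boot_proc_handler(...)` and `static int moksbstate_disabled_proc_handler(...)` would fix that unless a header elsewhere exports them. Since both table entries use `.mode = 0444`, the sysctl layer should already refuse writes before the handler runs, so the `if (write)` guard is a defensive duplicate that a one-line comment should say so, e.g. `/* read-only: mode 0444 already rejects writes, this is belt and braces */`. The `kern_table` initializer continues past the end of the hunk.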
>
checkpatch complains about style:
ERROR: trailing statements should be on next line
#138: FILE: kernel/sysctl.c:289:
+ if (write) return error;
ERROR: trailing statements should be on next line
#150: FILE: kernel/sysctl.c:301:
+ if (write) return error;