[PATCH 1/1][Unstable][Disco] UBUNTU: SAUCE: arm64: add kernel config option to lock down when in Secure Boot mode
dann frazier
dann.frazier at canonical.com
Wed Feb 20 15:48:23 UTC 2019
From: Linn Crosetto <linn at hpe.com>
Add a kernel configuration option to lock down the kernel, to restrict
userspace's ability to modify the running kernel when UEFI Secure Boot is
enabled. Based on the x86 patch by Matthew Garrett.
Determine the state of Secure Boot in the EFI stub and pass this to the
kernel using the FDT.
Signed-off-by: Linn Crosetto <linn at hpe.com>
[bwh: Forward-ported to 4.10: adjust context]
[Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream]
[bwh: Forward-ported to 4.15 and lockdown patch set:
- Pass result of efi_get_secureboot() in stub through to
efi_set_secure_boot() in main kernel
- Use lockdown API and naming]
[bwh: Forward-ported to 4.19.3: adjust context in update_fdt()]
[dannf: Moved init_lockdown() call after uefi_init(), fixing SB detection]
(from https://salsa.debian.org/kernel-team/linux/blob/4c4f3e03fdaaa674275c7197cae156e606dfaa4b/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch)
Signed-off-by: dann frazier <dann.frazier at canonical.com>
---
drivers/firmware/efi/arm-init.c | 4 ++++
drivers/firmware/efi/efi.c | 3 ++-
drivers/firmware/efi/libstub/fdt.c | 6 ++++++
include/linux/efi.h | 1 +
4 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/drivers/firmware/efi/arm-init.c b/drivers/firmware/efi/arm-init.c
index 1a6a77df8a5e8..04d9e8fa9a0f7 100644
--- a/drivers/firmware/efi/arm-init.c
+++ b/drivers/firmware/efi/arm-init.c
@@ -21,6 +21,7 @@
#include <linux/of_fdt.h>
#include <linux/platform_device.h>
#include <linux/screen_info.h>
+#include <linux/security.h>
#include <asm/efi.h>
@@ -257,6 +258,9 @@ void __init efi_init(void)
return;
}
+ efi_set_secure_boot(params.secure_boot);
+ init_lockdown();
+
reserve_regions();
efi_esrt_init();
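Review bot: `efi_set_secure_boot(params.secure_boot)` is called unconditionally once the FDT parameters have been read, but the `xen_fdt_params` table in efi.c (visible at the end of the next hunk) gets no `secure_boot` entry, so on a Xen boot the field is presumably never written and, unless `params` is zero-initialised at its declaration, the call consumes an uninitialised value. efi_init() begins outside the hunk, so the declaration cannot be checked here; if it is a bare `struct efi_fdt_params params;`, changing it to `struct efi_fdt_params params = {0};` (or skipping the call on the Xen path) would make the lockdown decision deterministic. A short comment above the call, `/* secure_boot carries the efi_secureboot_mode value the stub stored in the FDT */`, would also help, since the name reads like a boolean.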
diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
index 8a1696f46f38b..235387ea4deb4 100644
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -687,7 +687,8 @@ static __initdata struct params fdt_params[] = {
UEFI_PARAM("MemMap Address", "linux,uefi-mmap-start", mmap),
UEFI_PARAM("MemMap Size", "linux,uefi-mmap-size", mmap_size),
UEFI_PARAM("MemMap Desc. Size", "linux,uefi-mmap-desc-size", desc_size),
- UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver)
+ UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver),
+ UEFI_PARAM("Secure Boot Enabled", "linux,uefi-secure-boot", secure_boot)
};
static __initdata struct params xen_fdt_params[] = {
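Review bot: The new `"linux,uefi-secure-boot"` entry makes the property mandatory if `fdt_find_uefi_params` (outside the hunk) still treats every table entry as required, as it does upstream; a device tree built by an older stub or firmware path that does not set this property would then fail UEFI parameter discovery altogether, and efi_init() would return early rather than merely skip lockdown. Worth confirming that the lookup tolerates a missing property, or making this entry optional with the field defaulting to the "unset" mode. The `xen_fdt_params` table just below is not extended either, so the field is left unpopulated on that path.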
diff --git a/drivers/firmware/efi/libstub/fdt.c b/drivers/firmware/efi/libstub/fdt.c
index 0c0d2312f4a8a..3dae6e668c2f3 100644
--- a/drivers/firmware/efi/libstub/fdt.c
+++ b/drivers/firmware/efi/libstub/fdt.c
@@ -159,6 +159,12 @@ static efi_status_t update_fdt(efi_system_table_t *sys_table, void *orig_fdt,
}
}
+ fdt_val32 = cpu_to_fdt32(efi_get_secureboot(sys_table));
+ status = fdt_setprop(fdt, node, "linux,uefi-secure-boot",
+ &fdt_val32, sizeof(fdt_val32));
+ if (status)
+ goto fdt_set_fail;
+
/* shrink the FDT back to its minimum size */
fdt_pack(fdt);
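Review bot: `efi_get_secureboot(sys_table)` returns an `enum efi_secureboot_mode` (unset/unknown/disabled/enabled) upstream, not a boolean, yet the value is stored under a property the kernel side labels "Secure Boot Enabled" and a field named `secure_boot` (include/linux/efi.h hunk). The encoding crossing the FDT is therefore a contract both sides must agree on; a comment at the assignment, `/* stores the efi_secureboot_mode value, not a bool; decoded by efi_set_secure_boot() */`, and a matching one on the new `u32 secure_boot;` field would pin it down. update_fdt() and the `fdt_set_fail` label both lie outside the hunk.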
diff --git a/include/linux/efi.h b/include/linux/efi.h
index e044522db183e..6bd0998444580 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -793,6 +793,7 @@ struct efi_fdt_params {
u32 mmap_size;
u32 desc_size;
u32 desc_ver;
+ u32 secure_boot;
};
typedef struct {
--
2.20.1