[mirror_ubuntu-eoan-kernel.git] / security / lock_down.c

// SPDX-License-Identifier: GPL-2.0
/* Lock down the kernel
 *
 * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public Licence
 * as published by the Free Software Foundation; either version
 * 2 of the Licence, or (at your option) any later version.
 */

#include <linux/security.h>
#include <linux/export.h>
#include <linux/efi.h>
#ifdef CONFIG_S390
#include <asm/ipl.h>
#endif

static __ro_after_init bool kernel_locked_down;

/*
 * Put the kernel into lock-down mode.
 */
static void __init lock_kernel_down(const char *where)
{
	if (!kernel_locked_down) {
		kernel_locked_down = true;
		pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n",
			  where);
	}
}

static int __init lockdown_param(char *ignored)
{
	lock_kernel_down("command line");
	return 0;
}

early_param("lockdown", lockdown_param);

/*
 * Lock the kernel down from very early in the arch setup.  This must happen
 * prior to things like ACPI being initialised.
 */
void __init init_lockdown(void)
{
#ifdef CONFIG_LOCK_DOWN_FORCE
	lock_kernel_down("Kernel configuration");
#endif
#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
	if (efi_enabled(EFI_SECURE_BOOT))
		lock_kernel_down("EFI secure boot");
#endif
#ifdef CONFIG_S390
	if (ipl_get_secureboot())
		lock_kernel_down("Secure IPL");
#endif
}

/**
 * kernel_is_locked_down - Find out if the kernel is locked down
 * @what: Tag to use in notice generated if lockdown is in effect
 */
bool __kernel_is_locked_down(const char *what, bool first)
{
	if (what && first && kernel_locked_down)
		pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
			  current->comm, what);
	return kernel_locked_down;
}
EXPORT_SYMBOL(__kernel_is_locked_down);
Commit	Line	Data
0a8dc8c9 DH	1	// SPDX-License-Identifier: GPL-2.0
	2	/* Lock down the kernel
	3	*
	4	* Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
	5	* Written by David Howells (dhowells@redhat.com)
	6	*
	7	* This program is free software; you can redistribute it and/or
	8	* modify it under the terms of the GNU General Public Licence
	9	* as published by the Free Software Foundation; either version
	10	* 2 of the Licence, or (at your option) any later version.
	11	*/
	12
	13	#include <linux/security.h>
	14	#include <linux/export.h>
d0f57fef	15	#include <linux/efi.h>
bb33f9c1 PR	16	#ifdef CONFIG_S390
	17	#include <asm/ipl.h>
	18	#endif
0a8dc8c9 DH	19
	20	static __ro_after_init bool kernel_locked_down;
	21
	22	/*
	23	* Put the kernel into lock-down mode.
	24	*/
	25	static void __init lock_kernel_down(const char *where)
	26	{
	27	if (!kernel_locked_down) {
	28	kernel_locked_down = true;
	29	pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n",
	30	where);
	31	}
	32	}
	33
	34	static int __init lockdown_param(char *ignored)
	35	{
	36	lock_kernel_down("command line");
	37	return 0;
	38	}
	39
	40	early_param("lockdown", lockdown_param);
	41
	42	/*
	43	* Lock the kernel down from very early in the arch setup. This must happen
	44	* prior to things like ACPI being initialised.
	45	*/
	46	void __init init_lockdown(void)
	47	{
	48	#ifdef CONFIG_LOCK_DOWN_FORCE
	49	lock_kernel_down("Kernel configuration");
	50	#endif
d0f57fef DH	51	#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
	52	if (efi_enabled(EFI_SECURE_BOOT))
	53	lock_kernel_down("EFI secure boot");
	54	#endif
bb33f9c1 PR	55	#ifdef CONFIG_S390
	56	if (ipl_get_secureboot())
	57	lock_kernel_down("Secure IPL");
	58	#endif
0a8dc8c9 DH	59	}
	60
	61	/**
	62	* kernel_is_locked_down - Find out if the kernel is locked down
	63	* @what: Tag to use in notice generated if lockdown is in effect
	64	*/
	65	bool __kernel_is_locked_down(const char *what, bool first)
	66	{
	67	if (what && first && kernel_locked_down)
f127f150 DH	68	pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
f127f150 DH	69	current->comm, what);
0a8dc8c9 DH	70	return kernel_locked_down;
	71	}
	72	EXPORT_SYMBOL(__kernel_is_locked_down);