UBUNTU: SAUCE: Import aufs driver
[mirror_ubuntu-bionic-kernel.git] / security / lock_down.c
index d8595c0e667319dd01dc29106bf4800db8329d4b..527f7e51dc8de092d33be4085cbfbc6193129a29 100644 (file)
 
 #include <linux/security.h>
 #include <linux/export.h>
+#include <linux/sysrq.h>
+#include <linux/efi.h>
+#include <asm/setup.h>
 
+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
+static __read_mostly bool kernel_locked_down;
+#else
 static __ro_after_init bool kernel_locked_down;
+#endif
 
 /*
  * Put the kernel into lock-down mode.
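Review bot: With CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ set, `kernel_locked_down` is declared `__read_mostly` instead of `__ro_after_init`, so the flag that every lockdown check reads stays writable for the whole uptime and nothing at the declaration records that trade-off. The lift path needs the flag to be writable, but the build then loses the post-init write protection on it. I would add a comment above the `#ifdef`, for example `/* Writable after init only so that SysRq can lift lockdown; this gives up __ro_after_init protection of the flag. */`. The option's Kconfig help is not shown here and should probably say the same. The new `<linux/efi.h>` and `<asm/setup.h>` includes are not used by anything visible in this diff, so check whether they are still needed.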
@@ -58,3 +65,44 @@ bool __kernel_is_locked_down(const char *what, bool first)
        return kernel_locked_down;
 }
 EXPORT_SYMBOL(__kernel_is_locked_down);
+
+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
+
+/*
+ * Take the kernel out of lockdown mode.
+ */
+static void lift_kernel_lockdown(void)
+{
+       pr_notice("Lifting lockdown\n");
+       kernel_locked_down = false;
+}
+
+/*
+ * Allow lockdown to be lifted by pressing something like SysRq+x (and not by
+ * echoing the appropriate letter into the sysrq-trigger file).
+ */
+static void sysrq_handle_lockdown_lift(int key)
+{
+       if (kernel_locked_down)
+               lift_kernel_lockdown();
+}
+
+static struct sysrq_key_op lockdown_lift_sysrq_op = {
+       .handler        = sysrq_handle_lockdown_lift,
+       .help_msg       = "unSB(x)",
+       .action_msg     = "Disabling Secure Boot restrictions",
+       .enable_mask    = SYSRQ_DISABLE_USERSPACE,
+};
+
+static int __init lockdown_lift_sysrq(void)
+{
+       if (kernel_locked_down) {
+               lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY;
+               register_sysrq_key(LOCKDOWN_LIFT_KEY, &lockdown_lift_sysrq_op);
+       }
+       return 0;
+}
+
+late_initcall(lockdown_lift_sysrq);
+
+#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */
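Review bot: `lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY;` in lockdown_lift_sysrq() stores through `help_msg`, which the initializer points at the literal `"unSB(x)"`. If `help_msg` is a plain `char *` (the struct definition is not in this diff), that is a write to a string literal, which is undefined behaviour and only works while that memory is still writable. A writable backing array avoids it: `static char lockdown_lift_help[] = "unSB(x)";`, `.help_msg = lockdown_lift_help,` and `lockdown_lift_help[5] = LOCKDOWN_LIFT_KEY;`. Separately, the handler sysrq_handle_lockdown_lift() does not itself check that the request came from a keyboard rather than the sysrq-trigger file, as its comment promises. That property rests on `.enable_mask = SYSRQ_DISABLE_USERSPACE` and on how the sysrq core treats the mask, which is not part of this file, so the comment should name that dependency.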