git.proxmox.com Git - mirror_ubuntu-eoan-kernel.git/commit

author	Linn Crosetto <linn@hpe.com>
	Wed, 20 Feb 2019 15:48:23 +0000 (16:48 +0100)
committer	Paolo Pisati <paolo.pisati@canonical.com>
	Mon, 16 Sep 2019 13:06:46 +0000 (15:06 +0200)
commit	8aef68257ba120a7616099451e1c16d06498bbc1
tree	6dc97dffa8f63cc1c027359f94256993041ff88c	tree
parent	7b8cb51f14e57e93233a59405043e19976045273	commit \| diff

UBUNTU: SAUCE: (efi-lockdown) arm64: add kernel config option to lock down when in Secure Boot mode

Add a kernel configuration option to lock down the kernel, to restrict
userspace's ability to modify the running kernel when UEFI Secure Boot is
enabled. Based on the x86 patch by Matthew Garrett.

Determine the state of Secure Boot in the EFI stub and pass this to the
kernel using the FDT.

Signed-off-by: Linn Crosetto <linn@hpe.com>
[bwh: Forward-ported to 4.10: adjust context]
[Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream]
[bwh: Forward-ported to 4.15 and lockdown patch set:
- Pass result of efi_get_secureboot() in stub through to
efi_set_secure_boot() in main kernel
- Use lockdown API and naming]
[bwh: Forward-ported to 4.19.3: adjust context in update_fdt()]
[dannf: Moved init_lockdown() call after uefi_init(), fixing SB detection]
(from https://salsa.debian.org/kernel-team/linux/blob/4c4f3e03fdaaa674275c7197cae156e606dfaa4b/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch)
Signed-off-by: dann frazier <dann.frazier@canonical.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>

drivers/firmware/efi/arm-init.c		diff \| blob \| blame \| history
drivers/firmware/efi/efi.c		diff \| blob \| blame \| history
drivers/firmware/efi/libstub/fdt.c		diff \| blob \| blame \| history
include/linux/efi.h		diff \| blob \| blame \| history