UBUNTU: SAUCE: (lockdown) security: lockdown: Make CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOO...

s390 supports secure boot which is not based on EFI. Change the
config option to be more generic, and allow it to be enabled on
s390.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
(cherry picked from commit dd9548a9eb3f2a34ee7c60abce157f8e2868e7c7)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>

diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index 31aac8c787cff95f30b4b500c85cfc912277c4f4..89f59bb67a5a049133b06eb623341ea81beaf841 100644 (file)
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -932,7 +932,7 @@ void __init setup_arch(char **cmdline_p)
 
        efi_set_secure_boot(boot_params.secure_boot);
 
-#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
+#ifdef CONFIG_LOCK_DOWN_IN_SECURE_BOOT
        if (efi_enabled(EFI_SECURE_BOOT))
                security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);
 #endif

diff --git a/drivers/firmware/efi/efi-init.c b/drivers/firmware/efi/efi-init.c
index 54f8756201c5aba198e88d5f3fbe1028db564532..1d88e6362b506b6fc8ba06bc7137aebfa0da68c5 100644 (file)
--- a/drivers/firmware/efi/efi-init.c
+++ b/drivers/firmware/efi/efi-init.c
@@ -237,7 +237,7 @@ void __init efi_init(void)
 
        efi_set_secure_boot(efi_get__secure_boot());
 
-#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
+#ifdef CONFIG_LOCK_DOWN_IN_SECURE_BOOT
        if (efi_enabled(EFI_SECURE_BOOT))
                security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);
 #endif

diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
index d0501353a4b95f15748bb2e8f06282756f476da3..e508c99a6607fdd3bcdddb57a0b7847f558509ae 100644 (file)
--- a/security/lockdown/Kconfig
+++ b/security/lockdown/Kconfig
@@ -16,18 +16,18 @@ config SECURITY_LOCKDOWN_LSM_EARLY
          subsystem is fully initialised. If enabled, lockdown will
          unconditionally be called before any other LSMs.
 
-config LOCK_DOWN_IN_EFI_SECURE_BOOT
-       bool "Lock down the kernel in EFI Secure Boot mode"
+config LOCK_DOWN_IN_SECURE_BOOT
+       bool "Lock down the kernel in Secure Boot mode"
        default n
-       depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY
+       depends on (EFI || S390) && SECURITY_LOCKDOWN_LSM_EARLY
        help
-         UEFI Secure Boot provides a mechanism for ensuring that the firmware
-         will only load signed bootloaders and kernels.  Secure boot mode may
-         be determined from EFI variables provided by the system firmware if
-         not indicated by the boot parameters.
+         Secure Boot provides a mechanism for ensuring that the firmware will
+         only load signed bootloaders and kernels.  Secure boot mode
+         determination is platform-specific; examples include EFI secure boot
+         and SIPL on s390.
 
          Enabling this option results in kernel lockdown being triggered if
-         EFI Secure Boot is set.
+         booted under secure boot.
 
 choice
        prompt "Kernel default lockdown mode"