efi_set_secure_boot(boot_params.secure_boot);
-#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
+#ifdef CONFIG_LOCK_DOWN_IN_SECURE_BOOT
if (efi_enabled(EFI_SECURE_BOOT))
security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);
#endif
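Review bot: The guard is now platform-neutral, but the condition it wraps, efi_enabled(EFI_SECURE_BOOT), and the reason string "EFI Secure Boot mode" are still EFI-only. That is correct for this call site. It does mean the S390 case, which the new Kconfig dependency allows, needs its own security_lock_kernel_down() call with its own secure-boot check and reason string. None of the hunks shown here adds one, so please confirm it is elsewhere in the series, or say in the commit message that s390 enablement follows separately.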
efi_set_secure_boot(efi_get__secure_boot());
-#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
+#ifdef CONFIG_LOCK_DOWN_IN_SECURE_BOOT
if (efi_enabled(EFI_SECURE_BOOT))
security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);
#endif
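Review bot: The guarded block here is the same three lines as in the previous call site (the #ifdef, the efi_enabled(EFI_SECURE_BOOT) test and the security_lock_kernel_down() call), and this rename had to touch both copies. Consider moving the block into one shared helper called right after efi_set_secure_boot(), so the config symbol, the lockdown level and the reason string live in one place and cannot drift between the two paths.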
subsystem is fully initialised. If enabled, lockdown will
unconditionally be called before any other LSMs.
-config LOCK_DOWN_IN_EFI_SECURE_BOOT
- bool "Lock down the kernel in EFI Secure Boot mode"
+config LOCK_DOWN_IN_SECURE_BOOT
+ bool "Lock down the kernel in Secure Boot mode"
default n
- depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY
+ depends on (EFI || S390) && SECURITY_LOCKDOWN_LSM_EARLY
help
- UEFI Secure Boot provides a mechanism for ensuring that the firmware
- will only load signed bootloaders and kernels. Secure boot mode may
- be determined from EFI variables provided by the system firmware if
- not indicated by the boot parameters.
+ Secure Boot provides a mechanism for ensuring that the firmware will
+ only load signed bootloaders and kernels. Secure boot mode
+ determination is platform-specific; examples include EFI secure boot
+ and SIPL on s390.
Enabling this option results in kernel lockdown being triggered if
- EFI Secure Boot is set.
+ booted under secure boot.
choice
prompt "Kernel default lockdown mode"
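Review bot: Renaming the symbol while keeping "default n" means an existing .config with LOCK_DOWN_IN_EFI_SECURE_BOOT=y will not carry over. The new LOCK_DOWN_IN_SECURE_BOOT is treated as a new option and olddefconfig will leave it off, so a kernel that used to lock down under Secure Boot would silently stop doing so. Please call this out in the commit message, or keep the old name as a transitional symbol that selects the new one. Separately, "depends on (EFI || S390)" lets the option be enabled on s390, but the only callers visible in this patch test efi_enabled(EFI_SECURE_BOOT), so on s390 the option would currently have no effect. The help text should not promise SIPL handling until that call exists.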