UBUNTU: SAUCE: (lockdown) powerpc: lock down kernel in secure boot mode

BugLink: https://bugs.launchpad.net/bugs/1855668
PowerNV has recently gained Secure Boot support. If it's enabled through
the firmware and bootloader stack, then lock down the kernel.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>

diff --git a/arch/powerpc/kernel/setup-common.c b/arch/powerpc/kernel/setup-common.c
index 25aaa390300091e310a81dfa28f9ccde7cc05a5f..6c111d4b15ca03dce15709e4bbfac720a0a3554c 100644 (file)
--- a/arch/powerpc/kernel/setup-common.c
+++ b/arch/powerpc/kernel/setup-common.c
@@ -31,6 +31,7 @@
 #include <linux/memblock.h>
 #include <linux/of_platform.h>
 #include <linux/hugetlb.h>
+#include <linux/security.h>
 #include <asm/debugfs.h>
 #include <asm/io.h>
 #include <asm/paca.h>
@@ -64,6 +65,7 @@
 #include <asm/mmu_context.h>
 #include <asm/cpu_has_feature.h>
 #include <asm/kasan.h>
+#include <asm/secure_boot.h>
 
 #include "setup.h"
 
@@ -855,6 +857,16 @@ void __init setup_arch(char **cmdline_p)
         */
        initialize_cache_info();
 
+       /*
+        * Lock down the kernel if booted in secure mode. This is required to
+        * maintain kernel integrity.
+        */
+       if (IS_ENABLED(CONFIG_LOCK_DOWN_IN_SECURE_BOOT)) {
+               if (is_ppc_secureboot_enabled())
+                       security_lock_kernel_down("PowerNV Secure Boot mode",
+                                                 LOCKDOWN_INTEGRITY_MAX);
+       }
+
        /* Initialize RTAS if available. */
        rtas_initialize();
 

diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
index e508c99a6607fdd3bcdddb57a0b7847f558509ae..a598a4f95ee8d8cbc452656cffdc78f5fb54c95f 100644 (file)
--- a/security/lockdown/Kconfig
+++ b/security/lockdown/Kconfig
@@ -19,7 +19,7 @@ config SECURITY_LOCKDOWN_LSM_EARLY
 config LOCK_DOWN_IN_SECURE_BOOT
        bool "Lock down the kernel in Secure Boot mode"
        default n
-       depends on (EFI || S390) && SECURITY_LOCKDOWN_LSM_EARLY
+       depends on (EFI || S390 || PPC) && SECURITY_LOCKDOWN_LSM_EARLY
        help
          Secure Boot provides a mechanism for ensuring that the firmware will
          only load signed bootloaders and kernels.  Secure boot mode