#include <linux/memblock.h>
#include <linux/of_platform.h>
#include <linux/hugetlb.h>
+#include <linux/security.h>
#include <asm/debugfs.h>
#include <asm/io.h>
#include <asm/paca.h>
#include <asm/mmu_context.h>
#include <asm/cpu_has_feature.h>
#include <asm/kasan.h>
+#include <asm/secure_boot.h>
#include "setup.h"
*/
initialize_cache_info();
+ /*
+ * Lock down the kernel if booted in secure mode. This is required to
+ * maintain kernel integrity.
+ */
+ if (IS_ENABLED(CONFIG_LOCK_DOWN_IN_SECURE_BOOT)) {
+ if (is_ppc_secureboot_enabled())
+ security_lock_kernel_down("PowerNV Secure Boot mode",
+ LOCKDOWN_INTEGRITY_MAX);
+ }
+
/* Initialize RTAS if available. */
rtas_initialize();
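Review bot: The reason string passed to `security_lock_kernel_down()` says "PowerNV Secure Boot mode", but neither the guard `is_ppc_secureboot_enabled()` nor the Kconfig dependency widened further down the page (`PPC`) is limited to PowerNV. On any other Power platform where that helper returns true, the lockdown message would name the wrong platform; a neutral string such as `"Power Secure Boot mode"` avoids that. The call's result is also discarded, so if it reports a status and fails, or if the lockdown LSM is not yet registered this early in setup (not visible in the hunk), the kernel would continue unlocked without any trace. Presumably `SECURITY_LOCKDOWN_LSM_EARLY` guarantees that ordering, but a short comment stating the dependency and a `pr_warn()` on a non-zero return would make the integrity guarantee auditable. The enclosing function begins and ends outside the hunk.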
config LOCK_DOWN_IN_SECURE_BOOT
bool "Lock down the kernel in Secure Boot mode"
default n
- depends on (EFI || S390) && SECURITY_LOCKDOWN_LSM_EARLY
+ depends on (EFI || S390 || PPC) && SECURITY_LOCKDOWN_LSM_EARLY
help
Secure Boot provides a mechanism for ensuring that the firmware will
only load signed bootloaders and kernels. Secure boot mode