[linux] 01/01: [arm64] Add support for securelevel and Secure Boot
Sat Aug 27 21:23:38 UTC 2016
benh pushed a commit to branch master
in repository linux.
commit 0a8dfe2ccc5f34381a2fd37da330d0c424b45562
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Sat Aug 27 22:17:30 2016 +0100
[arm64] Add support for securelevel and Secure Boot
Closes: #831827, thanks to Linn Crosetto
---
debian/changelog | 5 +
debian/config/arm64/config | 1 +
...ernel-config-option-to-set-securelevel-wh.patch | 124 +++++++++++++++++++++
...isable-secure-boot-if-shim-is-in-insecure.patch | 59 ++++++++++
debian/patches/series | 3 +
5 files changed, 192 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 1ae7a41..2bffc24 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -35,6 +35,11 @@ linux (4.7.2-1) UNRELEASED; urgency=medium
* fat: Mitigate the lack of UTF-8 case folding by enabling
FAT_DEFAULT_UTF8 and setting FAT_DEFAULT_IOCHARSET to "ascii"
(Closes: #833238)
+ * [arm64] Add support for securelevel and Secure Boot (Closes: #831827,
+ thanks to Linn Crosetto):
+ - efi: Disable secure boot if shim is in insecure mode
+ - Add kernel config option to set securelevel when in Secure Boot mode
+ - Enable EFI_SECURE_BOOT_SECURELEVEL
[ Martin Michlmayr ]
* [armhf] Enable MMC_SDHCI_IPROC and HW_RANDOM_BCM2835 for BCM2835.
diff --git a/debian/config/arm64/config b/debian/config/arm64/config
index 8be6392..db85225 100644
--- a/debian/config/arm64/config
+++ b/debian/config/arm64/config
@@ -10,6 +10,7 @@ CONFIG_SECCOMP=y
CONFIG_XEN=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MODULE_REGION_FULL=y
+CONFIG_EFI_SECURE_BOOT_SECURELEVEL=y
CONFIG_COMPAT=y
##
diff --git a/debian/patches/features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.patch b/debian/patches/features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.patch
new file mode 100644
index 0000000..00dd660
--- /dev/null
+++ b/debian/patches/features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.patch
@@ -0,0 +1,124 @@
+From: Linn Crosetto <linn at hpe.com>
+Date: Mon, 22 Feb 2016 13:41:52 -0700
+Subject: arm64: add kernel config option to set securelevel when in Secure Boot mode
+
+Add a kernel configuration option to enable securelevel, to restrict
+userspace's ability to modify the running kernel when UEFI Secure Boot is
+enabled. Based on the x86 patch by Matthew Garrett.
+
+Determine the state of Secure Boot in the EFI stub and pass this to the
+kernel using the FDT.
+
+Signed-off-by: Linn Crosetto <linn at hpe.com>
+---
+ arch/arm64/Kconfig | 13 +++++++++++++
+ drivers/firmware/efi/arm-init.c | 7 +++++++
+ drivers/firmware/efi/efi.c | 3 ++-
+ drivers/firmware/efi/libstub/arm-stub.c | 2 +-
+ drivers/firmware/efi/libstub/efistub.h | 1 +
+ drivers/firmware/efi/libstub/fdt.c | 7 +++++++
+ include/linux/efi.h | 1 +
+ 7 files changed, 32 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -953,6 +953,19 @@ config EFI
+ allow the kernel to be booted as an EFI application. This
+ is only useful on systems that have UEFI firmware.
+
++config EFI_SECURE_BOOT_SECURELEVEL
++ def_bool n
++ depends on SECURITY_SECURELEVEL
++ depends on EFI
++ prompt "Automatically set securelevel when UEFI Secure Boot is enabled"
++ ---help---
++ UEFI Secure Boot provides a mechanism for ensuring that the
++ firmware will only load signed bootloaders and kernels. Certain
++ use cases may also require that the kernel restrict any userspace
++ mechanism that could insert untrusted code into the kernel.
++ Say Y here to automatically enable securelevel enforcement
++ when a system boots with UEFI Secure Boot enabled.
++
+ config DMI
+ bool "Enable support for SMBIOS (DMI) tables"
+ depends on EFI
+--- a/drivers/firmware/efi/arm-init.c
++++ b/drivers/firmware/efi/arm-init.c
+@@ -21,6 +21,7 @@
+ #include <linux/of_fdt.h>
+ #include <linux/platform_device.h>
+ #include <linux/screen_info.h>
++#include <linux/security.h>
+
+ #include <asm/efi.h>
+
+@@ -243,6 +244,12 @@ void __init efi_init(void)
+ "Unexpected EFI_MEMORY_DESCRIPTOR version %ld",
+ efi.memmap.desc_version);
+
++#ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL
++ if (params.secure_boot > 0) {
++ set_securelevel(1);
++ }
++#endif
++
+ if (uefi_init() < 0)
+ return;
+
+--- a/drivers/firmware/efi/efi.c
++++ b/drivers/firmware/efi/efi.c
+@@ -482,7 +482,8 @@ static __initdata struct {
+ UEFI_PARAM("MemMap Address", "linux,uefi-mmap-start", mmap),
+ UEFI_PARAM("MemMap Size", "linux,uefi-mmap-size", mmap_size),
+ UEFI_PARAM("MemMap Desc. Size", "linux,uefi-mmap-desc-size", desc_size),
+- UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver)
++ UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver),
++ UEFI_PARAM("Secure Boot Enabled", "linux,uefi-secure-boot", secure_boot)
+ };
+
+ struct param_info {
+--- a/drivers/firmware/efi/libstub/arm-stub.c
++++ b/drivers/firmware/efi/libstub/arm-stub.c
+@@ -20,7 +20,7 @@
+
+ bool __nokaslr;
+
+-static int efi_get_secureboot(efi_system_table_t *sys_table_arg)
++int efi_get_secureboot(efi_system_table_t *sys_table_arg)
+ {
+ static efi_char16_t const sb_var_name[] = {
+ 'S', 'e', 'c', 'u', 'r', 'e', 'B', 'o', 'o', 't', 0 };
+--- a/drivers/firmware/efi/libstub/efistub.h
++++ b/drivers/firmware/efi/libstub/efistub.h
+@@ -62,4 +62,5 @@ efi_status_t efi_random_alloc(efi_system
+
+ efi_status_t check_platform_features(efi_system_table_t *sys_table_arg);
+
++int efi_get_secureboot(efi_system_table_t *sys_table_arg);
+ #endif
+--- a/drivers/firmware/efi/libstub/fdt.c
++++ b/drivers/firmware/efi/libstub/fdt.c
+@@ -139,6 +139,13 @@ efi_status_t update_fdt(efi_system_table
+ return efi_status;
+ }
+ }
++
++ fdt_val32 = efi_get_secureboot(sys_table);
++ status = fdt_setprop(fdt, node, "linux,uefi-secure-boot",
++ &fdt_val32, sizeof(fdt_val32));
++ if (status)
++ goto fdt_set_fail;
++
+ return EFI_SUCCESS;
+
+ fdt_set_fail:
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -745,6 +745,7 @@ struct efi_fdt_params {
+ u32 mmap_size;
+ u32 desc_size;
+ u32 desc_ver;
++ u32 secure_boot;
+ };
+
+ typedef struct {
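Review bot: In the libstub/fdt.c part of this patch, `fdt_val32 = efi_get_secureboot(sys_table);` is stored into the device tree as a raw CPU-endian cell, whereas FDT property cells are big-endian by specification and the kernel side will presumably decode `linux,uefi-secure-boot` with a byte-swapping accessor like the other `UEFI_PARAM` entries (the decoder itself is not in this hunk). On little-endian arm64 a stub value of 1 would then arrive as 0x01000000, which still passes `params.secure_boot > 0` in efi_init only because `secure_boot` is an unsigned u32; the same comparison also turns any negative errno that `efi_get_secureboot` may return from its `out_efi_err` path (the label is visible in the second patch, its body is not) into "Secure Boot enabled", which is fail-closed but nowhere stated. Suggest `fdt_val32 = cpu_to_fdt32(efi_get_secureboot(sys_table));` in update_fdt, and, if the fail-closed policy is intended, a comment above `set_securelevel(1)` such as `/* Any non-zero value, including a stub lookup error, is treated as Secure Boot enabled (fail closed). */`. Both update_fdt and efi_init begin and end outside this hunk.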
diff --git a/debian/patches/features/all/securelevel/arm64-efi-disable-secure-boot-if-shim-is-in-insecure.patch b/debian/patches/features/all/securelevel/arm64-efi-disable-secure-boot-if-shim-is-in-insecure.patch
new file mode 100644
index 0000000..59fd422
--- /dev/null
+++ b/debian/patches/features/all/securelevel/arm64-efi-disable-secure-boot-if-shim-is-in-insecure.patch
@@ -0,0 +1,59 @@
+From: Linn Crosetto <linn at hpe.com>
+Date: Mon, 22 Feb 2016 12:54:37 -0700
+Subject: arm64/efi: Disable secure boot if shim is in insecure mode
+
+Port to arm64 a patch originally written by Josh Boyer for the x86 EFI
+stub.
+
+A user can manually tell the shim boot loader to disable validation of
+images it loads. When a user does this, it creates a UEFI variable called
+MokSBState that does not have the runtime attribute set. Given that the
+user explicitly disabled validation, we can honor that and not enable
+secure boot mode if that variable is set.
+
+Signed-off-by: Linn Crosetto <linn at hpe.com>
+Cc: Josh Boyer <jwboyer at fedoraproject.org>
+---
+ drivers/firmware/efi/libstub/arm-stub.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/drivers/firmware/efi/libstub/arm-stub.c
++++ b/drivers/firmware/efi/libstub/arm-stub.c
+@@ -26,11 +26,14 @@ static int efi_get_secureboot(efi_system
+ 'S', 'e', 'c', 'u', 'r', 'e', 'B', 'o', 'o', 't', 0 };
+ static efi_char16_t const sm_var_name[] = {
+ 'S', 'e', 't', 'u', 'p', 'M', 'o', 'd', 'e', 0 };
++ static efi_char16_t const mk_var_name[] = {
++ 'M', 'o', 'k', 'S', 'B', 'S', 't', 'a', 't', 'e', 0 };
+
+ efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
+ efi_get_variable_t *f_getvar = sys_table_arg->runtime->get_variable;
+ u8 val;
+ unsigned long size = sizeof(val);
++ u32 attr;
+ efi_status_t status;
+
+ status = f_getvar((efi_char16_t *)sb_var_name, (efi_guid_t *)&var_guid,
+@@ -51,6 +54,22 @@ static int efi_get_secureboot(efi_system
+ if (val == 1)
+ return 0;
+
++ /* See if a user has put shim into insecure_mode. If so, and the variable
++ * doesn't have the runtime attribute set, we might as well honor that.
++ */
++ var_guid = EFI_SHIM_LOCK_GUID;
++ status = f_getvar((efi_char16_t *)mk_var_name, (efi_guid_t *)&var_guid,
++ &attr, &size, &val);
++
++ /* If it fails, we don't care why. Default to secure */
++ if (status != EFI_SUCCESS)
++ return 1;
++
++ if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
++ if (val == 1)
++ return 0;
++ }
++
+ return 1;
+
+ out_efi_err:
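Review bot: The comment introducing the MokSBState lookup ("we might as well honor that") leaves out the reasoning that makes the `EFI_VARIABLE_RUNTIME_ACCESS` test load-bearing: shim records the insecure-mode choice in a boot-services-only variable, so a MokSBState that lacks the runtime attribute can only have been written before the OS ran, while one that carries it could have been planted by root from the running system (e.g. through efivarfs) to switch securelevel off on the next boot. Suggest replacing the comment with `/* Shim stores "validation disabled" in MokSBState as a boot-services-only variable. Honor it only when RUNTIME_ACCESS is clear: a runtime-writable copy could have been planted from the OS to disable securelevel on the next boot. */` and collapsing the nested ifs into `if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS) && val == 1) return 0;`. `size` is an in/out parameter that was already consumed by the SecureBoot and SetupMode reads, so defensively reset it with `size = sizeof(val);` before the MokSBState call rather than relying on the earlier variables being exactly one byte. The code also depends on `EFI_SHIM_LOCK_GUID` being defined in include/linux/efi.h, which nothing in this commit adds; presumably another patch in the securelevel series provides it, but that should be confirmed. efi_get_secureboot begins outside this hunk.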
diff --git a/debian/patches/series b/debian/patches/series
index 7e0f0d8..f9fdb5d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -104,6 +104,9 @@ features/all/securelevel/acpi-disable-acpi-table-override-if-securelevel-is-s.pa
features/all/securelevel/acpi-disable-apei-error-injection-if-securelevel-is-.patch
features/all/securelevel/enable-cold-boot-attack-mitigation.patch
features/all/securelevel/mtd-disable-slram-and-phram-when-securelevel-is-enabled.patch
+# same for arm64
+features/all/securelevel/arm64-efi-disable-secure-boot-if-shim-is-in-insecure.patch
+features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.patch
# Security fixes
bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch