[linux] 01/04: [arm64] Update "add kernel config option to lock down when in Secure Boot mode" for 4.15
commit 20aa9b586e0982821f26d776d16e08d95367bc32
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Sat Dec 30 16:00:46 2017 +0000
[arm64] Update "add kernel config option to lock down when in Secure Boot mode" for 4.15
---
debian/changelog | 7 ++++
...dd-kernel-config-option-to-lock-down-when.patch | 43 +++++-----------------
2 files changed, 17 insertions(+), 33 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 3692788..e426d9b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+linux (4.15~rc5-1~exp2) UNRELEASED; urgency=medium
+
+ * [arm64] Update "add kernel config option to lock down when in Secure Boot
+ mode" for 4.15
+
+ -- Ben Hutchings <ben at decadent.org.uk> Sat, 30 Dec 2017 16:00:15 +0000
+
linux (4.15~rc5-1~exp1) experimental; urgency=medium
* New upstream release candidate
diff --git a/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch b/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
index 2571e4c..aa667bf 100644
--- a/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
+++ b/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
@@ -14,8 +14,9 @@ kernel using the FDT.
Signed-off-by: Linn Crosetto <linn at hpe.com>
[bwh: Forward-ported to 4.10: adjust context]
[Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream]
-[bwh: Forward-ported to 4.11 and lockdown patch set:
- - Convert result of efi_get_secureboot() to a boolean
+[bwh: Forward-ported to 4.15 and lockdown patch set:
+ - Pass result of efi_get_secureboot() in stub through to
+ efi_set_secure_boot() in main kernel
- Use lockdown API and naming]
---
arch/arm64/Kconfig | 13 +++++++++++++
@@ -27,27 +28,6 @@ Signed-off-by: Linn Crosetto <linn at hpe.com>
include/linux/efi.h | 1 +
7 files changed, 32 insertions(+), 2 deletions(-)
---- a/arch/arm64/Kconfig
-+++ b/arch/arm64/Kconfig
-@@ -1033,6 +1033,18 @@ config EFI
- allow the kernel to be booted as an EFI application. This
- is only useful on systems that have UEFI firmware.
-
-+config EFI_SECURE_BOOT_LOCK_DOWN
-+ def_bool n
-+ depends on EFI
-+ prompt "Lock down the kernel when UEFI Secure Boot is enabled"
-+ ---help---
-+ UEFI Secure Boot provides a mechanism for ensuring that the firmware
-+ will only load signed bootloaders and kernels. Certain use cases may
-+ also require that all kernel modules also be signed and that
-+ userspace is prevented from directly changing the running kernel
-+ image. Say Y here to automatically lock down the kernel when a
-+ system boots with UEFI Secure Boot enabled.
-+
- config DMI
- bool "Enable support for SMBIOS (DMI) tables"
- depends on EFI
--- a/drivers/firmware/efi/arm-init.c
+++ b/drivers/firmware/efi/arm-init.c
@@ -21,6 +21,7 @@
@@ -58,21 +38,19 @@ Signed-off-by: Linn Crosetto <linn at hpe.com>
#include <asm/efi.h>
-@@ -244,6 +245,11 @@ void __init efi_init(void)
+@@ -252,6 +253,9 @@ void __init efi_init(void)
"Unexpected EFI_MEMORY_DESCRIPTOR version %ld",
efi.memmap.desc_version);
-+#ifdef CONFIG_EFI_SECURE_BOOT_LOCK_DOWN
-+ if (params.secure_boot > 0)
-+ lock_kernel_down();
-+#endif
++ efi_set_secure_boot(boot_params.secure_boot);
++ init_lockdown();
+
if (uefi_init() < 0) {
efi_memmap_unmap();
return;
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
-@@ -613,7 +613,8 @@ static __initdata struct params fdt_para
+@@ -635,7 +635,8 @@ static __initdata struct params fdt_para
UEFI_PARAM("MemMap Address", "linux,uefi-mmap-start", mmap),
UEFI_PARAM("MemMap Size", "linux,uefi-mmap-size", mmap_size),
UEFI_PARAM("MemMap Desc. Size", "linux,uefi-mmap-desc-size", desc_size),
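Review bot: The added call reads `boot_params.secure_boot` whereas the dropped line read `params.secure_boot`, and nothing in the hunk shows a `boot_params` declaration in efi_init(); confirm the name matches the 4.15 efi_init() local that efi_get_fdt_params() fills, otherwise the forward-ported patch will not build. The removed `#ifdef CONFIG_EFI_SECURE_BOOT_LOCK_DOWN` / `> 0` guard is replaced by an unconditional `efi_set_secure_boot()` followed by `init_lockdown()`, so the lockdown decision, including how a Secure Boot state other than enabled/disabled is treated, now lives entirely in those two helpers rather than here. A one-line comment above the call, `/* Secure Boot state comes from the stub via the FDT; init_lockdown() acts on it */`, would make that dependency visible to the next forward-porter. efi_init()'s body starts and ends outside the hunk.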
@@ -84,13 +62,12 @@ Signed-off-by: Linn Crosetto <linn at hpe.com>
static __initdata struct params xen_fdt_params[] = {
--- a/drivers/firmware/efi/libstub/fdt.c
+++ b/drivers/firmware/efi/libstub/fdt.c
-@@ -134,6 +134,14 @@ static efi_status_t update_fdt(efi_syste
+@@ -158,6 +158,13 @@ static efi_status_t update_fdt(efi_syste
return efi_status;
}
}
+
-+ fdt_val32 = cpu_to_fdt32(efi_get_secureboot(sys_table) !=
-+ efi_secureboot_mode_disabled);
++ fdt_val32 = cpu_to_fdt32(efi_get_secureboot(sys_table));
+ status = fdt_setprop(fdt, node, "linux,uefi-secure-boot",
+ &fdt_val32, sizeof(fdt_val32));
+ if (status)
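Review bot: `fdt_val32` now carries the raw value returned by efi_get_secureboot() instead of the 0/1 boolean the dropped lines computed against `efi_secureboot_mode_disabled`, so the `linux,uefi-secure-boot` FDT property's encoding changes from a boolean to the enum value; the main-kernel consumer (efi_set_secure_boot(), per the patch header) and any description of the property must agree on that, which this hunk cannot show. A brief comment above the assignment, `/* Raw efi_secureboot_mode value; decoded by efi_set_secure_boot() */`, would record the contract for both sides. update_fdt() starts and ends outside the hunk.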
@@ -101,7 +78,7 @@ Signed-off-by: Linn Crosetto <linn at hpe.com>
fdt_set_fail:
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
-@@ -736,6 +736,7 @@ struct efi_fdt_params {
+@@ -749,6 +749,7 @@ struct efi_fdt_params {
u32 mmap_size;
u32 desc_size;
u32 desc_ver;