From: Egor Ignatov
To: devel-kernel@lists.altlinux.org
Date: Wed, 6 May 2026 20:37:20 +0300
Message-ID: <20260506173722.1012394-5-egori@altlinux.org>
X-Mailer: git-send-email 2.50.1
In-Reply-To: <20260506173722.1012394-1-egori@altlinux.org>
References: <20260506173722.1012394-1-egori@altlinux.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [d-kernel] [PATCH 4/6] efi: Lock down the kernel if booted in secure boot mode
X-BeenThere: devel-kernel@lists.altlinux.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: ALT Linux kernel packages development
List-Id: ALT Linux kernel packages development
X-List-Received-Date: Wed, 06 May 2026 17:37:46 -0000

From: David Howells

UEFI Secure Boot provides a mechanism for ensuring that the firmware will only load signed bootloaders and kernels. Certain use cases may also require that all kernel modules also be signed.

Add a configuration option to lock down the kernel - which includes requiring validly signed modules - if the kernel is secure-booted.

Signed-off-by: David Howells
Signed-off-by: Jeremy Cline
[egori: merged Fedora and Debian downstream patches]
Signed-off-by: Egor Ignatov
---
 arch/x86/kernel/setup.c | 4 ++--
 drivers/firmware/efi/secureboot.c | 3 +++
 security/lockdown/Kconfig | 15 +++++++++++++++
 3 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c index b67b87af6f..7605f3372a 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -995,6 +995,8 @@ void __init setup_arch(char **cmdline_p) if (efi_enabled(EFI_BOOT)) efi_init(); + efi_set_secure_boot(boot_params.secure_boot); + reserve_ibft_region(); x86_init.resources.dmi_setup();
@@ -1156,8 +1158,6 @@ void __init setup_arch(char **cmdline_p) /* Allocate bigger log buffer */ setup_log_buf(1); - efi_set_secure_boot(boot_params.secure_boot); - reserve_initrd(); acpi_table_upgrade(); diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c index 5cdeb3b6e7..673e2d1b6c 100644 --- a/drivers/firmware/efi/secureboot.c +++ b/drivers/firmware/efi/secureboot.c @@ -29,6 +29,9 @@ void __init efi_set_secure_boot(enum efi_secureboot_mode mode) case efi_secureboot_mode_enabled: set_bit(EFI_SECURE_BOOT, &efi.flags); pr_info("Secure boot enabled\n"); + if (IS_ENABLED(CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT)) + security_lock_kernel_down("EFI Secure Boot mode", + LOCKDOWN_INTEGRITY_MAX); break; default: pr_warn("Secure boot could not be determined (mode %u)\n", diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig index e84ddf4840..f789e07849 100644 --- a/security/lockdown/Kconfig +++ b/security/lockdown/Kconfig @@ -16,6 +16,21 @@ config SECURITY_LOCKDOWN_LSM_EARLY subsystem is fully initialised. If enabled, lockdown will unconditionally be called before any other LSMs. +config LOCK_DOWN_IN_EFI_SECURE_BOOT + bool "Lock down the kernel in EFI Secure Boot mode" + default n + depends on SECURITY_LOCKDOWN_LSM + depends on EFI + select SECURITY_LOCKDOWN_LSM_EARLY + help + UEFI Secure Boot provides a mechanism for ensuring that the firmware + will only load signed bootloaders and kernels. Secure boot mode may + be determined from EFI variables provided by the system firmware if + not indicated by the boot parameters. + + Enabling this option results in kernel lockdown being + triggered in integrity mode if EFI Secure Boot is set. + choice prompt "Kernel default lockdown mode" default LOCK_DOWN_KERNEL_FORCE_NONE -- 2.50.1
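Review bot: the commit message does not say why efi_set_secure_boot(boot_params.secure_boot) moves in setup_arch() from after setup_log_buf(1) to immediately after the `if (efi_enabled(EFI_BOOT)) efi_init();` statement; now that the call can engage lockdown, its position relative to everything between those two points is a security decision, so state the motivation in the message and add a one-line comment at the new call site. Note also that the new call sits outside that single-statement if and therefore runs on non-EFI boots as well; confirm that efi_set_secure_boot() copes with boot_params.secure_boot being unset in that case, or guard the call with efi_enabled(EFI_BOOT) as the line above it does.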
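Review bot: in drivers/firmware/efi/secureboot.c the security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX) call is reached only from the `case efi_secureboot_mode_enabled:` branch; the `default:` branch that prints "Secure boot could not be determined" leaves the kernel unlocked, so an indeterminate reading fails open. That may be the intended policy, but it should be spelled out in the commit message or in a comment above the switch rather than left implicit. Two smaller points: calling security_lock_kernel_down() from setup_arch() only works because the lockdown LSM is registered early, which is what `select SECURITY_LOCKDOWN_LSM_EARLY` in the Kconfig hunk guarantees, and a short comment at the call site pointing at that dependency would help the next reader; and pr_info("Secure boot enabled\n") is printed whether or not the lockdown was applied, so consider a separate message for the lockdown itself so that a dmesg shows which of the two happened.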
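Review bot: the help text for LOCK_DOWN_IN_EFI_SECURE_BOOT says secure boot mode "may be determined from EFI variables provided by the system firmware if not indicated by the boot parameters", but nothing in this patch reads EFI variables; the only input visible here is boot_params.secure_boot passed from setup_arch(). Either drop that sentence or say where that fallback lives. The help text should also say that the kernel lands in LOCKDOWN_INTEGRITY_MAX, which is what enforces the module signature requirement the commit message promises ("including requiring validly signed modules"); "integrity mode" alone does not tell the person configuring the kernel that. Style: `default n` is already the default for a bool option and can be dropped.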