From: Egor Ignatov <egori@altlinux.org>
To: devel-kernel@lists.altlinux.org
Subject: [d-kernel] [PATCH v2 0/6] Lock down the kernel if booted in Secure Boot mode
Date: Wed, 27 May 2026 11:25:33 +0300
Message-ID: <20260527082539.2000966-1-egori@altlinux.org>
This patch set enables the kernel lockdown mechanism when the system is
booted in Secure Boot mode. When active Secure Boot is detected, the
kernel is automatically switched into lockdown mode.

The series is based on the original patch set "security, efi: Add kernel
lockdown" by David Howells. It uses more up-to-date versions of the
corresponding patches, as maintained in the Fedora and Debian kernels.

A list of the current patches from various distributions is available at
https://lore.altlinux.org/devel-kernel/b14cf8af-c95c-4733-8f89-155c0a5f11dd@altlinux.org/

The series is intended for the 7.0 and 7.1 branches.

David Howells (2):
efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode
efi: Lock down the kernel if booted in secure boot mode
Egor Ignatov (3):
mtd: slram: Add the kernel lock down check
security: lockdown: expose security_lock_kernel_down function
config: Enable LOCK_DOWN_IN_EFI_SECURE_BOOT
Linn Crosetto (1):
efi: determine and pass Secure Boot state via FDT
arch/x86/kernel/setup.c | 16 ++----------
config | 1 +
drivers/firmware/efi/Makefile | 1 +
drivers/firmware/efi/efi-init.c | 5 +++-
drivers/firmware/efi/fdtparams.c | 12 ++++++++-
drivers/firmware/efi/libstub/fdt.c | 6 +++++
drivers/firmware/efi/secureboot.c | 42 ++++++++++++++++++++++++++++++
drivers/mtd/devices/slram.c | 6 +++++
include/linux/efi.h | 22 ++++++++++------
include/linux/security.h | 9 +++++++
security/lockdown/Kconfig | 15 +++++++++++
security/lockdown/lockdown.c | 11 ++++++++
12 files changed, 122 insertions(+), 24 deletions(-)
create mode 100644 drivers/firmware/efi/secureboot.c
--
2.50.1
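
A check for the behaviour the cover letter describes, added here as an example; it is not part of the patch series or of the original message. It compares the firmware's Secure Boot state with the kernel's lockdown state, assuming the standard efivarfs and securityfs locations; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: verify that an EFI Secure Boot system is running locked down.
# Function names are hypothetical; MokSBState (shim) is not considered here.
SB_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI global variable GUID

# efivarfs files hold a 4-byte attribute header followed by the data;
# print the first data byte as a decimal number (empty if unreadable).
efivar_byte() {
    od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n'
}

# The lockdown file lists all modes and brackets the active one,
# e.g. "none [integrity] confidentiality"; print the bracketed word.
lockdown_mode() {
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1" 2>/dev/null || true
}

# check_lockdown EFIVARS_DIR LOCKDOWN_FILE
# returns 0 = consistent, 1 = Secure Boot active but not locked down,
#         2 = state could not be determined
check_lockdown() {
    sb=$(efivar_byte "$1/SecureBoot-$SB_GUID")
    setup=$(efivar_byte "$1/SetupMode-$SB_GUID")
    mode=$(lockdown_mode "$2")
    if [ -z "$sb" ] || [ -z "$mode" ]; then
        echo "UNKNOWN: SecureBoot variable or lockdown file unreadable"
        return 2
    fi
    # Secure Boot counts as active only outside firmware setup mode.
    if [ "$sb" = 1 ] && [ "$setup" != 1 ]; then
        if [ "$mode" = none ]; then
            echo "FAIL: Secure Boot active but lockdown is 'none'"
            return 1
        fi
        echo "OK: Secure Boot active, lockdown=$mode"
        return 0
    fi
    echo "INFO: Secure Boot not active, lockdown=$mode"
    return 0
}

# Query the live system only when asked to: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_lockdown /sys/firmware/efi/efivars /sys/kernel/security/lockdown
fi
```

A result of 2 on a UEFI machine usually means securityfs is not mounted or the lockdown LSM is not enabled in the running kernel.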