From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <egori@altlinux.org>
From: Egor Ignatov <egori@altlinux.org>
To: devel-kernel@lists.altlinux.org
Date: Wed, 27 May 2026 11:25:33 +0300
Message-ID: <20260527082539.2000966-1-egori@altlinux.org>
X-Mailer: git-send-email 2.50.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Subject: [d-kernel] [PATCH v2 0/6] Lock down the kernel if booted in Secure
	Boot mode
X-BeenThere: devel-kernel@lists.altlinux.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: ALT Linux kernel packages development
 <devel-kernel@lists.altlinux.org>
List-Id: ALT Linux kernel packages development
 <devel-kernel.lists.altlinux.org>
List-Unsubscribe: <https://lists.altlinux.org/mailman/options/devel-kernel>,
 <mailto:devel-kernel-request@lists.altlinux.org?subject=unsubscribe>
List-Archive: <http://lists.altlinux.org/pipermail/devel-kernel>
List-Post: <mailto:devel-kernel@lists.altlinux.org>
List-Help: <mailto:devel-kernel-request@lists.altlinux.org?subject=help>
List-Subscribe: <https://lists.altlinux.org/mailman/listinfo/devel-kernel>,
 <mailto:devel-kernel-request@lists.altlinux.org?subject=subscribe>
X-List-Received-Date: Wed, 27 May 2026 08:25:41 -0000
Archived-At: <http://lore.altlinux.org/devel-kernel/20260527082539.2000966-1-egori@altlinux.org/>
List-Archive: <http://lore.altlinux.org/devel-kernel/>
List-Post: <mailto:devel-kernel@altlinux.org>

Данный набор патчей включает механизм kernel lockdown при загрузке
системы в режиме Secure Boot. При обнаружении активного Secure Boot
ядро автоматически переводится в режим lockdown.

В основу серии положен изначальный патчсет "security, efi: Add kernel
lockdown" за авторством David Howells. Использованы более актуальные
варианты соответствующих патчей, поддерживаемые в ядрах Fedora и Debian.

Список актуальных патчей из разных дистрибутивов доступен по ссылке
https://lore.altlinux.org/devel-kernel/b14cf8af-c95c-4733-8f89-155c0a5f11dd@altlinux.org/

Серия предназначена для веток 7.0 и 7.1.

David Howells (2):
  efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode
  efi: Lock down the kernel if booted in secure boot mode

Egor Ignatov (3):
  mtd: slram: Add the kernel lock down check
  security: lockdown: expose security_lock_kernel_down function
  config: Enable LOCK_DOWN_IN_EFI_SECURE_BOOT

Linn Crosetto (1):
  efi: determine and pass Secure Boot state via FDT

 arch/x86/kernel/setup.c            | 16 ++----------
 config                             |  1 +
 drivers/firmware/efi/Makefile      |  1 +
 drivers/firmware/efi/efi-init.c    |  5 +++-
 drivers/firmware/efi/fdtparams.c   | 12 ++++++++-
 drivers/firmware/efi/libstub/fdt.c |  6 +++++
 drivers/firmware/efi/secureboot.c  | 42 ++++++++++++++++++++++++++++++
 drivers/mtd/devices/slram.c        |  6 +++++
 include/linux/efi.h                | 22 ++++++++++------
 include/linux/security.h           |  9 +++++++
 security/lockdown/Kconfig          | 15 +++++++++++
 security/lockdown/lockdown.c       | 11 ++++++++
 12 files changed, 122 insertions(+), 24 deletions(-)
 create mode 100644 drivers/firmware/efi/secureboot.c

-- 
2.50.1