* [d-kernel] [PATCH v2 0/6] Lock down the kernel if booted in Secure Boot mode
@ 2026-05-27 8:25 Egor Ignatov
From: Egor Ignatov @ 2026-05-27 8:25 UTC (permalink / raw)
To: devel-kernel
This patch set enables the kernel lockdown mechanism when the system is booted
in Secure Boot mode. When an active Secure Boot is detected, the kernel is
automatically switched into lockdown mode.
The series is based on the original patch set "security, efi: Add kernel
lockdown" by David Howells. More up-to-date variants of the corresponding
patches, as maintained in the Fedora and Debian kernels, are used.
A list of the current patches from the various distributions is available at
https://lore.altlinux.org/devel-kernel/b14cf8af-c95c-4733-8f89-155c0a5f11dd@altlinux.org/
The series is intended for the 7.0 and 7.1 branches.
David Howells (2):
efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode
efi: Lock down the kernel if booted in secure boot mode
Egor Ignatov (3):
mtd: slram: Add the kernel lock down check
security: lockdown: expose security_lock_kernel_down function
config: Enable LOCK_DOWN_IN_EFI_SECURE_BOOT
Linn Crosetto (1):
efi: determine and pass Secure Boot state via FDT
arch/x86/kernel/setup.c | 16 ++----------
config | 1 +
drivers/firmware/efi/Makefile | 1 +
drivers/firmware/efi/efi-init.c | 5 +++-
drivers/firmware/efi/fdtparams.c | 12 ++++++++-
drivers/firmware/efi/libstub/fdt.c | 6 +++++
drivers/firmware/efi/secureboot.c | 42 ++++++++++++++++++++++++++++++
drivers/mtd/devices/slram.c | 6 +++++
include/linux/efi.h | 22 ++++++++++------
include/linux/security.h | 9 +++++++
security/lockdown/Kconfig | 15 +++++++++++
security/lockdown/lockdown.c | 11 ++++++++
12 files changed, 122 insertions(+), 24 deletions(-)
create mode 100644 drivers/firmware/efi/secureboot.c
--
2.50.1
* [d-kernel] [PATCH v2 1/6] mtd: slram: Add the kernel lock down check
From: Egor Ignatov @ 2026-05-27 8:25 UTC (permalink / raw)
To: devel-kernel
The slram MTD driver may map any memory pages, no matter whether they are
reserved or otherwise used by the system, which basically allows a user to
bypass the lockdown.
Add the check and abort the probe if the kernel is locked down for
LOCKDOWN_DEV_MEM.
Based on commit b3c782868ece ("mtd: phram: Add the kernel lock down check")
Suggested-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Egor Ignatov <egori@altlinux.org>
---
drivers/mtd/devices/slram.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/mtd/devices/slram.c b/drivers/mtd/devices/slram.c
index 69cb63d99f..2928d12343 100644
--- a/drivers/mtd/devices/slram.c
+++ b/drivers/mtd/devices/slram.c
@@ -43,6 +43,7 @@
#include <linux/ioctl.h>
#include <linux/init.h>
#include <linux/io.h>
+#include <linux/security.h>
#include <linux/mtd/mtd.h>
@@ -277,6 +278,11 @@ __setup("slram=", mtd_slram_setup);
static int __init init_slram(void)
{
char *devname;
+ int ret;
+
+ ret = security_locked_down(LOCKDOWN_DEV_MEM);
+ if (ret)
+ return ret;
#ifndef MODULE
char *devstart;
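Review bot: `char *devstart;` under `#ifndef MODULE` now follows the `ret = security_locked_down(...)` statements, i.e. a declaration after a statement; the kernel builds with -Wdeclaration-after-statement, so the built-in configuration that patch 6/6 targets will warn here. Move `int ret;` and the check below the `#ifndef MODULE` declarations, or hoist `char *devstart;` above the check. The commit message says "abort the probe", but this is module init (`init_slram()`), so what fails with -EPERM is the modprobe or built-in init, not a probe; saying so avoids confusion.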
--
2.50.1
* [d-kernel] [PATCH v2 2/6] security: lockdown: expose security_lock_kernel_down function
From: Egor Ignatov @ 2026-05-27 8:25 UTC (permalink / raw)
To: devel-kernel
In order to automatically lock down kernels running on UEFI machines
booted in Secure Boot mode, expose the security_lock_kernel_down() function.
Based on Fedora patches:
- security: lockdown: expose a hook to lock the kernel down
- efi,lockdown: fix kernel lockdown on Secure Boot
Based-on-a-patch-by: Jeremy Cline <jcline@redhat.com>
Based-on-a-patch-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Egor Ignatov <egori@altlinux.org>
---
include/linux/security.h | 9 +++++++++
security/lockdown/lockdown.c | 11 +++++++++++
2 files changed, 20 insertions(+)
diff --git a/include/linux/security.h b/include/linux/security.h
index 41d7367cf4..ad6f69c6fc 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -2438,4 +2438,13 @@ static inline void security_initramfs_populated(void)
}
#endif /* CONFIG_SECURITY */
+#ifdef CONFIG_SECURITY_LOCKDOWN_LSM
+extern int security_lock_kernel_down(const char *where, enum lockdown_reason level);
+#else
+static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level)
+{
+ return 0;
+}
+#endif /* CONFIG_SECURITY_LOCKDOWN_LSM */
+
#endif /* ! __LINUX_SECURITY_H */
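Review bot: the `!CONFIG_SECURITY_LOCKDOWN_LSM` stub returns 0, i.e. reports success without locking anything down, so any future caller that checked the return value would wrongly conclude the kernel is now locked. It is unreachable in this series (the only caller, in patch 4/6, is gated by IS_ENABLED(CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT), which depends on SECURITY_LOCKDOWN_LSM), but returning -EOPNOTSUPP, or at least a comment stating that the stub is a no-op, would make the contract explicit.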
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 8d46886d2c..14a9cdff94 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -72,6 +72,17 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
return 0;
}
+/**
+ * security_lock_kernel_down() - Put the kernel into lock-down mode.
+ *
+ * @where: Where the lock-down is originating from (e.g. command line option)
+ * @level: The lock-down level (can only increase)
+ */
+int security_lock_kernel_down(const char *where, enum lockdown_reason level)
+{
+ return lock_kernel_down(where, level);
+}
+
static struct security_hook_list lockdown_hooks[] __ro_after_init = {
LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
};
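Review bot: the kernel-doc block has no `Return:` section; it should state what lock_kernel_down() yields (0 when the level was raised, -EPERM when `level` is not above the current one), since that is the only feedback a caller gets. No EXPORT_SYMBOL is needed because the only caller is built-in; worth one sentence in the commit message so nobody adds one later.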
--
2.50.1
* [d-kernel] [PATCH v2 3/6] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode
From: Egor Ignatov @ 2026-05-27 8:25 UTC (permalink / raw)
To: devel-kernel
From: David Howells <dhowells@redhat.com>
UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT
flag that can be passed to efi_enabled() to find out whether secure boot is
enabled.
Move the switch-statement in x86's setup_arch() that interprets the
secure_boot boot parameter to generic code and set the bit there.
Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
cc: linux-efi@vger.kernel.org
[egori: imported from Fedora]
Signed-off-by: Egor Ignatov <egori@altlinux.org>
---
arch/x86/kernel/setup.c | 14 +----------
drivers/firmware/efi/Makefile | 1 +
drivers/firmware/efi/secureboot.c | 39 +++++++++++++++++++++++++++++++
include/linux/efi.h | 19 +++++++++------
4 files changed, 53 insertions(+), 20 deletions(-)
create mode 100644 drivers/firmware/efi/secureboot.c
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index 46882ce79c..e4f8b4f6aa 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1156,19 +1156,7 @@ void __init setup_arch(char **cmdline_p)
/* Allocate bigger log buffer */
setup_log_buf(1);
- if (efi_enabled(EFI_BOOT)) {
- switch (boot_params.secure_boot) {
- case efi_secureboot_mode_disabled:
- pr_info("Secure boot disabled\n");
- break;
- case efi_secureboot_mode_enabled:
- pr_info("Secure boot enabled\n");
- break;
- default:
- pr_info("Secure boot could not be determined\n");
- break;
- }
- }
+ efi_set_secure_boot(boot_params.secure_boot);
reserve_initrd();
diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile
index 8efbcf699e..96d5a1ca98 100644
--- a/drivers/firmware/efi/Makefile
+++ b/drivers/firmware/efi/Makefile
@@ -25,6 +25,7 @@ subdir-$(CONFIG_EFI_STUB) += libstub
obj-$(CONFIG_EFI_BOOTLOADER_CONTROL) += efibc.o
obj-$(CONFIG_EFI_TEST) += test/
obj-$(CONFIG_EFI_DEV_PATH_PARSER) += dev-path-parser.o
+obj-$(CONFIG_EFI) += secureboot.o
obj-$(CONFIG_APPLE_PROPERTIES) += apple-properties.o
obj-$(CONFIG_EFI_RCI2_TABLE) += rci2-table.o
obj-$(CONFIG_EFI_EMBEDDED_FIRMWARE) += embedded-firmware.o
diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c
new file mode 100644
index 0000000000..5cdeb3b6e7
--- /dev/null
+++ b/drivers/firmware/efi/secureboot.c
@@ -0,0 +1,39 @@
+/* Core kernel secure boot support.
+ *
+ * Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <linux/efi.h>
+#include <linux/kernel.h>
+#include <linux/printk.h>
+#include <linux/security.h>
+
+/*
+ * Decide what to do when UEFI secure boot mode is enabled.
+ */
+void __init efi_set_secure_boot(enum efi_secureboot_mode mode)
+{
+ if (efi_enabled(EFI_BOOT)) {
+ switch (mode) {
+ case efi_secureboot_mode_disabled:
+ pr_info("Secure boot disabled\n");
+ break;
+ case efi_secureboot_mode_enabled:
+ set_bit(EFI_SECURE_BOOT, &efi.flags);
+ pr_info("Secure boot enabled\n");
+ break;
+ default:
+ pr_warn("Secure boot could not be determined (mode %u)\n",
+ mode);
+ break;
+ }
+ }
+}
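Review bot: a new kernel source file must start with an SPDX-License-Identifier line (Documentation/process/license-rules.rst); the prose GPL notice here should become `// SPDX-License-Identifier: GPL-2.0-or-later` (the text says version 2 or any later version) and the boilerplate paragraph dropped. Two smaller points: `#include <linux/security.h>` is unused until patch 4/6 adds the lockdown call, and `pr_fmt` with KBUILD_MODNAME turns the former "Secure boot enabled" line into "secureboot: Secure boot enabled" while the undetermined case goes from pr_info to pr_warn; that is a visible dmesg change that the commit message should mention.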
diff --git a/include/linux/efi.h b/include/linux/efi.h
index 72e76ec546..7eed6dcb70 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -847,6 +847,14 @@ extern int __init parse_efi_signature_list(
#define EFI_MEM_ATTR 9 /* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */
#define EFI_MEM_NO_SOFT_RESERVE 10 /* Is the kernel configured to ignore soft reservations? */
#define EFI_PRESERVE_BS_REGIONS 11 /* Are EFI boot-services memory segments available? */
+#define EFI_SECURE_BOOT 12 /* Are we in Secure Boot mode? */
+
+enum efi_secureboot_mode {
+ efi_secureboot_mode_unset,
+ efi_secureboot_mode_unknown,
+ efi_secureboot_mode_disabled,
+ efi_secureboot_mode_enabled,
+};
#ifdef CONFIG_EFI
/*
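Review bot: the commit message should say why `enum efi_secureboot_mode` moves above `#ifdef CONFIG_EFI`: the `!CONFIG_EFI` inline stub for efi_set_secure_boot() added below needs the type visible, and it was previously declared only further down the header. It is also worth noting that x86 feeds `boot_params.secure_boot` (a u8 in the boot protocol, filled in by the EFI stub) straight into this enum, so the enumerator order is part of that interface and must not be changed.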
@@ -858,6 +866,8 @@ static inline bool efi_enabled(int feature)
}
extern void efi_reboot(enum reboot_mode reboot_mode, const char *__unused);
+extern void __init efi_set_secure_boot(enum efi_secureboot_mode mode);
+
bool __pure __efi_soft_reserve_enabled(void);
static inline bool __pure efi_soft_reserve_enabled(void)
@@ -879,6 +889,8 @@ static inline bool efi_enabled(int feature)
static inline void
efi_reboot(enum reboot_mode reboot_mode, const char *__unused) {}
+static inline void efi_set_secure_boot(enum efi_secureboot_mode mode) {}
+
static inline bool efi_soft_reserve_enabled(void)
{
return false;
@@ -1110,13 +1122,6 @@ extern unsigned long efi_call_virt_save_flags(void);
void efi_runtime_assert_lock_held(void);
-enum efi_secureboot_mode {
- efi_secureboot_mode_unset,
- efi_secureboot_mode_unknown,
- efi_secureboot_mode_disabled,
- efi_secureboot_mode_enabled,
-};
-
static inline
enum efi_secureboot_mode efi_get_secureboot_mode(efi_get_variable_t *get_var)
{
--
2.50.1
* [d-kernel] [PATCH v2 4/6] efi: Lock down the kernel if booted in secure boot mode
From: Egor Ignatov @ 2026-05-27 8:25 UTC (permalink / raw)
To: devel-kernel
From: David Howells <dhowells@redhat.com>
UEFI Secure Boot provides a mechanism for ensuring that the firmware
will only load signed bootloaders and kernels. Certain use cases may
also require that all kernel modules also be signed. Add a
configuration option to lock down the kernel - which includes
requiring validly signed modules - if the kernel is secure-booted.
Signed-off-by: David Howells <dhowells@redhat.com>
[egori: updated the original patch with changes from the Debian patch
efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch]
Signed-off-by: Egor Ignatov <egori@altlinux.org>
---
arch/x86/kernel/setup.c | 4 ++--
drivers/firmware/efi/secureboot.c | 3 +++
security/lockdown/Kconfig | 15 +++++++++++++++
3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index e4f8b4f6aa..1f9e3a09ae 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -995,6 +995,8 @@ void __init setup_arch(char **cmdline_p)
if (efi_enabled(EFI_BOOT))
efi_init();
+ efi_set_secure_boot(boot_params.secure_boot);
+
reserve_ibft_region();
x86_init.resources.dmi_setup();
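Review bot: efi_set_secure_boot() is moved from after setup_log_buf() up to immediately after efi_init(), but the commit message does not explain the move. If the intent is to have lockdown in force before the first security_locked_down() consumer in setup_arch() (acpi_table_upgrade() honours LOCKDOWN_ACPI_TABLES), say so; if it is only to match the Debian and Fedora placement, say that, so a later cleanup does not move it back.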
@@ -1156,8 +1158,6 @@ void __init setup_arch(char **cmdline_p)
/* Allocate bigger log buffer */
setup_log_buf(1);
- efi_set_secure_boot(boot_params.secure_boot);
-
reserve_initrd();
acpi_table_upgrade();
diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c
index 5cdeb3b6e7..673e2d1b6c 100644
--- a/drivers/firmware/efi/secureboot.c
+++ b/drivers/firmware/efi/secureboot.c
@@ -29,6 +29,9 @@ void __init efi_set_secure_boot(enum efi_secureboot_mode mode)
case efi_secureboot_mode_enabled:
set_bit(EFI_SECURE_BOOT, &efi.flags);
pr_info("Secure boot enabled\n");
+ if (IS_ENABLED(CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT))
+ security_lock_kernel_down("EFI Secure Boot mode",
+ LOCKDOWN_INTEGRITY_MAX);
break;
default:
pr_warn("Secure boot could not be determined (mode %u)\n",
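Review bot: the return value of security_lock_kernel_down() is discarded. That is acceptable only because lock_kernel_down() never lowers the level, so a `lockdown=confidentiality` from the command line (an early_param handled by parse_early_param(), which precedes efi_init() in setup_arch()) simply wins and this call returns -EPERM; a one-line comment saying that the error is expected in that case would spare the next reviewer the same check.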
diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
index e84ddf4840..f789e07849 100644
--- a/security/lockdown/Kconfig
+++ b/security/lockdown/Kconfig
@@ -16,6 +16,21 @@ config SECURITY_LOCKDOWN_LSM_EARLY
subsystem is fully initialised. If enabled, lockdown will
unconditionally be called before any other LSMs.
+config LOCK_DOWN_IN_EFI_SECURE_BOOT
+ bool "Lock down the kernel in EFI Secure Boot mode"
+ default n
+ depends on SECURITY_LOCKDOWN_LSM
+ depends on EFI
+ select SECURITY_LOCKDOWN_LSM_EARLY
+ help
+ UEFI Secure Boot provides a mechanism for ensuring that the firmware
+ will only load signed bootloaders and kernels. Secure boot mode may
+ be determined from EFI variables provided by the system firmware if
+ not indicated by the boot parameters.
+
+ Enabling this option results in kernel lockdown being
+ triggered in integrity mode if EFI Secure Boot is set.
+
choice
prompt "Kernel default lockdown mode"
default LOCK_DOWN_KERNEL_FORCE_NONE
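Review bot: `default n` is redundant for a bool and is normally omitted. More importantly, the help text should explain the `select SECURITY_LOCKDOWN_LSM_EARLY`: efi_set_secure_boot() runs from setup_arch()/efi_init(), well before security_init(), so the lockdown LSM has to be registered by early_security_init() for security_locked_down() checks made during early setup (e.g. the LOCKDOWN_ACPI_TABLES check in acpi_table_upgrade()) to be enforced. The sentence "Secure boot mode may be determined from EFI variables ... if not indicated by the boot parameters" also overstates what this series does: the SecureBoot/SetupMode variables are read by the EFI stub at boot and the result passed in boot_params (x86) or the FDT (patch 5/6); the kernel proper never falls back to reading EFI variables itself.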
--
2.50.1
* [d-kernel] [PATCH v2 5/6] efi: determine and pass Secure Boot state via FDT
From: Egor Ignatov @ 2026-05-27 8:25 UTC (permalink / raw)
To: devel-kernel
From: Linn Crosetto <linn@hpe.com>
Determine the state of UEFI Secure Boot in the EFI stub on platforms
that use FDT-based EFI parameter passing (ARM, arm64, RISC-V), and
forward it to the kernel through a new "linux,uefi-secure-boot" FDT
property. The early init path then calls efi_set_secure_boot(), which
on kernels with CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT triggers kernel
lockdown — analogous to how x86 already does it via boot_params.
Based on the Debian patch
"arm64-add-kernel-config-option-to-lock-down-when-in-Secure-Boot-mode.patch"
by Linn Crosetto. The original subject incorrectly implied an arm64-only
change; the patch in fact only touches generic drivers/firmware/efi/ code
that is shared by all FDT-based EFI architectures (ARM, arm64, RISC-V).
Re-titled and re-described accordingly; the code is unchanged.
Original commit message:
arm64: add kernel config option to lock down when in Secure Boot mode
Add a kernel configuration option to lock down the kernel, to restrict
userspace's ability to modify the running kernel when UEFI Secure Boot
is enabled. Based on the x86 patch by Matthew Garrett.
Determine the state of Secure Boot in the EFI stub and pass this to the
kernel using the FDT.
Signed-off-by: Linn Crosetto <linn@hpe.com>
Signed-off-by: Linn Crosetto <linn@hpe.com>
[egori: re-titled and rewrote commit message; no code changes]
Signed-off-by: Egor Ignatov <egori@altlinux.org>
---
drivers/firmware/efi/efi-init.c | 5 ++++-
drivers/firmware/efi/fdtparams.c | 12 +++++++++++-
drivers/firmware/efi/libstub/fdt.c | 6 ++++++
include/linux/efi.h | 3 ++-
4 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/drivers/firmware/efi/efi-init.c b/drivers/firmware/efi/efi-init.c
index 6103b1a082..dea8d67c71 100644
--- a/drivers/firmware/efi/efi-init.c
+++ b/drivers/firmware/efi/efi-init.c
@@ -234,9 +234,10 @@ void __init efi_init(void)
{
struct efi_memory_map_data data;
u64 efi_system_table;
+ u32 secure_boot;
/* Grab UEFI information placed in FDT by stub */
- efi_system_table = efi_get_fdt_params(&data);
+ efi_system_table = efi_get_fdt_params(&data, &secure_boot);
if (!efi_system_table)
return;
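Review bot: handing `&secure_boot` to efi_get_fdt_params() makes "linux,uefi-secure-boot" a mandatory property: for the linux,uefi-* table the helper in fdtparams.c returns 1 when fdt_getprop() finds nothing (the `if (!prop) return 1;` lines in that file), the caller then reports the property as missing and abandons the whole /chosen set, and efi_init() returns here without EFI. Any FDT producer other than this build's stub that fills in the other linux,uefi-* properties but not this one (a boot loader or kexec path that builds the node itself) would therefore lose EFI runtime services entirely, not just lockdown. Treating absence as efi_secureboot_mode_unknown instead (no lockdown, but nothing else changes) would degrade gracefully; the property is always present when this kernel's own stub wrote the FDT.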
@@ -258,6 +259,8 @@ void __init efi_init(void)
return;
}
+ efi_set_secure_boot(secure_boot);
+
reserve_regions();
/*
* For memblock manipulation, the cap should come after the memblock_add().
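Review bot: for the xen,uefi-* table the SBMODE name is the empty string, so `secure_boot` is zeroed (efi_secureboot_mode_unset) and, if this call is reached on a Xen dom0, efi_set_secure_boot() takes its default branch and logs "Secure boot could not be determined (mode 0)" on every boot. Either skip the call when the mode is unset or keep the unset case silent; dom0 cannot learn the state through this path, and a warning nobody can act on is noise.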
diff --git a/drivers/firmware/efi/fdtparams.c b/drivers/firmware/efi/fdtparams.c
index b815d2a754..6f05b73c14 100644
--- a/drivers/firmware/efi/fdtparams.c
+++ b/drivers/firmware/efi/fdtparams.c
@@ -16,6 +16,7 @@ enum {
MMSIZE,
DCSIZE,
DCVERS,
+ SBMODE,
PARAMCOUNT
};
@@ -26,6 +27,7 @@ static __initconst const char name[][22] = {
[MMSIZE] = "MemMap Size ",
[DCSIZE] = "MemMap Desc. Size ",
[DCVERS] = "MemMap Desc. Version ",
+ [SBMODE] = "Secure Boot Enabled ",
};
static __initconst const struct {
@@ -43,6 +45,7 @@ static __initconst const struct {
[MMSIZE] = "xen,uefi-mmap-size",
[DCSIZE] = "xen,uefi-mmap-desc-size",
[DCVERS] = "xen,uefi-mmap-desc-ver",
+ [SBMODE] = "",
}
}, {
#endif
@@ -53,6 +56,7 @@ static __initconst const struct {
[MMSIZE] = "linux,uefi-mmap-size",
[DCSIZE] = "linux,uefi-mmap-desc-size",
[DCVERS] = "linux,uefi-mmap-desc-ver",
+ [SBMODE] = "linux,uefi-secure-boot",
}
}
};
@@ -64,6 +68,11 @@ static int __init efi_get_fdt_prop(const void *fdt, int node, const char *pname,
int len;
u64 val;
+ if (!pname[0]) {
+ memset(var, 0, size);
+ return 0;
+ }
+
prop = fdt_getprop(fdt, node, pname, &len);
if (!prop)
return 1;
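Review bot: the empty-string sentinel meaning "this table has no such property, zero the target" is implicit; nothing in the `params` tables above says an entry may be empty, and a reader of the Xen table just sees a bare `""`. Either use NULL and test `if (!pname)` here, or add a comment on the table stating that an empty name marks an optional parameter whose value is zeroed. The `memset(var, 0, size)` is right for the u32 target, but it relies on 0 being efi_secureboot_mode_unset; say that too.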
@@ -81,7 +90,7 @@ static int __init efi_get_fdt_prop(const void *fdt, int node, const char *pname,
return 0;
}
-u64 __init efi_get_fdt_params(struct efi_memory_map_data *mm)
+u64 __init efi_get_fdt_params(struct efi_memory_map_data *mm, u32 *secure_boot)
{
const void *fdt = initial_boot_params;
unsigned long systab;
@@ -95,6 +104,7 @@ u64 __init efi_get_fdt_params(struct efi_memory_map_data *mm)
[MMSIZE] = { &mm->size, sizeof(mm->size) },
[DCSIZE] = { &mm->desc_size, sizeof(mm->desc_size) },
[DCVERS] = { &mm->desc_version, sizeof(mm->desc_version) },
+ [SBMODE] = { secure_boot, sizeof(*secure_boot) },
};
BUILD_BUG_ON(ARRAY_SIZE(target) != ARRAY_SIZE(name));
diff --git a/drivers/firmware/efi/libstub/fdt.c b/drivers/firmware/efi/libstub/fdt.c
index 23b3543d30..d4fea86bd3 100644
--- a/drivers/firmware/efi/libstub/fdt.c
+++ b/drivers/firmware/efi/libstub/fdt.c
@@ -132,6 +132,12 @@ static efi_status_t update_fdt(void *orig_fdt, unsigned long orig_fdt_size,
}
}
+ fdt_val32 = cpu_to_fdt32(efi_get_secureboot());
+ status = fdt_setprop(fdt, node, "linux,uefi-secure-boot",
+ &fdt_val32, sizeof(fdt_val32));
+ if (status)
+ goto fdt_set_fail;
+
/* Shrink the FDT back to its minimum size: */
fdt_pack(fdt);
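Review bot: efi_get_secureboot() is called a second time here; the stub entry path already evaluates it once (the `dtb=` handling depends on it), and the libstub helper re-queries the firmware variables and prints its "UEFI Secure Boot is enabled." line again on each call. Thread the value the stub already computed into update_fdt() instead of re-deriving it, so the FDT property and the stub's own decisions are guaranteed to agree and the log line is not duplicated.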
diff --git a/include/linux/efi.h b/include/linux/efi.h
index 7eed6dcb70..9d2d81313a 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -758,7 +758,8 @@ extern int efi_mem_desc_lookup(u64 phys_addr, efi_memory_desc_t *out_md);
extern int __efi_mem_desc_lookup(u64 phys_addr, efi_memory_desc_t *out_md);
extern void efi_mem_reserve(phys_addr_t addr, u64 size);
extern int efi_mem_reserve_persistent(phys_addr_t addr, u64 size);
-extern u64 efi_get_fdt_params(struct efi_memory_map_data *data);
+extern u64 efi_get_fdt_params(struct efi_memory_map_data *data,
+ u32 *secure_boot);
extern struct kobject *efi_kobj;
extern int efi_reboot_quirk_mode;
--
2.50.1
* [d-kernel] [PATCH v2 6/6] config: Enable LOCK_DOWN_IN_EFI_SECURE_BOOT
From: Egor Ignatov @ 2026-05-27 8:25 UTC (permalink / raw)
To: devel-kernel
Enable automatic kernel lockdown when booted in UEFI Secure Boot mode.
This is required by the shim-review process, which asks how the signed
kernel enforces lockdown under Secure Boot and will not sign the shim
otherwise.
Link: https://github.com/rhboot/shim-review#how-does-your-signed-kernel-enforce-lockdown-when-your-system-runs-with-secure-boot-enabled
Signed-off-by: Egor Ignatov <egori@altlinux.org>
---
config | 1 +
1 file changed, 1 insertion(+)
diff --git a/config b/config
index 9aaf07ae98..596785caa3 100644
--- a/config
+++ b/config
@@ -10132,6 +10132,7 @@ CONFIG_SECURITY_YAMA=y
CONFIG_SECURITY_SAFESETID=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
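Review bot: keeping CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y is correct (a kernel booted without Secure Boot stays unlocked), but the commit message should tell package testers how to verify the result: on a Secure Boot machine /sys/kernel/security/lockdown must read `none [integrity] confidentiality` after boot and dmesg must contain the "Kernel is locked down from EFI Secure Boot mode" line, while a boot with Secure Boot disabled must show `[none]`. That same evidence is the answer to the shim-review question linked above.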
--
2.50.1
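The behaviour patches 4/6 and 6/6 establish (Secure Boot enabled, therefore lockdown at least in integrity mode) can be verified from userspace once the kernel is installed. The program below is an added example and is not code from the patch series or the ALT Linux kernel tree. It assumes three standard Linux interfaces: efivarfs exposes each UEFI variable as a file whose first four bytes are the attribute word followed by the data; the UEFI SecureBoot and SetupMode variables are one data byte each, and the kernel's own rule (efi_get_secureboot_mode()) is that SecureBoot == 0 or SetupMode == 1 means disabled; and /sys/kernel/security/lockdown lists the levels with the active one in brackets. The parsing functions apply that logic to raw bytes so they can also be exercised on the constructed sample in main() when no EFI machine is at hand; the file paths, the SB_/LD_ enumerators and the function names are this example's own.

```c
/*
 * sb_lockdown_check.c - added example (not from the patch series): verify that
 * a machine booted with UEFI Secure Boot enabled runs a kernel in lockdown
 * "integrity" or stricter, as CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT intends.
 * Assumed interfaces: efivarfs files carry a 4-byte attribute word before the
 * variable data; SecureBoot/SetupMode are one data byte each;
 * /sys/kernel/security/lockdown reads "none [integrity] confidentiality".
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EFIVARS_DIR   "/sys/firmware/efi/efivars/"
#define GLOBAL_GUID   "8be4df61-93ca-11d2-aa0d-00e098032b8c" /* EFI_GLOBAL_VARIABLE */
#define LOCKDOWN_PATH "/sys/kernel/security/lockdown"

enum sb_mode  { SB_UNKNOWN, SB_DISABLED, SB_ENABLED };
enum ld_level { LD_UNKNOWN, LD_NONE, LD_INTEGRITY, LD_CONFIDENTIALITY };

/* First data byte of an efivarfs blob (after the 4 attribute bytes), -1 if short. */
static int efivar_u8(const uint8_t *blob, size_t len)
{
	return len >= 5 ? blob[4] : -1;
}

/* The kernel's efi_get_secureboot_mode() rule: no SecureBoot variable -> disabled,
 * truncated variable -> unknown, SecureBoot == 0 or SetupMode == 1 -> disabled. */
enum sb_mode secure_boot_mode(const uint8_t *sb, size_t sb_len,
			      const uint8_t *setup, size_t setup_len)
{
	int secboot, setupmode;

	if (!sb)
		return SB_DISABLED;
	secboot = efivar_u8(sb, sb_len);
	if (secboot < 0)
		return SB_UNKNOWN;
	setupmode = setup ? efivar_u8(setup, setup_len) : 0;
	return (secboot == 0 || setupmode == 1) ? SB_DISABLED : SB_ENABLED;
}

/* The active level is the bracketed word in the lockdown securityfs file. */
enum ld_level lockdown_level(const char *text)
{
	if (strstr(text, "[none]"))
		return LD_NONE;
	if (strstr(text, "[integrity]"))
		return LD_INTEGRITY;
	if (strstr(text, "[confidentiality]"))
		return LD_CONFIDENTIALITY;
	return LD_UNKNOWN;
}

/* The invariant the series establishes: Secure Boot on => at least integrity. */
int state_is_consistent(enum sb_mode sb, enum ld_level ld)
{
	if (sb != SB_ENABLED)
		return 1;	/* nothing is promised without Secure Boot */
	return ld == LD_INTEGRITY || ld == LD_CONFIDENTIALITY;
}

static size_t read_file(const char *path, void *buf, size_t cap)
{
	FILE *f = fopen(path, "rb");
	size_t n = f ? fread(buf, 1, cap, f) : 0;

	if (f)
		fclose(f);
	return n;
}

int main(void)
{
	/* Constructed sample: attributes BS|RT (0x06) followed by SecureBoot=1. */
	static const uint8_t sample_sb[] = { 0x06, 0, 0, 0, 0x01 };
	uint8_t sb[8], setup[8];
	char ld[64];
	size_t sb_len, setup_len, ld_len;
	enum sb_mode mode;
	enum ld_level level;

	sb_len = read_file(EFIVARS_DIR "SecureBoot-" GLOBAL_GUID, sb, sizeof(sb));
	setup_len = read_file(EFIVARS_DIR "SetupMode-" GLOBAL_GUID, setup, sizeof(setup));
	ld_len = read_file(LOCKDOWN_PATH, ld, sizeof(ld) - 1);
	ld[ld_len] = '\0';
	if (ld_len) {
		mode = secure_boot_mode(sb_len ? sb : NULL, sb_len,
					setup_len ? setup : NULL, setup_len);
		level = lockdown_level(ld);
	} else {	/* no lockdown LSM here (or not Linux): use the sample */
		mode = secure_boot_mode(sample_sb, sizeof(sample_sb), NULL, 0);
		level = lockdown_level("none [integrity] confidentiality\n");
	}
	printf("secure boot mode %d, lockdown level %d: policy %s\n", mode, level,
	       state_is_consistent(mode, level) ? "satisfied" : "VIOLATED");
	return state_is_consistent(mode, level) ? 0 : 1;
}
```

Build with `cc -Wall -o sb_lockdown_check sb_lockdown_check.c` and run it as root on the target (efivarfs files are root-readable). A non-zero exit means Secure Boot is on but the kernel is not locked down, which is exactly the state this series is meant to rule out; a firmware-missing SecureBoot variable is treated as "disabled", matching the kernel, so the check passes on legacy-BIOS boots without reporting a violation.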
ALT Linux kernel packages development