From: Egor Ignatov <egori@altlinux.org>
To: devel-kernel@lists.altlinux.org
Subject: [d-kernel] [PATCH v2 4/6] efi: Lock down the kernel if booted in secure boot mode
Date: Wed, 27 May 2026 11:25:37 +0300
Message-ID: <20260527082539.2000966-5-egori@altlinux.org> (raw)
In-Reply-To: <20260527082539.2000966-1-egori@altlinux.org>
From: David Howells <dhowells@redhat.com>
UEFI Secure Boot provides a mechanism for ensuring that the firmware
will only load signed bootloaders and kernels. Certain use cases may
also require that all kernel modules also be signed. Add a
configuration option that to lock down the kernel - which includes
requiring validly signed modules - if the kernel is secure-booted.
Signed-off-by: David Howells <dhowells@redhat.com>
[egori: updated the original patch with changes from the Debian patch
efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch]
Signed-off-by: Egor Ignatov <egori@altlinux.org>
---
arch/x86/kernel/setup.c | 4 ++--
drivers/firmware/efi/secureboot.c | 3 +++
security/lockdown/Kconfig | 15 +++++++++++++++
3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index e4f8b4f6aa..1f9e3a09ae 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -995,6 +995,8 @@ void __init setup_arch(char **cmdline_p)
if (efi_enabled(EFI_BOOT))
efi_init();
+ efi_set_secure_boot(boot_params.secure_boot);
+
reserve_ibft_region();
x86_init.resources.dmi_setup();
@@ -1156,8 +1158,6 @@ void __init setup_arch(char **cmdline_p)
/* Allocate bigger log buffer */
setup_log_buf(1);
- efi_set_secure_boot(boot_params.secure_boot);
-
reserve_initrd();
acpi_table_upgrade();
diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c
index 5cdeb3b6e7..673e2d1b6c 100644
--- a/drivers/firmware/efi/secureboot.c
+++ b/drivers/firmware/efi/secureboot.c
@@ -29,6 +29,9 @@ void __init efi_set_secure_boot(enum efi_secureboot_mode mode)
case efi_secureboot_mode_enabled:
set_bit(EFI_SECURE_BOOT, &efi.flags);
pr_info("Secure boot enabled\n");
+ if (IS_ENABLED(CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT))
+ security_lock_kernel_down("EFI Secure Boot mode",
+ LOCKDOWN_INTEGRITY_MAX);
break;
default:
pr_warn("Secure boot could not be determined (mode %u)\n",
diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
index e84ddf4840..f789e07849 100644
--- a/security/lockdown/Kconfig
+++ b/security/lockdown/Kconfig
@@ -16,6 +16,21 @@ config SECURITY_LOCKDOWN_LSM_EARLY
subsystem is fully initialised. If enabled, lockdown will
unconditionally be called before any other LSMs.
+config LOCK_DOWN_IN_EFI_SECURE_BOOT
+ bool "Lock down the kernel in EFI Secure Boot mode"
+ default n
+ depends on SECURITY_LOCKDOWN_LSM
+ depends on EFI
+ select SECURITY_LOCKDOWN_LSM_EARLY
+ help
+ UEFI Secure Boot provides a mechanism for ensuring that the firmware
+ will only load signed bootloaders and kernels. Secure boot mode may
+ be determined from EFI variables provided by the system firmware if
+ not indicated by the boot parameters.
+
+ Enabling this option results in kernel lockdown being
+ triggered in integrity mode if EFI Secure Boot is set.
+
choice
prompt "Kernel default lockdown mode"
default LOCK_DOWN_KERNEL_FORCE_NONE
--
2.50.1
next prev parent reply other threads:[~2026-05-27 8:25 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-27 8:25 [d-kernel] [PATCH v2 0/6] Lock down the kernel if booted in Secure Boot mode Egor Ignatov
2026-05-27 8:25 ` [d-kernel] [PATCH v2 1/6] mtd: slram: Add the kernel lock down check Egor Ignatov
2026-05-27 8:25 ` [d-kernel] [PATCH v2 2/6] security: lockdown: expose security_lock_kernel_down function Egor Ignatov
2026-05-27 8:25 ` [d-kernel] [PATCH v2 3/6] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode Egor Ignatov
2026-05-27 8:25 ` Egor Ignatov [this message]
2026-05-27 8:25 ` [d-kernel] [PATCH v2 5/6] efi: determine and pass Secure Boot state via FDT Egor Ignatov
2026-05-27 8:25 ` [d-kernel] [PATCH v2 6/6] config: Enable LOCK_DOWN_IN_EFI_SECURE_BOOT Egor Ignatov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260527082539.2000966-5-egori@altlinux.org \
--to=egori@altlinux.org \
--cc=devel-kernel@lists.altlinux.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
ALT Linux kernel packages development
This inbox may be cloned and mirrored by anyone:
git clone --mirror http://lore.altlinux.org/devel-kernel/0 devel-kernel/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 devel-kernel devel-kernel/ http://lore.altlinux.org/devel-kernel \
devel-kernel@altlinux.org devel-kernel@altlinux.ru devel-kernel@altlinux.com
public-inbox-index devel-kernel
Example config snippet for mirrors.
Newsgroup available over NNTP:
nntp://lore.altlinux.org/org.altlinux.lists.devel-kernel
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git