* [d-kernel] [PATCH 1/6] mtd: phram, slram: Disable when the kernel is locked down
2026-05-06 17:37 [d-kernel] [PATCH 0/6] [7.0, 7.1] Lock down the kernel if booted in Secure Boot mode Egor Ignatov
From: Egor Ignatov @ 2026-05-06 17:37 UTC (permalink / raw)
To: devel-kernel
From: Ben Hutchings <ben@decadent.org.uk>
These drivers allow mapping arbitrary memory ranges as MTD devices.
This should be disabled to preserve the kernel's integrity when it is
locked down.
* Add the HWPARAM flag to the module parameters
* When slram is built-in, it uses __setup() to read kernel parameters,
so add an explicit security_locked_down() check
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Matthew Garrett <mjg59@google.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Joern Engel <joern@lazybastard.org>
Cc: linux-mtd@lists.infradead.org
[egori: imported from Debian linux package, patch
lockdown/mtd-disable-slram-and-phram-when-locked-down.patch]
Signed-off-by: Egor Ignatov <egori@altlinux.org>
---
drivers/mtd/devices/phram.c | 6 +++++-
drivers/mtd/devices/slram.c | 9 ++++++++-
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/drivers/mtd/devices/phram.c b/drivers/mtd/devices/phram.c
index b42cadcd76..42ccabf24d 100644
--- a/drivers/mtd/devices/phram.c
+++ b/drivers/mtd/devices/phram.c
@@ -365,7 +365,11 @@ static int phram_param_call(const char *val, const struct kernel_param *kp)
#endif
}
-module_param_call(phram, phram_param_call, NULL, NULL, 0200);
+static const struct kernel_param_ops phram_param_ops = {
+ .set = phram_param_call
+};
+__module_param_call(MODULE_PARAM_PREFIX, phram, &phram_param_ops, NULL,
+ 0200, -1, KERNEL_PARAM_FL_HWPARAM | hwparam_iomem);
MODULE_PARM_DESC(phram, "Memory region to map. \"phram=<name>,<start>,<length>[,<erasesize>]\"");
#ifdef CONFIG_OF
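Review bot: the flags argument on the `__module_param_call()` line, `KERNEL_PARAM_FL_HWPARAM | hwparam_iomem`, ORs an `enum hwparam_type` value into the kernel_param flags word, but that value is a type tag rather than a flag bit, so unrelated flag bits can end up set on the `phram` parameter. The in-tree `module_param_hw_*` helpers carry the hardware type for documentation only, as `KERNEL_PARAM_FL_HWPARAM | (hwparam_iomem & 0)`; use that form here, with the parentheses, since `&` binds tighter than `|` and the intent is easy to misread without them.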
diff --git a/drivers/mtd/devices/slram.c b/drivers/mtd/devices/slram.c
index 69cb63d99f..1330b47af0 100644
--- a/drivers/mtd/devices/slram.c
+++ b/drivers/mtd/devices/slram.c
@@ -43,6 +43,7 @@
#include <linux/ioctl.h>
#include <linux/init.h>
#include <linux/io.h>
+#include <linux/security.h>
#include <linux/mtd/mtd.h>
@@ -65,7 +66,7 @@ typedef struct slram_mtd_list {
#ifdef MODULE
static char *map[SLRAM_MAX_DEVICES_PARAMS];
-module_param_array(map, charp, NULL, 0);
+module_param_hw_array(map, charp, iomem, NULL, 0);
MODULE_PARM_DESC(map, "List of memory regions to map. \"map=<name>, <start>, <length / end>\"");
#else
static char *map;
@@ -281,11 +282,17 @@ static int __init init_slram(void)
#ifndef MODULE
char *devstart;
char *devlength;
+ int ret;
if (!map) {
E("slram: not enough parameters.\n");
return(-EINVAL);
}
+
+ ret = security_locked_down(LOCKDOWN_MODULE_PARAMETERS);
+ if (ret)
+ return ret;
+
while (map) {
devname = devstart = devlength = NULL;
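Review bot: the lockdown reason passed to `security_locked_down()` should be chosen deliberately and stated in the commit message: `LOCKDOWN_MODULE_PARAMETERS` mirrors what the module build now gets through `module_param_hw_array()`, while the upstream phram lockdown change mentioned in the review for this patch uses `LOCKDOWN_DEV_MEM`; whichever is picked, the built-in and module paths of the same driver should agree. Placing the check after the `if (!map)` early return is the right order, since a locked-down kernel booted without the parameter should still report `-EINVAL`. The new failure path returns silently, unlike the `E("slram: not enough parameters.\n")` case just above it; a one-line message would tell an operator why slram did not come up under lockdown.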
--
2.50.1
* Re: [d-kernel] [PATCH 1/6] mtd: phram, slram: Disable when the kernel is locked down
From: Vitaly Chikunov @ 2026-05-08 23:43 UTC (permalink / raw)
To: ALT Linux kernel packages development
On Wed, May 06, 2026 at 08:37:17PM +0300, Egor Ignatov wrote:
> From: Ben Hutchings <ben@decadent.org.uk>
>
> These drivers allow mapping arbitrary memory ranges as MTD devices.
> This should be disabled to preserve the kernel's integrity when it is
> locked down.
>
> * Add the HWPARAM flag to the module parameters
> * When slram is built-in, it uses __setup() to read kernel parameters,
> so add an explicit security_locked_down() check
>
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> Cc: Matthew Garrett <mjg59@google.com>
> Cc: David Howells <dhowells@redhat.com>
> Cc: Joern Engel <joern@lazybastard.org>
> Cc: linux-mtd@lists.infradead.org
> [egori: imported from Debian linux package, patch
> lockdown/mtd-disable-slram-and-phram-when-locked-down.patch]
> Signed-off-by: Egor Ignatov <egori@altlinux.org>
This patch was sent upstream, reviewed and ACKed, but in the end it was never accepted,
for an unstated reason.
https://lore.kernel.org/all/20190830154720.eekfjt6c4jzvlbfz@decadent.org.uk/
> ---
> drivers/mtd/devices/phram.c | 6 +++++-
> drivers/mtd/devices/slram.c | 9 ++++++++-
> 2 files changed, 13 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/mtd/devices/phram.c b/drivers/mtd/devices/phram.c
> index b42cadcd76..42ccabf24d 100644
> --- a/drivers/mtd/devices/phram.c
> +++ b/drivers/mtd/devices/phram.c
> @@ -365,7 +365,11 @@ static int phram_param_call(const char *val, const struct kernel_param *kp)
> #endif
> }
>
> -module_param_call(phram, phram_param_call, NULL, NULL, 0200);
> +static const struct kernel_param_ops phram_param_ops = {
> + .set = phram_param_call
> +};
> +__module_param_call(MODULE_PARAM_PREFIX, phram, &phram_param_ops, NULL,
> + 0200, -1, KERNEL_PARAM_FL_HWPARAM | hwparam_iomem);
1. There is a mistake here: it should be `| hwparam_iomem & 0`, since this attribute
is documentary only, and without `& 0` it wrongly starts setting an extra
flag (KERNEL_PARAM_FL_UNSAFE).
2. Fedora does not have this patch.
3. SUSE does not have this patch.
4. Upstream has commit b3c782868eceb ("mtd: phram: Add the kernel
lock down check"), which makes the changes in phram.c unnecessary. It does not
touch slram.c, though, but maybe that is not needed either.
So this patch is half junk.
5. In Fedora these modules are not built
redhat/kernel-ark | redhat/configs/common/generic/CONFIG_MTD_PHRAM:# CONFIG_MTD_PHRAM is not set
redhat/kernel-ark | redhat/configs/common/generic/CONFIG_MTD_SLRAM:# CONFIG_MTD_SLRAM is not set
Perhaps that is why this patch is not in Fedora either.
Only the part of the patch relating to slram.c:init_slram is needed.
> MODULE_PARM_DESC(phram, "Memory region to map. \"phram=<name>,<start>,<length>[,<erasesize>]\"");
>
> #ifdef CONFIG_OF
> diff --git a/drivers/mtd/devices/slram.c b/drivers/mtd/devices/slram.c
> index 69cb63d99f..1330b47af0 100644
> --- a/drivers/mtd/devices/slram.c
> +++ b/drivers/mtd/devices/slram.c
> @@ -43,6 +43,7 @@
> #include <linux/ioctl.h>
> #include <linux/init.h>
> #include <linux/io.h>
> +#include <linux/security.h>
>
> #include <linux/mtd/mtd.h>
>
> @@ -65,7 +66,7 @@ typedef struct slram_mtd_list {
> #ifdef MODULE
> static char *map[SLRAM_MAX_DEVICES_PARAMS];
>
> -module_param_array(map, charp, NULL, 0);
> +module_param_hw_array(map, charp, iomem, NULL, 0);
> MODULE_PARM_DESC(map, "List of memory regions to map. \"map=<name>, <start>, <length / end>\"");
> #else
> static char *map;
> @@ -281,11 +282,17 @@ static int __init init_slram(void)
> #ifndef MODULE
> char *devstart;
> char *devlength;
> + int ret;
>
> if (!map) {
> E("slram: not enough parameters.\n");
> return(-EINVAL);
> }
> +
> + ret = security_locked_down(LOCKDOWN_MODULE_PARAMETERS);
It should be LOCKDOWN_DEV_MEM, by analogy with b3c782868eceb.
> + if (ret)
> + return ret;
> +
> while (map) {
> devname = devstart = devlength = NULL;
>
> --
> 2.50.1
>
* [d-kernel] [PATCH 2/6] security: lockdown: expose security_lock_kernel_down function
From: Egor Ignatov @ 2026-05-06 17:37 UTC (permalink / raw)
To: devel-kernel
From: Jeremy Cline <jcline@redhat.com>
In order to automatically lock down kernels running on UEFI machines
booted in Secure Boot mode, expose the security_lock_kernel_down() function.
Based on Fedora patches:
- security: lockdown: expose a hook to lock the kernel down
- efi,lockdown: fix kernel lockdown on Secure Boot
Signed-off-by: Jeremy Cline <jcline@redhat.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Egor Ignatov <egori@altlinux.org>
---
include/linux/security.h | 9 +++++++++
security/lockdown/lockdown.c | 11 +++++++++++
2 files changed, 20 insertions(+)
diff --git a/include/linux/security.h b/include/linux/security.h
index ee88dd2d2d..5c816f0b8b 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -2405,4 +2405,13 @@ static inline void security_initramfs_populated(void)
}
#endif /* CONFIG_SECURITY */
+#ifdef CONFIG_SECURITY_LOCKDOWN_LSM
+extern int security_lock_kernel_down(const char *where, enum lockdown_reason level);
+#else
+static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level)
+{
+ return 0;
+}
+#endif /* CONFIG_SECURITY_LOCKDOWN_LSM */
+
#endif /* ! __LINUX_SECURITY_H */
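Review bot: the `!CONFIG_SECURITY_LOCKDOWN_LSM` stub returns 0, so a caller asking for lockdown receives a success code even though nothing was locked down. That is harmless for the EFI user later in this series, whose Kconfig option depends on `SECURITY_LOCKDOWN_LSM`, but a short comment on the stub saying that success-without-lockdown is intentional would stop a future caller from relying on the return value as proof that the kernel is locked down.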
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 8d46886d2c..14a9cdff94 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -72,6 +72,17 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
return 0;
}
+/**
+ * security_lock_kernel_down() - Put the kernel into lock-down mode.
+ *
+ * @where: Where the lock-down is originating from (e.g. command line option)
+ * @level: The lock-down level (can only increase)
+ */
+int security_lock_kernel_down(const char *where, enum lockdown_reason level)
+{
+ return lock_kernel_down(where, level);
+}
+
static struct security_hook_list lockdown_hooks[] __ro_after_init = {
LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
};
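Review bot: the kernel-doc block for `security_lock_kernel_down()` documents `@where` and `@level` but not the return value, which is simply whatever `lock_kernel_down()` returns; add a `Return:` line so callers know whether they need to check it (the EFI caller added in patch 4/6 discards it). Not adding an `EXPORT_SYMBOL` is the right call, since only built-in early-boot code should be able to raise the lockdown level; a one-line comment stating that would discourage someone from exporting it later.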
--
2.50.1
* Re: [d-kernel] [PATCH 2/6] security: lockdown: expose security_lock_kernel_down function
From: Vitaly Chikunov @ 2026-05-09 0:20 UTC (permalink / raw)
To: ALT Linux kernel packages development
On Wed, May 06, 2026 at 08:37:18PM +0300, Egor Ignatov wrote:
> From: Jeremy Cline <jcline@redhat.com>
>
> In order to automatically lock down kernels running on UEFI machines
> booted in Secure Boot mode, expose the security_lock_kernel_down() function.
>
> Based on Fedora patches:
> - security: lockdown: expose a hook to lock the kernel down
> - efi,lockdown: fix kernel lockdown on Secure Boot
But the author of the second patch is Ondrej Mosnacek, and we are more likely taking his
changes rather than those from the first patch.
Besides, the `Signed-off-by` tag does not indicate authorship.
Maybe it is better to put yourself in From, but add:
Based-on-a-patch-by: Jeremy Cline <jcline@redhat.com>
Based-on-a-patch-by: Ondrej Mosnacek <omosnace@redhat.com>
That does exist in the kernel, though rarely.
>
> Signed-off-by: Jeremy Cline <jcline@redhat.com>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> Signed-off-by: Egor Ignatov <egori@altlinux.org>
> ---
> include/linux/security.h | 9 +++++++++
> security/lockdown/lockdown.c | 11 +++++++++++
> 2 files changed, 20 insertions(+)
>
> diff --git a/include/linux/security.h b/include/linux/security.h
> index ee88dd2d2d..5c816f0b8b 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -2405,4 +2405,13 @@ static inline void security_initramfs_populated(void)
> }
> #endif /* CONFIG_SECURITY */
>
> +#ifdef CONFIG_SECURITY_LOCKDOWN_LSM
> +extern int security_lock_kernel_down(const char *where, enum lockdown_reason level);
> +#else
> +static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level)
> +{
> + return 0;
> +}
> +#endif /* CONFIG_SECURITY_LOCKDOWN_LSM */
> +
> #endif /* ! __LINUX_SECURITY_H */
> diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
> index 8d46886d2c..14a9cdff94 100644
> --- a/security/lockdown/lockdown.c
> +++ b/security/lockdown/lockdown.c
> @@ -72,6 +72,17 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
> return 0;
> }
>
> +/**
> + * security_lock_kernel_down() - Put the kernel into lock-down mode.
> + *
> + * @where: Where the lock-down is originating from (e.g. command line option)
> + * @level: The lock-down level (can only increase)
> + */
> +int security_lock_kernel_down(const char *where, enum lockdown_reason level)
> +{
> + return lock_kernel_down(where, level);
> +}
> +
> static struct security_hook_list lockdown_hooks[] __ro_after_init = {
> LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
> };
> --
> 2.50.1
>
* [d-kernel] [PATCH 3/6] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode
From: Egor Ignatov @ 2026-05-06 17:37 UTC (permalink / raw)
To: devel-kernel
From: David Howells <dhowells@redhat.com>
UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT
flag that can be passed to efi_enabled() to find out whether secure boot is
enabled.
Move the switch-statement in x86's setup_arch() that interprets the
secure_boot boot parameter to generic code and set the bit there.
Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
cc: linux-efi@vger.kernel.org
[egori: imported from Fedora]
Signed-off-by: Egor Ignatov <egori@altlinux.org>
---
arch/x86/kernel/setup.c | 14 +----------
drivers/firmware/efi/Makefile | 1 +
drivers/firmware/efi/secureboot.c | 39 +++++++++++++++++++++++++++++++
include/linux/efi.h | 19 +++++++++------
4 files changed, 53 insertions(+), 20 deletions(-)
create mode 100644 drivers/firmware/efi/secureboot.c
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index eebcc9db1a..b67b87af6f 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1156,19 +1156,7 @@ void __init setup_arch(char **cmdline_p)
/* Allocate bigger log buffer */
setup_log_buf(1);
- if (efi_enabled(EFI_BOOT)) {
- switch (boot_params.secure_boot) {
- case efi_secureboot_mode_disabled:
- pr_info("Secure boot disabled\n");
- break;
- case efi_secureboot_mode_enabled:
- pr_info("Secure boot enabled\n");
- break;
- default:
- pr_info("Secure boot could not be determined\n");
- break;
- }
- }
+ efi_set_secure_boot(boot_params.secure_boot);
reserve_initrd();
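Review bot: the commit message presents this as a pure move, but the replaced block used `pr_info` for all three outcomes, whereas the helper it now calls (`efi_set_secure_boot()` in secureboot.c below) switches the undetermined case to `pr_warn` and appends the raw mode value; that is a visible behaviour change on x86 and deserves a sentence. The call also still sits after `setup_log_buf()`, well after `efi_init()`, so nothing that runs in between can observe `EFI_SECURE_BOOT` in `efi.flags`; if that ordering is intentional for now, say so, since patch 4/6 moves it.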
diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile
index 8efbcf699e..96d5a1ca98 100644
--- a/drivers/firmware/efi/Makefile
+++ b/drivers/firmware/efi/Makefile
@@ -25,6 +25,7 @@ subdir-$(CONFIG_EFI_STUB) += libstub
obj-$(CONFIG_EFI_BOOTLOADER_CONTROL) += efibc.o
obj-$(CONFIG_EFI_TEST) += test/
obj-$(CONFIG_EFI_DEV_PATH_PARSER) += dev-path-parser.o
+obj-$(CONFIG_EFI) += secureboot.o
obj-$(CONFIG_APPLE_PROPERTIES) += apple-properties.o
obj-$(CONFIG_EFI_RCI2_TABLE) += rci2-table.o
obj-$(CONFIG_EFI_EMBEDDED_FIRMWARE) += embedded-firmware.o
diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c
new file mode 100644
index 0000000000..5cdeb3b6e7
--- /dev/null
+++ b/drivers/firmware/efi/secureboot.c
@@ -0,0 +1,39 @@
+/* Core kernel secure boot support.
+ *
+ * Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <linux/efi.h>
+#include <linux/kernel.h>
+#include <linux/printk.h>
+#include <linux/security.h>
+
+/*
+ * Decide what to do when UEFI secure boot mode is enabled.
+ */
+void __init efi_set_secure_boot(enum efi_secureboot_mode mode)
+{
+ if (efi_enabled(EFI_BOOT)) {
+ switch (mode) {
+ case efi_secureboot_mode_disabled:
+ pr_info("Secure boot disabled\n");
+ break;
+ case efi_secureboot_mode_enabled:
+ set_bit(EFI_SECURE_BOOT, &efi.flags);
+ pr_info("Secure boot enabled\n");
+ break;
+ default:
+ pr_warn("Secure boot could not be determined (mode %u)\n",
+ mode);
+ break;
+ }
+ }
+}
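Review bot: the new file opens with a free-form GPL boilerplate comment rather than an `SPDX-License-Identifier:` line as its first line, which checkpatch warns about on new files; please add the SPDX tag. `#include <linux/security.h>` is not used by anything in this file at this point in the series (the lockdown call only arrives in 4/6), so it belongs in that patch. In the `switch`, `efi_secureboot_mode_unset` (value 0, the first enumerator) falls into the `default` branch together with `unknown`, so a platform that never fills in the mode gets a warning with "(mode 0)"; handling `unset` quietly, or at least distinctly, would avoid a misleading message.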
diff --git a/include/linux/efi.h b/include/linux/efi.h
index 664898d09f..4419ae4eae 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -868,6 +868,14 @@ static inline int efi_range_is_wc(unsigned long start, unsigned long len)
#define EFI_MEM_ATTR 9 /* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */
#define EFI_MEM_NO_SOFT_RESERVE 10 /* Is the kernel configured to ignore soft reservations? */
#define EFI_PRESERVE_BS_REGIONS 11 /* Are EFI boot-services memory segments available? */
+#define EFI_SECURE_BOOT 12 /* Are we in Secure Boot mode? */
+
+enum efi_secureboot_mode {
+ efi_secureboot_mode_unset,
+ efi_secureboot_mode_unknown,
+ efi_secureboot_mode_disabled,
+ efi_secureboot_mode_enabled,
+};
#ifdef CONFIG_EFI
/*
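Review bot: moving `enum efi_secureboot_mode` above `#ifdef CONFIG_EFI` is what lets the `!CONFIG_EFI` stub prototype for `efi_set_secure_boot()` further down compile; say so in the commit message, because the matching deletion at the bottom of this file otherwise reads like an unrelated removal. `EFI_SECURE_BOOT` taking bit 12 follows the existing 9, 10, 11 sequence, which is fine.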
@@ -879,6 +887,8 @@ static inline bool efi_enabled(int feature)
}
extern void efi_reboot(enum reboot_mode reboot_mode, const char *__unused);
+extern void __init efi_set_secure_boot(enum efi_secureboot_mode mode);
+
bool __pure __efi_soft_reserve_enabled(void);
static inline bool __pure efi_soft_reserve_enabled(void)
@@ -900,6 +910,8 @@ static inline bool efi_enabled(int feature)
static inline void
efi_reboot(enum reboot_mode reboot_mode, const char *__unused) {}
+static inline void efi_set_secure_boot(enum efi_secureboot_mode mode) {}
+
static inline bool efi_soft_reserve_enabled(void)
{
return false;
@@ -1131,13 +1143,6 @@ extern unsigned long efi_call_virt_save_flags(void);
void efi_runtime_assert_lock_held(void);
-enum efi_secureboot_mode {
- efi_secureboot_mode_unset,
- efi_secureboot_mode_unknown,
- efi_secureboot_mode_disabled,
- efi_secureboot_mode_enabled,
-};
-
static inline
enum efi_secureboot_mode efi_get_secureboot_mode(efi_get_variable_t *get_var)
{
--
2.50.1
* [d-kernel] [PATCH 4/6] efi: Lock down the kernel if booted in secure boot mode
From: Egor Ignatov @ 2026-05-06 17:37 UTC (permalink / raw)
To: devel-kernel
From: David Howells <dhowells@redhat.com>
UEFI Secure Boot provides a mechanism for ensuring that the firmware
will only load signed bootloaders and kernels. Certain use cases may
also require that all kernel modules also be signed. Add a
configuration option to lock down the kernel - which includes
requiring validly signed modules - if the kernel is secure-booted.
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Jeremy Cline <jcline@redhat.com>
[egori: merged Fedora and Debian downstream patches]
Signed-off-by: Egor Ignatov <egori@altlinux.org>
---
arch/x86/kernel/setup.c | 4 ++--
drivers/firmware/efi/secureboot.c | 3 +++
security/lockdown/Kconfig | 15 +++++++++++++++
3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index b67b87af6f..7605f3372a 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -995,6 +995,8 @@ void __init setup_arch(char **cmdline_p)
if (efi_enabled(EFI_BOOT))
efi_init();
+ efi_set_secure_boot(boot_params.secure_boot);
+
reserve_ibft_region();
x86_init.resources.dmi_setup();
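Review bot: the commit message does not mention that this hunk moves `efi_set_secure_boot()` from after `setup_log_buf()` to directly after `efi_init()`. That move is the reason the Kconfig hunk has to `select SECURITY_LOCKDOWN_LSM_EARLY`, since the lockdown request now happens before the LSM framework has finished initialising; please state that dependency explicitly. The new call is unconditional while `efi_init()` is guarded by `efi_enabled(EFI_BOOT)`; that is fine because the helper checks `EFI_BOOT` itself, but a reader of this hunk alone cannot see that.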
@@ -1156,8 +1158,6 @@ void __init setup_arch(char **cmdline_p)
/* Allocate bigger log buffer */
setup_log_buf(1);
- efi_set_secure_boot(boot_params.secure_boot);
-
reserve_initrd();
acpi_table_upgrade();
diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c
index 5cdeb3b6e7..673e2d1b6c 100644
--- a/drivers/firmware/efi/secureboot.c
+++ b/drivers/firmware/efi/secureboot.c
@@ -29,6 +29,9 @@ void __init efi_set_secure_boot(enum efi_secureboot_mode mode)
case efi_secureboot_mode_enabled:
set_bit(EFI_SECURE_BOOT, &efi.flags);
pr_info("Secure boot enabled\n");
+ if (IS_ENABLED(CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT))
+ security_lock_kernel_down("EFI Secure Boot mode",
+ LOCKDOWN_INTEGRITY_MAX);
break;
default:
pr_warn("Secure boot could not be determined (mode %u)\n",
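Review bot: the return value of `security_lock_kernel_down()` is discarded. The function returns `int` (patch 2/6), so if it declines to change the level, for example because the command line already locked the kernel down at a higher level, this path stays silent; either check the result and log it, or leave a comment that ignoring it is intended. The call is compiled in only via `IS_ENABLED(CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT)`, which is the right pattern, but that is also why `linux/security.h` is needed here rather than in 3/6.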
diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
index e84ddf4840..f789e07849 100644
--- a/security/lockdown/Kconfig
+++ b/security/lockdown/Kconfig
@@ -16,6 +16,21 @@ config SECURITY_LOCKDOWN_LSM_EARLY
subsystem is fully initialised. If enabled, lockdown will
unconditionally be called before any other LSMs.
+config LOCK_DOWN_IN_EFI_SECURE_BOOT
+ bool "Lock down the kernel in EFI Secure Boot mode"
+ default n
+ depends on SECURITY_LOCKDOWN_LSM
+ depends on EFI
+ select SECURITY_LOCKDOWN_LSM_EARLY
+ help
+ UEFI Secure Boot provides a mechanism for ensuring that the firmware
+ will only load signed bootloaders and kernels. Secure boot mode may
+ be determined from EFI variables provided by the system firmware if
+ not indicated by the boot parameters.
+
+ Enabling this option results in kernel lockdown being
+ triggered in integrity mode if EFI Secure Boot is set.
+
choice
prompt "Kernel default lockdown mode"
default LOCK_DOWN_KERNEL_FORCE_NONE
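Review bot: `default n` is redundant for a `bool` option and is usually dropped. The help text says secure boot mode "may be determined from EFI variables provided by the system firmware if not indicated by the boot parameters", but nothing in this diff performs that fallback: the x86 path only passes `boot_params.secure_boot`. If the sentence refers to the EFI stub filling in `boot_params` before the kernel runs, say that; otherwise trim it so the help text does not promise behaviour the option does not provide.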
--
2.50.1
* Re: [d-kernel] [PATCH 4/6] efi: Lock down the kernel if booted in secure boot mode
From: Vitaly Chikunov @ 2026-05-09 0:24 UTC (permalink / raw)
To: ALT Linux kernel packages development
On Wed, May 06, 2026 at 08:37:20PM +0300, Egor Ignatov wrote:
> From: David Howells <dhowells@redhat.com>
>
> UEFI Secure Boot provides a mechanism for ensuring that the firmware
> will only load signed bootloaders and kernels. Certain use cases may
> also require that all kernel modules also be signed. Add a
> configuration option to lock down the kernel - which includes
> requiring validly signed modules - if the kernel is secure-booted.
>
> Signed-off-by: David Howells <dhowells@redhat.com>
> Signed-off-by: Jeremy Cline <jcline@redhat.com>
> [egori: merged Fedora and Debian downstream patches]
Suppose a merge conflict comes up: what has been merged here? And why, for that matter?
If the merge isn't important for some reason, it is better to leave the patches unmerged so
that later it is possible to tell what relates to what and to look at the upstream
version.
> Signed-off-by: Egor Ignatov <egori@altlinux.org>
> ---
> arch/x86/kernel/setup.c | 4 ++--
> drivers/firmware/efi/secureboot.c | 3 +++
> security/lockdown/Kconfig | 15 +++++++++++++++
> 3 files changed, 20 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
> index b67b87af6f..7605f3372a 100644
> --- a/arch/x86/kernel/setup.c
> +++ b/arch/x86/kernel/setup.c
> @@ -995,6 +995,8 @@ void __init setup_arch(char **cmdline_p)
> if (efi_enabled(EFI_BOOT))
> efi_init();
>
> + efi_set_secure_boot(boot_params.secure_boot);
> +
> reserve_ibft_region();
> x86_init.resources.dmi_setup();
>
> @@ -1156,8 +1158,6 @@ void __init setup_arch(char **cmdline_p)
> /* Allocate bigger log buffer */
> setup_log_buf(1);
>
> - efi_set_secure_boot(boot_params.secure_boot);
> -
> reserve_initrd();
>
> acpi_table_upgrade();
> diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c
> index 5cdeb3b6e7..673e2d1b6c 100644
> --- a/drivers/firmware/efi/secureboot.c
> +++ b/drivers/firmware/efi/secureboot.c
> @@ -29,6 +29,9 @@ void __init efi_set_secure_boot(enum efi_secureboot_mode mode)
> case efi_secureboot_mode_enabled:
> set_bit(EFI_SECURE_BOOT, &efi.flags);
> pr_info("Secure boot enabled\n");
> + if (IS_ENABLED(CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT))
> + security_lock_kernel_down("EFI Secure Boot mode",
> + LOCKDOWN_INTEGRITY_MAX);
> break;
> default:
> pr_warn("Secure boot could not be determined (mode %u)\n",
> diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
> index e84ddf4840..f789e07849 100644
> --- a/security/lockdown/Kconfig
> +++ b/security/lockdown/Kconfig
> @@ -16,6 +16,21 @@ config SECURITY_LOCKDOWN_LSM_EARLY
> subsystem is fully initialised. If enabled, lockdown will
> unconditionally be called before any other LSMs.
>
> +config LOCK_DOWN_IN_EFI_SECURE_BOOT
> + bool "Lock down the kernel in EFI Secure Boot mode"
> + default n
> + depends on SECURITY_LOCKDOWN_LSM
> + depends on EFI
> + select SECURITY_LOCKDOWN_LSM_EARLY
> + help
> + UEFI Secure Boot provides a mechanism for ensuring that the firmware
> + will only load signed bootloaders and kernels. Secure boot mode may
> + be determined from EFI variables provided by the system firmware if
> + not indicated by the boot parameters.
> +
> + Enabling this option results in kernel lockdown being
> + triggered in integrity mode if EFI Secure Boot is set.
> +
> choice
> prompt "Kernel default lockdown mode"
> default LOCK_DOWN_KERNEL_FORCE_NONE
> --
> 2.50.1
>
* [d-kernel] [PATCH 5/6] efi: determine and pass Secure Boot state via FDT
From: Egor Ignatov @ 2026-05-06 17:37 UTC (permalink / raw)
To: devel-kernel
From: Linn Crosetto <linn@hpe.com>
Determine the state of UEFI Secure Boot in the EFI stub on platforms
that use FDT-based EFI parameter passing (ARM, arm64, RISC-V), and
forward it to the kernel through a new "linux,uefi-secure-boot" FDT
property. The early init path then calls efi_set_secure_boot(), which
on kernels with CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT triggers kernel
lockdown — analogous to how x86 already does it via boot_params.
Based on the Debian patch
"arm64-add-kernel-config-option-to-lock-down-when-in-Secure-Boot-mode.patch"
by Linn Crosetto. The original subject incorrectly implied an arm64-only
change; the patch in fact only touches generic drivers/firmware/efi/ code
that is shared by all FDT-based EFI architectures (ARM, arm64, RISC-V).
Re-titled and re-described accordingly; the code is unchanged.
Original commit message:
arm64: add kernel config option to lock down when in Secure Boot mode
Add a kernel configuration option to lock down the kernel, to restrict
userspace's ability to modify the running kernel when UEFI Secure Boot
is enabled. Based on the x86 patch by Matthew Garrett.
Determine the state of Secure Boot in the EFI stub and pass this to the
kernel using the FDT.
Signed-off-by: Linn Crosetto <linn@hpe.com>
Signed-off-by: Linn Crosetto <linn@hpe.com>
[egori: re-titled and rewrote commit message; no code changes]
Signed-off-by: Egor Ignatov <egori@altlinux.org>
---
drivers/firmware/efi/efi-init.c | 5 ++++-
drivers/firmware/efi/fdtparams.c | 12 +++++++++++-
drivers/firmware/efi/libstub/fdt.c | 6 ++++++
include/linux/efi.h | 3 ++-
4 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/drivers/firmware/efi/efi-init.c b/drivers/firmware/efi/efi-init.c
index 6103b1a082..dea8d67c71 100644
--- a/drivers/firmware/efi/efi-init.c
+++ b/drivers/firmware/efi/efi-init.c
@@ -234,9 +234,10 @@ void __init efi_init(void)
{
struct efi_memory_map_data data;
u64 efi_system_table;
+ u32 secure_boot;
/* Grab UEFI information placed in FDT by stub */
- efi_system_table = efi_get_fdt_params(&data);
+ efi_system_table = efi_get_fdt_params(&data, &secure_boot);
if (!efi_system_table)
return;
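Review bot: `u32 secure_boot` is declared uninitialised and is only written when `efi_get_fdt_params()` succeeds; the early `return` on a zero system table makes that safe today, but initialising it to `efi_secureboot_mode_unknown` costs nothing and protects against a future partial fill. The variable is a `u32` while `efi_set_secure_boot()` takes `enum efi_secureboot_mode`; the implicit conversion is legal C, but an enum-typed local (or a cast at the call) would make the contract visible. Also worth confirming in the commit message: the property is added to the same required list as the memory-map parameters, so if a missing entry is treated the same way as a missing memory-map property, a DT produced by a stub or boot path that does not set `linux,uefi-secure-boot` would lose EFI support entirely rather than just defaulting to "unknown".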
@@ -258,6 +259,8 @@ void __init efi_init(void)
return;
}
+ efi_set_secure_boot(secure_boot);
+
reserve_regions();
/*
* For memblock manipulation, the cap should come after the memblock_add().
diff --git a/drivers/firmware/efi/fdtparams.c b/drivers/firmware/efi/fdtparams.c
index b815d2a754..6f05b73c14 100644
--- a/drivers/firmware/efi/fdtparams.c
+++ b/drivers/firmware/efi/fdtparams.c
@@ -16,6 +16,7 @@ enum {
MMSIZE,
DCSIZE,
DCVERS,
+ SBMODE,
PARAMCOUNT
};
@@ -26,6 +27,7 @@ static __initconst const char name[][22] = {
[MMSIZE] = "MemMap Size ",
[DCSIZE] = "MemMap Desc. Size ",
[DCVERS] = "MemMap Desc. Version ",
+ [SBMODE] = "Secure Boot Enabled ",
};
static __initconst const struct {
@@ -43,6 +45,7 @@ static __initconst const struct {
[MMSIZE] = "xen,uefi-mmap-size",
[DCSIZE] = "xen,uefi-mmap-desc-size",
[DCVERS] = "xen,uefi-mmap-desc-ver",
+ [SBMODE] = "",
}
}, {
#endif
@@ -53,6 +56,7 @@ static __initconst const struct {
[MMSIZE] = "linux,uefi-mmap-size",
[DCSIZE] = "linux,uefi-mmap-desc-size",
[DCVERS] = "linux,uefi-mmap-desc-ver",
+ [SBMODE] = "linux,uefi-secure-boot",
}
}
};
@@ -64,6 +68,11 @@ static int __init efi_get_fdt_prop(const void *fdt, int node, const char *pname,
int len;
u64 val;
+ if (!pname[0]) {
+ memset(var, 0, size);
+ return 0;
+ }
+
prop = fdt_getprop(fdt, node, pname, &len);
if (!prop)
return 1;
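Review bot: the empty-name early return zeroes the target, which is how the Xen table (whose `[SBMODE]` entry is `""`) gets handled, but on that path the mode becomes 0, i.e. `efi_secureboot_mode_unset`, and `efi_set_secure_boot()` from 3/6 sends that to its `default` branch, printing "Secure boot could not be determined (mode 0)" on every Xen dom0 boot. Either map the empty case to a value the helper treats quietly or teach the helper to stay silent for `unset`. The empty-name convention itself is non-obvious; a comment on the `if (!pname[0])` line explaining that an empty property name means "not provided on this boot path" would help the next reader.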
@@ -81,7 +90,7 @@ static int __init efi_get_fdt_prop(const void *fdt, int node, const char *pname,
return 0;
}
-u64 __init efi_get_fdt_params(struct efi_memory_map_data *mm)
+u64 __init efi_get_fdt_params(struct efi_memory_map_data *mm, u32 *secure_boot)
{
const void *fdt = initial_boot_params;
unsigned long systab;
@@ -95,6 +104,7 @@ u64 __init efi_get_fdt_params(struct efi_memory_map_data *mm)
[MMSIZE] = { &mm->size, sizeof(mm->size) },
[DCSIZE] = { &mm->desc_size, sizeof(mm->desc_size) },
[DCVERS] = { &mm->desc_version, sizeof(mm->desc_version) },
+ [SBMODE] = { secure_boot, sizeof(*secure_boot) },
};
BUILD_BUG_ON(ARRAY_SIZE(target) != ARRAY_SIZE(name));
diff --git a/drivers/firmware/efi/libstub/fdt.c b/drivers/firmware/efi/libstub/fdt.c
index 6a337f1f87..6c679da644 100644
--- a/drivers/firmware/efi/libstub/fdt.c
+++ b/drivers/firmware/efi/libstub/fdt.c
@@ -132,6 +132,12 @@ static efi_status_t update_fdt(void *orig_fdt, unsigned long orig_fdt_size,
}
}
+ fdt_val32 = cpu_to_fdt32(efi_get_secureboot());
+ status = fdt_setprop(fdt, node, "linux,uefi-secure-boot",
+ &fdt_val32, sizeof(fdt_val32));
+ if (status)
+ goto fdt_set_fail;
+
/* Shrink the FDT back to its minimum size: */
fdt_pack(fdt);
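Review bot: `fdt_val32 = cpu_to_fdt32(efi_get_secureboot());` stores the raw return value of efi_get_secureboot() in the property, so the cell carries a mode code rather than the boolean that the "Secure Boot Enabled" label in fdtparams.c suggests. State the encoding in a comment here (and wherever the property gets documented), because the kernel side passes the cell straight to efi_set_secure_boot() without interpretation. The error handling matches the surrounding fdt_setprop() calls (`if (status) goto fdt_set_fail;`), so that part is fine.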
diff --git a/include/linux/efi.h b/include/linux/efi.h
index 4419ae4eae..d3d4533468 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -758,7 +758,8 @@ extern int efi_mem_desc_lookup(u64 phys_addr, efi_memory_desc_t *out_md);
extern int __efi_mem_desc_lookup(u64 phys_addr, efi_memory_desc_t *out_md);
extern void efi_mem_reserve(phys_addr_t addr, u64 size);
extern int efi_mem_reserve_persistent(phys_addr_t addr, u64 size);
-extern u64 efi_get_fdt_params(struct efi_memory_map_data *data);
+extern u64 efi_get_fdt_params(struct efi_memory_map_data *data,
+ u32 *secure_boot);
extern struct kobject *efi_kobj;
extern int efi_reboot_quirk_mode;
--
2.50.1
* Re: [d-kernel] [PATCH 5/6] efi: determine and pass Secure Boot state via FDT
2026-05-06 17:37 ` [d-kernel] [PATCH 5/6] efi: determine and pass Secure Boot state via FDT Egor Ignatov
@ 2026-05-09 0:28 ` Vitaly Chikunov
0 siblings, 0 replies; 13+ messages in thread
From: Vitaly Chikunov @ 2026-05-09 0:28 UTC (permalink / raw)
To: ALT Linux kernel packages development
On Wed, May 06, 2026 at 08:37:21PM +0300, Egor Ignatov wrote:
> From: Linn Crosetto <linn@hpe.com>
>
> Determine the state of UEFI Secure Boot in the EFI stub on platforms
> that use FDT-based EFI parameter passing (ARM, arm64, RISC-V), and
As far as I know we don't have pesign for arm - so why do we need a patch for arm?
> forward it to the kernel through a new "linux,uefi-secure-boot" FDT
> property. The early init path then calls efi_set_secure_boot(), which
> on kernels with CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT triggers kernel
> lockdown — analogous to how x86 already does it via boot_params.
>
> Based on the Debian patch
> "arm64-add-kernel-config-option-to-lock-down-when-in-Secure-Boot-mode.patch"
> by Linn Crosetto. The original subject incorrectly implied an arm64-only
> change; the patch in fact only touches generic drivers/firmware/efi/ code
> that is shared by all FDT-based EFI architectures (ARM, arm64, RISC-V).
> Re-titled and re-described accordingly; the code is unchanged.
>
> Original commit message:
>
> arm64: add kernel config option to lock down when in Secure Boot mode
> Add a kernel configuration option to lock down the kernel, to restrict
> userspace's ability to modify the running kernel when UEFI Secure Boot
> is enabled. Based on the x86 patch by Matthew Garrett.
> Determine the state of Secure Boot in the EFI stub and pass this to the
> kernel using the FDT.
>
> Signed-off-by: Linn Crosetto <linn@hpe.com>
>
> Signed-off-by: Linn Crosetto <linn@hpe.com>
> [egori: re-titled and rewrote commit message; no code changes]
> Signed-off-by: Egor Ignatov <egori@altlinux.org>
SUSE and Fedora don't have this patch - why do we need it? Is it required for
shim?
> ---
> drivers/firmware/efi/efi-init.c | 5 ++++-
> drivers/firmware/efi/fdtparams.c | 12 +++++++++++-
> drivers/firmware/efi/libstub/fdt.c | 6 ++++++
> include/linux/efi.h | 3 ++-
> 4 files changed, 23 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/firmware/efi/efi-init.c b/drivers/firmware/efi/efi-init.c
> index 6103b1a082..dea8d67c71 100644
> --- a/drivers/firmware/efi/efi-init.c
> +++ b/drivers/firmware/efi/efi-init.c
> @@ -234,9 +234,10 @@ void __init efi_init(void)
> {
> struct efi_memory_map_data data;
> u64 efi_system_table;
> + u32 secure_boot;
>
> /* Grab UEFI information placed in FDT by stub */
> - efi_system_table = efi_get_fdt_params(&data);
> + efi_system_table = efi_get_fdt_params(&data, &secure_boot);
> if (!efi_system_table)
> return;
>
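Review bot: `u32 secure_boot;` is left uninitialized and is only written by efi_get_fdt_params(); if that function can return a non-zero system table address while leaving a target unfilled, the later efi_set_secure_boot(secure_boot) call consumes stack garbage. Initialize it (`u32 secure_boot = 0;`) so that the not-provided case and the Xen opt-out both read as the same value, and add a comment saying what 0 means to efi_set_secure_boot().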
> @@ -258,6 +259,8 @@ void __init efi_init(void)
> return;
> }
>
> + efi_set_secure_boot(secure_boot);
> +
> reserve_regions();
> /*
> * For memblock manipulation, the cap should come after the memblock_add().
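Review bot: `efi_set_secure_boot(secure_boot);` hands a plain u32 to a function whose x86 counterpart, which this commit message says the change mirrors, receives a Secure Boot mode value; if that parameter is an enum type, convert explicitly so the FDT encoding and the enum stay visibly tied together. Also, every earlier `return` in efi_init() skips this call, so a kernel that cannot read its EFI parameters never locks down; that is probably intended (no EFI data, no Secure Boot state), but it deserves a sentence in the commit message.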
> diff --git a/drivers/firmware/efi/fdtparams.c b/drivers/firmware/efi/fdtparams.c
> index b815d2a754..6f05b73c14 100644
> --- a/drivers/firmware/efi/fdtparams.c
> +++ b/drivers/firmware/efi/fdtparams.c
> @@ -16,6 +16,7 @@ enum {
> MMSIZE,
> DCSIZE,
> DCVERS,
> + SBMODE,
>
> PARAMCOUNT
> };
> @@ -26,6 +27,7 @@ static __initconst const char name[][22] = {
> [MMSIZE] = "MemMap Size ",
> [DCSIZE] = "MemMap Desc. Size ",
> [DCVERS] = "MemMap Desc. Version ",
> + [SBMODE] = "Secure Boot Enabled ",
> };
>
> static __initconst const struct {
> @@ -43,6 +45,7 @@ static __initconst const struct {
> [MMSIZE] = "xen,uefi-mmap-size",
> [DCSIZE] = "xen,uefi-mmap-desc-size",
> [DCVERS] = "xen,uefi-mmap-desc-ver",
> + [SBMODE] = "",
> }
> }, {
> #endif
> @@ -53,6 +56,7 @@ static __initconst const struct {
> [MMSIZE] = "linux,uefi-mmap-size",
> [DCSIZE] = "linux,uefi-mmap-desc-size",
> [DCVERS] = "linux,uefi-mmap-desc-ver",
> + [SBMODE] = "linux,uefi-secure-boot",
> }
> }
> };
> @@ -64,6 +68,11 @@ static int __init efi_get_fdt_prop(const void *fdt, int node, const char *pname,
> int len;
> u64 val;
>
> + if (!pname[0]) {
> + memset(var, 0, size);
> + return 0;
> + }
> +
> prop = fdt_getprop(fdt, node, pname, &len);
> if (!prop)
> return 1;
> @@ -81,7 +90,7 @@ static int __init efi_get_fdt_prop(const void *fdt, int node, const char *pname,
> return 0;
> }
>
> -u64 __init efi_get_fdt_params(struct efi_memory_map_data *mm)
> +u64 __init efi_get_fdt_params(struct efi_memory_map_data *mm, u32 *secure_boot)
> {
> const void *fdt = initial_boot_params;
> unsigned long systab;
> @@ -95,6 +104,7 @@ u64 __init efi_get_fdt_params(struct efi_memory_map_data *mm)
> [MMSIZE] = { &mm->size, sizeof(mm->size) },
> [DCSIZE] = { &mm->desc_size, sizeof(mm->desc_size) },
> [DCVERS] = { &mm->desc_version, sizeof(mm->desc_version) },
> + [SBMODE] = { secure_boot, sizeof(*secure_boot) },
> };
>
> BUILD_BUG_ON(ARRAY_SIZE(target) != ARRAY_SIZE(name));
> diff --git a/drivers/firmware/efi/libstub/fdt.c b/drivers/firmware/efi/libstub/fdt.c
> index 6a337f1f87..6c679da644 100644
> --- a/drivers/firmware/efi/libstub/fdt.c
> +++ b/drivers/firmware/efi/libstub/fdt.c
> @@ -132,6 +132,12 @@ static efi_status_t update_fdt(void *orig_fdt, unsigned long orig_fdt_size,
> }
> }
>
> + fdt_val32 = cpu_to_fdt32(efi_get_secureboot());
> + status = fdt_setprop(fdt, node, "linux,uefi-secure-boot",
> + &fdt_val32, sizeof(fdt_val32));
> + if (status)
> + goto fdt_set_fail;
> +
> /* Shrink the FDT back to its minimum size: */
> fdt_pack(fdt);
>
> diff --git a/include/linux/efi.h b/include/linux/efi.h
> index 4419ae4eae..d3d4533468 100644
> --- a/include/linux/efi.h
> +++ b/include/linux/efi.h
> @@ -758,7 +758,8 @@ extern int efi_mem_desc_lookup(u64 phys_addr, efi_memory_desc_t *out_md);
> extern int __efi_mem_desc_lookup(u64 phys_addr, efi_memory_desc_t *out_md);
> extern void efi_mem_reserve(phys_addr_t addr, u64 size);
> extern int efi_mem_reserve_persistent(phys_addr_t addr, u64 size);
> -extern u64 efi_get_fdt_params(struct efi_memory_map_data *data);
> +extern u64 efi_get_fdt_params(struct efi_memory_map_data *data,
> + u32 *secure_boot);
> extern struct kobject *efi_kobj;
>
> extern int efi_reboot_quirk_mode;
> --
> 2.50.1
>
> _______________________________________________
> devel-kernel mailing list
> devel-kernel@lists.altlinux.org
> https://lists.altlinux.org/mailman/listinfo/devel-kernel
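The mechanism described in the quoted commit message and the fdtparams.c hunk (a 4-byte cell under /chosen, looked up by name, with an empty name meaning "not provided on this platform"), as an added example that is not part of the patch, of Vitaly's reply, or of the kernel tree: a small flat device tree walker plus a constructed emitter that produces the blob it reads. The property names and the empty-name convention come from the patch; everything else (be32, put32, dtb_builder, emit, tok, begin_node, prop_u32, finish, get_chosen_u32, lookup_from_sample, the buffer sizes and the sample value 3) is ours. It goes beyond the patch in one respect: the walker bounds-checks the structure block and treats a truncated blob as "not found" rather than reading past it.

```c
/* Added example (not from the patch or the kernel tree): a minimal DTB walker that
 * looks up a 4-byte property under /chosen with the convention the patch gives
 * efi_get_fdt_prop(): 0 plus the value when present, 1 when absent, and an empty
 * name meaning "not provided on this platform" (value 0, success) without reading
 * the blob. A constructed emitter builds the blob; names and sizes here are ours. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FDT_MAGIC 0xd00dfeedu
enum { FDT_BEGIN_NODE = 1, FDT_END_NODE = 2, FDT_PROP = 3, FDT_NOP = 4, FDT_END = 9 };

static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static void put32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }

/* Constructed emitter: struct and strings blocks are filled separately (buffers start
 * zeroed, so 4-byte padding needs no writes) and assembled behind the 40-byte header. */
struct dtb_builder { uint8_t structb[256]; size_t slen; uint8_t strings[128]; size_t nstrings; };

static void emit(struct dtb_builder *b, const void *p, size_t n) { memcpy(b->structb + b->slen, p, n); b->slen += (n + 3) & ~(size_t)3; }
static void tok(struct dtb_builder *b, uint32_t v) { uint8_t w[4]; put32(w, v); emit(b, w, 4); }
static void begin_node(struct dtb_builder *b, const char *name) { tok(b, FDT_BEGIN_NODE); emit(b, name, strlen(name) + 1); }

static void prop_u32(struct dtb_builder *b, const char *name, uint32_t val)
{
	size_t n = strlen(name) + 1;
	memcpy(b->strings + b->nstrings, name, n);	/* property names live in the strings block */
	tok(b, FDT_PROP); tok(b, 4); tok(b, (uint32_t)b->nstrings); tok(b, val);	/* value is big-endian */
	b->nstrings += n;
}

static size_t finish(struct dtb_builder *b, uint8_t *out)
{
	size_t off_struct = 56, off_strings, total;	/* header (40) + empty reservation block (16) */
	tok(b, FDT_END);
	off_strings = off_struct + b->slen;
	total = off_strings + b->nstrings;
	memset(out, 0, total);
	put32(out + 0, FDT_MAGIC);              put32(out + 4, (uint32_t)total);
	put32(out + 8, (uint32_t)off_struct);   put32(out + 12, (uint32_t)off_strings);
	put32(out + 16, 40);                    put32(out + 20, 17); put32(out + 24, 16);	/* off_mem_rsvmap, version, last_comp_version */
	put32(out + 32, (uint32_t)b->nstrings); put32(out + 36, (uint32_t)b->slen);	/* size_dt_strings, size_dt_struct */
	memcpy(out + off_struct, b->structb, b->slen);
	memcpy(out + off_strings, b->strings, b->nstrings);
	return total;
}

/* Look up a 4-byte property under /chosen: 0 and *var on success, 1 if absent or malformed. */
static int get_chosen_u32(const uint8_t *fdt, const char *pname, uint32_t *var)
{
	const uint8_t *st, *end, *strs;
	int depth = 0, in_chosen = 0;
	if (!pname[0]) { *var = 0; return 0; }	/* mirrors the patch: nothing to read on this platform */
	if (be32(fdt) != FDT_MAGIC) return 1;
	st = fdt + be32(fdt + 8); end = st + be32(fdt + 36); strs = fdt + be32(fdt + 12);
	while (end - st >= 4) {
		uint32_t t = be32(st); st += 4;
		if (t == FDT_BEGIN_NODE) {	/* followed by the NUL-terminated node name, padded to 4 */
			const uint8_t *nul = memchr(st, 0, (size_t)(end - st));
			if (!nul) return 1;
			if (depth++ == 1 && strcmp((const char *)st, "chosen") == 0)
				in_chosen = 1;
			st += ((size_t)(nul - st) + 4) & ~(size_t)3;
		} else if (t == FDT_END_NODE) {
			if (--depth == 1) in_chosen = 0;	/* left /chosen */
		} else if (t == FDT_PROP) {	/* followed by len, nameoff, then the value */
			uint32_t len, nameoff;
			if (end - st < 8) return 1;
			len = be32(st); nameoff = be32(st + 4); st += 8;
			if (len > (size_t)(end - st) || nameoff >= be32(fdt + 32)) return 1;
			if (in_chosen && len == 4 && strcmp((const char *)strs + nameoff, pname) == 0) { *var = be32(st); return 0; }
			st += (len + 3) & ~3u;
		} else if (t != FDT_NOP) {
			return 1;	/* FDT_END or garbage: not found */
		}
	}
	return 1;
}

/* Build a constructed /chosen node resembling what the stub in the patch emits, with
 * `stored` as the secure boot value, then look `pname` up in it; -1 means absent. */
static long lookup_from_sample(uint32_t stored, const char *pname)
{
	struct dtb_builder b; uint8_t blob[512]; uint32_t v = 0;
	memset(&b, 0, sizeof b);
	begin_node(&b, "");
	begin_node(&b, "chosen");
	prop_u32(&b, "linux,uefi-mmap-desc-ver", 1);
	prop_u32(&b, "linux,uefi-secure-boot", stored);
	tok(&b, FDT_END_NODE); tok(&b, FDT_END_NODE);	/* close /chosen and / */
	finish(&b, blob);
	return get_chosen_u32(blob, pname, &v) ? -1L : (long)v;
}
int main(void)
{
	printf("%ld %ld %ld\n", lookup_from_sample(3, "linux,uefi-secure-boot"), lookup_from_sample(3, ""),
	       lookup_from_sample(3, "xen,uefi-secure-boot"));	/* prints "3 0 -1" */
	return 0;
}
```

The third call shows the point raised about the Xen table: a name that is not in the tree yields "absent" (-1), whereas the empty name yields a successful 0, and a consumer that only sees the value cannot tell the second case from a platform that really reported 0.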
* [d-kernel] [PATCH 6/6] config: Enable LOCK_DOWN_IN_EFI_SECURE_BOOT
2026-05-06 17:37 [d-kernel] [PATCH 0/6] [7.0, 7.1] Lock down the kernel if booted in Secure Boot mode Egor Ignatov
` (4 preceding siblings ...)
2026-05-06 17:37 ` [d-kernel] [PATCH 5/6] efi: determine and pass Secure Boot state via FDT Egor Ignatov
@ 2026-05-06 17:37 ` Egor Ignatov
2026-05-09 0:34 ` Vitaly Chikunov
2026-05-08 23:01 ` [d-kernel] [PATCH 0/6] [7.0, 7.1] Lock down the kernel if booted in Secure Boot mode Vitaly Chikunov
6 siblings, 1 reply; 13+ messages in thread
From: Egor Ignatov @ 2026-05-06 17:37 UTC (permalink / raw)
To: devel-kernel
Signed-off-by: Egor Ignatov <egori@altlinux.org>
---
config | 1 +
1 file changed, 1 insertion(+)
diff --git a/config b/config
index 9aaf07ae98..596785caa3 100644
--- a/config
+++ b/config
@@ -10132,6 +10132,7 @@ CONFIG_SECURITY_YAMA=y
CONFIG_SECURITY_SAFESETID=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
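Review bot: the commit has no description; state that CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is the option introduced earlier in this series (the cover letter's diffstat touches security/lockdown/Kconfig) and that, with CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y kept as is, lockdown is applied only when the EFI stub reports Secure Boot rather than unconditionally. A line naming the resulting lockdown mode (integrity or confidentiality) would let reviewers of the config change judge it without reading the Kconfig patch.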
--
2.50.1
* Re: [d-kernel] [PATCH 0/6] [7.0, 7.1] Lock down the kernel if booted in Secure Boot mode
2026-05-06 17:37 [d-kernel] [PATCH 0/6] [7.0, 7.1] Lock down the kernel if booted in Secure Boot mode Egor Ignatov
` (5 preceding siblings ...)
2026-05-06 17:37 ` [d-kernel] [PATCH 6/6] config: Enable LOCK_DOWN_IN_EFI_SECURE_BOOT Egor Ignatov
@ 2026-05-08 23:01 ` Vitaly Chikunov
6 siblings, 0 replies; 13+ messages in thread
From: Vitaly Chikunov @ 2026-05-08 23:01 UTC (permalink / raw)
To: ALT Linux kernel packages development
Egor,
On Wed, May 06, 2026 at 08:37:16PM +0300, Egor Ignatov wrote:
> This patch set enables the kernel lockdown mechanism when the system is
> booted in Secure Boot mode. When active Secure Boot is detected, the
> kernel is automatically switched into lockdown mode.
>
> The series is based on the original patch set "security, efi: Add kernel
> lockdown" by David Howells. More up-to-date variants of the respective
> patches, as maintained in the Fedora and Debian kernels, are used.
This is a big patch set; I think it would be good to know where the upstream
of all of this, with the "more up-to-date variants of the respective patches",
lives, in case merge conflicts arise.
And also the reason why a particular patch was chosen, since not all of the
mentioned distributions have them (plus OpenSUSE as well).
I looked around:
1. In Fedora the patches are in kernel-ark, without any indication of which
ones are required for "Lock down the kernel if booted in Secure Boot".
2. https://github.com/SUSE/kernel-source/tree/master/patches.suse
They have more patches, but I suppose not all of them are needed.
From our list, these are there:
[PATCH 1/3] security: lockdown: expose a hook to lock the kernel down
[PATCH 2/3] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode
[PATCH 3/3] efi: Lock down the kernel if booted in secure boot mode
[PATCH] lockdown: fix kernel lockdown enforcement issue when secure
Maybe we should limit ourselves to these changes?
3. https://salsa.debian.org/kernel-team/linux/-/tree/debian/latest/debian/patches/features/all/lockdown
arm64-add-kernel-config-option-to-lock-down-when.patch
efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch
efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
mtd-disable-slram-and-phram-when-locked-down.patch
Maybe we should pick the minimal set of patches that satisfies shim?
>
> The series is intended for the 7.0 and 7.1 branches.
>
> Ben Hutchings (1):
> mtd: phram,slram: Disable when the kernel is locked down
>
> David Howells (2):
> efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode
> efi: Lock down the kernel if booted in secure boot mode
>
> Egor Ignatov (1):
> config: Enable LOCK_DOWN_IN_EFI_SECURE_BOOT
>
> Jeremy Cline (1):
> security: lockdown: expose security_lock_kernel_down function
>
> Linn Crosetto (1):
> efi: determine and pass Secure Boot state via FDT
>
> arch/x86/kernel/setup.c | 16 ++----------
> config | 1 +
> drivers/firmware/efi/Makefile | 1 +
> drivers/firmware/efi/efi-init.c | 5 +++-
> drivers/firmware/efi/fdtparams.c | 12 ++++++++-
> drivers/firmware/efi/libstub/fdt.c | 6 +++++
> drivers/firmware/efi/secureboot.c | 42 ++++++++++++++++++++++++++++++
> drivers/mtd/devices/phram.c | 6 ++++-
> drivers/mtd/devices/slram.c | 9 ++++++-
> include/linux/efi.h | 22 ++++++++++------
> include/linux/security.h | 9 +++++++
> security/lockdown/Kconfig | 15 +++++++++++
> security/lockdown/lockdown.c | 11 ++++++++
> 13 files changed, 129 insertions(+), 26 deletions(-)
> create mode 100644 drivers/firmware/efi/secureboot.c
>
> --
> 2.50.1
>