Re: [d-kernel] [PATCH 4/6] efi: Lock down the kernel if booted in secure boot mode

From: Vitaly Chikunov <vt@altlinux.org>
To: ALT Linux kernel packages development <devel-kernel@lists.altlinux.org>
Subject: Re: [d-kernel] [PATCH 4/6] efi: Lock down the kernel if booted in secure boot mode
Date: Sat, 9 May 2026 03:24:53 +0300
Message-ID: <af5-CgzbJ1XAGqQx@altlinux.org> (raw)
In-Reply-To: <20260506173722.1012394-5-egori@altlinux.org>

On Wed, May 06, 2026 at 08:37:20PM +0300, Egor Ignatov wrote:
> From: David Howells <dhowells@redhat.com>
> 
> UEFI Secure Boot provides a mechanism for ensuring that the firmware
> will only load signed bootloaders and kernels.  Certain use cases may
> also require that all kernel modules also be signed.  Add a
> configuration option that to lock down the kernel - which includes
> requiring validly signed modules - if the kernel is secure-booted.
> 
> Signed-off-by: David Howells <dhowells@redhat.com>
> Signed-off-by: Jeremy Cline <jcline@redhat.com>
> [egori: merged Fedora and Debian downstream patches]

Допустим возник merge conflict, что здесь смержено? Да и зачем?

Если мерж не зачем-то важен, то лучше оставить не смерженые патчи чтоб
потом можно было понять что к чему относится и посмотреть апстримную
версию.

> Signed-off-by: Egor Ignatov <egori@altlinux.org>
> ---
>  arch/x86/kernel/setup.c           |  4 ++--
>  drivers/firmware/efi/secureboot.c |  3 +++
>  security/lockdown/Kconfig         | 15 +++++++++++++++
>  3 files changed, 20 insertions(+), 2 deletions(-)
> 
> diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
> index b67b87af6f..7605f3372a 100644
> --- a/arch/x86/kernel/setup.c
> +++ b/arch/x86/kernel/setup.c
> @@ -995,6 +995,8 @@ void __init setup_arch(char **cmdline_p)
>  	if (efi_enabled(EFI_BOOT))
>  		efi_init();
>  
> +	efi_set_secure_boot(boot_params.secure_boot);
> +
>  	reserve_ibft_region();
>  	x86_init.resources.dmi_setup();
>  
> @@ -1156,8 +1158,6 @@ void __init setup_arch(char **cmdline_p)
>  	/* Allocate bigger log buffer */
>  	setup_log_buf(1);
>  
> -	efi_set_secure_boot(boot_params.secure_boot);
> -
>  	reserve_initrd();
>  
>  	acpi_table_upgrade();
> diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c
> index 5cdeb3b6e7..673e2d1b6c 100644
> --- a/drivers/firmware/efi/secureboot.c
> +++ b/drivers/firmware/efi/secureboot.c
> @@ -29,6 +29,9 @@ void __init efi_set_secure_boot(enum efi_secureboot_mode mode)
>  		case efi_secureboot_mode_enabled:
>  			set_bit(EFI_SECURE_BOOT, &efi.flags);
>  			pr_info("Secure boot enabled\n");
> +			if (IS_ENABLED(CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT))
> +				security_lock_kernel_down("EFI Secure Boot mode",
> +							  LOCKDOWN_INTEGRITY_MAX);
>  			break;
>  		default:
>  			pr_warn("Secure boot could not be determined (mode %u)\n",
> diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
> index e84ddf4840..f789e07849 100644
> --- a/security/lockdown/Kconfig
> +++ b/security/lockdown/Kconfig
> @@ -16,6 +16,21 @@ config SECURITY_LOCKDOWN_LSM_EARLY
>  	  subsystem is fully initialised. If enabled, lockdown will
>  	  unconditionally be called before any other LSMs.
>  
> +config LOCK_DOWN_IN_EFI_SECURE_BOOT
> +	bool "Lock down the kernel in EFI Secure Boot mode"
> +	default n
> +	depends on SECURITY_LOCKDOWN_LSM
> +	depends on EFI
> +	select SECURITY_LOCKDOWN_LSM_EARLY
> +	help
> +	  UEFI Secure Boot provides a mechanism for ensuring that the firmware
> +	  will only load signed bootloaders and kernels.  Secure boot mode may
> +	  be determined from EFI variables provided by the system firmware if
> +	  not indicated by the boot parameters.
> +
> +	  Enabling this option results in kernel lockdown being
> +	  triggered in integrity mode if EFI Secure Boot is set.
> +
>  choice
>  	prompt "Kernel default lockdown mode"
>  	default LOCK_DOWN_KERNEL_FORCE_NONE
> -- 
> 2.50.1
> 
> _______________________________________________
> devel-kernel mailing list
> devel-kernel@lists.altlinux.org
> https://lists.altlinux.org/mailman/listinfo/devel-kernel