From: Egor Ignatov <egori@altlinux.org>
To: devel-kernel@lists.altlinux.org
Subject: Re: [d-kernel] [PATCH 4/6] efi: Lock down the kernel if booted in secure boot mode
Date: Wed, 20 May 2026 15:28:51 +0300
Message-ID: <d3f4926f-514d-4940-af4c-1c430d4a64cd@altlinux.org> (raw)
In-Reply-To: <af5-CgzbJ1XAGqQx@altlinux.org>
On 5/9/26 3:24 AM, Vitaly Chikunov wrote:
> On Wed, May 06, 2026 at 08:37:20PM +0300, Egor Ignatov wrote:
>> From: David Howells <dhowells@redhat.com>
>>
>> UEFI Secure Boot provides a mechanism for ensuring that the firmware
>> will only load signed bootloaders and kernels. Certain use cases may
>> also require that all kernel modules also be signed. Add a
>> configuration option that to lock down the kernel - which includes
>> requiring validly signed modules - if the kernel is secure-booted.
>>
>> Signed-off-by: David Howells <dhowells@redhat.com>
>> Signed-off-by: Jeremy Cline <jcline@redhat.com>
>> [egori: merged Fedora and Debian downstream patches]
>
> Допустим возник merge conflict, что здесь смержено? Да и зачем?
>
> Если мерж не зачем-то важен, то лучше оставить не смерженые патчи чтоб
> потом можно было понять что к чему относится и посмотреть апстримную
> версию.
Возможно не совсем верно с моей стороны было написать "merged". Дело в
том, что в Fedora, как и в оригинальной серии имеется 2 коммита:
- security: lockdown: expose a hook to lock the kernel down
- efi: Lock down the kernel if booted in secure boot mode
А в Debian изменения обоих этих коммитов содержатся в одном патче:
efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch.
Мне показалось правильнее и понятнее сохранить оригинальный набор
коммитов, при этом взять более качественную реализацию для 'security:
lockdown: expose a hook to lock the kernel down' на основе патчей из
Fedora (см PATCH 2/6). И подход Debian для 'efi: Lock down the kernel if
booted in secure boot mode', где вызов security_lock_kernel_down
происходит внутри efi_set_secure_boot, что необходимо для последующего
патча (PATCH 5/6).
По итогу, от Fedora в этом коммите только название. Заменю запись на:
[egori: based on
efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch Debian patch]
>> Signed-off-by: Egor Ignatov <egori@altlinux.org>
>> ---
>> arch/x86/kernel/setup.c | 4 ++--
>> drivers/firmware/efi/secureboot.c | 3 +++
>> security/lockdown/Kconfig | 15 +++++++++++++++
>> 3 files changed, 20 insertions(+), 2 deletions(-)
>>
>> diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
>> index b67b87af6f..7605f3372a 100644
>> --- a/arch/x86/kernel/setup.c
>> +++ b/arch/x86/kernel/setup.c
>> @@ -995,6 +995,8 @@ void __init setup_arch(char **cmdline_p)
>> if (efi_enabled(EFI_BOOT))
>> efi_init();
>>
>> + efi_set_secure_boot(boot_params.secure_boot);
>> +
>> reserve_ibft_region();
>> x86_init.resources.dmi_setup();
>>
>> @@ -1156,8 +1158,6 @@ void __init setup_arch(char **cmdline_p)
>> /* Allocate bigger log buffer */
>> setup_log_buf(1);
>>
>> - efi_set_secure_boot(boot_params.secure_boot);
>> -
>> reserve_initrd();
>>
>> acpi_table_upgrade();
>> diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c
>> index 5cdeb3b6e7..673e2d1b6c 100644
>> --- a/drivers/firmware/efi/secureboot.c
>> +++ b/drivers/firmware/efi/secureboot.c
>> @@ -29,6 +29,9 @@ void __init efi_set_secure_boot(enum efi_secureboot_mode mode)
>> case efi_secureboot_mode_enabled:
>> set_bit(EFI_SECURE_BOOT, &efi.flags);
>> pr_info("Secure boot enabled\n");
>> + if (IS_ENABLED(CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT))
>> + security_lock_kernel_down("EFI Secure Boot mode",
>> + LOCKDOWN_INTEGRITY_MAX);
>> break;
>> default:
>> pr_warn("Secure boot could not be determined (mode %u)\n",
>> diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
>> index e84ddf4840..f789e07849 100644
>> --- a/security/lockdown/Kconfig
>> +++ b/security/lockdown/Kconfig
>> @@ -16,6 +16,21 @@ config SECURITY_LOCKDOWN_LSM_EARLY
>> subsystem is fully initialised. If enabled, lockdown will
>> unconditionally be called before any other LSMs.
>>
>> +config LOCK_DOWN_IN_EFI_SECURE_BOOT
>> + bool "Lock down the kernel in EFI Secure Boot mode"
>> + default n
>> + depends on SECURITY_LOCKDOWN_LSM
>> + depends on EFI
>> + select SECURITY_LOCKDOWN_LSM_EARLY
>> + help
>> + UEFI Secure Boot provides a mechanism for ensuring that the firmware
>> + will only load signed bootloaders and kernels. Secure boot mode may
>> + be determined from EFI variables provided by the system firmware if
>> + not indicated by the boot parameters.
>> +
>> + Enabling this option results in kernel lockdown being
>> + triggered in integrity mode if EFI Secure Boot is set.
>> +
>> choice
>> prompt "Kernel default lockdown mode"
>> default LOCK_DOWN_KERNEL_FORCE_NONE
>> --
>> 2.50.1
>>
>> _______________________________________________
>> devel-kernel mailing list
>> devel-kernel@lists.altlinux.org
>> https://lists.altlinux.org/mailman/listinfo/devel-kernel
> _______________________________________________
> devel-kernel mailing list
> devel-kernel@lists.altlinux.org
> https://lists.altlinux.org/mailman/listinfo/devel-kernel
--
Egor Ignatov
ALT Linux Team
next prev parent reply other threads:[~2026-05-20 12:28 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-06 17:37 [d-kernel] [PATCH 0/6] [7.0, 7.1] Lock down the kernel if booted in Secure Boot mode Egor Ignatov
2026-05-06 17:37 ` [d-kernel] [PATCH 1/6] mtd: phram, slram: Disable when the kernel is locked down Egor Ignatov
2026-05-08 23:43 ` Vitaly Chikunov
2026-05-06 17:37 ` [d-kernel] [PATCH 2/6] security: lockdown: expose security_lock_kernel_down function Egor Ignatov
2026-05-09 0:20 ` Vitaly Chikunov
2026-05-20 12:25 ` Egor Ignatov
2026-05-06 17:37 ` [d-kernel] [PATCH 3/6] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode Egor Ignatov
2026-05-06 17:37 ` [d-kernel] [PATCH 4/6] efi: Lock down the kernel if booted in " Egor Ignatov
2026-05-09 0:24 ` Vitaly Chikunov
2026-05-20 12:28 ` Egor Ignatov [this message]
2026-05-06 17:37 ` [d-kernel] [PATCH 5/6] efi: determine and pass Secure Boot state via FDT Egor Ignatov
2026-05-09 0:28 ` Vitaly Chikunov
2026-05-20 12:29 ` Egor Ignatov
2026-05-06 17:37 ` [d-kernel] [PATCH 6/6] config: Enable LOCK_DOWN_IN_EFI_SECURE_BOOT Egor Ignatov
2026-05-09 0:34 ` Vitaly Chikunov
2026-05-20 12:29 ` Egor Ignatov
2026-05-08 23:01 ` [d-kernel] [PATCH 0/6] [7.0, 7.1] Lock down the kernel if booted in Secure Boot mode Vitaly Chikunov
2026-05-20 12:29 ` Egor Ignatov
2026-05-20 16:32 ` Vitaly Chikunov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d3f4926f-514d-4940-af4c-1c430d4a64cd@altlinux.org \
--to=egori@altlinux.org \
--cc=devel-kernel@lists.altlinux.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
ALT Linux kernel packages development
This inbox may be cloned and mirrored by anyone:
git clone --mirror http://lore.altlinux.org/devel-kernel/0 devel-kernel/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 devel-kernel devel-kernel/ http://lore.altlinux.org/devel-kernel \
devel-kernel@altlinux.org devel-kernel@altlinux.ru devel-kernel@altlinux.com
public-inbox-index devel-kernel
Example config snippet for mirrors.
Newsgroup available over NNTP:
nntp://lore.altlinux.org/org.altlinux.lists.devel-kernel
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git