From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Message-ID:
Date: Wed, 20 May 2026 15:28:51 +0300
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: devel-kernel@lists.altlinux.org
References: <20260506173722.1012394-1-egori@altlinux.org> <20260506173722.1012394-5-egori@altlinux.org>
Content-Language: en-US, ru
From: Egor Ignatov
In-Reply-To:
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: [d-kernel] [PATCH 4/6] efi: Lock down the kernel if booted in secure boot mode
X-BeenThere: devel-kernel@lists.altlinux.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: ALT Linux kernel packages development
List-Id: ALT Linux kernel packages development
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 20 May 2026 12:28:52 -0000
Archived-At:
List-Archive:
List-Post:

On 5/9/26 3:24 AM, Vitaly Chikunov wrote:
> On Wed, May 06, 2026 at 08:37:20PM +0300, Egor Ignatov wrote:
>> From: David Howells
>>
>> UEFI Secure Boot provides a mechanism for ensuring that the firmware
>> will only load signed bootloaders and kernels. Certain use cases may
>> also require that all kernel modules also be signed. Add a
>> configuration option to lock down the kernel - which includes
>> requiring validly signed modules - if the kernel is secure-booted.
>>
>> Signed-off-by: David Howells
>> Signed-off-by: Jeremy Cline
>> [egori: merged Fedora and Debian downstream patches]
>
> Suppose a merge conflict comes up: what has been merged here? And why?
>
> If the merge is not important for some reason, it is better to leave the patches unmerged so that later it is possible to understand what belongs to what and look at the upstream version.

Perhaps it was not entirely correct of me to write "merged". The thing is that Fedora, like the original series, has 2 commits:
- security: lockdown: expose a hook to lock the kernel down
- efi: Lock down the kernel if booted in secure boot mode
whereas in Debian the changes of both of these commits are contained in a single patch: efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch.

It seemed more correct and clearer to me to keep the original set of commits, while taking the better implementation of 'security: lockdown: expose a hook to lock the kernel down' based on the Fedora patches (see PATCH 2/6), and the Debian approach for 'efi: Lock down the kernel if booted in secure boot mode', where the security_lock_kernel_down call happens inside efi_set_secure_boot, which is needed for the subsequent patch (PATCH 5/6). In the end, the only thing from Fedora in this commit is the title. I will replace the line with:

[egori: based on efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch Debian patch]

>> Signed-off-by: Egor Ignatov >> --- >> arch/x86/kernel/setup.c | 4 ++-- >> drivers/firmware/efi/secureboot.c | 3 +++ >> security/lockdown/Kconfig | 15 +++++++++++++++ >> 3 files changed, 20 insertions(+), 2 deletions(-) >> >> diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c >> index b67b87af6f..7605f3372a 100644 >> --- a/arch/x86/kernel/setup.c >> +++ b/arch/x86/kernel/setup.c >> @@ -995,6 +995,8 @@ void __init setup_arch(char **cmdline_p) >> if (efi_enabled(EFI_BOOT)) >> efi_init(); >> >> + efi_set_secure_boot(boot_params.secure_boot); >> + >> reserve_ibft_region(); >> x86_init.resources.dmi_setup();
>> >> @@ -1156,8 +1158,6 @@ void __init setup_arch(char **cmdline_p) >> /* Allocate bigger log buffer */ >> setup_log_buf(1); >> >> - efi_set_secure_boot(boot_params.secure_boot); >> - >> reserve_initrd(); >> >> acpi_table_upgrade(); >> diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c >> index 5cdeb3b6e7..673e2d1b6c 100644 >> --- a/drivers/firmware/efi/secureboot.c >> +++ b/drivers/firmware/efi/secureboot.c >> @@ -29,6 +29,9 @@ void __init efi_set_secure_boot(enum efi_secureboot_mode mode) >> case efi_secureboot_mode_enabled: >> set_bit(EFI_SECURE_BOOT, &efi.flags); >> pr_info("Secure boot enabled\n"); >> + if (IS_ENABLED(CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT)) >> + security_lock_kernel_down("EFI Secure Boot mode", >> + LOCKDOWN_INTEGRITY_MAX); >> break; >> default: >> pr_warn("Secure boot could not be determined (mode %u)\n", >> diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig >> index e84ddf4840..f789e07849 100644 >> --- a/security/lockdown/Kconfig >> +++ b/security/lockdown/Kconfig 
>> @@ -16,6 +16,21 @@ config SECURITY_LOCKDOWN_LSM_EARLY >> subsystem is fully initialised. If enabled, lockdown will >> unconditionally be called before any other LSMs. >> >> +config LOCK_DOWN_IN_EFI_SECURE_BOOT >> + bool "Lock down the kernel in EFI Secure Boot mode" >> + default n >> + depends on SECURITY_LOCKDOWN_LSM >> + depends on EFI >> + select SECURITY_LOCKDOWN_LSM_EARLY >> + help >> + UEFI Secure Boot provides a mechanism for ensuring that the firmware >> + will only load signed bootloaders and kernels. Secure boot mode may >> + be determined from EFI variables provided by the system firmware if >> + not indicated by the boot parameters. >> + >> + Enabling this option results in kernel lockdown being >> + triggered in integrity mode if EFI Secure Boot is set. >> + >> choice >> prompt "Kernel default lockdown mode" >> default LOCK_DOWN_KERNEL_FORCE_NONE >> -- >> 2.50.1 >> >> _______________________________________________ >> devel-kernel mailing list >> devel-kernel@lists.altlinux.org >> https://lists.altlinux.org/mailman/listinfo/devel-kernel

-- 
Egor Ignatov
ALT Linux Team
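Review bot: in the first arch/x86/kernel/setup.c hunk, the move of efi_set_secure_boot(boot_params.secure_boot) from after setup_log_buf(1) to directly after efi_init() (the second setup.c hunk removes the old call) is not explained in the commit message. Because this series makes efi_set_secure_boot() call security_lock_kernel_down(), ordering now matters: the lockdown LSM must already be initialised when efi_init() returns, which is what `select SECURITY_LOCKDOWN_LSM_EARLY` in the Kconfig hunk is there to guarantee. Suggest stating that dependency, and that the earlier call site is needed by PATCH 5/6 as mentioned in the reply above, in the commit message so the reason survives a future rebase.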
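Review bot: the drivers/firmware/efi/secureboot.c hunk adds a call to security_lock_kernel_down() but shows no matching #include for its declaration (linux/security.h); confirm the file already includes it, because `if (IS_ENABLED(...))` still compiles the call when CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is off, so the declaration must be visible unconditionally. Also worth documenting: lockdown is triggered only in the efi_secureboot_mode_enabled case, while the `default:` branch (mode could not be determined) only pr_warn()s and leaves the kernel unlocked, so firmware that reports an undetermined mode boots without lockdown; if that fail-open behaviour is intended, say so in the commit message or the Kconfig help text.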
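Review bot: in the security/lockdown/Kconfig hunk, `default n` is already the default for a bool and can be dropped. The help text says secure boot mode "may be determined from EFI variables provided by the system firmware if not indicated by the boot parameters", but nothing in this patch reads EFI variables; the only input is boot_params.secure_boot in setup.c. Either trim that sentence or note that the variable lookup arrives in a later patch of the series. The "integrity mode" wording does match the LOCKDOWN_INTEGRITY_MAX level passed in the secureboot.c hunk.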