[PATCH Xenial SRU v2] UBUNTU: SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl
Tim Gardner
tim.gardner at canonical.com
Thu Jun 16 06:41:35 UTC 2016
BugLink: http://bugs.launchpad.net/bugs/1593075
This is a better method for detecting the state of secure boot and
the MOKSBState override, as opposed to grepping status from the kernel log.
Both variables return 0 or 1. If secure_boot==0 then signed module
enforcement is not enabled. Likewise, if moksbstate_disabled==1 then
signed module enforcement is not enabled. The only condition under which
signed module enforcement is enabled is when secure_boot==1 and
moksbstate_disabled==0.
/proc/sys/kernel/secure_boot
/proc/sys/kernel/moksbstate_disabled
Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
---
V2 - I checked other proc interfaces that set permissions to 0444. It appears
one does not need to protect against writes in that case (which simplifies the
code a bit).
arch/x86/kernel/setup.c | 1 +
kernel/sysctl.c | 31 +++++++++++++++++++++++++++++++
2 files changed, 32 insertions(+)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index be173c2..b815923 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1150,6 +1150,7 @@ void __init setup_arch(char **cmdline_p)
pr_info("Secure boot enabled\n");
}
else if (boot_params.secure_boot == EFI_MOKSBSTATE_DISABLED) {
+ set_bit(EFI_MOKSBSTATE_DISABLED, &efi.flags);
boot_params.secure_boot = 0;
pr_info("Secure boot MOKSBState disabled\n");
}
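Review bot: The added `set_bit(EFI_MOKSBSTATE_DISABLED, &efi.flags);` uses the same constant as a bit index into `efi.flags` that the line above compares against `boot_params.secure_boot` as a value; if those two roles are declared independently in the headers (not visible here), a later renumbering of either would silently break the check, so it is worth confirming that EFI_MOKSBSTATE_DISABLED is defined as an efi.flags bit and not only as a boot_params value. The new flag is the only record of the override once `boot_params.secure_boot = 0` runs on the next line, which deserves a comment, e.g. `/* Record the MOKSBState override in efi.flags before secure_boot is cleared below. */`. setup_arch continues outside the hunk.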
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 4a7683b..eaa7b21 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -65,6 +65,7 @@
#include <linux/sched/sysctl.h>
#include <linux/kexec.h>
#include <linux/bpf.h>
+#include <linux/efi.h>
#include <asm/uaccess.h>
#include <asm/processor.h>
@@ -279,8 +280,38 @@ static int min_extfrag_threshold;
static int max_extfrag_threshold = 1000;
#endif
+static unsigned int secure_boot_enabled;
+int secure_boot_proc_handler(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+ secure_boot_enabled = efi_enabled(EFI_SECURE_BOOT);
+ return proc_dointvec(table, write, buffer, lenp, ppos);
+}
+
+static unsigned int moksbstate_disabled;
+int moksbstate_disabled_proc_handler(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+ moksbstate_disabled = efi_enabled(EFI_MOKSBSTATE_DISABLED);
+ return proc_dointvec(table, write, buffer, lenp, ppos);
+}
+
static struct ctl_table kern_table[] = {
{
+ .procname = "secure_boot",
+ .data = &secure_boot_enabled,
+ .maxlen = sizeof(unsigned int),
+ .mode = 0444,
+ .proc_handler = secure_boot_proc_handler,
+ },
+ {
+ .procname = "moksbstate_disabled",
+ .data = &moksbstate_disabled,
+ .maxlen = sizeof(unsigned int),
+ .mode = 0444,
+ .proc_handler = moksbstate_disabled_proc_handler,
+ },
+ {
.procname = "sched_child_runs_first",
.data = &sysctl_sched_child_runs_first,
.maxlen = sizeof(unsigned int),
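Review bot: Both new handlers at the top of the hunk are defined with external linkage but have no prototype in any header, so `-Wmissing-prototypes` and sparse will warn; nothing outside kernel/sysctl.c needs them, so they should be `static int secure_boot_proc_handler(...)` and `static int moksbstate_disabled_proc_handler(...)`, matching the file-scope helpers around them. The two bodies differ only in the efi flag bit they read and could be folded into one helper taking the bit as an argument, though that is optional. A short comment above the pair would help a later reader: `/* Refresh the cached value from efi.flags on every read; mode 0444 keeps the backing variable read-only. */`. The kern_table initializer continues past the end of the hunk.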
--
2.7.4