[PATCH] UBUNTU: [Config] CONFIG_EFI=y on armhf, reconcile secureboot EFI settings
Dimitri John Ledkov
xnox at ubuntu.com
Tue Mar 6 12:29:58 UTC 2018
Enable the EFI stub on armhf, and bring the Secure Boot config options on
arm64/armhf in line with x86.
BugLink: http://bugs.launchpad.net/bugs/1726362
Signed-off-by: Dimitri John Ledkov <xnox at ubuntu.com>
---
debian.master/config/amd64/config.common.amd64 | 2 --
debian.master/config/annotations | 26 +++++++++++++-------------
debian.master/config/arm64/config.common.arm64 | 4 +---
debian.master/config/armhf/config.common.armhf | 4 ++--
debian.master/config/config.common.ubuntu | 2 ++
debian.master/config/i386/config.common.i386 | 2 --
6 files changed, 18 insertions(+), 22 deletions(-)
diff --git a/debian.master/config/amd64/config.common.amd64 b/debian.master/config/amd64/config.common.amd64
index 7dfe3033f16b..0e5b80324b74 100644
--- a/debian.master/config/amd64/config.common.amd64
+++ b/debian.master/config/amd64/config.common.amd64
@@ -93,7 +93,6 @@ CONFIG_DUMMY_IRQ=m
CONFIG_DW_WATCHDOG=m
CONFIG_ECHO=m
CONFIG_EEPROM_93CX6=m
-CONFIG_EFI=y
CONFIG_EFI_CAPSULE_LOADER=m
CONFIG_EFI_DEV_PATH_PARSER=y
CONFIG_EFS_FS=m
@@ -188,7 +187,6 @@ CONFIG_LAPB=m
CONFIG_LDM_PARTITION=y
CONFIG_LIBNVDIMM=y
CONFIG_LLC2=m
-CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
CONFIG_LOCK_DOWN_KERNEL=y
CONFIG_LOG_BUF_SHIFT=18
CONFIG_LPC_ICH=m
diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index ee1a91bc2b1c..516d845c54f5 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -481,8 +481,8 @@ CONFIG_X509_CERTIFICATE_PARSER note<module signing>
CONFIG_MODULE_SIG_KEY policy<{'amd64': '"certs/signing_key.pem"', 'arm64': '"certs/signing_key.pem"', 'armhf': '"certs/signing_key.pem"', 'i386': '"certs/signing_key.pem"', 'ppc64el': '"certs/signing_key.pem"', 's390x': '"certs/signing_key.pem"'}>
CONFIG_SYSTEM_BLACKLIST_KEYRING policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
CONFIG_SYSTEM_BLACKLIST_HASH_LIST policy<{'amd64': '""', 'arm64': '""', 'armhf': '""', 'i386': '""', 'ppc64el': '""', 's390x': '""'}>
-CONFIG_EFI_SIGNATURE_LIST_PARSER policy<{'amd64': 'y', 'arm64': 'y', 'i386': 'y'}>
-CONFIG_LOAD_UEFI_KEYS policy<{'amd64': 'y', 'arm64': 'y', 'i386': 'y'}>
+CONFIG_EFI_SIGNATURE_LIST_PARSER policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y'}>
+CONFIG_LOAD_UEFI_KEYS policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y'}>
#
CONFIG_EFI_SIGNATURE_LIST_PARSER mark<ENFORCED>
CONFIG_LOAD_UEFI_KEYS mark<ENFORCED>
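Review bot: armhf is added to two `mark<ENFORCED>` policies here, and to CONFIG_EFI_VARS and CONFIG_RESET_ATTACK_MITIGATION in the next annotations hunk, yet the armhf config hunks in this patch add only `CONFIG_EFI_CAPSULE_LOADER=m` and `CONFIG_LOCK_DOWN_KERNEL=y`. Presumably the remaining symbols already sit in config.common.ubuntu and become selectable once CONFIG_EFI=y moves there, but those lines are not visible in this patch, so the generated armhf config should be checked against these policies before merging. A note on the enforced entries would record why the key-loading options are required on every EFI architecture, for example `CONFIG_LOAD_UEFI_KEYS mark<ENFORCED> note<secureboot LP:#1726362>`.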
@@ -9156,17 +9156,17 @@ CONFIG_FW_CFG_SYSFS_CMDLINE policy<{'amd64': 'n', 'arm64': '
CONFIG_QCOM_SCM_DOWNLOAD_MODE_DEFAULT policy<{'arm64': 'n', 'armhf': 'n'}>
# Menu: Firmware Drivers >> EFI (Extensible Firmware Interface) Support
-CONFIG_EFI_VARS policy<{'amd64': 'y', 'arm64': 'y', 'i386': 'y'}>
-CONFIG_EFI_VARS_PSTORE policy<{'amd64': 'm', 'arm64': 'm', 'i386': 'm'}>
-CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE policy<{'amd64': 'n', 'arm64': 'n', 'i386': 'n'}>
+CONFIG_EFI_VARS policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y'}>
+CONFIG_EFI_VARS_PSTORE policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'i386': 'm'}>
+CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n'}>
CONFIG_EFI_RUNTIME_MAP policy<{'amd64': 'y', 'i386': 'y'}>
CONFIG_EFI_FAKE_MEMMAP policy<{'amd64': 'n', 'i386': 'n'}>
-CONFIG_EFI_BOOTLOADER_CONTROL policy<{'amd64': 'm', 'arm64': 'm', 'i386': 'm'}>
-CONFIG_EFI_CAPSULE_LOADER policy<{'amd64': 'm', 'arm64': 'm', 'i386': 'y'}>
+CONFIG_EFI_BOOTLOADER_CONTROL policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'i386': 'm'}>
+CONFIG_EFI_CAPSULE_LOADER policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'i386': 'y'}>
CONFIG_EFI_CAPSULE_QUIRK_QUARK_CSH policy<{'i386': 'y'}>
-CONFIG_EFI_TEST policy<{'amd64': 'm', 'arm64': 'm', 'i386': 'm'}>
+CONFIG_EFI_TEST policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'i386': 'm'}>
CONFIG_APPLE_PROPERTIES policy<{'amd64': 'y', 'i386': 'y'}>
-CONFIG_RESET_ATTACK_MITIGATION policy<{'amd64': 'y', 'arm64': 'y', 'i386': 'y'}>
+CONFIG_RESET_ATTACK_MITIGATION policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y'}>
#
CONFIG_EFI_VARS mark<ENFORCED> note<EFI boot requirement (d-i) LP:#837332>
@@ -11248,7 +11248,7 @@ CONFIG_X86_SMAP policy<{'amd64': 'y', 'i386': 'y
CONFIG_X86_INTEL_UMIP policy<{'amd64': 'y', 'i386': 'y'}>
CONFIG_X86_INTEL_MPX policy<{'amd64': 'y'}>
CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS policy<{'amd64': 'y'}>
-CONFIG_EFI_STUB policy<{'amd64': 'y', 'arm64': 'y', 'i386': 'y'}>
+CONFIG_EFI_STUB policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y'}>
CONFIG_EFI_MIXED policy<{'amd64': 'y'}>
CONFIG_KEXEC_VERIFY_SIG policy<{'amd64': 'y'}>
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG policy<{'amd64': 'y'}>
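Review bot: The context lines after the changed CONFIG_EFI_STUB entry leave `CONFIG_KEXEC_VERIFY_SIG` at amd64 only, while this patch turns lockdown on for arm64 and armhf under Secure Boot. As far as I can tell, a locked-down kernel refuses kexec images it cannot verify, so kexec and kdump on ARM would probably stop working under Secure Boot rather than gain signature checking. That is the safe direction, but it should be stated rather than discovered later; once confirmed I would add `CONFIG_KEXEC_VERIFY_SIG note<amd64 only; kexec on arm64/armhf is refused under lockdown>`.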
@@ -11503,9 +11503,9 @@ CONFIG_HARDENED_USERCOPY policy<{'amd64': 'y', 'arm64': '
CONFIG_HARDENED_USERCOPY_PAGESPAN policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
CONFIG_FORTIFY_SOURCE policy<{'amd64': 'y', 'arm64': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
CONFIG_STATIC_USERMODEHELPER policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
-CONFIG_LOCK_DOWN_KERNEL policy<{'amd64': 'y', 'arm64': 'n', 'armhf': 'n', 'i386': 'y', 'ppc64el': 'n', 's390x': 'n'}>
-CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ policy<{'amd64': 'y', 'i386': 'y'}>
-CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT policy<{'amd64': 'y', 'arm64': 'n', 'i386': 'y'}>
+CONFIG_LOCK_DOWN_KERNEL policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'n', 's390x': 'n'}>
+CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y'}>
+CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y'}>
#
CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT mark<ENFORCED>
CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ mark<ENFORCED>
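Review bot: CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ becomes `y` for arm64 and armhf and stays `mark<ENFORCED>`, but no config.common.* hunk in this patch sets it for those architectures. If the option is only selectable on x86 (its Kconfig dependencies are not visible here), the enforced check would fail or the annotation would describe a setting that cannot be chosen. The lift also relies on SysRq implying physical presence, which is worth confirming on ARM boards whose console is a serial line. I would record the decision on the entry, e.g. `CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ mark<ENFORCED> note<lift requires physical presence; verify on serial-console ARM>`.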
diff --git a/debian.master/config/arm64/config.common.arm64 b/debian.master/config/arm64/config.common.arm64
index 9d20f17f6aaf..57b75fd36c91 100644
--- a/debian.master/config/arm64/config.common.arm64
+++ b/debian.master/config/arm64/config.common.arm64
@@ -104,7 +104,6 @@ CONFIG_DUMMY_IRQ=m
CONFIG_DW_WATCHDOG=m
CONFIG_ECHO=m
CONFIG_EEPROM_93CX6=m
-CONFIG_EFI=y
CONFIG_EFI_CAPSULE_LOADER=m
# CONFIG_EFI_DEV_PATH_PARSER is not set
CONFIG_EFS_FS=m
@@ -206,8 +205,7 @@ CONFIG_LAPB=m
CONFIG_LDM_PARTITION=y
CONFIG_LIBNVDIMM=y
CONFIG_LLC2=m
-# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
-# CONFIG_LOCK_DOWN_KERNEL is not set
+CONFIG_LOCK_DOWN_KERNEL=y
CONFIG_LOG_BUF_SHIFT=14
CONFIG_LPC_ICH=m
CONFIG_LPC_SCH=m
diff --git a/debian.master/config/armhf/config.common.armhf b/debian.master/config/armhf/config.common.armhf
index 4b01fabaffa6..1ef3f0602a20 100644
--- a/debian.master/config/armhf/config.common.armhf
+++ b/debian.master/config/armhf/config.common.armhf
@@ -91,7 +91,7 @@ CONFIG_DUMMY_IRQ=m
CONFIG_DW_WATCHDOG=m
CONFIG_ECHO=m
CONFIG_EEPROM_93CX6=m
-# CONFIG_EFI is not set
+CONFIG_EFI_CAPSULE_LOADER=m
CONFIG_EFS_FS=m
CONFIG_EM_TIMER_STI=y
CONFIG_ENCLOSURE_SERVICES=m
@@ -184,7 +184,7 @@ CONFIG_LAPB=m
CONFIG_LDM_PARTITION=y
CONFIG_LIBNVDIMM=y
CONFIG_LLC2=m
-# CONFIG_LOCK_DOWN_KERNEL is not set
+CONFIG_LOCK_DOWN_KERNEL=y
CONFIG_LOG_BUF_SHIFT=17
CONFIG_LPC_ICH=m
CONFIG_LPC_SCH=m
diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index 84b117bc0312..7e45eca1fff2 100644
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -2664,6 +2664,7 @@ CONFIG_EEPROM_AT25=m
CONFIG_EEPROM_IDT_89HPESX=m
CONFIG_EEPROM_LEGACY=m
CONFIG_EEPROM_MAX6875=m
+CONFIG_EFI=y
CONFIG_EFIVAR_FS=y
CONFIG_EFI_ARMSTUB=y
CONFIG_EFI_BOOTLOADER_CONTROL=m
@@ -4865,6 +4866,7 @@ CONFIG_LOCKD=m
CONFIG_LOCKDEP_SUPPORT=y
CONFIG_LOCKD_V4=y
CONFIG_LOCKUP_DETECTOR=y
+CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
CONFIG_LOCK_SPIN_ON_OWNER=y
# CONFIG_LOCK_STAT is not set
# CONFIG_LOCK_TORTURE_TEST is not set
diff --git a/debian.master/config/i386/config.common.i386 b/debian.master/config/i386/config.common.i386
index cd5a7508f3f2..99cc3060abb0 100644
--- a/debian.master/config/i386/config.common.i386
+++ b/debian.master/config/i386/config.common.i386
@@ -89,7 +89,6 @@ CONFIG_DUMMY_IRQ=m
CONFIG_DW_WATCHDOG=m
CONFIG_ECHO=m
CONFIG_EEPROM_93CX6=m
-CONFIG_EFI=y
CONFIG_EFI_CAPSULE_LOADER=y
CONFIG_EFI_DEV_PATH_PARSER=y
CONFIG_EFS_FS=m
@@ -184,7 +183,6 @@ CONFIG_LAPB=m
CONFIG_LDM_PARTITION=y
CONFIG_LIBNVDIMM=y
CONFIG_LLC2=m
-CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
CONFIG_LOCK_DOWN_KERNEL=y
CONFIG_LOG_BUF_SHIFT=17
CONFIG_LPC_ICH=m
--
2.15.1