[EOAN][PATCH 1/2] UBUNTU: SAUCE: (lockdown) s390/ipl: lockdown kernel when booted secure
Dimitri John Ledkov
xnox at ubuntu.com
Fri Aug 9 14:49:46 UTC 2019
From: Philipp Rudo <prudo at linux.ibm.com>
BugLink: https://bugs.launchpad.net/bugs/1839622
Signed-off-by: Philipp Rudo <prudo at linux.ibm.com>
Signed-off-by: Dimitri John Ledkov <xnox at ubuntu.com>
---
arch/s390/include/asm/ipl.h | 1 +
arch/s390/kernel/ipl.c | 5 +++++
security/lock_down.c | 7 +++++++
3 files changed, 13 insertions(+)
diff --git a/arch/s390/include/asm/ipl.h b/arch/s390/include/asm/ipl.h
index 084e71b7272a..1d1b5ec7357b 100644
--- a/arch/s390/include/asm/ipl.h
+++ b/arch/s390/include/asm/ipl.h
@@ -109,6 +109,7 @@ int ipl_report_add_component(struct ipl_report *report, struct kexec_buf *kbuf,
unsigned char flags, unsigned short cert);
int ipl_report_add_certificate(struct ipl_report *report, void *key,
unsigned long addr, unsigned long len);
+bool ipl_get_secureboot(void);
/*
* DIAG 308 support
diff --git a/arch/s390/kernel/ipl.c b/arch/s390/kernel/ipl.c
index d836af3ccc38..099e731ec528 100644
--- a/arch/s390/kernel/ipl.c
+++ b/arch/s390/kernel/ipl.c
@@ -1856,3 +1856,8 @@ int ipl_report_free(struct ipl_report *report)
}
#endif
+
+bool ipl_get_secureboot(void)
+{
+ return !!ipl_secure_flag;
+}
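Review bot: ipl_get_secureboot() is added without a comment saying what ipl_secure_flag represents or when it becomes valid, although the lockdown decision in security/lock_down.c now depends on it. A one-line comment above the function would record that, for example `/* Report whether the system was IPLed in secure mode; ipl_secure_flag must be valid before init_lockdown() runs. */`. Neither the definition of ipl_secure_flag nor the s390 call site of init_lockdown() is visible in this patch, so the ordering should be confirmed. The function follows an `#endif` whose opening condition is outside the hunk; it appears to sit outside that conditional, which the CONFIG_S390 caller needs.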
diff --git a/security/lock_down.c b/security/lock_down.c
index bb4dc7838f3e..db7645c7a7ef 100644
--- a/security/lock_down.c
+++ b/security/lock_down.c
@@ -13,6 +13,9 @@
#include <linux/security.h>
#include <linux/export.h>
#include <linux/efi.h>
+#ifdef CONFIG_S390
+#include <asm/ipl.h>
+#endif
static __ro_after_init bool kernel_locked_down;
@@ -49,6 +52,10 @@ void __init init_lockdown(void)
if (efi_enabled(EFI_SECURE_BOOT))
lock_kernel_down("EFI secure boot");
#endif
+#ifdef CONFIG_S390
+ if (ipl_get_secureboot())
+ lock_kernel_down("Secure IPL");
+#endif
}
/**
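Review bot: The new `#ifdef CONFIG_S390` branch in init_lockdown() locks the kernel down whenever ipl_get_secureboot() returns true, keyed on the architecture alone with no Kconfig switch. The EFI branch above it ends in an `#endif` whose opening condition is outside the hunk, so check whether that path is gated by a dedicated option that s390 should mirror. The commit message has no body, so the intended policy is not recorded; a comment above the check such as `/* s390: a secure IPL implies lockdown, same policy as EFI secure boot */` would document it. As a point of style, this `#ifdef` and the one around the `<asm/ipl.h>` include put architecture knowledge into security/lock_down.c; a header stub returning false on other architectures would keep the function free of conditionals.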
--
2.20.1