From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: Josh Boyer <jwboyer@fedoraproject.org>
Cc: David Howells <dhowells@redhat.com>,
keyrings@vger.kernel.org,
Matthew Garrett <matthew.garrett@nebula.com>,
"linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
linux-security-module <linux-security-module@vger.kernel.org>
Subject: Re: [PATCH 05/16] efi: Add EFI_SECURE_BOOT bit
Date: Fri, 18 Nov 2016 12:10:32 +0000 [thread overview]
Message-ID: <CAKv+Gu8tx8OgFG6xhZE7UB5pQ0Wy-LPcat0Tj3ZOUbHME-ECYg@mail.gmail.com> (raw)
In-Reply-To: <CA+5PVA6F5qEnuL2UaXS9_fJ217J93cEZDDsz9Y2BPwHXcMdX-A@mail.gmail.com>
On 18 November 2016 at 11:58, Josh Boyer <jwboyer@fedoraproject.org> wrote:
> On Thu, Nov 17, 2016 at 4:58 PM, Ard Biesheuvel
> <ard.biesheuvel@linaro.org> wrote:
>> On 16 November 2016 at 21:47, David Howells <dhowells@redhat.com> wrote:
>>> From: Josh Boyer <jwboyer@fedoraproject.org>
>>>
>>> UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit
>>> for use with efi_enabled.
>>>
>>> Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
>>> Signed-off-by: David Howells <dhowells@redhat.com>
>>> ---
>>>
>>> arch/x86/kernel/setup.c | 1 +
>>> include/linux/efi.h | 1 +
>>> 2 files changed, 2 insertions(+)
>>>
>>> diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
>>> index 9521acce8378..539f29587712 100644
>>> --- a/arch/x86/kernel/setup.c
>>> +++ b/arch/x86/kernel/setup.c
>>> @@ -1164,6 +1164,7 @@ void __init setup_arch(char **cmdline_p)
>>> if (boot_params.secure_boot &&
>>> IS_ENABLED(CONFIG_EFI_SECURE_BOOT_LOCK_DOWN)) {
>>> lock_kernel_down();
>>> + set_bit(EFI_SECURE_BOOT, &efi.flags);
>>
>> Why is this x86 only? And why is this bit only set if
>
> Because it was initially written like 3 years ago before ARM even had
> UEFI. Needs a refresh.
>
Ah ok. I missed that part.
In any case, we have been working very hard over the past couple of
years to move all the UEFI stuff out of arch/x86, except for the
pieces that *really* belong there. For this series, that means that a
fair share of the changes will need to be reworked and moved under
drivers/firmware/efi. Note that that also means you cannot use L""
string literals anymore, since arm64's UEFI stub is linked into the
kernel proper, and the wide character formats are incompatible between
UEFI and the wide char handling that occurs under fs/. Please check
the existing secureboot_enabled() function Lukas referred to as an
example how to emit wide string literals instead.
>> CONFIG_EFI_SECURE_BOOT_LOCK_DOWN is enabled?
>
> That part is new and something David added. Probably not necessary.
>
Regardless of anything else, think is is useful to have a EFI_xx flag
that is always set when secure boot is enabled.
next prev parent reply other threads:[~2016-11-18 12:10 UTC|newest]
Thread overview: 76+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-11-16 21:47 [PATCH 00/16] Kernel lockdown David Howells
2016-11-16 21:47 ` [PATCH 01/16] Add the ability to lock down access to the running kernel image David Howells
2016-11-16 22:20 ` Borislav Petkov
2016-11-16 22:40 ` David Howells
2016-12-25 21:20 ` Pavel Machek
2016-12-25 21:44 ` David Howells
2016-11-16 21:47 ` [PATCH 02/16] efi: Get the secure boot status David Howells
2016-11-17 12:37 ` Lukas Wunner
2016-11-22 0:31 ` [PATCH 1/6] x86/efi: Allow invocation of arbitrary runtime services David Howells
2016-11-22 10:20 ` Lukas Wunner
2016-11-22 14:17 ` David Howells
2016-11-22 14:58 ` Joe Perches
2016-11-22 15:52 ` David Howells
2016-11-22 16:25 ` Joe Perches
2016-11-22 16:40 ` David Howells
2016-11-22 16:51 ` Joe Perches
2016-11-22 0:31 ` [PATCH 2/6] arm/efi: " David Howells
2016-11-22 0:31 ` [PATCH 3/6] efi: Add SHIM and image security database GUID definitions David Howells
2016-11-22 0:32 ` [PATCH 4/6] efi: Get the secure boot status David Howells
2016-11-22 10:44 ` Lukas Wunner
2016-11-22 10:49 ` Ard Biesheuvel
2016-11-22 14:47 ` David Howells
2016-11-22 20:30 ` Lukas Wunner
2016-11-23 0:02 ` David Howells
2016-11-22 14:52 ` David Howells
2016-11-22 20:36 ` Lukas Wunner
2016-11-22 14:57 ` David Howells
2016-11-22 0:32 ` [PATCH 5/6] efi: Disable secure boot if shim is in insecure mode David Howells
2016-11-22 13:03 ` Lukas Wunner
2016-11-22 0:32 ` [PATCH 6/6] efi: Add EFI_SECURE_BOOT bit David Howells
2016-11-22 13:04 ` Lukas Wunner
2016-11-21 11:42 ` [PATCH 02/16] efi: Get the secure boot status David Howells
2016-11-21 11:52 ` Ard Biesheuvel
2016-11-21 12:41 ` David Howells
2016-11-21 13:14 ` Ard Biesheuvel
2016-11-21 15:17 ` Lukas Wunner
2016-11-21 15:25 ` Ard Biesheuvel
2016-11-21 11:46 ` David Howells
2016-11-21 19:58 ` Lukas Wunner
2016-11-16 21:47 ` [PATCH 03/16] efi: Disable secure boot if shim is in insecure mode David Howells
2016-11-16 21:47 ` [PATCH 04/16] efi: Lock down the kernel if booted in secure boot mode David Howells
2016-11-16 21:47 ` [PATCH 05/16] efi: Add EFI_SECURE_BOOT bit David Howells
2016-11-17 21:58 ` Ard Biesheuvel
2016-11-18 11:58 ` Josh Boyer
2016-11-18 12:10 ` Ard Biesheuvel [this message]
2016-11-18 17:28 ` David Howells
2016-11-16 21:48 ` [PATCH 06/16] Add a sysrq option to exit secure boot mode David Howells
2016-11-16 21:48 ` [PATCH 07/16] kexec: Disable at runtime if the kernel is locked down David Howells
2016-11-16 21:48 ` [PATCH 08/16] Copy secure_boot flag in boot params across kexec reboot David Howells
2016-11-16 21:48 ` [PATCH 09/16] hibernate: Disable when the kernel is locked down David Howells
2016-11-16 21:48 ` [PATCH 10/16] PCI: Lock down BAR access " David Howells
2016-11-16 21:48 ` [PATCH 11/16] x86: Lock down IO port " David Howells
2016-11-16 21:48 ` [PATCH 12/16] ACPI: Limit access to custom_method " David Howells
2016-11-16 21:48 ` [PATCH 13/16] asus-wmi: Restrict debugfs interface " David Howells
2016-11-16 21:48 ` [PATCH 14/16] Restrict /dev/mem and /dev/kmem " David Howells
2016-11-16 21:49 ` [PATCH 15/16] acpi: Ignore acpi_rsdp kernel param when the kernel has been " David Howells
2016-11-16 21:49 ` [PATCH 16/16] x86: Restrict MSR access when the kernel is " David Howells
2016-11-16 22:27 ` [PATCH 00/16] Kernel lockdown One Thousand Gnomes
2016-11-21 19:53 ` Ard Biesheuvel
2016-11-30 14:27 ` One Thousand Gnomes
2016-11-16 22:28 ` Justin Forbes
2016-11-21 23:10 ` [PATCH] Lock down drivers that can have io ports, io mem, irqs and dma changed David Howells
2016-11-22 6:12 ` Dominik Brodowski
2016-11-23 12:58 ` David Howells
2016-11-23 19:21 ` Dominik Brodowski
2016-11-24 17:34 ` David Howells
2016-11-24 20:19 ` Dominik Brodowski
2016-11-25 14:49 ` David Howells
2016-11-28 22:32 ` Corey Minyard
2016-11-29 0:11 ` David Howells
2016-11-29 0:23 ` Corey Minyard
2016-11-29 14:03 ` David Howells
2016-11-29 14:35 ` Corey Minyard
2016-11-30 14:41 ` One Thousand Gnomes
2016-11-30 16:25 ` David Howells
2016-11-29 10:40 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAKv+Gu8tx8OgFG6xhZE7UB5pQ0Wy-LPcat0Tj3ZOUbHME-ECYg@mail.gmail.com \
--to=ard.biesheuvel@linaro.org \
--cc=dhowells@redhat.com \
--cc=jwboyer@fedoraproject.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matthew.garrett@nebula.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).