Re: [PATCH V3 11/11] Add option to automatically enforce modulesignatures when in Secure Boot mode
From: Matt Fleming
Date: Thu Sep 05 2013 - 06:16:58 EST
On Tue, 03 Sep, at 07:50:18PM, Matthew Garrett wrote:
> UEFI Secure Boot provides a mechanism for ensuring that the firmware will
> only load signed bootloaders and kernels. Certain use cases may also
> require that all kernel modules also be signed. Add a configuration option
> that enforces this automatically when enabled.
>
> Signed-off-by: Matthew Garrett <matthew.garrett@xxxxxxxxxx>
> ---
> Documentation/x86/zero-page.txt | 2 ++
> arch/x86/Kconfig | 10 ++++++++++
> arch/x86/boot/compressed/eboot.c | 36 +++++++++++++++++++++++++++++++++++
> arch/x86/include/uapi/asm/bootparam.h | 3 ++-
> arch/x86/kernel/setup.c | 6 ++++++
> include/linux/module.h | 6 ++++++
> kernel/module.c | 7 +++++++
> 7 files changed, 69 insertions(+), 1 deletion(-)
[...]
> @@ -1129,6 +1129,12 @@ void __init setup_arch(char **cmdline_p)
>
> io_delay_init();
>
> +#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
> + if (boot_params.secure_boot) {
> + enforce_signed_modules();
> + }
> +#endif
> +
I'd advise checking efi_enabled(EFI_BOOT) along with .secure_boot to
guard against garbage values in boot_params.
--
Matt Fleming, Intel Open Source Technology Center
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/