lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1750975839-32463-3-git-send-email-hamzamahfooz@linux.microsoft.com>
Date: Thu, 26 Jun 2025 15:10:39 -0700
From: Hamza Mahfooz <hamzamahfooz@...ux.microsoft.com>
To: linux-kernel@...r.kernel.org
Cc: Ard Biesheuvel <ardb@...nel.org>,
	Paul Moore <paul@...l-moore.com>,
	James Morris <jmorris@...ei.org>,
	"Serge E. Hallyn" <serge@...lyn.com>,
	Yue Haibing <yuehaibing@...wei.com>,
	Tanya Agarwal <tanyaagarwal25699@...il.com>,
	Kees Cook <kees@...nel.org>,
	linux-efi@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	Hamza Mahfooz <hamzamahfooz@...ux.microsoft.com>
Subject: [PATCH 2/2] efi: introduce EFI_KERNEL_LOCK_DOWN_IN_SECURE_BOOT

Add a kernel configuration option to lock down the kernel, to restrict
userspace's ability to modify the running kernel when Secure Boot is
enabled.

Signed-off-by: Hamza Mahfooz <hamzamahfooz@...ux.microsoft.com>
---
 drivers/firmware/efi/Kconfig | 10 ++++++++++
 drivers/firmware/efi/efi.c   |  9 +++++++++
 2 files changed, 19 insertions(+)

diff --git a/drivers/firmware/efi/Kconfig b/drivers/firmware/efi/Kconfig
index 5fe61b9ab5f9..4e827354e919 100644
--- a/drivers/firmware/efi/Kconfig
+++ b/drivers/firmware/efi/Kconfig
@@ -248,6 +248,16 @@ config EFI_DISABLE_RUNTIME
 
 	  This default can be overridden by using the efi=runtime option.
 
+config EFI_KERNEL_LOCK_DOWN_IN_SECURE_BOOT
+	bool "Lock down the kernel in EFI Secure Boot mode"
+	default n
+	depends on EFI
+	depends on SECURITY_LOCKDOWN_LSM
+	select SECURITY_LOCKDOWN_LSM_EARLY
+	help
+	  Enabling this option results in kernel lockdown being
+	  set in integrity mode if EFI Secure Boot is enabled.
+
 config EFI_COCO_SECRET
 	bool "EFI Confidential Computing Secret Area Support"
 	help
diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
index 7309394b8fc9..b7a5fc79b065 100644
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -427,6 +427,15 @@ static int __init efisubsys_init(void)
 		}
 	}
 
+#ifdef CONFIG_EFI_KERNEL_LOCK_DOWN_IN_SECURE_BOOT
+	if (efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) {
+		if (efi_get_secureboot_mode(efi.get_variable) ==
+		    efi_secureboot_mode_enabled)
+			security_lock_kernel_down("EFI Secure Boot",
+						  LOCKDOWN_INTEGRITY_MAX);
+	}
+#endif
+
 	if (efi_rt_services_supported(EFI_RT_SUPPORTED_TIME_SERVICES))
 		platform_device_register_simple("rtc-efi", 0, NULL, 0);
 
-- 
2.49.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ