From: Jeremy Cline on gitlab.com Merge Request: https://gitlab.com/cki-project/kernel-ark/-/merge_requests/3862
JIRA: https://issues.redhat.com/browse/RHEL-82437 There is RHEL/Fedora specific functionality on x86 and other arches which enables extra kernel lockdowns when booted by secureboot. Let's do the same for arm now that secureboot is working. This is a rebase of the patch set from Mark that's been submitted for [RHEL 10](https://gitlab.com/redhat/centos-stream/src/kernel/centos- stream-10/-/merge_requests/609) and [RHEL 9](https://gitlab.com/redhat/centos- stream/src/kernel/centos-stream-9/-/merge_requests/5192), but which I don't see in ARK. In particular, I'm interested in getting this into Fedora since, although we do not currently sign aarch64 for SecureBoot, we're working on getting the infrastructure ready for that. In the mean time, carrying this patch is useful for folks who build and sign their own aarch64 kernels. I hope I'm not stepping on Mark's toes here, I figured the easiest place to ask about plans for it in Fedora/ARK was in a PR to add it. Signed-off-by: Mark Salter <[email protected]> Signed-off-by: Jeremy Cline <[email protected]> --- arch/arm64/kernel/setup.c | 27 ++++++++++ drivers/firmware/efi/libstub/fdt.c | 5 + drivers/firmware/efi/libstub/secureboot.c | 14 +++- redhat/configs/common/generic/arm/aarch64/CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT | 1 + 4 files changed, 43 insertions(+), 4 deletions(-) -- _______________________________________________ kernel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
