Re: [PATCH V3 11/11] Add option to automatically enforce module signatures when in Secure Boot mode
On Thu, 2013-09-05 at 11:16 +0100, Matt Fleming wrote: > I'd advise checking efi_enabled(EFI_BOOT) along with .secure_boot to > guard against garbage values in boot_params. We've called sanitize_boot_params(), so we can assert that there are no garbage values. -- Matthew Garrett
Re: [PATCH V3 11/11] Add option to automatically enforce module signatures when in Secure Boot mode
On Tue, 03 Sep, at 07:50:18PM, Matthew Garrett wrote: > UEFI Secure Boot provides a mechanism for ensuring that the firmware will > only load signed bootloaders and kernels. Certain use cases may also > require that all kernel modules also be signed. Add a configuration option > that enforces this automatically when enabled. > > Signed-off-by: Matthew Garrett > --- > Documentation/x86/zero-page.txt | 2 ++ > arch/x86/Kconfig | 10 ++ > arch/x86/boot/compressed/eboot.c | 36 > +++ > arch/x86/include/uapi/asm/bootparam.h | 3 ++- > arch/x86/kernel/setup.c | 6 ++ > include/linux/module.h| 6 ++ > kernel/module.c | 7 +++ > 7 files changed, 69 insertions(+), 1 deletion(-) [...] > @@ -1129,6 +1129,12 @@ void __init setup_arch(char **cmdline_p) > > io_delay_init(); > > +#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE > + if (boot_params.secure_boot) { > + enforce_signed_modules(); > + } > +#endif > + I'd advise checking efi_enabled(EFI_BOOT) along with .secure_boot to guard against garbage values in boot_params. -- Matt Fleming, Intel Open Source Technology Center -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH V3 11/11] Add option to automatically enforce module signatures when in Secure Boot mode
於 二,2013-09-03 於 19:50 -0400,Matthew Garrett 提到: > UEFI Secure Boot provides a mechanism for ensuring that the firmware will > only load signed bootloaders and kernels. Certain use cases may also > require that all kernel modules also be signed. Add a configuration option > that enforces this automatically when enabled. > > Signed-off-by: Matthew Garrett > --- > Documentation/x86/zero-page.txt | 2 ++ > arch/x86/Kconfig | 10 ++ > arch/x86/boot/compressed/eboot.c | 36 > +++ > arch/x86/include/uapi/asm/bootparam.h | 3 ++- > arch/x86/kernel/setup.c | 6 ++ > include/linux/module.h| 6 ++ > kernel/module.c | 7 +++ > 7 files changed, 69 insertions(+), 1 deletion(-) > > diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt > index 199f453..ec38acf 100644 > --- a/Documentation/x86/zero-page.txt > +++ b/Documentation/x86/zero-page.txt > @@ -30,6 +30,8 @@ Offset Proto NameMeaning > 1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below) > 1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in > edd_mbr_sig_buffer > (below) > +1EB/001 ALL kbd_status Numlock is enabled > +1EC/001 ALL secure_boot Secure boot is enabled in the firmware > 1EF/001 ALL sentinelUsed to detect broken bootloaders > 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures > 2D0/A00 ALL e820_mapE820 memory map table > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig > index b32ebf9..6a6c19b 100644 > --- a/arch/x86/Kconfig > +++ b/arch/x86/Kconfig > @@ -1581,6 +1581,16 @@ config EFI_STUB > > See Documentation/x86/efi-stub.txt for more information. > > +config EFI_SECURE_BOOT_SIG_ENFORCE > +def_bool n Maybe need add "select MODULE_SIG" to here for auto enable kernel module signature check when user select this option? > + prompt "Force module signing when UEFI Secure Boot is enabled" > + ---help--- > + UEFI Secure Boot provides a mechanism for ensuring that the > + firmware will only load signed bootloaders and kernels. Certain > + use cases may also require that all kernel modules also be signed. > + Say Y here to automatically enable module signature enforcement > + when a system boots with UEFI Secure Boot enabled. Thanks a lot! Joey Lee -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH V3 11/11] Add option to automatically enforce module signatures when in Secure Boot mode
於 二,2013-09-03 於 19:50 -0400,Matthew Garrett 提到: UEFI Secure Boot provides a mechanism for ensuring that the firmware will only load signed bootloaders and kernels. Certain use cases may also require that all kernel modules also be signed. Add a configuration option that enforces this automatically when enabled. Signed-off-by: Matthew Garrett matthew.garr...@nebula.com --- Documentation/x86/zero-page.txt | 2 ++ arch/x86/Kconfig | 10 ++ arch/x86/boot/compressed/eboot.c | 36 +++ arch/x86/include/uapi/asm/bootparam.h | 3 ++- arch/x86/kernel/setup.c | 6 ++ include/linux/module.h| 6 ++ kernel/module.c | 7 +++ 7 files changed, 69 insertions(+), 1 deletion(-) diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt index 199f453..ec38acf 100644 --- a/Documentation/x86/zero-page.txt +++ b/Documentation/x86/zero-page.txt @@ -30,6 +30,8 @@ Offset Proto NameMeaning 1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below) 1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer (below) +1EB/001 ALL kbd_status Numlock is enabled +1EC/001 ALL secure_boot Secure boot is enabled in the firmware 1EF/001 ALL sentinelUsed to detect broken bootloaders 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures 2D0/A00 ALL e820_mapE820 memory map table diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index b32ebf9..6a6c19b 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -1581,6 +1581,16 @@ config EFI_STUB See Documentation/x86/efi-stub.txt for more information. +config EFI_SECURE_BOOT_SIG_ENFORCE +def_bool n Maybe need add select MODULE_SIG to here for auto enable kernel module signature check when user select this option? + prompt Force module signing when UEFI Secure Boot is enabled + ---help--- + UEFI Secure Boot provides a mechanism for ensuring that the + firmware will only load signed bootloaders and kernels. Certain + use cases may also require that all kernel modules also be signed. + Say Y here to automatically enable module signature enforcement + when a system boots with UEFI Secure Boot enabled. Thanks a lot! Joey Lee -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH V3 11/11] Add option to automatically enforce module signatures when in Secure Boot mode
On Tue, 03 Sep, at 07:50:18PM, Matthew Garrett wrote: UEFI Secure Boot provides a mechanism for ensuring that the firmware will only load signed bootloaders and kernels. Certain use cases may also require that all kernel modules also be signed. Add a configuration option that enforces this automatically when enabled. Signed-off-by: Matthew Garrett matthew.garr...@nebula.com --- Documentation/x86/zero-page.txt | 2 ++ arch/x86/Kconfig | 10 ++ arch/x86/boot/compressed/eboot.c | 36 +++ arch/x86/include/uapi/asm/bootparam.h | 3 ++- arch/x86/kernel/setup.c | 6 ++ include/linux/module.h| 6 ++ kernel/module.c | 7 +++ 7 files changed, 69 insertions(+), 1 deletion(-) [...] @@ -1129,6 +1129,12 @@ void __init setup_arch(char **cmdline_p) io_delay_init(); +#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE + if (boot_params.secure_boot) { + enforce_signed_modules(); + } +#endif + I'd advise checking efi_enabled(EFI_BOOT) along with .secure_boot to guard against garbage values in boot_params. -- Matt Fleming, Intel Open Source Technology Center -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH V3 11/11] Add option to automatically enforce module signatures when in Secure Boot mode
On Thu, 2013-09-05 at 11:16 +0100, Matt Fleming wrote: I'd advise checking efi_enabled(EFI_BOOT) along with .secure_boot to guard against garbage values in boot_params. We've called sanitize_boot_params(), so we can assert that there are no garbage values. -- Matthew Garrett matthew.garr...@nebula.com
Re: [PATCH V3 11/11] Add option to automatically enforce module signatures when in Secure Boot mode
於 二,2013-09-03 於 19:50 -0400,Matthew Garrett 提到: > UEFI Secure Boot provides a mechanism for ensuring that the firmware will > only load signed bootloaders and kernels. Certain use cases may also > require that all kernel modules also be signed. Add a configuration option > that enforces this automatically when enabled. > > Signed-off-by: Matthew Garrett Tested-by: Lee, Chun-Yi Thanks Joey Lee > --- > Documentation/x86/zero-page.txt | 2 ++ > arch/x86/Kconfig | 10 ++ > arch/x86/boot/compressed/eboot.c | 36 > +++ > arch/x86/include/uapi/asm/bootparam.h | 3 ++- > arch/x86/kernel/setup.c | 6 ++ > include/linux/module.h| 6 ++ > kernel/module.c | 7 +++ > 7 files changed, 69 insertions(+), 1 deletion(-) > > diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt > index 199f453..ec38acf 100644 > --- a/Documentation/x86/zero-page.txt > +++ b/Documentation/x86/zero-page.txt > @@ -30,6 +30,8 @@ Offset Proto NameMeaning > 1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below) > 1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in > edd_mbr_sig_buffer > (below) > +1EB/001 ALL kbd_status Numlock is enabled > +1EC/001 ALL secure_boot Secure boot is enabled in the firmware > 1EF/001 ALL sentinelUsed to detect broken bootloaders > 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures > 2D0/A00 ALL e820_mapE820 memory map table > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig > index b32ebf9..6a6c19b 100644 > --- a/arch/x86/Kconfig > +++ b/arch/x86/Kconfig > @@ -1581,6 +1581,16 @@ config EFI_STUB > > See Documentation/x86/efi-stub.txt for more information. > > +config EFI_SECURE_BOOT_SIG_ENFORCE > +def_bool n > + prompt "Force module signing when UEFI Secure Boot is enabled" > + ---help--- > + UEFI Secure Boot provides a mechanism for ensuring that the > + firmware will only load signed bootloaders and kernels. Certain > + use cases may also require that all kernel modules also be signed. > + Say Y here to automatically enable module signature enforcement > + when a system boots with UEFI Secure Boot enabled. > + > config SECCOMP > def_bool y > prompt "Enable seccomp to safely compute untrusted bytecode" > diff --git a/arch/x86/boot/compressed/eboot.c > b/arch/x86/boot/compressed/eboot.c > index b7388a4..53bfe4f 100644 > --- a/arch/x86/boot/compressed/eboot.c > +++ b/arch/x86/boot/compressed/eboot.c > @@ -12,6 +12,7 @@ > #include > #include > #include > +#include > > #undef memcpy/* Use memcpy from misc.c */ > > @@ -861,6 +862,37 @@ fail: > return status; > } > > +static int get_secure_boot(void) > +{ > + u8 sb, setup; > + unsigned long datasize = sizeof(sb); > + efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; > + efi_status_t status; > + > + status = efi_call_phys5(sys_table->runtime->get_variable, > + L"SecureBoot", _guid, NULL, , ); > + > + if (status != EFI_SUCCESS) > + return 0; > + > + if (sb == 0) > + return 0; > + > + > + status = efi_call_phys5(sys_table->runtime->get_variable, > + L"SetupMode", _guid, NULL, , > + ); > + > + if (status != EFI_SUCCESS) > + return 0; > + > + if (setup == 1) > + return 0; > + > + return 1; > +} > + > + > /* > * Because the x86 boot code expects to be passed a boot_params we > * need to create one ourselves (usually the bootloader would create > @@ -1169,6 +1201,10 @@ struct boot_params *efi_main(void *handle, > efi_system_table_t *_table, > if (sys_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE) > goto fail; > > + sanitize_boot_params(boot_params); > + > + boot_params->secure_boot = get_secure_boot(); > + > setup_graphics(boot_params); > > setup_efi_pci(boot_params); > diff --git a/arch/x86/include/uapi/asm/bootparam.h > b/arch/x86/include/uapi/asm/bootparam.h > index c15ddaf..85d7685 100644 > --- a/arch/x86/include/uapi/asm/bootparam.h > +++ b/arch/x86/include/uapi/asm/bootparam.h > @@ -131,7 +131,8 @@ struct boot_params { > __u8 eddbuf_entries; /* 0x1e9 */ > __u8 edd_mbr_sig_buf_entries; /* 0x1ea */ > __u8 kbd_status; /* 0x1eb */ > - __u8 _pad5[3]; /* 0x1ec */ > + __u8 secure_boot; /* 0x1ec */ > + __u8 _pad5[2]; /* 0x1ed */ > /* >* The sentinel is set to a nonzero value (0xff) in header.S. >*
Re: [PATCH V3 11/11] Add option to automatically enforce module signatures when in Secure Boot mode
於 二,2013-09-03 於 19:50 -0400,Matthew Garrett 提到: UEFI Secure Boot provides a mechanism for ensuring that the firmware will only load signed bootloaders and kernels. Certain use cases may also require that all kernel modules also be signed. Add a configuration option that enforces this automatically when enabled. Signed-off-by: Matthew Garrett matthew.garr...@nebula.com Tested-by: Lee, Chun-Yi j...@suse.com Thanks Joey Lee --- Documentation/x86/zero-page.txt | 2 ++ arch/x86/Kconfig | 10 ++ arch/x86/boot/compressed/eboot.c | 36 +++ arch/x86/include/uapi/asm/bootparam.h | 3 ++- arch/x86/kernel/setup.c | 6 ++ include/linux/module.h| 6 ++ kernel/module.c | 7 +++ 7 files changed, 69 insertions(+), 1 deletion(-) diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt index 199f453..ec38acf 100644 --- a/Documentation/x86/zero-page.txt +++ b/Documentation/x86/zero-page.txt @@ -30,6 +30,8 @@ Offset Proto NameMeaning 1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below) 1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer (below) +1EB/001 ALL kbd_status Numlock is enabled +1EC/001 ALL secure_boot Secure boot is enabled in the firmware 1EF/001 ALL sentinelUsed to detect broken bootloaders 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures 2D0/A00 ALL e820_mapE820 memory map table diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index b32ebf9..6a6c19b 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -1581,6 +1581,16 @@ config EFI_STUB See Documentation/x86/efi-stub.txt for more information. +config EFI_SECURE_BOOT_SIG_ENFORCE +def_bool n + prompt Force module signing when UEFI Secure Boot is enabled + ---help--- + UEFI Secure Boot provides a mechanism for ensuring that the + firmware will only load signed bootloaders and kernels. Certain + use cases may also require that all kernel modules also be signed. + Say Y here to automatically enable module signature enforcement + when a system boots with UEFI Secure Boot enabled. + config SECCOMP def_bool y prompt Enable seccomp to safely compute untrusted bytecode diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c index b7388a4..53bfe4f 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c @@ -12,6 +12,7 @@ #include asm/efi.h #include asm/setup.h #include asm/desc.h +#include asm/bootparam_utils.h #undef memcpy/* Use memcpy from misc.c */ @@ -861,6 +862,37 @@ fail: return status; } +static int get_secure_boot(void) +{ + u8 sb, setup; + unsigned long datasize = sizeof(sb); + efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; + efi_status_t status; + + status = efi_call_phys5(sys_table-runtime-get_variable, + LSecureBoot, var_guid, NULL, datasize, sb); + + if (status != EFI_SUCCESS) + return 0; + + if (sb == 0) + return 0; + + + status = efi_call_phys5(sys_table-runtime-get_variable, + LSetupMode, var_guid, NULL, datasize, + setup); + + if (status != EFI_SUCCESS) + return 0; + + if (setup == 1) + return 0; + + return 1; +} + + /* * Because the x86 boot code expects to be passed a boot_params we * need to create one ourselves (usually the bootloader would create @@ -1169,6 +1201,10 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table, if (sys_table-hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE) goto fail; + sanitize_boot_params(boot_params); + + boot_params-secure_boot = get_secure_boot(); + setup_graphics(boot_params); setup_efi_pci(boot_params); diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h index c15ddaf..85d7685 100644 --- a/arch/x86/include/uapi/asm/bootparam.h +++ b/arch/x86/include/uapi/asm/bootparam.h @@ -131,7 +131,8 @@ struct boot_params { __u8 eddbuf_entries; /* 0x1e9 */ __u8 edd_mbr_sig_buf_entries; /* 0x1ea */ __u8 kbd_status; /* 0x1eb */ - __u8 _pad5[3]; /* 0x1ec */ + __u8 secure_boot; /* 0x1ec */ + __u8 _pad5[2]; /* 0x1ed */ /* * The sentinel is set to a nonzero value (0xff) in header.S. * diff --git
Re: [PATCH V3 11/11] Add option to automatically enforce module signatures when in Secure Boot mode
On Wed, 2013-09-04 at 11:42 +1000, James Morris wrote: > On Tue, 3 Sep 2013, Matthew Garrett wrote: > > > + status = efi_call_phys5(sys_table->runtime->get_variable, > > + L"SecureBoot", _guid, NULL, , ); > > + > > > What's 'L' ? Wide-character string constant. UEFI variable names are 16-bits per character. -- Matthew Garrett
Re: [PATCH V3 11/11] Add option to automatically enforce module signatures when in Secure Boot mode
On Tue, 3 Sep 2013, Matthew Garrett wrote: > + status = efi_call_phys5(sys_table->runtime->get_variable, > + L"SecureBoot", _guid, NULL, , ); > + What's 'L' ? -- James Morris -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH V3 11/11] Add option to automatically enforce module signatures when in Secure Boot mode
UEFI Secure Boot provides a mechanism for ensuring that the firmware will only load signed bootloaders and kernels. Certain use cases may also require that all kernel modules also be signed. Add a configuration option that enforces this automatically when enabled. Signed-off-by: Matthew Garrett --- Documentation/x86/zero-page.txt | 2 ++ arch/x86/Kconfig | 10 ++ arch/x86/boot/compressed/eboot.c | 36 +++ arch/x86/include/uapi/asm/bootparam.h | 3 ++- arch/x86/kernel/setup.c | 6 ++ include/linux/module.h| 6 ++ kernel/module.c | 7 +++ 7 files changed, 69 insertions(+), 1 deletion(-) diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt index 199f453..ec38acf 100644 --- a/Documentation/x86/zero-page.txt +++ b/Documentation/x86/zero-page.txt @@ -30,6 +30,8 @@ OffsetProto NameMeaning 1E9/001ALL eddbuf_entries Number of entries in eddbuf (below) 1EA/001ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer (below) +1EB/001ALL kbd_status Numlock is enabled +1EC/001ALL secure_boot Secure boot is enabled in the firmware 1EF/001ALL sentinelUsed to detect broken bootloaders 290/040ALL edd_mbr_sig_buffer EDD MBR signatures 2D0/A00ALL e820_mapE820 memory map table diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index b32ebf9..6a6c19b 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -1581,6 +1581,16 @@ config EFI_STUB See Documentation/x86/efi-stub.txt for more information. +config EFI_SECURE_BOOT_SIG_ENFORCE +def_bool n + prompt "Force module signing when UEFI Secure Boot is enabled" + ---help--- + UEFI Secure Boot provides a mechanism for ensuring that the + firmware will only load signed bootloaders and kernels. Certain + use cases may also require that all kernel modules also be signed. + Say Y here to automatically enable module signature enforcement + when a system boots with UEFI Secure Boot enabled. + config SECCOMP def_bool y prompt "Enable seccomp to safely compute untrusted bytecode" diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c index b7388a4..53bfe4f 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c @@ -12,6 +12,7 @@ #include #include #include +#include #undef memcpy /* Use memcpy from misc.c */ @@ -861,6 +862,37 @@ fail: return status; } +static int get_secure_boot(void) +{ + u8 sb, setup; + unsigned long datasize = sizeof(sb); + efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; + efi_status_t status; + + status = efi_call_phys5(sys_table->runtime->get_variable, + L"SecureBoot", _guid, NULL, , ); + + if (status != EFI_SUCCESS) + return 0; + + if (sb == 0) + return 0; + + + status = efi_call_phys5(sys_table->runtime->get_variable, + L"SetupMode", _guid, NULL, , + ); + + if (status != EFI_SUCCESS) + return 0; + + if (setup == 1) + return 0; + + return 1; +} + + /* * Because the x86 boot code expects to be passed a boot_params we * need to create one ourselves (usually the bootloader would create @@ -1169,6 +1201,10 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table, if (sys_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE) goto fail; + sanitize_boot_params(boot_params); + + boot_params->secure_boot = get_secure_boot(); + setup_graphics(boot_params); setup_efi_pci(boot_params); diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h index c15ddaf..85d7685 100644 --- a/arch/x86/include/uapi/asm/bootparam.h +++ b/arch/x86/include/uapi/asm/bootparam.h @@ -131,7 +131,8 @@ struct boot_params { __u8 eddbuf_entries; /* 0x1e9 */ __u8 edd_mbr_sig_buf_entries; /* 0x1ea */ __u8 kbd_status; /* 0x1eb */ - __u8 _pad5[3]; /* 0x1ec */ + __u8 secure_boot; /* 0x1ec */ + __u8 _pad5[2]; /* 0x1ed */ /* * The sentinel is set to a nonzero value (0xff) in header.S. * diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c index f8ec578..deeb7bc 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -1129,6 +1129,12 @@ void __init setup_arch(char **cmdline_p) io_delay_init(); +#ifdef
[PATCH V3 11/11] Add option to automatically enforce module signatures when in Secure Boot mode
UEFI Secure Boot provides a mechanism for ensuring that the firmware will only load signed bootloaders and kernels. Certain use cases may also require that all kernel modules also be signed. Add a configuration option that enforces this automatically when enabled. Signed-off-by: Matthew Garrett matthew.garr...@nebula.com --- Documentation/x86/zero-page.txt | 2 ++ arch/x86/Kconfig | 10 ++ arch/x86/boot/compressed/eboot.c | 36 +++ arch/x86/include/uapi/asm/bootparam.h | 3 ++- arch/x86/kernel/setup.c | 6 ++ include/linux/module.h| 6 ++ kernel/module.c | 7 +++ 7 files changed, 69 insertions(+), 1 deletion(-) diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt index 199f453..ec38acf 100644 --- a/Documentation/x86/zero-page.txt +++ b/Documentation/x86/zero-page.txt @@ -30,6 +30,8 @@ OffsetProto NameMeaning 1E9/001ALL eddbuf_entries Number of entries in eddbuf (below) 1EA/001ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer (below) +1EB/001ALL kbd_status Numlock is enabled +1EC/001ALL secure_boot Secure boot is enabled in the firmware 1EF/001ALL sentinelUsed to detect broken bootloaders 290/040ALL edd_mbr_sig_buffer EDD MBR signatures 2D0/A00ALL e820_mapE820 memory map table diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index b32ebf9..6a6c19b 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -1581,6 +1581,16 @@ config EFI_STUB See Documentation/x86/efi-stub.txt for more information. +config EFI_SECURE_BOOT_SIG_ENFORCE +def_bool n + prompt Force module signing when UEFI Secure Boot is enabled + ---help--- + UEFI Secure Boot provides a mechanism for ensuring that the + firmware will only load signed bootloaders and kernels. Certain + use cases may also require that all kernel modules also be signed. + Say Y here to automatically enable module signature enforcement + when a system boots with UEFI Secure Boot enabled. + config SECCOMP def_bool y prompt Enable seccomp to safely compute untrusted bytecode diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c index b7388a4..53bfe4f 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c @@ -12,6 +12,7 @@ #include asm/efi.h #include asm/setup.h #include asm/desc.h +#include asm/bootparam_utils.h #undef memcpy /* Use memcpy from misc.c */ @@ -861,6 +862,37 @@ fail: return status; } +static int get_secure_boot(void) +{ + u8 sb, setup; + unsigned long datasize = sizeof(sb); + efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; + efi_status_t status; + + status = efi_call_phys5(sys_table-runtime-get_variable, + LSecureBoot, var_guid, NULL, datasize, sb); + + if (status != EFI_SUCCESS) + return 0; + + if (sb == 0) + return 0; + + + status = efi_call_phys5(sys_table-runtime-get_variable, + LSetupMode, var_guid, NULL, datasize, + setup); + + if (status != EFI_SUCCESS) + return 0; + + if (setup == 1) + return 0; + + return 1; +} + + /* * Because the x86 boot code expects to be passed a boot_params we * need to create one ourselves (usually the bootloader would create @@ -1169,6 +1201,10 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table, if (sys_table-hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE) goto fail; + sanitize_boot_params(boot_params); + + boot_params-secure_boot = get_secure_boot(); + setup_graphics(boot_params); setup_efi_pci(boot_params); diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h index c15ddaf..85d7685 100644 --- a/arch/x86/include/uapi/asm/bootparam.h +++ b/arch/x86/include/uapi/asm/bootparam.h @@ -131,7 +131,8 @@ struct boot_params { __u8 eddbuf_entries; /* 0x1e9 */ __u8 edd_mbr_sig_buf_entries; /* 0x1ea */ __u8 kbd_status; /* 0x1eb */ - __u8 _pad5[3]; /* 0x1ec */ + __u8 secure_boot; /* 0x1ec */ + __u8 _pad5[2]; /* 0x1ed */ /* * The sentinel is set to a nonzero value (0xff) in header.S. * diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c index f8ec578..deeb7bc 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@
Re: [PATCH V3 11/11] Add option to automatically enforce module signatures when in Secure Boot mode
On Tue, 3 Sep 2013, Matthew Garrett wrote: + status = efi_call_phys5(sys_table-runtime-get_variable, + LSecureBoot, var_guid, NULL, datasize, sb); + What's 'L' ? -- James Morris jmor...@namei.org -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH V3 11/11] Add option to automatically enforce module signatures when in Secure Boot mode
On Wed, 2013-09-04 at 11:42 +1000, James Morris wrote: On Tue, 3 Sep 2013, Matthew Garrett wrote: + status = efi_call_phys5(sys_table-runtime-get_variable, + LSecureBoot, var_guid, NULL, datasize, sb); + What's 'L' ? Wide-character string constant. UEFI variable names are 16-bits per character. -- Matthew Garrett matthew.garr...@nebula.com