[UNSTABLE][PATCH 0/2] Enable lockdown on s390x


[UNSTABLE][PATCH 0/2] Enable lockdown on s390x

Dimitri John Ledkov
Enable lockdown on s390x, and enforce it when the kernel is booted via secure IPL.

Dimitri John Ledkov (1):
  Ubuntu: [Config] Enable CONFIG_LOCK_DOWN_KERNEL on s390x.

Philipp Rudo (1):
  UBUNTU: SAUCE: (lockdown) s390/ipl: lockdown kernel when booted secure

 arch/s390/include/asm/ipl.h                    | 1 +
 arch/s390/kernel/ipl.c                         | 5 +++++
 debian.master/config/annotations               | 4 ++--
 debian.master/config/s390x/config.common.s390x | 2 +-
 security/lock_down.c                           | 7 +++++++
 5 files changed, 16 insertions(+), 3 deletions(-)

--
2.20.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[UNSTABLE][PATCH 1/2] UBUNTU: SAUCE: (lockdown) s390/ipl: lockdown kernel when booted secure

Dimitri John Ledkov
From: Philipp Rudo <[hidden email]>

BugLink: https://bugs.launchpad.net/bugs/1839622
Signed-off-by: Philipp Rudo <[hidden email]>
Signed-off-by: Dimitri John Ledkov <[hidden email]>
---
 arch/s390/include/asm/ipl.h | 1 +
 arch/s390/kernel/ipl.c      | 5 +++++
 security/lock_down.c        | 7 +++++++
 3 files changed, 13 insertions(+)

diff --git a/arch/s390/include/asm/ipl.h b/arch/s390/include/asm/ipl.h
index 084e71b7272a..1d1b5ec7357b 100644
--- a/arch/s390/include/asm/ipl.h
+++ b/arch/s390/include/asm/ipl.h
@@ -109,6 +109,7 @@ int ipl_report_add_component(struct ipl_report *report, struct kexec_buf *kbuf,
      unsigned char flags, unsigned short cert);
 int ipl_report_add_certificate(struct ipl_report *report, void *key,
        unsigned long addr, unsigned long len);
+bool ipl_get_secureboot(void);
 
 /*
  * DIAG 308 support
diff --git a/arch/s390/kernel/ipl.c b/arch/s390/kernel/ipl.c
index 2c0a515428d6..db491b068061 100644
--- a/arch/s390/kernel/ipl.c
+++ b/arch/s390/kernel/ipl.c
@@ -1851,3 +1851,8 @@ int ipl_report_free(struct ipl_report *report)
 }
 
 #endif
+
+bool ipl_get_secureboot(void)
+{
+ return !!ipl_secure_flag;
+}
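Review bot: `ipl_get_secureboot()` is added without a kernel-doc comment, and the patch has no commit body, so a reader of lock_down.c has no way to learn what `!!ipl_secure_flag` certifies or where the flag is set (its definition is outside this hunk). Suggest a comment above the definition such as `/* ipl_get_secureboot - true when the IPL parameters report a secure IPL (ipl_secure_flag set) */`, with a pointer to whatever code populates the flag. The function is placed after the `#endif` that closes the preceding conditional block and so is built unconditionally, which matches the unconditional prototype in the ipl.h hunk; confirm that `ipl_secure_flag` is likewise defined for every s390 configuration, otherwise configs without it fail to link.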
diff --git a/security/lock_down.c b/security/lock_down.c
index b66b3bac8d79..973118384a0c 100644
--- a/security/lock_down.c
+++ b/security/lock_down.c
@@ -15,6 +15,9 @@
 #include <linux/efi.h>
 #include <linux/sysrq.h>
 #include <asm/setup.h>
+#ifdef CONFIG_S390
+#include <asm/ipl.h>
+#endif
 
 #ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
 static __read_mostly bool kernel_locked_down;
@@ -55,6 +58,10 @@ void __init init_lockdown(void)
  if (efi_enabled(EFI_SECURE_BOOT))
  lock_kernel_down("EFI secure boot");
 #endif
+#ifdef CONFIG_S390
+ if (ipl_get_secureboot())
+ lock_kernel_down("Secure IPL");
+#endif
 }
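Review bot: The new s390 branch is guarded only by `CONFIG_S390`, whereas the EFI branch just above it sits inside a conditional whose opening `#ifdef` lies outside the hunk (presumably `CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT`, given the annotations in the companion patch), so secure IPL has no Kconfig opt-out and nothing in the code says that this is deliberate. The cover letter states that enforcement is intended, so record it at the branch, e.g. `/* Booted via secure IPL: treat like EFI secure boot and lock down unconditionally. */` above the new `#ifdef CONFIG_S390`, or add a parallel Kconfig option if an opt-out is wanted. The include in the earlier lock_down.c hunk uses the same `CONFIG_S390` guard and would follow such an option. `init_lockdown()` begins outside this hunk.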
 
 /**
--
2.20.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[UNSTABLE][PATCH 2/2] Ubuntu: [Config] Enable CONFIG_LOCK_DOWN_KERNEL on s390x.

Dimitri John Ledkov
BugLink: https://bugs.launchpad.net/bugs/1839622
Signed-off-by: Dimitri John Ledkov <[hidden email]>
---
 debian.master/config/annotations               | 4 ++--
 debian.master/config/s390x/config.common.s390x | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index 0ce63ed6d25a..1901bd1fd5c9 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -12620,8 +12620,8 @@ CONFIG_HARDENED_USERCOPY_FALLBACK               policy<{'amd64': 'y', 'arm64': '
 CONFIG_HARDENED_USERCOPY_PAGESPAN               policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
 CONFIG_FORTIFY_SOURCE                           policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_STATIC_USERMODEHELPER                    policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
-CONFIG_LOCK_DOWN_KERNEL                         policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'n', 's390x': 'n'}>
-CONFIG_LOCK_DOWN_KERNEL_FORCE                   policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n'}>
+CONFIG_LOCK_DOWN_KERNEL                         policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'n', 's390x': 'y'}>
+CONFIG_LOCK_DOWN_KERNEL_FORCE                   policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 's390x': 'n'}>
 CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ             policy<{'amd64': 'y', 'i386': 'y'}>
 CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT             policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y'}>
 CONFIG_LSM                                      policy<{'amd64': '"yama,loadpin,integrity,apparmor"', 'arm64': '"yama,loadpin,integrity,apparmor"', 'armhf': '"yama,loadpin,integrity,apparmor"', 'i386': '"yama,loadpin,integrity,apparmor"', 'ppc64el': '"yama,loadpin,integrity,apparmor"', 's390x': '"yama,loadpin,integrity,apparmor"'}>
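Review bot: The new `'s390x': 'n'` entry for CONFIG_LOCK_DOWN_KERNEL_FORCE, together with the unchanged CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ line that still lists no s390x policy, means that on s390x lockdown is engaged only by secure IPL and, once engaged, cannot be lifted at runtime; that is the stricter posture, but neither the annotation nor the commit message says so. Suggest stating it in the commit message, e.g. `s390x: lockdown is triggered by secure IPL only; no forced lockdown and no SysRq lift (CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ stays unset).` The config.common.s390x hunk adds only `CONFIG_LOCK_DOWN_KERNEL=y`; presumably the FORCE option defaults to unset there, which is worth confirming against the generated config.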
diff --git a/debian.master/config/s390x/config.common.s390x b/debian.master/config/s390x/config.common.s390x
index afd13fa2a6e2..889f00e1ba24 100644
--- a/debian.master/config/s390x/config.common.s390x
+++ b/debian.master/config/s390x/config.common.s390x
@@ -268,7 +268,7 @@ CONFIG_KVM=y
 # CONFIG_LDM_PARTITION is not set
 # CONFIG_LIBNVDIMM is not set
 # CONFIG_LLC2 is not set
-# CONFIG_LOCK_DOWN_KERNEL is not set
+CONFIG_LOCK_DOWN_KERNEL=y
 CONFIG_LOG_BUF_SHIFT=18
 # CONFIG_LPC_ICH is not set
 # CONFIG_LPC_SCH is not set
--
2.20.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team