68d0d67
Bugzilla: N/A
68d0d67
Upstream-status: Fedora mustard.  Replaced by securelevels, but that was nak'd
68d0d67
713abc0
From 0fc411ee00c81b8a18b1417d31f2736fad155d89 Mon Sep 17 00:00:00 2001
c9d9c5a
From: Matthew Garrett <matthew.garrett@nebula.com>
d7ee6f3
Date: Fri, 9 Aug 2013 17:58:15 -0400
d7ee6f3
Subject: [PATCH 01/14] Add secure_modules() call
c9d9c5a
c9d9c5a
Provide a single call to allow kernel code to determine whether the system
c9d9c5a
has been configured to either disable module loading entirely or to load
c9d9c5a
only modules signed with a trusted key.
c9d9c5a
c9d9c5a
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
c9d9c5a
---
c9d9c5a
 include/linux/module.h |  7 +++++++
c9d9c5a
 kernel/module.c        | 10 ++++++++++
c9d9c5a
 2 files changed, 17 insertions(+)
c9d9c5a
c9d9c5a
diff --git a/include/linux/module.h b/include/linux/module.h
713abc0
index 05f2447..de97e77 100644
c9d9c5a
--- a/include/linux/module.h
c9d9c5a
+++ b/include/linux/module.h
713abc0
@@ -515,6 +515,8 @@ int unregister_module_notifier(struct notifier_block * nb);
c9d9c5a
 
c9d9c5a
 extern void print_modules(void);
c9d9c5a
 
c9d9c5a
+extern bool secure_modules(void);
c9d9c5a
+
c9d9c5a
 #else /* !CONFIG_MODULES... */
c9d9c5a
 
c9d9c5a
 /* Given an address, look for it in the exception tables. */
713abc0
@@ -625,6 +627,11 @@ static inline int unregister_module_notifier(struct notifier_block * nb)
c9d9c5a
 static inline void print_modules(void)
c9d9c5a
 {
c9d9c5a
 }
c9d9c5a
+
c9d9c5a
+static inline bool secure_modules(void)
c9d9c5a
+{
c9d9c5a
+	return false;
c9d9c5a
+}
c9d9c5a
 #endif /* CONFIG_MODULES */
c9d9c5a
 
c9d9c5a
 #ifdef CONFIG_SYSFS
c9d9c5a
diff --git a/kernel/module.c b/kernel/module.c
713abc0
index dc58274..81206c1 100644
c9d9c5a
--- a/kernel/module.c
c9d9c5a
+++ b/kernel/module.c
713abc0
@@ -3860,3 +3860,13 @@ void module_layout(struct module *mod,
c9d9c5a
 }
c9d9c5a
 EXPORT_SYMBOL(module_layout);
c9d9c5a
 #endif
c9d9c5a
+
c9d9c5a
+bool secure_modules(void)
c9d9c5a
+{
c9d9c5a
+#ifdef CONFIG_MODULE_SIG
c9d9c5a
+	return (sig_enforce || modules_disabled);
c9d9c5a
+#else
c9d9c5a
+	return modules_disabled;
c9d9c5a
+#endif
c9d9c5a
+}
d7ee6f3
+EXPORT_SYMBOL(secure_modules);
c9d9c5a
-- 
c9d9c5a
1.8.3.1
c9d9c5a
c9d9c5a
713abc0
From b94942e55b519e70366e970cea3665c464d1b7da Mon Sep 17 00:00:00 2001
c9d9c5a
From: Matthew Garrett <matthew.garrett@nebula.com>
d7ee6f3
Date: Thu, 8 Mar 2012 10:10:38 -0500
d7ee6f3
Subject: [PATCH 02/14] PCI: Lock down BAR access when module security is
c9d9c5a
 enabled
c9d9c5a
c9d9c5a
Any hardware that can potentially generate DMA has to be locked down from
c9d9c5a
userspace in order to avoid it being possible for an attacker to modify
c9d9c5a
kernel code, allowing them to circumvent disabled module loading or module
c9d9c5a
signing. Default to paranoid - in future we can potentially relax this for
c9d9c5a
sufficiently IOMMU-isolated devices.
c9d9c5a
c9d9c5a
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
c9d9c5a
---
c9d9c5a
 drivers/pci/pci-sysfs.c | 10 ++++++++++
c9d9c5a
 drivers/pci/proc.c      |  8 +++++++-
c9d9c5a
 drivers/pci/syscall.c   |  3 ++-
c9d9c5a
 3 files changed, 19 insertions(+), 2 deletions(-)
c9d9c5a
c9d9c5a
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
713abc0
index d8eb880..a851ad6 100644
c9d9c5a
--- a/drivers/pci/pci-sysfs.c
c9d9c5a
+++ b/drivers/pci/pci-sysfs.c
c9d9c5a
@@ -29,6 +29,7 @@
c9d9c5a
 #include <linux/slab.h>
c9d9c5a
 #include <linux/vgaarb.h>
c9d9c5a
 #include <linux/pm_runtime.h>
c9d9c5a
+#include <linux/module.h>
c9d9c5a
 #include "pci.h"
c9d9c5a
 
c9d9c5a
 static int sysfs_initialized;	/* = 0 */
713abc0
@@ -644,6 +645,9 @@ pci_write_config(struct file* filp, struct kobject *kobj,
c9d9c5a
 	loff_t init_off = off;
c9d9c5a
 	u8 *data = (u8*) buf;
c9d9c5a
 
c9d9c5a
+	if (secure_modules())
c9d9c5a
+		return -EPERM;
c9d9c5a
+
c9d9c5a
 	if (off > dev->cfg_size)
c9d9c5a
 		return 0;
c9d9c5a
 	if (off + count > dev->cfg_size) {
713abc0
@@ -950,6 +954,9 @@ pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
c9d9c5a
 	resource_size_t start, end;
c9d9c5a
 	int i;
c9d9c5a
 
c9d9c5a
+	if (secure_modules())
c9d9c5a
+		return -EPERM;
c9d9c5a
+
c9d9c5a
 	for (i = 0; i < PCI_ROM_RESOURCE; i++)
c9d9c5a
 		if (res == &pdev->resource[i])
c9d9c5a
 			break;
713abc0
@@ -1057,6 +1064,9 @@ pci_write_resource_io(struct file *filp, struct kobject *kobj,
c9d9c5a
 		      struct bin_attribute *attr, char *buf,
c9d9c5a
 		      loff_t off, size_t count)
c9d9c5a
 {
c9d9c5a
+	if (secure_modules())
c9d9c5a
+		return -EPERM;
c9d9c5a
+
c9d9c5a
 	return pci_resource_io(filp, kobj, attr, buf, off, count, true);
c9d9c5a
 }
c9d9c5a
 
c9d9c5a
diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
c9d9c5a
index cdc7836..e3d498b 100644
c9d9c5a
--- a/drivers/pci/proc.c
c9d9c5a
+++ b/drivers/pci/proc.c
c9d9c5a
@@ -117,6 +117,9 @@ proc_bus_pci_write(struct file *file, const char __user *buf, size_t nbytes, lof
c9d9c5a
 	int size = dev->cfg_size;
c9d9c5a
 	int cnt;
c9d9c5a
 
c9d9c5a
+	if (secure_modules())
c9d9c5a
+		return -EPERM;
c9d9c5a
+
c9d9c5a
 	if (pos >= size)
c9d9c5a
 		return 0;
c9d9c5a
 	if (nbytes >= size)
c9d9c5a
@@ -196,6 +199,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
c9d9c5a
 #endif /* HAVE_PCI_MMAP */
c9d9c5a
 	int ret = 0;
c9d9c5a
 
c9d9c5a
+	if (secure_modules())
c9d9c5a
+		return -EPERM;
c9d9c5a
+
c9d9c5a
 	switch (cmd) {
c9d9c5a
 	case PCIIOC_CONTROLLER:
c9d9c5a
 		ret = pci_domain_nr(dev->bus);
c9d9c5a
@@ -234,7 +240,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
c9d9c5a
 	struct pci_filp_private *fpriv = file->private_data;
c9d9c5a
 	int i, ret;
c9d9c5a
 
c9d9c5a
-	if (!capable(CAP_SYS_RAWIO))
c9d9c5a
+	if (!capable(CAP_SYS_RAWIO) || secure_modules())
c9d9c5a
 		return -EPERM;
c9d9c5a
 
c9d9c5a
 	/* Make sure the caller is mapping a real resource for this device */
c9d9c5a
diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
c9d9c5a
index e1c1ec5..bffbf71 100644
c9d9c5a
--- a/drivers/pci/syscall.c
c9d9c5a
+++ b/drivers/pci/syscall.c
c9d9c5a
@@ -10,6 +10,7 @@
c9d9c5a
 #include <linux/errno.h>
c9d9c5a
 #include <linux/pci.h>
c9d9c5a
 #include <linux/syscalls.h>
c9d9c5a
+#include <linux/module.h>
c9d9c5a
 #include <asm/uaccess.h>
c9d9c5a
 #include "pci.h"
c9d9c5a
 
c9d9c5a
@@ -92,7 +93,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
c9d9c5a
 	u32 dword;
c9d9c5a
 	int err = 0;
c9d9c5a
 
c9d9c5a
-	if (!capable(CAP_SYS_ADMIN))
c9d9c5a
+	if (!capable(CAP_SYS_ADMIN) || secure_modules())
c9d9c5a
 		return -EPERM;
c9d9c5a
 
c9d9c5a
 	dev = pci_get_bus_and_slot(bus, dfn);
c9d9c5a
-- 
c9d9c5a
1.8.3.1
c9d9c5a
c9d9c5a
713abc0
From 36f34509fe52cc49e1b1f6815a3f235040f64a03 Mon Sep 17 00:00:00 2001
c9d9c5a
From: Matthew Garrett <matthew.garrett@nebula.com>
d7ee6f3
Date: Thu, 8 Mar 2012 10:35:59 -0500
d7ee6f3
Subject: [PATCH 03/14] x86: Lock down IO port access when module security is
c9d9c5a
 enabled
c9d9c5a
c9d9c5a
IO port access would permit users to gain access to PCI configuration
c9d9c5a
registers, which in turn (on a lot of hardware) give access to MMIO register
c9d9c5a
space. This would potentially permit root to trigger arbitrary DMA, so lock
c9d9c5a
it down by default.
c9d9c5a
c9d9c5a
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
c9d9c5a
---
c9d9c5a
 arch/x86/kernel/ioport.c | 5 +++--
c9d9c5a
 drivers/char/mem.c       | 4 ++++
c9d9c5a
 2 files changed, 7 insertions(+), 2 deletions(-)
c9d9c5a
c9d9c5a
diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
c9d9c5a
index 4ddaf66..00b4403 100644
c9d9c5a
--- a/arch/x86/kernel/ioport.c
c9d9c5a
+++ b/arch/x86/kernel/ioport.c
c9d9c5a
@@ -15,6 +15,7 @@
c9d9c5a
 #include <linux/thread_info.h>
c9d9c5a
 #include <linux/syscalls.h>
c9d9c5a
 #include <linux/bitmap.h>
c9d9c5a
+#include <linux/module.h>
c9d9c5a
 #include <asm/syscalls.h>
c9d9c5a
 
c9d9c5a
 /*
c9d9c5a
@@ -28,7 +29,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
c9d9c5a
 
c9d9c5a
 	if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
c9d9c5a
 		return -EINVAL;
c9d9c5a
-	if (turn_on && !capable(CAP_SYS_RAWIO))
c9d9c5a
+	if (turn_on && (!capable(CAP_SYS_RAWIO) || secure_modules()))
c9d9c5a
 		return -EPERM;
c9d9c5a
 
c9d9c5a
 	/*
c9d9c5a
@@ -103,7 +104,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
c9d9c5a
 		return -EINVAL;
c9d9c5a
 	/* Trying to gain more privileges? */
c9d9c5a
 	if (level > old) {
c9d9c5a
-		if (!capable(CAP_SYS_RAWIO))
c9d9c5a
+		if (!capable(CAP_SYS_RAWIO) || secure_modules())
c9d9c5a
 			return -EPERM;
c9d9c5a
 	}
c9d9c5a
 	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
c9d9c5a
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
c9d9c5a
index f895a8c..1af8664 100644
c9d9c5a
--- a/drivers/char/mem.c
c9d9c5a
+++ b/drivers/char/mem.c
c9d9c5a
@@ -28,6 +28,7 @@
c9d9c5a
 #include <linux/export.h>
c9d9c5a
 #include <linux/io.h>
c9d9c5a
 #include <linux/aio.h>
c9d9c5a
+#include <linux/module.h>
c9d9c5a
 
c9d9c5a
 #include <asm/uaccess.h>
c9d9c5a
 
c9d9c5a
@@ -563,6 +564,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
c9d9c5a
 	unsigned long i = *ppos;
c9d9c5a
 	const char __user *tmp = buf;
c9d9c5a
 
c9d9c5a
+	if (secure_modules())
c9d9c5a
+		return -EPERM;
c9d9c5a
+
c9d9c5a
 	if (!access_ok(VERIFY_READ, buf, count))
c9d9c5a
 		return -EFAULT;
c9d9c5a
 	while (count-- > 0 && i < 65536) {
c9d9c5a
-- 
c9d9c5a
1.8.3.1
c9d9c5a
c9d9c5a
713abc0
From 67d9800dcf60467e076587b0aac67bcdc516cfe2 Mon Sep 17 00:00:00 2001
c9d9c5a
From: Matthew Garrett <matthew.garrett@nebula.com>
d7ee6f3
Date: Fri, 9 Mar 2012 08:39:37 -0500
d7ee6f3
Subject: [PATCH 04/14] ACPI: Limit access to custom_method
c9d9c5a
c9d9c5a
custom_method effectively allows arbitrary access to system memory, making
c9d9c5a
it possible for an attacker to circumvent restrictions on module loading.
c9d9c5a
Disable it if any such restrictions have been enabled.
c9d9c5a
c9d9c5a
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
c9d9c5a
---
d7ee6f3
 drivers/acpi/custom_method.c | 3 +++
d7ee6f3
 1 file changed, 3 insertions(+)
c9d9c5a
c9d9c5a
diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
d7ee6f3
index 12b62f2..50647b3 100644
c9d9c5a
--- a/drivers/acpi/custom_method.c
c9d9c5a
+++ b/drivers/acpi/custom_method.c
d7ee6f3
@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
c9d9c5a
 	struct acpi_table_header table;
c9d9c5a
 	acpi_status status;
c9d9c5a
 
c9d9c5a
+	if (secure_modules())
c9d9c5a
+		return -EPERM;
c9d9c5a
+
c9d9c5a
 	if (!(*ppos)) {
c9d9c5a
 		/* parse the table header to get the table length */
c9d9c5a
 		if (count <= sizeof(struct acpi_table_header))
c9d9c5a
-- 
c9d9c5a
1.8.3.1
c9d9c5a
c9d9c5a
713abc0
From bdf3761573167c20c72b151c1088b24fd24869ac Mon Sep 17 00:00:00 2001
c9d9c5a
From: Matthew Garrett <matthew.garrett@nebula.com>
d7ee6f3
Date: Fri, 9 Mar 2012 08:46:50 -0500
d7ee6f3
Subject: [PATCH 05/14] asus-wmi: Restrict debugfs interface when module
c9d9c5a
 loading is restricted
c9d9c5a
c9d9c5a
We have no way of validating what all of the Asus WMI methods do on a
c9d9c5a
given machine, and there's a risk that some will allow hardware state to
c9d9c5a
be manipulated in such a way that arbitrary code can be executed in the
c9d9c5a
kernel, circumventing module loading restrictions. Prevent that if any of
c9d9c5a
these features are enabled.
c9d9c5a
c9d9c5a
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
c9d9c5a
---
c9d9c5a
 drivers/platform/x86/asus-wmi.c | 9 +++++++++
c9d9c5a
 1 file changed, 9 insertions(+)
c9d9c5a
c9d9c5a
diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
c9d9c5a
index 19c313b..db18ef66 100644
c9d9c5a
--- a/drivers/platform/x86/asus-wmi.c
c9d9c5a
+++ b/drivers/platform/x86/asus-wmi.c
c9d9c5a
@@ -1618,6 +1618,9 @@ static int show_dsts(struct seq_file *m, void *data)
c9d9c5a
 	int err;
c9d9c5a
 	u32 retval = -1;
c9d9c5a
 
c9d9c5a
+	if (secure_modules())
c9d9c5a
+		return -EPERM;
c9d9c5a
+
c9d9c5a
 	err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
c9d9c5a
 
c9d9c5a
 	if (err < 0)
c9d9c5a
@@ -1634,6 +1637,9 @@ static int show_devs(struct seq_file *m, void *data)
c9d9c5a
 	int err;
c9d9c5a
 	u32 retval = -1;
c9d9c5a
 
c9d9c5a
+	if (secure_modules())
c9d9c5a
+		return -EPERM;
c9d9c5a
+
c9d9c5a
 	err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
c9d9c5a
 				    &retval);
c9d9c5a
 
c9d9c5a
@@ -1658,6 +1664,9 @@ static int show_call(struct seq_file *m, void *data)
c9d9c5a
 	union acpi_object *obj;
c9d9c5a
 	acpi_status status;
c9d9c5a
 
c9d9c5a
+	if (secure_modules())
c9d9c5a
+		return -EPERM;
c9d9c5a
+
c9d9c5a
 	status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
c9d9c5a
 				     1, asus->debug.method_id,
c9d9c5a
 				     &input, &output);
c9d9c5a
-- 
c9d9c5a
1.8.3.1
c9d9c5a
c9d9c5a
713abc0
From 65d88af5a2c6bb6d01da17819d8ba782bd208837 Mon Sep 17 00:00:00 2001
c9d9c5a
From: Matthew Garrett <matthew.garrett@nebula.com>
d7ee6f3
Date: Fri, 9 Mar 2012 09:28:15 -0500
d7ee6f3
Subject: [PATCH 06/14] Restrict /dev/mem and /dev/kmem when module loading is
c9d9c5a
 restricted
c9d9c5a
c9d9c5a
Allowing users to write to address space makes it possible for the kernel
c9d9c5a
to be subverted, avoiding module loading restrictions. Prevent this when
c9d9c5a
any restrictions have been imposed on loading modules.
c9d9c5a
c9d9c5a
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
c9d9c5a
---
c9d9c5a
 drivers/char/mem.c | 6 ++++++
c9d9c5a
 1 file changed, 6 insertions(+)
c9d9c5a
c9d9c5a
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
c9d9c5a
index 1af8664..61406c8 100644
c9d9c5a
--- a/drivers/char/mem.c
c9d9c5a
+++ b/drivers/char/mem.c
c9d9c5a
@@ -159,6 +159,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
c9d9c5a
 	unsigned long copied;
c9d9c5a
 	void *ptr;
c9d9c5a
 
c9d9c5a
+	if (secure_modules())
c9d9c5a
+		return -EPERM;
c9d9c5a
+
c9d9c5a
 	if (!valid_phys_addr_range(p, count))
c9d9c5a
 		return -EFAULT;
c9d9c5a
 
c9d9c5a
@@ -497,6 +500,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
c9d9c5a
 	char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
c9d9c5a
 	int err = 0;
c9d9c5a
 
c9d9c5a
+	if (secure_modules())
c9d9c5a
+		return -EPERM;
c9d9c5a
+
c9d9c5a
 	if (p < (unsigned long) high_memory) {
c9d9c5a
 		unsigned long to_write = min_t(unsigned long, count,
c9d9c5a
 					       (unsigned long)high_memory - p);
c9d9c5a
-- 
c9d9c5a
1.8.3.1
c9d9c5a
c9d9c5a
713abc0
From 4aa42b7fa5d7f79eb1d179e728ffa561fd9cf354 Mon Sep 17 00:00:00 2001
c9d9c5a
From: Josh Boyer <jwboyer@redhat.com>
d7ee6f3
Date: Mon, 25 Jun 2012 19:57:30 -0400
d7ee6f3
Subject: [PATCH 07/14] acpi: Ignore acpi_rsdp kernel parameter when module
c9d9c5a
 loading is restricted
c9d9c5a
c9d9c5a
This option allows userspace to pass the RSDP address to the kernel, which
c9d9c5a
makes it possible for a user to circumvent any restrictions imposed on
c9d9c5a
loading modules. Disable it in that case.
c9d9c5a
c9d9c5a
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
c9d9c5a
---
c9d9c5a
 drivers/acpi/osl.c | 3 ++-
c9d9c5a
 1 file changed, 2 insertions(+), 1 deletion(-)
c9d9c5a
c9d9c5a
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
713abc0
index e5f416c..9311c00 100644
c9d9c5a
--- a/drivers/acpi/osl.c
c9d9c5a
+++ b/drivers/acpi/osl.c
c9d9c5a
@@ -45,6 +45,7 @@
c9d9c5a
 #include <linux/list.h>
c9d9c5a
 #include <linux/jiffies.h>
c9d9c5a
 #include <linux/semaphore.h>
c9d9c5a
+#include <linux/module.h>
c9d9c5a
 
c9d9c5a
 #include <asm/io.h>
c9d9c5a
 #include <asm/uaccess.h>
713abc0
@@ -249,7 +250,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
c9d9c5a
 acpi_physical_address __init acpi_os_get_root_pointer(void)
c9d9c5a
 {
c9d9c5a
 #ifdef CONFIG_KEXEC
c9d9c5a
-	if (acpi_rsdp)
c9d9c5a
+	if (acpi_rsdp && !secure_modules())
c9d9c5a
 		return acpi_rsdp;
c9d9c5a
 #endif
c9d9c5a
 
c9d9c5a
-- 
c9d9c5a
1.8.3.1
c9d9c5a
c9d9c5a
713abc0
From c9e62c2ce588d98a774a3853e56d95e48b9df98c Mon Sep 17 00:00:00 2001
d7ee6f3
From: Matthew Garrett <matthew.garrett@nebula.com>
d7ee6f3
Date: Fri, 9 Aug 2013 03:33:56 -0400
d7ee6f3
Subject: [PATCH 08/14] kexec: Disable at runtime if the kernel enforces module
d7ee6f3
 loading restrictions
d7ee6f3
d7ee6f3
kexec permits the loading and execution of arbitrary code in ring 0, which
d7ee6f3
is something that module signing enforcement is meant to prevent. It makes
d7ee6f3
sense to disable kexec in this situation.
d7ee6f3
d7ee6f3
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
d7ee6f3
---
d7ee6f3
 kernel/kexec.c | 8 ++++++++
d7ee6f3
 1 file changed, 8 insertions(+)
d7ee6f3
d7ee6f3
diff --git a/kernel/kexec.c b/kernel/kexec.c
713abc0
index 2a74f30..13601e3 100644
d7ee6f3
--- a/kernel/kexec.c
d7ee6f3
+++ b/kernel/kexec.c
d7ee6f3
@@ -32,6 +32,7 @@
d7ee6f3
 #include <linux/vmalloc.h>
d7ee6f3
 #include <linux/swap.h>
d7ee6f3
 #include <linux/syscore_ops.h>
d7ee6f3
+#include <linux/module.h>
d7ee6f3
 
d7ee6f3
 #include <asm/page.h>
d7ee6f3
 #include <asm/uaccess.h>
d7ee6f3
@@ -943,6 +944,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
d7ee6f3
 		return -EPERM;
d7ee6f3
 
d7ee6f3
 	/*
d7ee6f3
+	 * kexec can be used to circumvent module loading restrictions, so
d7ee6f3
+	 * prevent loading in that case
d7ee6f3
+	 */
d7ee6f3
+	if (secure_modules())
d7ee6f3
+		return -EPERM;
d7ee6f3
+
d7ee6f3
+	/*
d7ee6f3
 	 * Verify we have a legal set of flags
d7ee6f3
 	 * This leaves us room for future extensions.
d7ee6f3
 	 */
d7ee6f3
-- 
d7ee6f3
1.8.3.1
d7ee6f3
d7ee6f3
713abc0
From d0e3cb2c13dc9634849ddacf75b6f0d94147516a Mon Sep 17 00:00:00 2001
d7ee6f3
From: Matthew Garrett <matthew.garrett@nebula.com>
d7ee6f3
Date: Tue, 3 Sep 2013 11:23:29 -0400
d7ee6f3
Subject: [PATCH 09/14] uswsusp: Disable when module loading is restricted
d7ee6f3
d7ee6f3
uswsusp allows a user process to dump and then restore kernel state, which
d7ee6f3
makes it possible to avoid module loading restrictions. Prevent this when
d7ee6f3
any restrictions have been imposed on loading modules.
d7ee6f3
d7ee6f3
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
d7ee6f3
---
d7ee6f3
 kernel/power/user.c | 4 ++++
d7ee6f3
 1 file changed, 4 insertions(+)
d7ee6f3
d7ee6f3
diff --git a/kernel/power/user.c b/kernel/power/user.c
713abc0
index 957f061..e570609d 100644
d7ee6f3
--- a/kernel/power/user.c
d7ee6f3
+++ b/kernel/power/user.c
d7ee6f3
@@ -24,6 +24,7 @@
d7ee6f3
 #include <linux/console.h>
d7ee6f3
 #include <linux/cpu.h>
d7ee6f3
 #include <linux/freezer.h>
d7ee6f3
+#include <linux/module.h>
d7ee6f3
 
d7ee6f3
 #include <asm/uaccess.h>
d7ee6f3
 
713abc0
@@ -49,6 +50,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
d7ee6f3
 	struct snapshot_data *data;
d7ee6f3
 	int error;
d7ee6f3
 
d7ee6f3
+	if (secure_modules())
d7ee6f3
+		return -EPERM;
d7ee6f3
+
d7ee6f3
 	lock_system_sleep();
d7ee6f3
 
d7ee6f3
 	if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
d7ee6f3
-- 
d7ee6f3
1.8.3.1
d7ee6f3
d7ee6f3
713abc0
From b238417ed3c5a0b21bbfcac84f6c70011b8977c0 Mon Sep 17 00:00:00 2001
c9d9c5a
From: Matthew Garrett <matthew.garrett@nebula.com>
d7ee6f3
Date: Fri, 8 Feb 2013 11:12:13 -0800
d7ee6f3
Subject: [PATCH 10/14] x86: Restrict MSR access when module loading is
c9d9c5a
 restricted
c9d9c5a
c9d9c5a
Writing to MSRs should not be allowed if module loading is restricted,
c9d9c5a
since it could lead to execution of arbitrary code in kernel mode. Based
c9d9c5a
on a patch by Kees Cook.
c9d9c5a
c9d9c5a
Cc: Kees Cook <keescook@chromium.org>
c9d9c5a
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
c9d9c5a
---
c9d9c5a
 arch/x86/kernel/msr.c | 7 +++++++
c9d9c5a
 1 file changed, 7 insertions(+)
c9d9c5a
c9d9c5a
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
713abc0
index 05266b5..e2bd647 100644
c9d9c5a
--- a/arch/x86/kernel/msr.c
c9d9c5a
+++ b/arch/x86/kernel/msr.c
c9d9c5a
@@ -103,6 +103,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
c9d9c5a
 	int err = 0;
c9d9c5a
 	ssize_t bytes = 0;
c9d9c5a
 
c9d9c5a
+	if (secure_modules())
c9d9c5a
+		return -EPERM;
c9d9c5a
+
c9d9c5a
 	if (count % 8)
c9d9c5a
 		return -EINVAL;	/* Invalid chunk size */
c9d9c5a
 
c9d9c5a
@@ -150,6 +153,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
c9d9c5a
 			err = -EBADF;
c9d9c5a
 			break;
c9d9c5a
 		}
c9d9c5a
+		if (secure_modules()) {
c9d9c5a
+			err = -EPERM;
c9d9c5a
+			break;
c9d9c5a
+		}
c9d9c5a
 		if (copy_from_user(&regs, uregs, sizeof regs)) {
c9d9c5a
 			err = -EFAULT;
c9d9c5a
 			break;
c9d9c5a
-- 
c9d9c5a
1.8.3.1
c9d9c5a
c9d9c5a
713abc0
From c3a9afb3b580b4f721d245fc5d13e378b99b9cd8 Mon Sep 17 00:00:00 2001
c9d9c5a
From: Matthew Garrett <matthew.garrett@nebula.com>
d7ee6f3
Date: Fri, 9 Aug 2013 18:36:30 -0400
d7ee6f3
Subject: [PATCH 11/14] Add option to automatically enforce module signatures
c9d9c5a
 when in Secure Boot mode
c9d9c5a
c9d9c5a
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
c9d9c5a
only load signed bootloaders and kernels. Certain use cases may also
c9d9c5a
require that all kernel modules also be signed. Add a configuration option
c9d9c5a
that enforces this automatically when enabled.
c9d9c5a
c9d9c5a
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
c9d9c5a
---
d7ee6f3
 Documentation/x86/zero-page.txt       |  2 ++
d7ee6f3
 arch/x86/Kconfig                      | 10 ++++++++++
d7ee6f3
 arch/x86/boot/compressed/eboot.c      | 36 +++++++++++++++++++++++++++++++++++
d7ee6f3
 arch/x86/include/uapi/asm/bootparam.h |  3 ++-
d7ee6f3
 arch/x86/kernel/setup.c               |  6 ++++++
d7ee6f3
 include/linux/module.h                |  6 ++++++
d7ee6f3
 kernel/module.c                       |  7 +++++++
d7ee6f3
 7 files changed, 69 insertions(+), 1 deletion(-)
c9d9c5a
c9d9c5a
diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
c9d9c5a
index 199f453..ec38acf 100644
c9d9c5a
--- a/Documentation/x86/zero-page.txt
c9d9c5a
+++ b/Documentation/x86/zero-page.txt
c9d9c5a
@@ -30,6 +30,8 @@ Offset	Proto	Name		Meaning
c9d9c5a
 1E9/001	ALL	eddbuf_entries	Number of entries in eddbuf (below)
c9d9c5a
 1EA/001	ALL	edd_mbr_sig_buf_entries	Number of entries in edd_mbr_sig_buffer
c9d9c5a
 				(below)
c9d9c5a
+1EB/001	ALL     kbd_status      Numlock is enabled
c9d9c5a
+1EC/001	ALL     secure_boot	Secure boot is enabled in the firmware
c9d9c5a
 1EF/001	ALL	sentinel	Used to detect broken bootloaders
c9d9c5a
 290/040	ALL	edd_mbr_sig_buffer EDD MBR signatures
c9d9c5a
 2D0/A00	ALL	e820_map	E820 memory map table
c9d9c5a
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
713abc0
index 725e157..fe212ef 100644
c9d9c5a
--- a/arch/x86/Kconfig
c9d9c5a
+++ b/arch/x86/Kconfig
713abc0
@@ -1604,6 +1604,16 @@ config EFI_STUB
c9d9c5a
 
713abc0
 	  See Documentation/efi-stub.txt for more information.
c9d9c5a
 
c9d9c5a
+config EFI_SECURE_BOOT_SIG_ENFORCE
c9d9c5a
+        def_bool n
c9d9c5a
+	prompt "Force module signing when UEFI Secure Boot is enabled"
c9d9c5a
+	---help---
c9d9c5a
+	  UEFI Secure Boot provides a mechanism for ensuring that the
c9d9c5a
+	  firmware will only load signed bootloaders and kernels. Certain
c9d9c5a
+	  use cases may also require that all kernel modules also be signed.
c9d9c5a
+	  Say Y here to automatically enable module signature enforcement
c9d9c5a
+	  when a system boots with UEFI Secure Boot enabled.
c9d9c5a
+
c9d9c5a
 config SECCOMP
c9d9c5a
 	def_bool y
c9d9c5a
 	prompt "Enable seccomp to safely compute untrusted bytecode"
c9d9c5a
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
713abc0
index a7677ba..4e172e9 100644
c9d9c5a
--- a/arch/x86/boot/compressed/eboot.c
c9d9c5a
+++ b/arch/x86/boot/compressed/eboot.c
d7ee6f3
@@ -12,6 +12,7 @@
d7ee6f3
 #include <asm/efi.h>
d7ee6f3
 #include <asm/setup.h>
d7ee6f3
 #include <asm/desc.h>
d7ee6f3
+#include <asm/bootparam_utils.h>
d7ee6f3
 
d7ee6f3
 #undef memcpy			/* Use memcpy from misc.c */
d7ee6f3
 
713abc0
@@ -741,6 +742,37 @@ free_mem_map:
c9d9c5a
 }
c9d9c5a
 
713abc0
 
d7ee6f3
+static int get_secure_boot(void)
c9d9c5a
+{
c9d9c5a
+	u8 sb, setup;
c9d9c5a
+	unsigned long datasize = sizeof(sb);
c9d9c5a
+	efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
c9d9c5a
+	efi_status_t status;
c9d9c5a
+
c9d9c5a
+	status = efi_call_phys5(sys_table->runtime->get_variable,
c9d9c5a
+				L"SecureBoot", &var_guid, NULL, &datasize, &sb);
c9d9c5a
+
c9d9c5a
+	if (status != EFI_SUCCESS)
c9d9c5a
+		return 0;
c9d9c5a
+
c9d9c5a
+	if (sb == 0)
c9d9c5a
+		return 0;
c9d9c5a
+
c9d9c5a
+
c9d9c5a
+	status = efi_call_phys5(sys_table->runtime->get_variable,
c9d9c5a
+				L"SetupMode", &var_guid, NULL, &datasize,
c9d9c5a
+				&setup);
c9d9c5a
+
c9d9c5a
+	if (status != EFI_SUCCESS)
c9d9c5a
+		return 0;
c9d9c5a
+
c9d9c5a
+	if (setup == 1)
c9d9c5a
+		return 0;
c9d9c5a
+
c9d9c5a
+	return 1;
c9d9c5a
+}
c9d9c5a
+
c9d9c5a
+
c9d9c5a
 /*
713abc0
  * On success we return a pointer to a boot_params structure, and NULL
713abc0
  * on failure.
713abc0
@@ -760,6 +792,10 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table,
c9d9c5a
 	if (sys_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE)
c9d9c5a
 		goto fail;
c9d9c5a
 
d7ee6f3
+	sanitize_boot_params(boot_params);
d7ee6f3
+
d7ee6f3
+	boot_params->secure_boot = get_secure_boot();
c9d9c5a
+
c9d9c5a
 	setup_graphics(boot_params);
c9d9c5a
 
c9d9c5a
 	setup_efi_pci(boot_params);
c9d9c5a
diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
713abc0
index 9c3733c..a7ba210 100644
c9d9c5a
--- a/arch/x86/include/uapi/asm/bootparam.h
c9d9c5a
+++ b/arch/x86/include/uapi/asm/bootparam.h
c9d9c5a
@@ -131,7 +131,8 @@ struct boot_params {
c9d9c5a
 	__u8  eddbuf_entries;				/* 0x1e9 */
c9d9c5a
 	__u8  edd_mbr_sig_buf_entries;			/* 0x1ea */
c9d9c5a
 	__u8  kbd_status;				/* 0x1eb */
c9d9c5a
-	__u8  _pad5[3];					/* 0x1ec */
c9d9c5a
+	__u8  secure_boot;				/* 0x1ec */
d7ee6f3
+	__u8  _pad5[2];					/* 0x1ed */
c9d9c5a
 	/*
c9d9c5a
 	 * The sentinel is set to a nonzero value (0xff) in header.S.
c9d9c5a
 	 *
c9d9c5a
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
713abc0
index 918d489..fe429c1 100644
c9d9c5a
--- a/arch/x86/kernel/setup.c
c9d9c5a
+++ b/arch/x86/kernel/setup.c
713abc0
@@ -1127,6 +1127,12 @@ void __init setup_arch(char **cmdline_p)
c9d9c5a
 
c9d9c5a
 	io_delay_init();
c9d9c5a
 
c9d9c5a
+#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
c9d9c5a
+	if (boot_params.secure_boot) {
c9d9c5a
+		enforce_signed_modules();
c9d9c5a
+	}
c9d9c5a
+#endif
c9d9c5a
+
c9d9c5a
 	/*
c9d9c5a
 	 * Parse the ACPI tables for possible boot-time SMP configuration.
c9d9c5a
 	 */
c9d9c5a
diff --git a/include/linux/module.h b/include/linux/module.h
713abc0
index de97e77..d69fe19 100644
c9d9c5a
--- a/include/linux/module.h
c9d9c5a
+++ b/include/linux/module.h
713abc0
@@ -190,6 +190,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add);
c9d9c5a
 
c9d9c5a
 struct notifier_block;
c9d9c5a
 
c9d9c5a
+#ifdef CONFIG_MODULE_SIG
c9d9c5a
+extern void enforce_signed_modules(void);
c9d9c5a
+#else
c9d9c5a
+static inline void enforce_signed_modules(void) {};
c9d9c5a
+#endif
c9d9c5a
+
c9d9c5a
 #ifdef CONFIG_MODULES
c9d9c5a
 
c9d9c5a
 extern int modules_disabled; /* for sysctl */
c9d9c5a
diff --git a/kernel/module.c b/kernel/module.c
713abc0
index 81206c1..e1428f0 100644
c9d9c5a
--- a/kernel/module.c
c9d9c5a
+++ b/kernel/module.c
713abc0
@@ -3861,6 +3861,13 @@ void module_layout(struct module *mod,
c9d9c5a
 EXPORT_SYMBOL(module_layout);
c9d9c5a
 #endif
c9d9c5a
 
c9d9c5a
+#ifdef CONFIG_MODULE_SIG
c9d9c5a
+void enforce_signed_modules(void)
c9d9c5a
+{
c9d9c5a
+	sig_enforce = true;
c9d9c5a
+}
c9d9c5a
+#endif
c9d9c5a
+
c9d9c5a
 bool secure_modules(void)
c9d9c5a
 {
c9d9c5a
 #ifdef CONFIG_MODULE_SIG
c9d9c5a
-- 
c9d9c5a
1.8.3.1
c9d9c5a
c9d9c5a
713abc0
From 27a1aa77c7fbaaae8c6a776190a38dcbf3c3d6d2 Mon Sep 17 00:00:00 2001
c9d9c5a
From: Josh Boyer <jwboyer@redhat.com>
c9d9c5a
Date: Tue, 5 Feb 2013 19:25:05 -0500
d7ee6f3
Subject: [PATCH 12/14] efi: Disable secure boot if shim is in insecure mode
c9d9c5a
c9d9c5a
A user can manually tell the shim boot loader to disable validation of
c9d9c5a
images it loads.  When a user does this, it creates a UEFI variable called
c9d9c5a
MokSBState that does not have the runtime attribute set.  Given that the
c9d9c5a
user explicitly disabled validation, we can honor that and not enable
c9d9c5a
secure boot mode if that variable is set.
c9d9c5a
c9d9c5a
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
c9d9c5a
---
c9d9c5a
 arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++-
c9d9c5a
 1 file changed, 19 insertions(+), 1 deletion(-)
c9d9c5a
c9d9c5a
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
713abc0
index 4e172e9..4905f4d 100644
c9d9c5a
--- a/arch/x86/boot/compressed/eboot.c
c9d9c5a
+++ b/arch/x86/boot/compressed/eboot.c
713abc0
@@ -744,8 +744,9 @@ free_mem_map:
c9d9c5a
 
d7ee6f3
 static int get_secure_boot(void)
c9d9c5a
 {
c9d9c5a
-	u8 sb, setup;
c9d9c5a
+	u8 sb, setup, moksbstate;
c9d9c5a
 	unsigned long datasize = sizeof(sb);
c9d9c5a
+	u32 attr;
c9d9c5a
 	efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
c9d9c5a
 	efi_status_t status;
c9d9c5a
 
713abc0
@@ -769,6 +770,23 @@ static int get_secure_boot(void)
c9d9c5a
 	if (setup == 1)
c9d9c5a
 		return 0;
c9d9c5a
 
c9d9c5a
+	/* See if a user has put shim into insecure_mode.  If so, and the variable
c9d9c5a
+	 * doesn't have the runtime attribute set, we might as well honor that.
c9d9c5a
+	 */
c9d9c5a
+	var_guid = EFI_SHIM_LOCK_GUID;
c9d9c5a
+	status = efi_call_phys5(sys_table->runtime->get_variable,
c9d9c5a
+				L"MokSBState", &var_guid, &attr, &datasize,
c9d9c5a
+				&moksbstate);
c9d9c5a
+
c9d9c5a
+	/* If it fails, we don't care why.  Default to secure */
c9d9c5a
+	if (status != EFI_SUCCESS)
c9d9c5a
+		return 1;
c9d9c5a
+
c9d9c5a
+	if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
c9d9c5a
+		if (moksbstate == 1)
c9d9c5a
+			return 0;
c9d9c5a
+	}
c9d9c5a
+
c9d9c5a
 	return 1;
c9d9c5a
 }
c9d9c5a
 
c9d9c5a
-- 
c9d9c5a
1.8.3.1
c9d9c5a
c9d9c5a
713abc0
From 2a445ca2c187da4497ef5f68f111574fd2b0d419 Mon Sep 17 00:00:00 2001
c9d9c5a
From: Josh Boyer <jwboyer@fedoraproject.org>
c9d9c5a
Date: Tue, 27 Aug 2013 13:28:43 -0400
d7ee6f3
Subject: [PATCH 13/14] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
c9d9c5a
c9d9c5a
The functionality of the config option is dependent upon the platform being
c9d9c5a
UEFI based.  Reflect this in the config deps.
c9d9c5a
c9d9c5a
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
c9d9c5a
---
c9d9c5a
 arch/x86/Kconfig | 3 ++-
c9d9c5a
 1 file changed, 2 insertions(+), 1 deletion(-)
c9d9c5a
c9d9c5a
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
713abc0
index fe212ef..bf83fd3 100644
c9d9c5a
--- a/arch/x86/Kconfig
c9d9c5a
+++ b/arch/x86/Kconfig
713abc0
@@ -1605,7 +1605,8 @@ config EFI_STUB
713abc0
 	  See Documentation/efi-stub.txt for more information.
c9d9c5a
 
c9d9c5a
 config EFI_SECURE_BOOT_SIG_ENFORCE
c9d9c5a
-        def_bool n
c9d9c5a
+	def_bool n
c9d9c5a
+	depends on EFI
c9d9c5a
 	prompt "Force module signing when UEFI Secure Boot is enabled"
c9d9c5a
 	---help---
c9d9c5a
 	  UEFI Secure Boot provides a mechanism for ensuring that the
c9d9c5a
-- 
c9d9c5a
1.8.3.1
c9d9c5a
c9d9c5a
713abc0
From b1c533cc1d1ca7a03497cc4f2e1b029bde95633c Mon Sep 17 00:00:00 2001
c9d9c5a
From: Josh Boyer <jwboyer@fedoraproject.org>
c9d9c5a
Date: Tue, 27 Aug 2013 13:33:03 -0400
d7ee6f3
Subject: [PATCH 14/14] efi: Add EFI_SECURE_BOOT bit
c9d9c5a
c9d9c5a
UEFI machines can be booted in Secure Boot mode.  Add a EFI_SECURE_BOOT bit
c9d9c5a
for use with efi_enabled.
c9d9c5a
c9d9c5a
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
c9d9c5a
---
c9d9c5a
 arch/x86/kernel/setup.c | 2 ++
c9d9c5a
 include/linux/efi.h     | 1 +
c9d9c5a
 2 files changed, 3 insertions(+)
c9d9c5a
c9d9c5a
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
713abc0
index fe429c1..469fbf0 100644
c9d9c5a
--- a/arch/x86/kernel/setup.c
c9d9c5a
+++ b/arch/x86/kernel/setup.c
713abc0
@@ -1129,7 +1129,9 @@ void __init setup_arch(char **cmdline_p)
c9d9c5a
 
c9d9c5a
 #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
c9d9c5a
 	if (boot_params.secure_boot) {
c9d9c5a
+		set_bit(EFI_SECURE_BOOT, &x86_efi_facility);
c9d9c5a
 		enforce_signed_modules();
c9d9c5a
+		pr_info("Secure boot enabled\n");
c9d9c5a
 	}
c9d9c5a
 #endif
c9d9c5a
 
c9d9c5a
diff --git a/include/linux/efi.h b/include/linux/efi.h
713abc0
index bc5687d..b010a2e 100644
c9d9c5a
--- a/include/linux/efi.h
c9d9c5a
+++ b/include/linux/efi.h
713abc0
@@ -653,6 +653,7 @@ extern int __init efi_setup_pcdp_console(char *);
c9d9c5a
 #define EFI_RUNTIME_SERVICES	3	/* Can we use runtime services? */
c9d9c5a
 #define EFI_MEMMAP		4	/* Can we use EFI memory map? */
c9d9c5a
 #define EFI_64BIT		5	/* Is the firmware 64-bit? */
c9d9c5a
+#define EFI_SECURE_BOOT		6 /* Are we in Secure Boot mode? */
c9d9c5a
 
c9d9c5a
 #ifdef CONFIG_EFI
c9d9c5a
 # ifdef CONFIG_X86
c9d9c5a
-- 
c9d9c5a
1.8.3.1
c9d9c5a