
Please refer to: [Table 4.2. Kernel module authentication requirements for loading] from https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_monitoring_and_updating_the_kernel/signing-kernel-modules-for-secure-boot_managing-monitoring-and-updating-the-kernel

When secure boot is enabled, whether the sig_enforce is set or not the unsigned / missigned kernel modules' loading should fail. Debian has patches under debian/patches/features/all/lockdown to realize this function by the lockdown feature. We have removed all the debian patches except those about building. Here readd the lockdown feature patches for the secure boot function mentioned above. Besides, to enable CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT defined in the patches, extra configs' setting is needed.

Test plan:
- PASS: Boot up qemu in the way with secure boot enabled, sig_enforce is unset by default. Insmod unsigned / missigned kernel modules. It should fail.
- PASS: Set KERNEL_PARAMS="module.sig_enforce=1" in the lat config file to make a test build to pass it as a kernel parameter. Then boot up qemu in the way with secure boot enabled. Insmod unsigned / missigned kernel modules. It should fail.
- PASS: Do above tests for both kernel-std and kernel-rt.

Story: 2009221
Task: 45071

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I32d7008941322a019dc9d72033cb0c13fb6cfbb4
From 816d9085688975fa3c2ed130ca3bb96f4818d2c5 Mon Sep 17 00:00:00 2001
From: Li Zhou <li.zhou@windriver.com>
Date: Fri, 15 Apr 2022 16:01:44 +0800
Subject: [PATCH] config: set configs needed for secure boot

In the debian patch
[efi: Lock down the kernel if booted in secure boot mode], the config
"CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT" depends on SECURITY_LOCKDOWN_LSM
and selects SECURITY_LOCKDOWN_LSM_EARLY.
Set those 2 configs correctly to enable
CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT.
So that unsigned / missigned kernel modules will be rejected when
secure boot is enabled and CONFIG_MODULE_SIG_FORCE is not set.

Signed-off-by: Li Zhou <li.zhou@windriver.com>
---
debian/config/amd64/none/config | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/debian/config/amd64/none/config b/debian/config/amd64/none/config
index a5dadc7..df018e4 100644
--- a/debian/config/amd64/none/config
+++ b/debian/config/amd64/none/config
@@ -5683,7 +5683,8 @@ CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
# CONFIG_SECURITY_LOADPIN is not set
CONFIG_SECURITY_YAMA=y
# CONFIG_SECURITY_SAFESETID is not set
-# CONFIG_SECURITY_LOCKDOWN_LSM is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
# CONFIG_INTEGRITY is not set
# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
CONFIG_DEFAULT_SECURITY_SELINUX=y
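Review bot: CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT itself is never set in this hunk, although the commit message names enabling it as the goal; the two added lines after "# CONFIG_SECURITY_SAFESETID is not set" only cover the option it depends on and the option it selects. Unless it is set in another config fragment or defaults to y in the Debian patch, lockdown will not engage under secure boot, so add an explicit CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y here or state in the message where it comes from. As a style point, the message says the secure boot option selects SECURITY_LOCKDOWN_LSM_EARLY, so listing CONFIG_SECURITY_LOCKDOWN_LSM=y first would read in dependency order.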
--
2.17.1
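
The dependency chain described in the commit message can be checked mechanically against a kernel config before a build. This is an added example, not part of the commit or the project's tree; the function names, the later-line-wins rule and the sample fragments are assumptions, and the real tree may set an option in a different config fragment.

```python
import re

# Options named in the commit message and hunk above; all must be built in (=y).
REQUIRED = (
    "CONFIG_SECURITY_LOCKDOWN_LSM",
    "CONFIG_SECURITY_LOCKDOWN_LSM_EARLY",
    "CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT",
)
_SET = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_config(text):
    """Map option -> value, with 'n' for '# ... is not set'.

    Assumption: when an option appears twice, the later line wins.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def lockdown_gaps(text):
    """Return the required options that are absent or not '=y'."""
    opts = parse_config(text)
    return [f"{name}={opts.get(name, '<absent>')}"
            for name in REQUIRED if opts.get(name) != "y"]


# Constructed fragments modelled on the hunk, not the real config file.
BEFORE = "CONFIG_SECURITY_YAMA=y\n# CONFIG_SECURITY_LOCKDOWN_LSM is not set\n"
AFTER = ("CONFIG_SECURITY_YAMA=y\n"
         "CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y\n"
         "CONFIG_SECURITY_LOCKDOWN_LSM=y\n")

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, lockdown_gaps(cfg) or "ok")
```

An empty list from `lockdown_gaps` means all three options are `=y` in the text it was given; run it on the fully merged config rather than a single fragment.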