From: Josh Boyer <[email protected]> If a machine is booted into a Secure Boot environment, we need to protect the trust model. This requires that all modules be signed with a key that is in the kernel's _modsign keyring. The checks for this are already done via the 'sig_enforce' module parameter. Make this visible within the kernel and force it to be true.
Signed-off-by: Josh Boyer <[email protected]> --- kernel/cred.c | 8 ++++++++ kernel/module.c | 4 ++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/kernel/cred.c b/kernel/cred.c index c3f4e3e..c5554e0 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -565,11 +565,19 @@ void __init cred_init(void) 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL); } +#ifdef CONFIG_MODULE_SIG +extern bool sig_enforce; +#endif + void __init secureboot_enable() { pr_info("Secure boot enabled\n"); cap_lower((&init_cred)->cap_bset, CAP_COMPROMISE_KERNEL); cap_lower((&init_cred)->cap_permitted, CAP_COMPROMISE_KERNEL); +#ifdef CONFIG_MODULE_SIG + /* Enable module signature enforcing */ + sig_enforce = true; +#endif } /* Dummy Secure Boot enable option to fake out UEFI SB=1 */ diff --git a/kernel/module.c b/kernel/module.c index eab0827..93a16dc 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -109,9 +109,9 @@ struct list_head *kdb_modules = &modules; /* kdb needs the list of modules */ #ifdef CONFIG_MODULE_SIG #ifdef CONFIG_MODULE_SIG_FORCE -static bool sig_enforce = true; +bool sig_enforce = true; #else -static bool sig_enforce = false; +bool sig_enforce = false; static int param_set_bool_enable_only(const char *val, const struct kernel_param *kp) -- 1.8.0.2 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
