Re: [PATCH 09/18] Secure boot: Add a dummy kernel parameter that will switch on Secure Boot mode
You may want to check subject. If it does something, it is not dummy. > --- a/Documentation/kernel-parameters.txt > +++ b/Documentation/kernel-parameters.txt > @@ -2784,6 +2784,13 @@ bytes respectively. Such letter suffixes can also be > entirely omitted. > Note: increases power consumption, thus should only be > enabled if running jitter sensitive (HPC/RT) workloads. > > + secureboot_enable= > + [KNL] Enables an emulated UEFI Secure Boot mode. This > + locks down various aspects of the kernel guarded by the > + CAP_COMPROMISE_KERNEL capability. This includes things > + like /dev/mem, IO port access, and other areas. It can > + be used on non-UEFI machines for testing purposes. > + > security= [SECURITY] Choose a security module to enable at boot. > If this boot parameter is not specified, only the first > security module asking for security registration will be > diff --git a/kernel/cred.c b/kernel/cred.c > index e0573a4..c3f4e3e 100644 > --- a/kernel/cred.c > +++ b/kernel/cred.c > @@ -565,6 +565,23 @@ void __init cred_init(void) >0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL); > } > > +void __init secureboot_enable() > +{ > + pr_info("Secure boot enabled\n"); > + cap_lower((_cred)->cap_bset, CAP_COMPROMISE_KERNEL); > + cap_lower((_cred)->cap_permitted, CAP_COMPROMISE_KERNEL); > +} OTOH you don't implement CAP_COMPROMISE_KERNEL, so it is dummy after all. But CAP_COMPROMISE_KERNEL is infeasible to implement, right? Pavel -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 09/18] Secure boot: Add a dummy kernel parameter that will switch on Secure Boot mode
You may want to check subject. If it does something, it is not dummy. --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt @@ -2784,6 +2784,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted. Note: increases power consumption, thus should only be enabled if running jitter sensitive (HPC/RT) workloads. + secureboot_enable= + [KNL] Enables an emulated UEFI Secure Boot mode. This + locks down various aspects of the kernel guarded by the + CAP_COMPROMISE_KERNEL capability. This includes things + like /dev/mem, IO port access, and other areas. It can + be used on non-UEFI machines for testing purposes. + security= [SECURITY] Choose a security module to enable at boot. If this boot parameter is not specified, only the first security module asking for security registration will be diff --git a/kernel/cred.c b/kernel/cred.c index e0573a4..c3f4e3e 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -565,6 +565,23 @@ void __init cred_init(void) 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL); } +void __init secureboot_enable() +{ + pr_info(Secure boot enabled\n); + cap_lower((init_cred)-cap_bset, CAP_COMPROMISE_KERNEL); + cap_lower((init_cred)-cap_permitted, CAP_COMPROMISE_KERNEL); +} OTOH you don't implement CAP_COMPROMISE_KERNEL, so it is dummy after all. But CAP_COMPROMISE_KERNEL is infeasible to implement, right? Pavel -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 09/18] Secure boot: Add a dummy kernel parameter that will switch on Secure Boot mode
From: Josh Boyer This forcibly drops CAP_COMPROMISE_KERNEL from both cap_permitted and cap_bset in the init_cred struct, which everything else inherits from. This works on any machine and can be used to develop even if the box doesn't have UEFI. Signed-off-by: Josh Boyer Acked-by: Lee, Chun-Yi Signed-off-by: Lee, Chun-Yi --- Documentation/kernel-parameters.txt |7 +++ kernel/cred.c | 17 + 2 files changed, 24 insertions(+), 0 deletions(-) diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt index 15356ac..6ad8292 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt @@ -2784,6 +2784,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted. Note: increases power consumption, thus should only be enabled if running jitter sensitive (HPC/RT) workloads. + secureboot_enable= + [KNL] Enables an emulated UEFI Secure Boot mode. This + locks down various aspects of the kernel guarded by the + CAP_COMPROMISE_KERNEL capability. This includes things + like /dev/mem, IO port access, and other areas. It can + be used on non-UEFI machines for testing purposes. + security= [SECURITY] Choose a security module to enable at boot. If this boot parameter is not specified, only the first security module asking for security registration will be diff --git a/kernel/cred.c b/kernel/cred.c index e0573a4..c3f4e3e 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -565,6 +565,23 @@ void __init cred_init(void) 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL); } +void __init secureboot_enable() +{ + pr_info("Secure boot enabled\n"); + cap_lower((_cred)->cap_bset, CAP_COMPROMISE_KERNEL); + cap_lower((_cred)->cap_permitted, CAP_COMPROMISE_KERNEL); +} + +/* Dummy Secure Boot enable option to fake out UEFI SB=1 */ +static int __init secureboot_enable_opt(char *str) +{ + int sb_enable = !!simple_strtol(str, NULL, 0); + if (sb_enable) + secureboot_enable(); + return 1; +} +__setup("secureboot_enable=", secureboot_enable_opt); + /** * prepare_kernel_cred - Prepare a set of credentials for a kernel service * @daemon: A userspace daemon to be used as a reference -- 1.6.4.2 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 09/18] Secure boot: Add a dummy kernel parameter that will switch on Secure Boot mode
From: Josh Boyer jwbo...@redhat.com This forcibly drops CAP_COMPROMISE_KERNEL from both cap_permitted and cap_bset in the init_cred struct, which everything else inherits from. This works on any machine and can be used to develop even if the box doesn't have UEFI. Signed-off-by: Josh Boyer jwbo...@redhat.com Acked-by: Lee, Chun-Yi j...@suse.com Signed-off-by: Lee, Chun-Yi j...@suse.com --- Documentation/kernel-parameters.txt |7 +++ kernel/cred.c | 17 + 2 files changed, 24 insertions(+), 0 deletions(-) diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt index 15356ac..6ad8292 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt @@ -2784,6 +2784,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted. Note: increases power consumption, thus should only be enabled if running jitter sensitive (HPC/RT) workloads. + secureboot_enable= + [KNL] Enables an emulated UEFI Secure Boot mode. This + locks down various aspects of the kernel guarded by the + CAP_COMPROMISE_KERNEL capability. This includes things + like /dev/mem, IO port access, and other areas. It can + be used on non-UEFI machines for testing purposes. + security= [SECURITY] Choose a security module to enable at boot. If this boot parameter is not specified, only the first security module asking for security registration will be diff --git a/kernel/cred.c b/kernel/cred.c index e0573a4..c3f4e3e 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -565,6 +565,23 @@ void __init cred_init(void) 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL); } +void __init secureboot_enable() +{ + pr_info(Secure boot enabled\n); + cap_lower((init_cred)-cap_bset, CAP_COMPROMISE_KERNEL); + cap_lower((init_cred)-cap_permitted, CAP_COMPROMISE_KERNEL); +} + +/* Dummy Secure Boot enable option to fake out UEFI SB=1 */ +static int __init secureboot_enable_opt(char *str) +{ + int sb_enable = !!simple_strtol(str, NULL, 0); + if (sb_enable) + secureboot_enable(); + return 1; +} +__setup(secureboot_enable=, secureboot_enable_opt); + /** * prepare_kernel_cred - Prepare a set of credentials for a kernel service * @daemon: A userspace daemon to be used as a reference -- 1.6.4.2 -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/