From: Josh Boyer
Git-commit: Not yet
Patch-mainline: Not yet, from Fedora 18 kernel
Target: openSUSE 12.3
If a machine is booted into a Secure Boot environment, we need to
protect the trust model. This requires that all modules be signed
with a key that is in the kernel's _modsign keyring. The checks for
this are already done via the 'sig_enforce' module parameter. Make
this visible within the kernel and force it to be true.
Signed-off-by: Josh Boyer
Acked-by: Lee, Chun-Yi
---
kernel/cred.c | 8 ++++++++
kernel/module.c | 4 ++--
2 files changed, 10 insertions(+), 2 deletions(-)
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -623,11 +623,19 @@ void __init cred_init(void)
0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
}
+#ifdef CONFIG_MODULE_SIG
+extern bool sig_enforce;
+#endif
+
void __init secureboot_enable()
{
pr_info("Secure boot enabled\n");
cap_lower((&init_cred)->cap_bset, CAP_COMPROMISE_KERNEL);
cap_lower((&init_cred)->cap_permitted, CAP_COMPROMISE_KERNEL);
+#ifdef CONFIG_MODULE_SIG
+ /* Enable module signature enforcing */
+ sig_enforce = true;
+#endif
}
/* Dummy Secure Boot enable option to fake out UEFI SB=1 */
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -123,9 +123,9 @@ struct list_head *kdb_modules = &modules
#ifdef CONFIG_MODULE_SIG
#ifdef CONFIG_MODULE_SIG_FORCE
-static bool sig_enforce = true;
+bool sig_enforce = true;
#else
-static bool sig_enforce = false;
+bool sig_enforce = false;
static int param_set_bool_enable_only(const char *val,
const struct kernel_param *kp)
--
To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org