Control: tags -1 patch

The root cause is that lock_kernel_down() is unconditionally called in efi_set_secure_boot, even if the kernel is compiled without lockdown support (i.e. SECURITY_LOCKDOWN_LSM=n).

This build failure shouldn't affect the Debian official kernel packages because the Kconfig default value is overridden to enable lockdown support. However, if you use the Kconfig defaults (e.g. when building via the linux-source package) then you may encounter this error. There is a flag LOCK_DOWN_IN_EFI_SECURE_BOOT (depending on SECURITY_LOCKDOWN_LSM) that is currently ignored. It seems like it was originally supposed to gate the lock_kernel_down() call. I've attached a patch to honor this flag again, which should fix this issue.
From de06de54508caf6bb1d3f25d4ef652d1360a43e0 Mon Sep 17 00:00:00 2001 From: Christian Barcenas <christian@cbarcenas.com> Date: Mon, 17 Feb 2020 02:50:58 -0800 Subject: [PATCH] lockdown: honor LOCK_DOWN_IN_EFI_SECURE_BOOT Previously LOCK_DOWN_IN_EFI_SECURE_BOOT was ignored; lock_kernel_down() was always called during EFI Secure Boot. Additionally this resolves a link-time error that occurs when the kernel is built with EFI=y and SECURITY_LOCKDOWN_LSM=n. Closes: #945604 --- ...efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch index e20fd562963c..7d7eada166d0 100644 --- a/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch +++ b/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch @@ -50,12 +50,14 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk> /* * Decide what to do when UEFI secure boot mode is enabled. -@@ -28,6 +29,8 @@ void __init efi_set_secure_boot(enum efi +@@ -28,6 +29,10 @@ void __init efi_set_secure_boot(enum efi break; case efi_secureboot_mode_enabled: set_bit(EFI_SECURE_BOOT, &efi.flags); ++#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT + lock_kernel_down("EFI Secure Boot", + LOCKDOWN_CONFIDENTIALITY_MAX); ++#endif pr_info("Secure boot enabled\n"); break; default: -- 2.25.0
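Review bot: the `#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT` / `#endif` guard around the `lock_kernel_down("EFI Secure Boot", LOCKDOWN_CONFIDENTIALITY_MAX);` call is the right fix for the link error, since lock_kernel_down() is simply not linked in when SECURITY_LOCKDOWN_LSM=n and `IS_ENABLED()` would still leave the reference in the object file; the nested hunk header update from `-@@ -28,6 +29,8 @@` to `+@@ -28,6 +29,10 @@` correctly accounts for the two added lines, so the inner patch should still apply cleanly. One thing worth adding to the commit message: with this change a kernel built with LOCK_DOWN_IN_EFI_SECURE_BOOT=n still sets EFI_SECURE_BOOT and logs "Secure boot enabled" but no longer locks down, which is the option's documented intent but is a behaviour change for anyone who built from the Kconfig defaults and assumed Secure Boot implied lockdown; stating it explicitly makes the security impact of the option visible to packagers.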