------- Comment on attachment From daniel.axte...@ibm.com 2020-04-02 08:35 EDT-------
Hi,

Thanks Nayna for the reminder to look at this again.

AFAICT, Canonical's Focal kernel sets up its non-upstreamed secure-boot-enforces-lockdown support in the following set of commits (edited down from the list of all commits with UBUNTU: and lockdown in the title):

40fc208c8aae UBUNTU: SAUCE: (lockdown) security: lockdown: expose a hook to lock the kernel down
8309e3e2a4c2 UBUNTU: SAUCE: (lockdown) efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode
f8d21cba9d0e UBUNTU: SAUCE: (lockdown) efi: Lock down the kernel if booted in secure boot mode
36ca37871ad2 UBUNTU: SAUCE: (lockdown) arm64: Allow locking down the kernel under EFI secure boot
7bfea7ace0ff UBUNTU: SAUCE: (lockdown) s390/ipl: lockdown kernel when booted secure
d0b71cb9b8a2 UBUNTU: [Config] Enable lockdown under secure boot
ef7c6600bb3e UBUNTU: SAUCE: (lockdown) Reduce lockdown level to INTEGRITY for secure boot

This shows a secure-boot-enforces-lockdown patch for x86, arm64 and s390. I think we also need a powerpc one. I've written a short 2 patch series and attached it. I also needed to cherry-pick from upstream:

commit 1a8916ee3ac2 ("powerpc: Detect the secure boot mode of the system")
commit 2702809a4a1a ("powerpc: Detect the trusted boot state of the system")

I've only been able to build-test as I only have an unsecured system. Nayna, could you try signing and booting the kernel on a system with secure boot, and see if it comes up in lockdown=integrity mode? I'll send you the kernel via internal channels.

Unfortunately they're against focal/master not focal/master-next because I had trouble with the zfs stuff in master-next, but it only affects the config patch and I'm not sure I did that right anyway...
Kind regards,
Daniel

** Attachment added: "patch 1/2"
   https://bugs.launchpad.net/bugs/1855668/+attachment/5344792/+files/0001-UBUNTU-SAUCE-lockdown-powerpc-lock-down-kernel-in-se.patch

https://bugs.launchpad.net/bugs/1855668
Title: lockdown on power
Status in The Ubuntu-power-systems project: Fix Committed
Status in linux package in Ubuntu: Fix Committed

Bug description:
== Comment: #0 - Michael Ranweiler <mranw...@us.ibm.com> - 2019-11-11 08:50:51 ==
For 20.04 testing/inclusion. The ubuntu kernel team has a ppa here for testing:
https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/unstable
Test results will follow...
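The test Daniel asks for above (boot the signed kernel on a secure-boot system and confirm it comes up in lockdown=integrity) can be scripted. The following is an added example, not part of the bug thread or of the attached patches, and it rests on two assumptions: that the upstream lockdown LSM exposes its state in /sys/kernel/security/lockdown as the list of modes with the active one in square brackets (e.g. "none [integrity] confidentiality"), and that the cherry-picked upstream commit 1a8916ee3ac2 decides secure boot from the "os-secureboot-enforcing" property of the "ibm,secureboot" device-tree node, which the kernel exposes under /proc/device-tree. If the kernel under test differs on either point, the paths and property name near the top are the only things to change.

```shell
#!/bin/sh
# Added example (not from the bug thread or the attached patch series).
# Confirms that a kernel booted under firmware secure boot on Power came
# up in lockdown=integrity, and that an unsecured box did not lock down.
#
# Assumptions (labelled, adjust if the kernel under test differs):
#   - /sys/kernel/security/lockdown prints e.g. "none [integrity] confidentiality"
#   - secure boot is advertised by the device-tree property
#     /proc/device-tree/ibm,secureboot/os-secureboot-enforcing (upstream
#     commit 1a8916ee3ac2 reads "os-secureboot-enforcing" from the
#     "ibm,secureboot" node)

LOCKDOWN_FILE=/sys/kernel/security/lockdown
DT_ROOT=/proc/device-tree
SB_PROPERTY="ibm,secureboot/os-secureboot-enforcing"

# Extract the active mode from a lockdown line: the token in [brackets].
lockdown_mode() {
    # $1: contents of the lockdown securityfs file
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'
}

# Report whether a device tree (root dir, default /proc/device-tree)
# advertises firmware secure boot enforcement. Prints enabled/disabled.
dt_secureboot() {
    root="${1:-$DT_ROOT}"
    if [ -e "$root/$SB_PROPERTY" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Return 0 when the observed lockdown state is what a
# secure-boot-enforces-lockdown kernel should produce, 1 otherwise.
check_lockdown_matches_secureboot() {
    # $1: lockdown line, $2: device-tree root
    mode=$(lockdown_mode "$1")
    sb=$(dt_secureboot "$2")
    case "$sb:$mode" in
        enabled:integrity|enabled:confidentiality) return 0 ;; # locked down as expected
        disabled:none) return 0 ;;                              # unsecured box, no lockdown
        *) return 1 ;;                                          # mismatch: patch not effective
    esac
}

# Live run on the machine under test.
main() {
    if [ ! -r "$LOCKDOWN_FILE" ]; then
        echo "no $LOCKDOWN_FILE: kernel lacks the lockdown LSM or securityfs is not mounted" >&2
        return 2
    fi
    line=$(cat "$LOCKDOWN_FILE")
    echo "lockdown: $line (active: $(lockdown_mode "$line"))"
    echo "firmware secure boot: $(dt_secureboot "$DT_ROOT")"
    if check_lockdown_matches_secureboot "$line" "$DT_ROOT"; then
        echo "OK: lockdown state follows secure boot state"
    else
        echo "MISMATCH: lockdown state does not follow secure boot state" >&2
        return 1
    fi
}

# Only probe the live system when asked, so the functions can also be
# sourced and exercised against a constructed device tree.
case "${1:-}" in
    --run) main ;;
esac
```

Run it as `sh check-lockdown.sh --run` on the booted kernel; a secure-boot box that reports "[none]" means the secure-boot-enforces-lockdown patch did not take effect, while "[integrity]" on an unsecured box means lockdown is being forced by something else (for example a lockdown= command-line parameter) rather than by the secure boot detection.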