powerpc: security: Lock down the kernel if booted in secure boot mode (!507) · Merge requests · Red Hat / centos-stream / src / kernel / centos-stream-9

Desnes Nunes requested to merge desnesn/centos-stream-9:rh2041984 into main Feb 10, 2022

BUGZILLA

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2041984

UPSTREAM STATUS

Upstream Status: RHEL only

CONFLICTS

None

BUILD INFORMATION

Build Info: http://brewweb.engineering.redhat.com/brew/taskinfo?taskID=42932907

TESTING

Using a qemu system (in order to avoid going through the huge proccess of re-creating test keys), the patched kernel was lockedown successfully on the emulated system, as follows:

> ./pseries-stb/qemu/build/qemu-system-ppc64 -M pseries,secure-boot=on -m 512 -vga none -nographic -kernel ./lib
/modules/5.14.0-56.PATCHED_rh2041984.el9.ppc64le/vmlinuz
...
[    0.000000] Secure boot mode enabled
[    0.000000] Kernel is locked down from Power secure boot; see man kernel_lockdown.7

DESCRIPTION

This RHEL-only patch delivers the kernel lockdown feature on powerpc in RHEL9, by means of using the security_lock_kernel_down() call that is available on <linux/security.h>.

Hence, this feature prevents unauthenticated modification of kernel space when secure boot is enabled, even by root.

Signed-off-by: Desnes A. Nunes do Rosario drosario@redhat.com

Edited Feb 10, 2022 by Desnes Nunes

powerpc: security: Lock down the kernel if booted in secure boot mode