powerpc: security: Lock down the kernel if booted in secure boot mode
BUGZILLA
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2041984
UPSTREAM STATUS
Upstream Status: RHEL only
CONFLICTS
None
BUILD INFORMATION
Build Info: http://brewweb.engineering.redhat.com/brew/taskinfo?taskID=42932907
TESTING
Using a qemu system (in order to avoid going through the huge proccess of re-creating test keys), the patched kernel was lockedown successfully on the emulated system, as follows:
> ./pseries-stb/qemu/build/qemu-system-ppc64 -M pseries,secure-boot=on -m 512 -vga none -nographic -kernel ./lib
/modules/5.14.0-56.PATCHED_rh2041984.el9.ppc64le/vmlinuz
...
[ 0.000000] Secure boot mode enabled
[ 0.000000] Kernel is locked down from Power secure boot; see man kernel_lockdown.7
DESCRIPTION
This RHEL-only patch delivers the kernel lockdown feature on powerpc in RHEL9, by means of using the security_lock_kernel_down() call that is available on <linux/security.h>.
Hence, this feature prevents unauthenticated modification of kernel space when secure boot is enabled, even by root.
Signed-off-by: Desnes A. Nunes do Rosario drosario@redhat.com
Edited by Desnes Nunes