From: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
To: linux-kernel@vger.kernel.org
Cc: Ard Biesheuvel <ardb@kernel.org>,
Paul Moore <paul@paul-moore.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Yue Haibing <yuehaibing@huawei.com>,
Tanya Agarwal <tanyaagarwal25699@gmail.com>,
Kees Cook <kees@kernel.org>,
linux-efi@vger.kernel.org, linux-security-module@vger.kernel.org,
Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
Subject: [PATCH 0/2] Secure Boot lock down
Date: Thu, 26 Jun 2025 15:10:37 -0700 [thread overview]
Message-ID: <1750975839-32463-1-git-send-email-hamzamahfooz@linux.microsoft.com> (raw)
All major distros have had carried a version of this patch-set
out of tree for sometime now, but with a bunch of magic (typically
sprinkled in setup_arch()). Though we can avoid those architecture
specific quirks if we call efi_get_secureboot_mode() from
efisubsys_init() and that allows us to have a generic solution.
Hamza Mahfooz (2):
security: introduce security_lock_kernel_down()
efi: introduce EFI_KERNEL_LOCK_DOWN_IN_SECURE_BOOT
drivers/firmware/efi/Kconfig | 10 ++++++++++
drivers/firmware/efi/efi.c | 9 +++++++++
include/linux/lsm_hook_defs.h | 1 +
include/linux/security.h | 8 ++++++++
security/lockdown/lockdown.c | 1 +
security/security.c | 15 +++++++++++++++
6 files changed, 44 insertions(+)
--
2.49.0
next reply other threads:[~2025-06-26 22:13 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-26 22:10 Hamza Mahfooz [this message]
2025-06-26 22:10 ` [PATCH 1/2] security: introduce security_lock_kernel_down() Hamza Mahfooz
2025-06-26 22:10 ` [PATCH 2/2] efi: introduce EFI_KERNEL_LOCK_DOWN_IN_SECURE_BOOT Hamza Mahfooz
2025-07-16 21:29 ` [PATCH 0/2] Secure Boot lock down Hamza Mahfooz
2025-07-17 18:22 ` Paul Moore
2025-07-24 12:59 ` Nicolas Bouchinet
2025-07-24 14:13 ` sergeh
2025-07-24 15:03 ` Nicolas Bouchinet
2025-07-25 2:43 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1750975839-32463-1-git-send-email-hamzamahfooz@linux.microsoft.com \
--to=hamzamahfooz@linux.microsoft.com \
--cc=ardb@kernel.org \
--cc=jmorris@namei.org \
--cc=kees@kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
--cc=tanyaagarwal25699@gmail.com \
--cc=yuehaibing@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.