From mboxrd@z Thu Jan 1 00:00:00 1970 From: joeyli Subject: Re: [PATCH V3 11/11] Add option to automatically enforce module signatures when in Secure Boot mode Date: Thu, 05 Sep 2013 16:24:28 +0800 Message-ID: <1378369468.6193.3.camel@linux-s257.site> References: <1378252218-18798-1-git-send-email-matthew.garrett@nebula.com> <1378252218-18798-12-git-send-email-matthew.garrett@nebula.com> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: QUOTED-PRINTABLE Return-path: In-Reply-To: <1378252218-18798-12-git-send-email-matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org> Sender: linux-efi-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org To: Matthew Garrett Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org, hpa-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org List-Id: linux-efi@vger.kernel.org =E6=96=BC =E4=BA=8C=EF=BC=8C2013-09-03 =E6=96=BC 19:50 -0400=EF=BC=8CMa= tthew Garrett =E6=8F=90=E5=88=B0=EF=BC=9A > UEFI Secure Boot provides a mechanism for ensuring that the firmware = will > only load signed bootloaders and kernels. Certain use cases may also > require that all kernel modules also be signed. Add a configuration o= ption > that enforces this automatically when enabled. >=20 > Signed-off-by: Matthew Garrett > --- > Documentation/x86/zero-page.txt | 2 ++ > arch/x86/Kconfig | 10 ++++++++++ > arch/x86/boot/compressed/eboot.c | 36 +++++++++++++++++++++++++= ++++++++++ > arch/x86/include/uapi/asm/bootparam.h | 3 ++- > arch/x86/kernel/setup.c | 6 ++++++ > include/linux/module.h | 6 ++++++ > kernel/module.c | 7 +++++++ > 7 files changed, 69 insertions(+), 1 deletion(-) >=20 > diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero= -page.txt > index 199f453..ec38acf 100644 > --- a/Documentation/x86/zero-page.txt > +++ b/Documentation/x86/zero-page.txt > @@ -30,6 +30,8 @@ Offset Proto Name Meaning > 1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below) > 1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig= _buffer > (below) > +1EB/001 ALL kbd_status Numlock is enabled > +1EC/001 ALL secure_boot Secure boot is enabled in the firmware > 1EF/001 ALL sentinel Used to detect broken bootloaders > 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures > 2D0/A00 ALL e820_map E820 memory map table > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig > index b32ebf9..6a6c19b 100644 > --- a/arch/x86/Kconfig > +++ b/arch/x86/Kconfig > @@ -1581,6 +1581,16 @@ config EFI_STUB > =20 > See Documentation/x86/efi-stub.txt for more information. > =20 > +config EFI_SECURE_BOOT_SIG_ENFORCE > + def_bool n Maybe need add "select MODULE_SIG" to here for auto enable kernel modul= e signature check when user select this option? > + prompt "Force module signing when UEFI Secure Boot is enabled" > + ---help--- > + UEFI Secure Boot provides a mechanism for ensuring that the > + firmware will only load signed bootloaders and kernels. Certain > + use cases may also require that all kernel modules also be signed= =2E > + Say Y here to automatically enable module signature enforcement > + when a system boots with UEFI Secure Boot enabled. Thanks a lot! Joey Lee