Skip to content

Commit

Permalink
lockdown: set default (with Secure Boot) to LOCKDOWN_INTEGRITY_MAX
Browse files Browse the repository at this point in the history 
LOCKDOWN_CONFIDENTIALITY_MAX restricts a lot of useful features,
even security ones (like monitoring via BPF), while not adding
that much value for common use cases.
Set the default level to LOCKDOWN_INTEGRITY_MAX as Ubuntu, RedHat
and SUSE did recently.

iovisor/bcc#2565 (comment)
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1868626
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/commit/?id=ef7c6600bb3e
https://bugzilla.redhat.com/show_bug.cgi?id=1815571

Closes: #956197
  • Loading branch information
@bluca
bluca committed Apr 8, 2020
1 parent 6e1581a commit c2ea339
Show file tree
Hide file tree
Showing 2 changed files with 5 additions and 1 deletion.
4 changes: 4 additions & 0 deletions debian/changelog
View file
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,10 @@ linux (5.6.2-1~exp1) UNRELEASED; urgency=medium
* [x86] udeb: Add crc32_pclmul to crc-modules
* udeb: Add crc32_generic to crc-modules

[ Luca Boccassi ]
* lockdown: set default (with Secure Boot) to LOCKDOWN_INTEGRITY_MAX
(Closes: #956197)

-- Ben Hutchings <[email protected]> Mon, 30 Mar 2020 14:50:42 +0100

linux (5.5.13-1) unstable; urgency=medium
Expand Down
2 changes: 1 addition & 1 deletion .../patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
View file
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ Signed-off-by: Ben Hutchings <[email protected]>
set_bit(EFI_SECURE_BOOT, &efi.flags);
+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
+ lock_kernel_down("EFI Secure Boot",
+ LOCKDOWN_CONFIDENTIALITY_MAX);
+ LOCKDOWN_INTEGRITY_MAX);
+#endif
pr_info("Secure boot enabled\n");
break;
Expand Down

0 comments on commit c2ea339

Please sign in to comment.