UBUNTU: SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl

BugLink: http://bugs.launchpad.net/bugs/1593075 This is a better method for detecting the state of secure boot and the MOKSBState override, as opposed to grepping status from the kernel log. Both variables return 0 or 1. If secure_boot==0 then signed module enforcement is not enabled. Likewise, if moksbstate_disabled==1 then signed module enforcement is not enabled. The only conditions uder which signed module enforcement is enabled is when secure_boot==1 and moksbstate_disabled==0. /proc/sys/kernel/secure_boot /proc/sys/kernel/moksbstate_disabled Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Acked-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Kamal Mostafa <kamal@canonical.com>

UBUNTU: SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl
BugLink: http://bugs.launchpad.net/bugs/1593075 This is a better method for detecting the state of secure boot and the MOKSBState override, as opposed to grepping status from the kernel log. Both variables return 0 or 1. If secure_boot==0 then signed module enforcement is not enabled. Likewise, if moksbstate_disabled==1 then signed module enforcement is not enabled. The only conditions uder which signed module enforcement is enabled is when secure_boot==1 and moksbstate_disabled==0. /proc/sys/kernel/secure_boot /proc/sys/kernel/moksbstate_disabled Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Acked-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
0838c26a · Tim Gardner · Kamal Mostafa · c9bb5382 · 0838c26a · 0838c26a
Commit 0838c26a authored Jun 16, 2016 by Tim Gardner Committed by Kamal Mostafa Jun 20, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 32 additions and 0 deletions

arch/x86/kernel/setup.c arch/x86/kernel/setup.c +1 -0

kernel/sysctl.c kernel/sysctl.c +31 -0

No files found.
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1150,6 +1150,7 @@ void __init setup_arch(char **cmdline_p)
 		pr_info("Secure boot enabled\n");
 	}
 	else if (boot_params.secure_boot == EFI_MOKSBSTATE_DISABLED) {
+		set_bit(EFI_MOKSBSTATE_DISABLED, &efi.flags);
 		boot_params.secure_boot = 0;
 		pr_info("Secure boot MOKSBState disabled\n");
    }

--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -65,6 +65,7 @@
 #include <linux/sched/sysctl.h>
 #include <linux/kexec.h>
 #include <linux/bpf.h>
+#include <linux/efi.h>
 #include <asm/uaccess.h>
 #include <asm/processor.h>
@@ -279,7 +280,37 @@ static int min_extfrag_threshold;
 static int max_extfrag_threshold = 1000;
 #endif
+static unsigned int secure_boot_enabled;
+int secure_boot_proc_handler(struct ctl_table *table, int write,
+	void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+	secure_boot_enabled = efi_enabled(EFI_SECURE_BOOT);
+	return proc_dointvec(table, write, buffer, lenp, ppos);
+}
+static unsigned int moksbstate_disabled;
+int moksbstate_disabled_proc_handler(struct ctl_table *table, int write,
+	void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+	moksbstate_disabled = efi_enabled(EFI_MOKSBSTATE_DISABLED);
+	return proc_dointvec(table, write, buffer, lenp, ppos);
+}
 static struct ctl_table kern_table[] = {
+	{
+		.procname   = "secure_boot",
+		.data       = &secure_boot_enabled,
+		.maxlen     = sizeof(unsigned int),
+		.mode       = 0444,
+		.proc_handler   = secure_boot_proc_handler,
+	},
+	{
+		.procname   = "moksbstate_disabled",
+		.data       = &moksbstate_disabled,
+		.maxlen     = sizeof(unsigned int),
+		.mode       = 0444,
+		.proc_handler   = moksbstate_disabled_proc_handler,
+	},
 	{
 		.procname	= "sched_child_runs_first",
 		.data		= &sysctl_sched_child_runs_first,