From: Jeremy Cline on gitlab.com
Merge Request: https://gitlab.com/cki-project/kernel-ark/-/merge_requests/3862
JIRA: https://issues.redhat.com/browse/RHEL-82437

There is RHEL/Fedora specific functionality on x86 and other arches which enables extra kernel lockdowns when booted by secureboot. Let's do the same for arm now that secureboot is working.

This is a rebase of the patch set from Mark that's been submitted for [RHEL 10](https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/609) and [RHEL 9](https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/5192), but which I don't see in ARK.

In particular, I'm interested in getting this into Fedora since, although we do not currently sign aarch64 for SecureBoot, we're working on getting the infrastructure ready for that. In the meantime, carrying this patch is useful for folks who build and sign their own aarch64 kernels.

I hope I'm not stepping on Mark's toes here, I figured the easiest place to ask about plans for it in Fedora/ARK was in a PR to add it.

Signed-off-by: Mark Salter <msalter@xxxxxxxxxx>
Signed-off-by: Jeremy Cline <jeremycline@xxxxxxxxxxxxxxxxxxx>

---
 arch/arm64/kernel/setup.c                                                     | 27 ++++++++++
 drivers/firmware/efi/libstub/fdt.c                                            |  5 +
 drivers/firmware/efi/libstub/secureboot.c                                     | 14 +++-
 redhat/configs/common/generic/arm/aarch64/CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT |  1 +
 4 files changed, 43 insertions(+), 4 deletions(-)