lockdown: Run in lockdown integrity mode when SB is enabled.

Run in lockdown integrity mode when UEFI Secure Boot is enabled.  The
lockdown command line parameter can still be used to raise the lockdown
level higher.

Orabug: 34304810
Signed-off-by: Eric Snowberg <[email protected]>
Reviewed-by: Konrad Rzeszutek Wilk <[email protected]>

Author: esnowberg

security/lockdown/lockdown.c

@@ -14,6 +14,7 @@
 #include <linux/export.h>
 #include <linux/lsm_hooks.h>
 #include <uapi/linux/lsm.h>
+#include <linux/efi.h>
 
 static enum lockdown_reason kernel_locked_down;
 
@@ -88,6 +89,9 @@ static int __init lockdown_lsm_init(void)
 #elif defined(CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY)
 	lock_kernel_down("Kernel configuration", LOCKDOWN_CONFIDENTIALITY_MAX);
 #endif
+	if (efi_enabled(EFI_SECURE_BOOT))
+		lock_kernel_down("EFI Secure Boot", LOCKDOWN_INTEGRITY_MAX);
+
 	security_add_hooks(lockdown_hooks, ARRAY_SIZE(lockdown_hooks),
 			   &lockdown_lsmid);
 	return 0;