[CIQ] Arm Lockdown Config Enablement

PlaidCat · PlaidCat · commit 15b2f6b98154 · 2025-04-03T18:21:19.000-04:00
jira LE-2629 The config option CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is enabled for x86_64 from our base kernel-ark fork process however since we prioritized the additional lockdown patches from Debian as they also support ARM they've also set the config CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT to for their arm configs as well so we must do the same. For technical reasons its defined here: https://salsa.debian.org/kernel-team/linux/-/blob/debian/latest/debian/config/config?ref_type=heads#L7762 It was validated that this is the generic setting by downloading their arm64 configs from here: https://packages.debian.org/sid/amd64/linux-config-6.12/download
diff --git a/ciq/configs/kernel-aarch64-64k-debug.config b/ciq/configs/kernel-aarch64-64k-debug.config
@@ -7830,7 +7830,7 @@ CONFIG_SECURITY_YAMA=y
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
-# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
 CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
diff --git a/ciq/configs/kernel-aarch64-64k.config b/ciq/configs/kernel-aarch64-64k.config
@@ -7808,7 +7808,7 @@ CONFIG_SECURITY_YAMA=y
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
-# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
 CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
diff --git a/ciq/configs/kernel-aarch64-debug.config b/ciq/configs/kernel-aarch64-debug.config
@@ -7836,7 +7836,7 @@ CONFIG_SECURITY_YAMA=y
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
-# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
 CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
diff --git a/ciq/configs/kernel-aarch64.config b/ciq/configs/kernel-aarch64.config
@@ -7814,7 +7814,7 @@ CONFIG_SECURITY_YAMA=y
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
-# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
 CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
