authorJavier Martinez Canillas <javierm@redhat.com>2019-10-10 13:38:57 +0200
committerJeremy Cline <jcline@redhat.com>2019-10-10 09:55:31 -0400
commit89ddbf781a931178ff88e87745227406d012994a (patch)
tree263d8f8692584fe40dec83cca5184464f175222e
parent0367ea2bfd07bb85b0e9ed187d83ff612847f391 (diff)
Enable CONFIG_EFI_TEST as a module (rhbz 1759325)
The driver is needed for testing purposes, so enable it on the architectures where EFI is supported. Also, disallow access to the registered device if the kernel is locked down.
-rw-r--r--configs/fedora/generic/CONFIG_EFI_TEST2
-rw-r--r--configs/fedora/generic/powerpc/CONFIG_EFI_TEST1
-rw-r--r--configs/fedora/generic/s390x/CONFIG_EFI_TEST1
-rw-r--r--efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch87
-rw-r--r--kernel-aarch64-debug.config2
-rw-r--r--kernel-aarch64.config2
-rw-r--r--kernel-armv7hl-debug.config2
-rw-r--r--kernel-armv7hl-lpae-debug.config2
-rw-r--r--kernel-armv7hl-lpae.config2
-rw-r--r--kernel-armv7hl.config2
-rw-r--r--kernel-i686-debug.config2
-rw-r--r--kernel-i686.config2
-rw-r--r--kernel-x86_64-debug.config2
-rw-r--r--kernel-x86_64.config2
-rw-r--r--kernel.spec4
15 files changed, 104 insertions, 11 deletions
diff --git a/configs/fedora/generic/CONFIG_EFI_TEST b/configs/fedora/generic/CONFIG_EFI_TEST
index 455eb3061..09ff10ce7 100644
--- a/configs/fedora/generic/CONFIG_EFI_TEST
+++ b/configs/fedora/generic/CONFIG_EFI_TEST
@@ -1 +1 @@
-# CONFIG_EFI_TEST is not set
+CONFIG_EFI_TEST=m
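Review bot: This generic fragment builds the module for every kernel flavour that does not override it, production as well as debug, while the lockdown and CAP_SYS_ADMIN gating comes only from the downstream patch added in the same commit. If that patch is dropped in a later rebase and this line stays, access to /dev/efi_test falls back to the chardev file mode bits alone. If the config tooling accepts free-form comments in fragments, record the dependency here, e.g. `# Depends on efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch; unset if that patch is dropped`; otherwise put the same sentence next to the Patch206 entry in kernel.spec.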
diff --git a/configs/fedora/generic/powerpc/CONFIG_EFI_TEST b/configs/fedora/generic/powerpc/CONFIG_EFI_TEST
new file mode 100644
index 000000000..455eb3061
--- /dev/null
+++ b/configs/fedora/generic/powerpc/CONFIG_EFI_TEST
@@ -0,0 +1 @@
+# CONFIG_EFI_TEST is not set
diff --git a/configs/fedora/generic/s390x/CONFIG_EFI_TEST b/configs/fedora/generic/s390x/CONFIG_EFI_TEST
new file mode 100644
index 000000000..455eb3061
--- /dev/null
+++ b/configs/fedora/generic/s390x/CONFIG_EFI_TEST
@@ -0,0 +1 @@
+# CONFIG_EFI_TEST is not set
diff --git a/efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch b/efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch
new file mode 100644
index 000000000..61a52c6fd
--- /dev/null
+++ b/efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch
@@ -0,0 +1,87 @@
+From: Javier Martinez Canillas <javierm@redhat.com>
+Subject: [PATCH v2] efi/efi_test: lock down /dev/efi_test and require
+ CAP_SYS_ADMIN
+Date: Tue, 8 Oct 2019 12:55:10 +0200
+
+The driver exposes EFI runtime services to user-space through an IOCTL
+interface, calling the EFI services function pointers directly without
+using the efivar API.
+
+Disallow access to the /dev/efi_test character device when the kernel is
+locked down to prevent arbitrary user-space to call EFI runtime services.
+
+Also require CAP_SYS_ADMIN to open the chardev to prevent unprivileged
+users to call the EFI runtime services, instead of just relying on the
+chardev file mode bits for this.
+
+The main user of this driver is the fwts [0] tool that already checks if
+the effective user ID is 0 and fails otherwise. So this change shouldn't
+cause any regression to this tool.
+
+[0]: https://wiki.ubuntu.com/FirmwareTestSuite/Reference/uefivarinfo
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+Acked-by: Matthew Garrett <mjg59@google.com>
+---
+
+Changes in v2:
+- Also disable /dev/efi_test access when the kernel is locked down as
+ suggested by Matthew Garrett.
+- Add Acked-by tag from Laszlo Ersek.
+
+ drivers/firmware/efi/test/efi_test.c | 8 ++++++++
+ include/linux/security.h | 1 +
+ security/lockdown/lockdown.c | 1 +
+ 3 files changed, 10 insertions(+)
+
+diff --git a/drivers/firmware/efi/test/efi_test.c b/drivers/firmware/efi/test/efi_test.c
+index 877745c3aaf..7baf48c01e7 100644
+--- a/drivers/firmware/efi/test/efi_test.c
++++ b/drivers/firmware/efi/test/efi_test.c
+@@ -14,6 +14,7 @@
+ #include <linux/init.h>
+ #include <linux/proc_fs.h>
+ #include <linux/efi.h>
++#include <linux/security.h>
+ #include <linux/slab.h>
+ #include <linux/uaccess.h>
+
+@@ -717,6 +718,13 @@ static long efi_test_ioctl(struct file *file, unsigned int cmd,
+
+ static int efi_test_open(struct inode *inode, struct file *file)
+ {
++ int ret = security_locked_down(LOCKDOWN_EFI_TEST);
++
++ if (ret)
++ return ret;
++
++ if (!capable(CAP_SYS_ADMIN))
++ return -EACCES;
+ /*
+ * nothing special to do here
+ * We do accept multiple open files at the same time as we
+diff --git a/include/linux/security.h b/include/linux/security.h
+index a8d59d612d2..9df7547afc0 100644
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -105,6 +105,7 @@ enum lockdown_reason {
+ LOCKDOWN_NONE,
+ LOCKDOWN_MODULE_SIGNATURE,
+ LOCKDOWN_DEV_MEM,
++ LOCKDOWN_EFI_TEST,
+ LOCKDOWN_KEXEC,
+ LOCKDOWN_HIBERNATION,
+ LOCKDOWN_PCI_ACCESS,
+diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
+index 8a10b43daf7..40b790536de 100644
+--- a/security/lockdown/lockdown.c
++++ b/security/lockdown/lockdown.c
+@@ -20,6 +20,7 @@ static const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
+ [LOCKDOWN_NONE] = "none",
+ [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading",
+ [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port",
++ [LOCKDOWN_EFI_TEST] = "/dev/efi_test access",
+ [LOCKDOWN_KEXEC] = "kexec of unsigned images",
+ [LOCKDOWN_HIBERNATION] = "hibernation",
+ [LOCKDOWN_PCI_ACCESS] = "direct PCI access",
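Review bot: Both checks added to `efi_test_open()` run only at open time, so a descriptor opened before lockdown was raised, or opened by a CAP_SYS_ADMIN process and then inherited by or passed to a less privileged one, still reaches `efi_test_ioctl()` with no further check as far as the visible lines show. Because the lockdown level can be raised at runtime, consider repeating the lockdown test at the top of the ioctl handler, e.g. `ret = security_locked_down(LOCKDOWN_EFI_TEST); if (ret) return ret;`. The retained comment `nothing special to do here` is now stale beneath the new gating and could be reworded to say that open enforces lockdown and CAP_SYS_ADMIN. The bodies of `efi_test_open()` and `efi_test_ioctl()` both continue outside the embedded hunk, so this is inferred from the shown lines only.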
diff --git a/kernel-aarch64-debug.config b/kernel-aarch64-debug.config
index 4b1ce9112..0c8630555 100644
--- a/kernel-aarch64-debug.config
+++ b/kernel-aarch64-debug.config
@@ -1733,7 +1733,7 @@ CONFIG_EFI_ARMSTUB_DTB_LOADER=y
CONFIG_EFI_PARTITION=y
CONFIG_EFI_PGT_DUMP=y
# CONFIG_EFI_RCI2_TABLE is not set
-# CONFIG_EFI_TEST is not set
+CONFIG_EFI_TEST=m
CONFIG_EFIVAR_FS=y
CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y
CONFIG_EFI_VARS_PSTORE=y
diff --git a/kernel-aarch64.config b/kernel-aarch64.config
index 21df2fad3..2f9cab3b1 100644
--- a/kernel-aarch64.config
+++ b/kernel-aarch64.config
@@ -1725,7 +1725,7 @@ CONFIG_EFI_ARMSTUB_DTB_LOADER=y
CONFIG_EFI_PARTITION=y
# CONFIG_EFI_PGT_DUMP is not set
# CONFIG_EFI_RCI2_TABLE is not set
-# CONFIG_EFI_TEST is not set
+CONFIG_EFI_TEST=m
CONFIG_EFIVAR_FS=y
CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y
CONFIG_EFI_VARS_PSTORE=y
diff --git a/kernel-armv7hl-debug.config b/kernel-armv7hl-debug.config
index f94f3971b..5fe089172 100644
--- a/kernel-armv7hl-debug.config
+++ b/kernel-armv7hl-debug.config
@@ -1762,7 +1762,7 @@ CONFIG_EFI_ARMSTUB_DTB_LOADER=y
CONFIG_EFI_PARTITION=y
CONFIG_EFI_PGT_DUMP=y
# CONFIG_EFI_RCI2_TABLE is not set
-# CONFIG_EFI_TEST is not set
+CONFIG_EFI_TEST=m
CONFIG_EFIVAR_FS=y
CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y
CONFIG_EFI_VARS_PSTORE=y
diff --git a/kernel-armv7hl-lpae-debug.config b/kernel-armv7hl-lpae-debug.config
index 3941abcff..223238f14 100644
--- a/kernel-armv7hl-lpae-debug.config
+++ b/kernel-armv7hl-lpae-debug.config
@@ -1701,7 +1701,7 @@ CONFIG_EFI_ARMSTUB_DTB_LOADER=y
CONFIG_EFI_PARTITION=y
CONFIG_EFI_PGT_DUMP=y
# CONFIG_EFI_RCI2_TABLE is not set
-# CONFIG_EFI_TEST is not set
+CONFIG_EFI_TEST=m
CONFIG_EFIVAR_FS=y
CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y
CONFIG_EFI_VARS_PSTORE=y
diff --git a/kernel-armv7hl-lpae.config b/kernel-armv7hl-lpae.config
index 02461d14b..8c0a47ce9 100644
--- a/kernel-armv7hl-lpae.config
+++ b/kernel-armv7hl-lpae.config
@@ -1694,7 +1694,7 @@ CONFIG_EFI_ARMSTUB_DTB_LOADER=y
CONFIG_EFI_PARTITION=y
# CONFIG_EFI_PGT_DUMP is not set
# CONFIG_EFI_RCI2_TABLE is not set
-# CONFIG_EFI_TEST is not set
+CONFIG_EFI_TEST=m
CONFIG_EFIVAR_FS=y
CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y
CONFIG_EFI_VARS_PSTORE=y
diff --git a/kernel-armv7hl.config b/kernel-armv7hl.config
index 6cc7b4137..8df753f0b 100644
--- a/kernel-armv7hl.config
+++ b/kernel-armv7hl.config
@@ -1755,7 +1755,7 @@ CONFIG_EFI_ARMSTUB_DTB_LOADER=y
CONFIG_EFI_PARTITION=y
# CONFIG_EFI_PGT_DUMP is not set
# CONFIG_EFI_RCI2_TABLE is not set
-# CONFIG_EFI_TEST is not set
+CONFIG_EFI_TEST=m
CONFIG_EFIVAR_FS=y
CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y
CONFIG_EFI_VARS_PSTORE=y
diff --git a/kernel-i686-debug.config b/kernel-i686-debug.config
index 272fe3f12..0d9448b88 100644
--- a/kernel-i686-debug.config
+++ b/kernel-i686-debug.config
@@ -1484,7 +1484,7 @@ CONFIG_EFI_PGT_DUMP=y
CONFIG_EFI_RCI2_TABLE=y
CONFIG_EFI_RUNTIME_MAP=y
CONFIG_EFI_STUB=y
-# CONFIG_EFI_TEST is not set
+CONFIG_EFI_TEST=m
CONFIG_EFIVAR_FS=y
# CONFIG_EFI_VARS is not set
# CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE is not set
diff --git a/kernel-i686.config b/kernel-i686.config
index f9c8e2035..1e3916c40 100644
--- a/kernel-i686.config
+++ b/kernel-i686.config
@@ -1475,7 +1475,7 @@ CONFIG_EFI_PARTITION=y
CONFIG_EFI_RCI2_TABLE=y
CONFIG_EFI_RUNTIME_MAP=y
CONFIG_EFI_STUB=y
-# CONFIG_EFI_TEST is not set
+CONFIG_EFI_TEST=m
CONFIG_EFIVAR_FS=y
# CONFIG_EFI_VARS is not set
# CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE is not set
diff --git a/kernel-x86_64-debug.config b/kernel-x86_64-debug.config
index a40147d60..7c7573e09 100644
--- a/kernel-x86_64-debug.config
+++ b/kernel-x86_64-debug.config
@@ -1528,7 +1528,7 @@ CONFIG_EFI_PGT_DUMP=y
CONFIG_EFI_RCI2_TABLE=y
CONFIG_EFI_RUNTIME_MAP=y
CONFIG_EFI_STUB=y
-# CONFIG_EFI_TEST is not set
+CONFIG_EFI_TEST=m
CONFIG_EFIVAR_FS=y
# CONFIG_EFI_VARS is not set
# CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE is not set
diff --git a/kernel-x86_64.config b/kernel-x86_64.config
index 99e018991..17386faef 100644
--- a/kernel-x86_64.config
+++ b/kernel-x86_64.config
@@ -1519,7 +1519,7 @@ CONFIG_EFI_PARTITION=y
CONFIG_EFI_RCI2_TABLE=y
CONFIG_EFI_RUNTIME_MAP=y
CONFIG_EFI_STUB=y
-# CONFIG_EFI_TEST is not set
+CONFIG_EFI_TEST=m
CONFIG_EFIVAR_FS=y
# CONFIG_EFI_VARS is not set
# CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE is not set
diff --git a/kernel.spec b/kernel.spec
index 9d4dcf321..5c90963fa 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -508,6 +508,10 @@ Patch204: efi-secureboot.patch
Patch205: lift-lockdown-sysrq.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1759325
+# Submitted upstream at https://lore.kernel.org/patchwork/patch/1136967/
+Patch206: efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch
+
# 300 - ARM patches
Patch300: arm64-Add-option-of-13-for-FORCE_MAX_ZONEORDER.patch