summaryrefslogtreecommitdiffstats
path: root/efi-lockdown.patch
diff options
context:
space:
mode:
authorJustin M. Forbes <jforbes@fedoraproject.org>2017-10-20 16:22:53 -0500
committerJustin M. Forbes <jforbes@fedoraproject.org>2017-10-20 16:22:53 -0500
commit135abd0c282fbe19d4565c75b6c058d388cfd2bc (patch)
treeaa0ebfd7c029213a4d3fb9a45edad4a041816217 /efi-lockdown.patch
parent59566d9a2cbf6092cd9f7b0990f073c81ce668d3 (diff)
downloadkernel-135abd0c282fbe19d4565c75b6c058d388cfd2bc.tar.gz
kernel-135abd0c282fbe19d4565c75b6c058d388cfd2bc.tar.xz
kernel-135abd0c282fbe19d4565c75b6c058d388cfd2bc.zip
Linux v4.14-rc5-94-g9a27ded2195a
Diffstat (limited to 'efi-lockdown.patch')
-rw-r--r--efi-lockdown.patch928
1 files changed, 319 insertions, 609 deletions
diff --git a/efi-lockdown.patch b/efi-lockdown.patch
index a45be8771..2f47274cc 100644
--- a/efi-lockdown.patch
+++ b/efi-lockdown.patch
@@ -1,17 +1,8 @@
-From patchwork Thu Oct 19 14:50:40 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [01/27] Add the ability to lock down access to the running kernel
- image
+From ae255bb7a54aa44ae4ac1b7a38617f976bdb07db Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
-X-Patchwork-Id: 10017331
-Message-Id: <150842463996.7923.6815305873334959305.stgit@warthog.procyon.org.uk>
-To: linux-security-module@vger.kernel.org
-Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
- matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
- linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
-Date: Thu, 19 Oct 2017 15:50:40 +0100
+Date: Wed, 24 May 2017 14:56:00 +0100
+Subject: [PATCH] Add the ability to lock down access to the running kernel
+ image
Provide a single call to allow kernel code to determine whether the system
should be locked down, thereby disallowing various accesses that might
@@ -21,12 +12,11 @@ MSR registers and disallowing hibernation,
Signed-off-by: David Howells <dhowells@redhat.com>
---
-
- include/linux/kernel.h | 17 +++++++++++++
- include/linux/security.h | 8 ++++++
- security/Kconfig | 8 ++++++
- security/Makefile | 3 ++
- security/lock_down.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++
+ include/linux/kernel.h | 17 ++++++++++++++
+ include/linux/security.h | 8 +++++++
+ security/Kconfig | 8 +++++++
+ security/Makefile | 3 +++
+ security/lock_down.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++
5 files changed, 96 insertions(+)
create mode 100644 security/lock_down.c
@@ -37,7 +27,7 @@ index 0ad4c3044cf9..362da2e4bf53 100644
@@ -287,6 +287,23 @@ static inline void refcount_error_report(struct pt_regs *regs, const char *err)
{ }
#endif
-
+
+#ifdef CONFIG_LOCK_DOWN_KERNEL
+extern bool __kernel_is_locked_down(const char *what, bool first);
+#else
@@ -59,23 +49,23 @@ index 0ad4c3044cf9..362da2e4bf53 100644
int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res);
int __must_check _kstrtol(const char *s, unsigned int base, long *res);
diff --git a/include/linux/security.h b/include/linux/security.h
-index ce6265960d6c..f9a894b42d4c 100644
+index ce6265960d6c..310775476b68 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1753,5 +1753,13 @@ static inline void free_secdata(void *secdata)
{ }
#endif /* CONFIG_SECURITY */
-
+
+#ifdef CONFIG_LOCK_DOWN_KERNEL
+extern void __init init_lockdown(void);
+#else
-+static inline void __init init_lockdown(void);
++static inline void __init init_lockdown(void)
+{
+}
+#endif
+
#endif /* ! __LINUX_SECURITY_H */
-
+
diff --git a/security/Kconfig b/security/Kconfig
index e8e449444e65..8e01fd59ae7e 100644
--- a/security/Kconfig
@@ -83,7 +73,7 @@ index e8e449444e65..8e01fd59ae7e 100644
@@ -205,6 +205,14 @@ config STATIC_USERMODEHELPER_PATH
If you wish for all usermode helper programs to be disabled,
specify an empty string here (i.e. "").
-
+
+config LOCK_DOWN_KERNEL
+ bool "Allow the kernel to be 'locked down'"
+ help
@@ -172,22 +162,13 @@ index 000000000000..d8595c0e6673
+ return kernel_locked_down;
+}
+EXPORT_SYMBOL(__kernel_is_locked_down);
+--
+2.13.5
-From patchwork Thu Oct 19 14:50:47 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [02/27] Add a SysRq option to lift kernel lockdown
-From: David Howells <dhowells@redhat.com>
-X-Patchwork-Id: 10017333
-Message-Id: <150842464774.7923.7951986297563109339.stgit@warthog.procyon.org.uk>
-To: linux-security-module@vger.kernel.org
-Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
- matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
- linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
-Date: Thu, 19 Oct 2017 15:50:47 +0100
-
+From 0712c10c74f2a24592f0c54595c2f19ee847b209 Mon Sep 17 00:00:00 2001
From: Kyle McMartin <kyle@redhat.com>
+Date: Wed, 18 Oct 2017 14:02:25 +0100
+Subject: [PATCH 01/25] Add a SysRq option to lift kernel lockdown
Make an option to provide a sysrq key that will lift the kernel lockdown,
thereby allowing the running kernel image to be accessed and modified.
@@ -199,16 +180,15 @@ Signed-off-by: Kyle McMartin <kyle@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: x86@kernel.org
---
-
- arch/x86/include/asm/setup.h | 2 ++
- drivers/input/misc/uinput.c | 1 +
- drivers/tty/sysrq.c | 19 +++++++++++------
- include/linux/input.h | 5 ++++
- include/linux/sysrq.h | 8 ++++++-
- kernel/debug/kdb/kdb_main.c | 2 +-
- security/Kconfig | 15 +++++++++++++
- security/lock_down.c | 48 ++++++++++++++++++++++++++++++++++++++++++
- 8 files changed, 92 insertions(+), 8 deletions(-)
+ arch/x86/include/asm/setup.h | 2 ++
+ drivers/input/misc/uinput.c | 1 +
+ drivers/tty/sysrq.c | 19 ++++++++++++------
+ include/linux/input.h | 5 +++++
+ include/linux/sysrq.h | 8 +++++++-
+ kernel/debug/kdb/kdb_main.c | 2 +-
+ security/Kconfig | 8 ++++++++
+ security/lock_down.c | 47 ++++++++++++++++++++++++++++++++++++++++++++
+ 8 files changed, 84 insertions(+), 8 deletions(-)
diff --git a/arch/x86/include/asm/setup.h b/arch/x86/include/asm/setup.h
index a65cf544686a..863f77582c09 100644
@@ -217,11 +197,11 @@ index a65cf544686a..863f77582c09 100644
@@ -8,6 +8,8 @@
#include <linux/linkage.h>
#include <asm/page_types.h>
-
+
+#define LOCKDOWN_LIFT_KEY 'x'
+
#ifdef __i386__
-
+
#include <linux/pfn.h>
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
index 443151de90c6..45a1f5460805 100644
@@ -230,11 +210,11 @@ index 443151de90c6..45a1f5460805 100644
@@ -408,6 +408,7 @@ static int uinput_allocate_device(struct uinput_device *udev)
if (!udev->dev)
return -ENOMEM;
-
+
+ udev->dev->flags |= INPUTDEV_FLAGS_SYNTHETIC;
udev->dev->event = uinput_dev_event;
input_set_drvdata(udev->dev, udev);
-
+
diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
index 3ffc1ce29023..8b766dbad6dd 100644
--- a/drivers/tty/sysrq.c
@@ -250,14 +230,14 @@ index 3ffc1ce29023..8b766dbad6dd 100644
@@ -524,7 +525,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
sysrq_key_table[i] = op_p;
}
-
+
-void __handle_sysrq(int key, bool check_mask)
+void __handle_sysrq(int key, unsigned int from)
{
struct sysrq_key_op *op_p;
int orig_log_level;
@@ -544,11 +545,15 @@ void __handle_sysrq(int key, bool check_mask)
-
+
op_p = __sysrq_get_key_op(key);
if (op_p) {
+ /* Ban synthetic events from some sysrq functionality */
@@ -281,18 +261,18 @@ index 3ffc1ce29023..8b766dbad6dd 100644
+ __handle_sysrq(key, SYSRQ_FROM_KERNEL);
}
EXPORT_SYMBOL(handle_sysrq);
-
+
@@ -661,7 +666,7 @@ static void sysrq_do_reset(unsigned long _state)
static void sysrq_handle_reset_request(struct sysrq_state *state)
{
if (state->reset_requested)
- __handle_sysrq(sysrq_xlate[KEY_B], false);
+ __handle_sysrq(sysrq_xlate[KEY_B], SYSRQ_FROM_KERNEL);
-
+
if (sysrq_reset_downtime_ms)
mod_timer(&state->keyreset_timer,
@@ -812,8 +817,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
-
+
default:
if (sysrq->active && value && value != 2) {
+ int from = sysrq->handle.dev->flags & INPUTDEV_FLAGS_SYNTHETIC ?
@@ -304,13 +284,13 @@ index 3ffc1ce29023..8b766dbad6dd 100644
break;
}
@@ -1097,7 +1104,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
-
+
if (get_user(c, buf))
return -EFAULT;
- __handle_sysrq(c, false);
+ __handle_sysrq(c, SYSRQ_FROM_PROC);
}
-
+
return count;
diff --git a/include/linux/input.h b/include/linux/input.h
index fb5e23c7ed98..9d2b45a21ade 100644
@@ -327,16 +307,16 @@ index fb5e23c7ed98..9d2b45a21ade 100644
@@ -124,6 +125,8 @@ struct input_dev {
const char *uniq;
struct input_id id;
-
+
+ unsigned int flags;
+
unsigned long propbit[BITS_TO_LONGS(INPUT_PROP_CNT)];
-
+
unsigned long evbit[BITS_TO_LONGS(EV_CNT)];
@@ -190,6 +193,8 @@ struct input_dev {
};
#define to_input_dev(d) container_of(d, struct input_dev, dev)
-
+
+#define INPUTDEV_FLAGS_SYNTHETIC 0x000000001
+
/*
@@ -349,7 +329,7 @@ index 387fa7d05c98..f7c52a9ea394 100644
@@ -28,6 +28,8 @@
#define SYSRQ_ENABLE_BOOT 0x0080
#define SYSRQ_ENABLE_RTNICE 0x0100
-
+
+#define SYSRQ_DISABLE_USERSPACE 0x00010000
+
struct sysrq_key_op {
@@ -358,7 +338,7 @@ index 387fa7d05c98..f7c52a9ea394 100644
@@ -42,8 +44,12 @@ struct sysrq_key_op {
* are available -- else NULL's).
*/
-
+
+#define SYSRQ_FROM_KERNEL 0x0001
+#define SYSRQ_FROM_PROC 0x0002
+#define SYSRQ_FROM_SYNTHETIC 0x0004
@@ -375,31 +355,24 @@ index c8146d53ca67..b480cadf9272 100644
+++ b/kernel/debug/kdb/kdb_main.c
@@ -1970,7 +1970,7 @@ static int kdb_sr(int argc, const char **argv)
return KDB_ARGCOUNT;
-
+
kdb_trap_printk++;
- __handle_sysrq(*argv[1], check_mask);
+ __handle_sysrq(*argv[1], check_mask ? SYSRQ_FROM_KERNEL : 0);
kdb_trap_printk--;
-
+
return 0;
diff --git a/security/Kconfig b/security/Kconfig
-index 8e01fd59ae7e..4be6be71e075 100644
+index 8e01fd59ae7e..453cc89c198a 100644
--- a/security/Kconfig
+++ b/security/Kconfig
-@@ -213,6 +213,21 @@ config LOCK_DOWN_KERNEL
+@@ -213,6 +213,14 @@ config LOCK_DOWN_KERNEL
turns off various features that might otherwise allow access to the
kernel image (eg. setting MSR registers).
-
-+config ALLOW_LOCKDOWN_LIFT
-+ bool
-+ help
-+ Allow the lockdown on a kernel to be lifted, thereby restoring the
-+ ability of userspace to access the kernel image (eg. by SysRq+x under
-+ x86).
-+
+
+config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
+ bool "Allow the kernel lockdown to be lifted by SysRq"
-+ depends on MAGIC_SYSRQ
++ depends on LOCK_DOWN_KERNEL && MAGIC_SYSRQ
+ help
+ Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
+ combination on a wired keyboard.
@@ -409,45 +382,44 @@ index 8e01fd59ae7e..4be6be71e075 100644
source security/smack/Kconfig
source security/tomoyo/Kconfig
diff --git a/security/lock_down.c b/security/lock_down.c
-index d8595c0e6673..f71118c340d2 100644
+index d8595c0e6673..2c6b00f0c229 100644
--- a/security/lock_down.c
+++ b/security/lock_down.c
-@@ -11,8 +11,13 @@
-
+@@ -11,8 +11,14 @@
+
#include <linux/security.h>
#include <linux/export.h>
+#include <linux/sysrq.h>
-
-+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT
++#include <asm/setup.h>
+
++#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
+static __read_mostly bool kernel_locked_down;
+#else
static __ro_after_init bool kernel_locked_down;
+#endif
-
+
/*
* Put the kernel into lock-down mode.
-@@ -58,3 +63,46 @@ bool __kernel_is_locked_down(const char *what, bool first)
+@@ -58,3 +64,44 @@ bool __kernel_is_locked_down(const char *what, bool first)
return kernel_locked_down;
}
EXPORT_SYMBOL(__kernel_is_locked_down);
+
++#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
++
+/*
+ * Take the kernel out of lockdown mode.
+ */
-+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT
+static void lift_kernel_lockdown(void)
+{
+ pr_notice("Lifting lockdown\n");
+ kernel_locked_down = false;
+}
-+#endif
+
+/*
+ * Allow lockdown to be lifted by pressing something like SysRq+x (and not by
+ * echoing the appropriate letter into the sysrq-trigger file).
+ */
-+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_KEY
-+
+static void sysrq_handle_lockdown_lift(int key)
+{
+ if (kernel_locked_down)
@@ -472,29 +444,22 @@ index d8595c0e6673..f71118c340d2 100644
+
+late_initcall(lockdown_lift_sysrq);
+
-+#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_KEY */
++#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */
+--
+2.13.5
-From patchwork Thu Oct 19 14:50:55 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [03/27] Enforce module signatures if the kernel is locked down
+From a77c5e9c49ac6458581e607a033e1e6a3928b21c Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
-X-Patchwork-Id: 10017335
-Message-Id: <150842465546.7923.6762214527898273559.stgit@warthog.procyon.org.uk>
-To: linux-security-module@vger.kernel.org
-Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
- matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
- linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
-Date: Thu, 19 Oct 2017 15:50:55 +0100
+Date: Wed, 24 May 2017 14:56:01 +0100
+Subject: [PATCH 02/25] Enforce module signatures if the kernel is locked down
If the kernel is locked down, require that all modules have valid
signatures that we can verify.
Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
---
-
- kernel/module.c | 3 ++-
+ kernel/module.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/module.c b/kernel/module.c
@@ -503,30 +468,22 @@ index de66ec825992..3d9a3270c179 100644
+++ b/kernel/module.c
@@ -2781,7 +2781,8 @@ static int module_sig_check(struct load_info *info, int flags)
}
-
+
/* Not having a signature is only an error if we're strict. */
- if (err == -ENOKEY && !sig_enforce)
+ if (err == -ENOKEY && !sig_enforce &&
+ !kernel_is_locked_down("Loading of unsigned modules"))
err = 0;
-
- return err;
-From patchwork Thu Oct 19 14:51:02 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down
-From: David Howells <dhowells@redhat.com>
-X-Patchwork-Id: 10017337
-Message-Id: <150842466261.7923.14359746674406637357.stgit@warthog.procyon.org.uk>
-To: linux-security-module@vger.kernel.org
-Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
- matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
- linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
-Date: Thu, 19 Oct 2017 15:51:02 +0100
+ return err;
+--
+2.13.5
+From 8ed6fd87e9e639955c0b9d864ea42dc7611670ca Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Wed, 24 May 2017 14:56:02 +0100
+Subject: [PATCH 03/25] Restrict /dev/mem and /dev/kmem when the kernel is
+ locked down
Allowing users to write to address space makes it possible for the kernel to
be subverted, avoiding module loading restrictions. Prevent this when the
@@ -534,9 +491,9 @@ kernel has been locked down.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
---
-
- drivers/char/mem.c | 6 ++++++
+ drivers/char/mem.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
@@ -546,39 +503,30 @@ index 593a8818aca9..b7c36898b689 100644
@@ -179,6 +179,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
if (p != *ppos)
return -EFBIG;
-
+
+ if (kernel_is_locked_down("/dev/mem"))
+ return -EPERM;
+
if (!valid_phys_addr_range(p, count))
return -EFAULT;
-
+
@@ -540,6 +543,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
int err = 0;
-
+
+ if (kernel_is_locked_down("/dev/kmem"))
+ return -EPERM;
+
if (p < (unsigned long) high_memory) {
unsigned long to_write = min_t(unsigned long, count,
(unsigned long)high_memory - p);
+--
+2.13.5
-From patchwork Thu Oct 19 14:51:09 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [05/27] kexec: Disable at runtime if the kernel is locked down
-From: David Howells <dhowells@redhat.com>
-X-Patchwork-Id: 10017339
-Message-Id: <150842466996.7923.17995994984545441369.stgit@warthog.procyon.org.uk>
-To: linux-security-module@vger.kernel.org
-Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
- matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
- linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
-Date: Thu, 19 Oct 2017 15:51:09 +0100
-
+From befd1007b58e66dbcf7367f6ccc3d992c7262d3a Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Wed, 24 May 2017 14:56:02 +0100
+Subject: [PATCH 04/25] kexec: Disable at runtime if the kernel is locked down
kexec permits the loading and execution of arbitrary code in ring 0, which
is something that lock-down is meant to prevent. It makes sense to disable
@@ -590,10 +538,10 @@ image to be booted.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Dave Young <dyoung@redhat.com>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: kexec@lists.infradead.org
---
-
- kernel/kexec.c | 7 +++++++
+ kernel/kexec.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/kernel/kexec.c b/kernel/kexec.c
@@ -602,7 +550,7 @@ index e62ec4dc6620..7dadfed9b676 100644
+++ b/kernel/kexec.c
@@ -202,6 +202,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
return -EPERM;
-
+
/*
+ * kexec can be used to circumvent module loading restrictions, so
+ * prevent loading in that case
@@ -614,22 +562,14 @@ index e62ec4dc6620..7dadfed9b676 100644
* Verify we have a legal set of flags
* This leaves us room for future extensions.
*/
+--
+2.13.5
-From patchwork Thu Oct 19 14:51:20 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [06/27] Copy secure_boot flag in boot params across kexec reboot
-From: David Howells <dhowells@redhat.com>
-X-Patchwork-Id: 10017341
-Message-Id: <150842468009.7923.5512653689857540199.stgit@warthog.procyon.org.uk>
-To: linux-security-module@vger.kernel.org
-Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
- matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
- linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
-Date: Thu, 19 Oct 2017 15:51:20 +0100
-
+From 845d8a124c5be487f29ab05cc69a45119a715184 Mon Sep 17 00:00:00 2001
From: Dave Young <dyoung@redhat.com>
+Date: Wed, 24 May 2017 14:56:02 +0100
+Subject: [PATCH 05/25] Copy secure_boot flag in boot params across kexec
+ reboot
Kexec reboot in case secure boot being enabled does not keep the secure
boot mode in new kernel, so later one can load unsigned kernel via legacy
@@ -644,10 +584,10 @@ stub. Fixing this issue by copying secure_boot flag across kexec reboot.
Signed-off-by: Dave Young <dyoung@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: kexec@lists.infradead.org
---
-
- arch/x86/kernel/kexec-bzimage64.c | 1 +
+ arch/x86/kernel/kexec-bzimage64.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
@@ -657,27 +597,19 @@ index fb095ba0c02f..7d0fac5bcbbe 100644
@@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
if (efi_enabled(EFI_OLD_MEMMAP))
return 0;
-
+
+ params->secure_boot = boot_params.secure_boot;
ei->efi_loader_signature = current_ei->efi_loader_signature;
ei->efi_systab = current_ei->efi_systab;
ei->efi_systab_hi = current_ei->efi_systab_hi;
+--
+2.13.5
-From patchwork Thu Oct 19 14:51:27 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [07/27] kexec_file: Disable at runtime if securelevel has been set
-From: David Howells <dhowells@redhat.com>
-X-Patchwork-Id: 10017343
-Message-Id: <150842468754.7923.10037578333644594134.stgit@warthog.procyon.org.uk>
-To: linux-security-module@vger.kernel.org
-Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
- matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
- linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
-Date: Thu, 19 Oct 2017 15:51:27 +0100
-
+From d61c8a5a7719d363ef4213f1d1d99d1bde87f78b Mon Sep 17 00:00:00 2001
From: Chun-Yi Lee <joeyli.kernel@gmail.com>
+Date: Wed, 24 May 2017 14:56:03 +0100
+Subject: [PATCH 06/25] kexec_file: Disable at runtime if securelevel has been
+ set
When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
through kexec_file systemcall if securelevel has been set.
@@ -690,8 +622,7 @@ Signed-off-by: Chun-Yi Lee <jlee@suse.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: kexec@lists.infradead.org
---
-
- kernel/kexec_file.c | 7 +++++++
+ kernel/kexec_file.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
@@ -701,7 +632,7 @@ index 9f48f4412297..ff6523f2dcc2 100644
@@ -255,6 +255,13 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
return -EPERM;
-
+
+ /* Don't permit images to be loaded into trusted kernels if we're not
+ * going to verify the signature on them
+ */
@@ -712,22 +643,13 @@ index 9f48f4412297..ff6523f2dcc2 100644
/* Make sure we have a legal set of flags */
if (flags != (flags & KEXEC_FILE_FLAGS))
return -EINVAL;
+--
+2.13.5
-From patchwork Thu Oct 19 14:51:34 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [08/27] hibernate: Disable when the kernel is locked down
-From: David Howells <dhowells@redhat.com>
-X-Patchwork-Id: 10017345
-Message-Id: <150842469486.7923.10376463083069013490.stgit@warthog.procyon.org.uk>
-To: linux-security-module@vger.kernel.org
-Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
- matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
- linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
-Date: Thu, 19 Oct 2017 15:51:34 +0100
-
+From 18eab166de1f6e89ca75e6d6056cdbb10cce9b1a Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Wed, 24 May 2017 14:56:03 +0100
+Subject: [PATCH 07/25] hibernate: Disable when the kernel is locked down
There is currently no way to verify the resume image when returning
from hibernate. This might compromise the signed modules trust model,
@@ -736,10 +658,10 @@ kernel is locked down.
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: linux-pm@vger.kernel.org
---
-
- kernel/power/hibernate.c | 2 +-
+ kernel/power/hibernate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
@@ -747,30 +669,21 @@ index a5c36e9c56a6..f2eafefeec50 100644
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
-
+
bool hibernation_available(void)
{
- return (nohibernate == 0);
+ return nohibernate == 0 && !kernel_is_locked_down("Hibernation");
}
-
- /**
-From patchwork Thu Oct 19 14:51:42 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [09/27] uswsusp: Disable when the kernel is locked down
-From: David Howells <dhowells@redhat.com>
-X-Patchwork-Id: 10017347
-Message-Id: <150842470227.7923.15293760935442172683.stgit@warthog.procyon.org.uk>
-To: linux-security-module@vger.kernel.org
-Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
- matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
- linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
-Date: Thu, 19 Oct 2017 15:51:42 +0100
+ /**
+--
+2.13.5
+From 0faef5cb3afb04f0c33ffcc923d86e49353b36da Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg59@srcf.ucam.org>
+Date: Wed, 24 May 2017 14:56:03 +0100
+Subject: [PATCH 08/25] uswsusp: Disable when the kernel is locked down
uswsusp allows a user process to dump and then restore kernel state, which
makes it possible to modify the running kernel. Disable this if the kernel
@@ -778,10 +691,10 @@ is locked down.
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: linux-pm@vger.kernel.org
---
-
- kernel/power/user.c | 3 +++
+ kernel/power/user.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/power/user.c b/kernel/power/user.c
@@ -791,29 +704,21 @@ index 22df9f7ff672..678ade9decfe 100644
@@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
if (!hibernation_available())
return -EPERM;
-
+
+ if (kernel_is_locked_down("/dev/snapshot"))
+ return -EPERM;
+
lock_system_sleep();
-
- if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
-From patchwork Thu Oct 19 14:51:49 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [10/27] PCI: Lock down BAR access when the kernel is locked down
-From: David Howells <dhowells@redhat.com>
-X-Patchwork-Id: 10017349
-Message-Id: <150842470945.7923.134066103094708461.stgit@warthog.procyon.org.uk>
-To: linux-security-module@vger.kernel.org
-Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
- matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
- linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
-Date: Thu, 19 Oct 2017 15:51:49 +0100
+ if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
+--
+2.13.5
+From 2aa540f7f43590b14e01327c631bbe42ba3e8baf Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Wed, 24 May 2017 14:56:03 +0100
+Subject: [PATCH 09/25] PCI: Lock down BAR access when the kernel is locked
+ down
Any hardware that can potentially generate DMA has to be locked down in
order to avoid it being possible for an attacker to modify kernel code,
@@ -824,12 +729,12 @@ sufficiently IOMMU-isolated devices.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: linux-pci@vger.kernel.org
---
-
- drivers/pci/pci-sysfs.c | 9 +++++++++
- drivers/pci/proc.c | 9 ++++++++-
- drivers/pci/syscall.c | 3 ++-
+ drivers/pci/pci-sysfs.c | 9 +++++++++
+ drivers/pci/proc.c | 9 ++++++++-
+ drivers/pci/syscall.c | 3 ++-
3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
@@ -839,7 +744,7 @@ index 1eecfa301f7f..e1a3b0e765c2 100644
@@ -881,6 +881,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
loff_t init_off = off;
u8 *data = (u8 *) buf;
-
+
+ if (kernel_is_locked_down("Direct PCI access"))
+ return -EPERM;
+
@@ -849,13 +754,13 @@ index 1eecfa301f7f..e1a3b0e765c2 100644
@@ -1175,6 +1178,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
enum pci_mmap_state mmap_type;
struct resource *res = &pdev->resource[bar];
-
+
+ if (kernel_is_locked_down("Direct PCI access"))
+ return -EPERM;
+
if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start))
return -EINVAL;
-
+
@@ -1255,6 +1261,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
struct bin_attribute *attr, char *buf,
loff_t off, size_t count)
@@ -865,7 +770,7 @@ index 1eecfa301f7f..e1a3b0e765c2 100644
+
return pci_resource_io(filp, kobj, attr, buf, off, count, true);
}
-
+
diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
index 098360d7ff81..a6c53d855daa 100644
--- a/drivers/pci/proc.c
@@ -873,7 +778,7 @@ index 098360d7ff81..a6c53d855daa 100644
@@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
int size = dev->cfg_size;
int cnt;
-
+
+ if (kernel_is_locked_down("Direct PCI access"))
+ return -EPERM;
+
@@ -883,7 +788,7 @@ index 098360d7ff81..a6c53d855daa 100644
@@ -195,6 +198,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
#endif /* HAVE_PCI_MMAP */
int ret = 0;
-
+
+ if (kernel_is_locked_down("Direct PCI access"))
+ return -EPERM;
+
@@ -893,12 +798,12 @@ index 098360d7ff81..a6c53d855daa 100644
@@ -236,7 +242,8 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
struct pci_filp_private *fpriv = file->private_data;
int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM;
-
+
- if (!capable(CAP_SYS_RAWIO))
+ if (!capable(CAP_SYS_RAWIO) ||
+ kernel_is_locked_down("Direct PCI access"))
return -EPERM;
-
+
if (fpriv->mmap_state == pci_mmap_io) {
diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
index 9bf993e1f71e..afa01cc3ceec 100644
@@ -907,29 +812,21 @@ index 9bf993e1f71e..afa01cc3ceec 100644
@@ -92,7 +92,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
u32 dword;
int err = 0;
-
+
- if (!capable(CAP_SYS_ADMIN))
+ if (!capable(CAP_SYS_ADMIN) ||
+ kernel_is_locked_down("Direct PCI access"))
return -EPERM;
-
- dev = pci_get_bus_and_slot(bus, dfn);
-From patchwork Thu Oct 19 14:51:56 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [11/27] x86: Lock down IO port access when the kernel is locked down
-From: David Howells <dhowells@redhat.com>
-X-Patchwork-Id: 10017351
-Message-Id: <150842471673.7923.7676307847318724274.stgit@warthog.procyon.org.uk>
-To: linux-security-module@vger.kernel.org
-Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
- matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
- linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
-Date: Thu, 19 Oct 2017 15:51:56 +0100
+ dev = pci_get_bus_and_slot(bus, dfn);
+--
+2.13.5
+From 9dd0a9e68cf8e066e101a4fabd1ec62f6c22de2f Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Wed, 24 May 2017 14:56:04 +0100
+Subject: [PATCH 10/25] x86: Lock down IO port access when the kernel is locked
+ down
IO port access would permit users to gain access to PCI configuration
registers, which in turn (on a lot of hardware) give access to MMIO
@@ -942,11 +839,11 @@ KDDISABIO console ioctls.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: x86@kernel.org
---
-
- arch/x86/kernel/ioport.c | 6 ++++--
- drivers/char/mem.c | 2 ++
+ arch/x86/kernel/ioport.c | 6 ++++--
+ drivers/char/mem.c | 2 ++
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
@@ -954,14 +851,14 @@ index 9c3cf0944bce..2c0f058651c5 100644
--- a/arch/x86/kernel/ioport.c
+++ b/arch/x86/kernel/ioport.c
@@ -30,7 +30,8 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
-
+
if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
return -EINVAL;
- if (turn_on && !capable(CAP_SYS_RAWIO))
+ if (turn_on && (!capable(CAP_SYS_RAWIO) ||
+ kernel_is_locked_down("ioperm")))
return -EPERM;
-
+
/*
@@ -120,7 +121,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
return -EINVAL;
@@ -978,30 +875,22 @@ index b7c36898b689..0875b3d47773 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -768,6 +768,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)
-
+
static int open_port(struct inode *inode, struct file *filp)
{
+ if (kernel_is_locked_down("Direct ioport access"))
+ return -EPERM;
return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
}
-
-From patchwork Thu Oct 19 14:52:04 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [12/27] x86/msr: Restrict MSR access when the kernel is locked down
-From: David Howells <dhowells@redhat.com>
-X-Patchwork-Id: 10017353
-Message-Id: <150842472452.7923.2592278090192179002.stgit@warthog.procyon.org.uk>
-To: linux-security-module@vger.kernel.org
-Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
- matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
- linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
-Date: Thu, 19 Oct 2017 15:52:04 +0100
+--
+2.13.5
+From ecec11fa386fc7c8f6865b4721eaa46360b89622 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Wed, 24 May 2017 14:56:04 +0100
+Subject: [PATCH 11/25] x86/msr: Restrict MSR access when the kernel is locked
+ down
Writing to MSRs should not be allowed if the kernel is locked down, since
it could lead to execution of arbitrary code in kernel mode. Based on a
@@ -1011,10 +900,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: x86@kernel.org
---
-
- arch/x86/kernel/msr.c | 7 +++++++
+ arch/x86/kernel/msr.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
@@ -1024,13 +913,13 @@ index ef688804f80d..a05a97863286 100644
@@ -84,6 +84,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
int err = 0;
ssize_t bytes = 0;
-
+
+ if (kernel_is_locked_down("Direct MSR access"))
+ return -EPERM;
+
if (count % 8)
return -EINVAL; /* Invalid chunk size */
-
+
@@ -131,6 +134,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
err = -EBADF;
break;
@@ -1042,23 +931,14 @@ index ef688804f80d..a05a97863286 100644
if (copy_from_user(&regs, uregs, sizeof regs)) {
err = -EFAULT;
break;
+--
+2.13.5
-From patchwork Thu Oct 19 14:52:11 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [13/27] asus-wmi: Restrict debugfs interface when the kernel is
- locked down
-From: David Howells <dhowells@redhat.com>
-X-Patchwork-Id: 10017355
-Message-Id: <150842473184.7923.9538070958624850416.stgit@warthog.procyon.org.uk>
-To: linux-security-module@vger.kernel.org
-Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
- matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
- linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
-Date: Thu, 19 Oct 2017 15:52:11 +0100
-
+From 09e16301455c0a8a4ee405ad531c231b70610b5b Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Wed, 24 May 2017 14:56:04 +0100
+Subject: [PATCH 12/25] asus-wmi: Restrict debugfs interface when the kernel is
+ locked down
We have no way of validating what all of the Asus WMI methods do on a given
machine - and there's a risk that some will allow hardware state to be
@@ -1068,11 +948,11 @@ kernel is locked down.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: acpi4asus-user@lists.sourceforge.net
cc: platform-driver-x86@vger.kernel.org
---
-
- drivers/platform/x86/asus-wmi.c | 9 +++++++++
+ drivers/platform/x86/asus-wmi.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
@@ -1082,50 +962,41 @@ index 48e1541dc8d4..ef5587469337 100644
@@ -1905,6 +1905,9 @@ static int show_dsts(struct seq_file *m, void *data)
int err;
u32 retval = -1;
-
+
+ if (kernel_is_locked_down("Asus WMI"))
+ return -EPERM;
+
err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
-
+
if (err < 0)
@@ -1921,6 +1924,9 @@ static int show_devs(struct seq_file *m, void *data)
int err;
u32 retval = -1;
-
+
+ if (kernel_is_locked_down("Asus WMI"))
+ return -EPERM;
+
err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
&retval);
-
+
@@ -1945,6 +1951,9 @@ static int show_call(struct seq_file *m, void *data)
union acpi_object *obj;
acpi_status status;
-
+
+ if (kernel_is_locked_down("Asus WMI"))
+ return -EPERM;
+
status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
0, asus->debug.method_id,
&input, &output);
+--
+2.13.5
-From patchwork Thu Oct 19 14:52:19 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [14/27] ACPI: Limit access to custom_method when the kernel is locked
- down
-From: David Howells <dhowells@redhat.com>
-X-Patchwork-Id: 10017357
-Message-Id: <150842473899.7923.6590815561953001126.stgit@warthog.procyon.org.uk>
-To: linux-security-module@vger.kernel.org
-Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
- matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
- linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
-Date: Thu, 19 Oct 2017 15:52:19 +0100
-
+From 2f2199e407b1e0b3254a61236cd3e6a6efff170a Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
+Date: Wed, 24 May 2017 14:56:04 +0100
+Subject: [PATCH 13/25] ACPI: Limit access to custom_method when the kernel is
+ locked down
custom_method effectively allows arbitrary access to system memory, making
it possible for an attacker to circumvent restrictions on module loading.
@@ -1133,10 +1004,10 @@ Disable it if the kernel is locked down.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: linux-acpi@vger.kernel.org
---
-
- drivers/acpi/custom_method.c | 3 +++
+ drivers/acpi/custom_method.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
@@ -1146,30 +1017,21 @@ index c68e72414a67..b33fba70ec51 100644
@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
struct acpi_table_header table;
acpi_status status;
-
+
+ if (kernel_is_locked_down("ACPI custom methods"))
+ return -EPERM;
+
if (!(*ppos)) {
/* parse the table header to get the table length */
if (count <= sizeof(struct acpi_table_header))
+--
+2.13.5
-From patchwork Thu Oct 19 14:52:27 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [15/27] acpi: Ignore acpi_rsdp kernel param when the kernel has been
- locked down
-From: David Howells <dhowells@redhat.com>
-X-Patchwork-Id: 10017359
-Message-Id: <150842474713.7923.4851355698276917280.stgit@warthog.procyon.org.uk>
-To: linux-security-module@vger.kernel.org
-Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
- matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
- linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
-Date: Thu, 19 Oct 2017 15:52:27 +0100
-
+From a71db99ed6004cdc5fa9d91cc964712103a606a0 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
+Date: Wed, 24 May 2017 14:56:05 +0100
+Subject: [PATCH 14/25] acpi: Ignore acpi_rsdp kernel param when the kernel has
+ been locked down
This option allows userspace to pass the RSDP address to the kernel, which
makes it possible for a user to modify the workings of hardware . Reject
@@ -1177,11 +1039,11 @@ the option when the kernel is locked down.
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: Dave Young <dyoung@redhat.com>
cc: linux-acpi@vger.kernel.org
---
-
- drivers/acpi/osl.c | 2 +-
+ drivers/acpi/osl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
@@ -1190,31 +1052,23 @@ index db78d353bab1..36c6527c1b0a 100644
+++ b/drivers/acpi/osl.c
@@ -192,7 +192,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void)
acpi_physical_address pa = 0;
-
+
#ifdef CONFIG_KEXEC
- if (acpi_rsdp)
+ if (acpi_rsdp && !kernel_is_locked_down("ACPI RSDP specification"))
return acpi_rsdp;
#endif
-
-From patchwork Thu Oct 19 14:52:34 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [16/27] acpi: Disable ACPI table override if the kernel is locked down
-From: David Howells <dhowells@redhat.com>
-X-Patchwork-Id: 10017361
-Message-Id: <150842475442.7923.12198790224494561644.stgit@warthog.procyon.org.uk>
-To: linux-security-module@vger.kernel.org
-Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
- matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
- linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
-Date: Thu, 19 Oct 2017 15:52:34 +0100
+--
+2.13.5
+From 23cf57806ecd304a5f25e50f3292b0dfeb5a33b1 Mon Sep 17 00:00:00 2001
From: Linn Crosetto <linn@hpe.com>
+Date: Wed, 24 May 2017 14:56:05 +0100
+Subject: [PATCH 15/25] acpi: Disable ACPI table override if the kernel is
+ locked down
->From the kernel documentation (initrd_table_override.txt):
+From the kernel documentation (initrd_table_override.txt):
If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
to override nearly any ACPI table provided by the BIOS with an
@@ -1226,10 +1080,10 @@ so do not allow ACPI tables to be overridden if the kernel is locked down.
Signed-off-by: Linn Crosetto <linn@hpe.com>
Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: linux-acpi@vger.kernel.org
---
-
- drivers/acpi/tables.c | 5 +++++
+ drivers/acpi/tables.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
@@ -1239,7 +1093,7 @@ index 80ce2a7d224b..5cc13c42daf9 100644
@@ -526,6 +526,11 @@ void __init acpi_table_upgrade(void)
if (table_nr == 0)
return;
-
+
+ if (kernel_is_locked_down("ACPI table override")) {
+ pr_notice("kernel is locked down, ignoring table override\n");
+ return;
@@ -1248,23 +1102,14 @@ index 80ce2a7d224b..5cc13c42daf9 100644
acpi_tables_addr =
memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
all_tables_size, PAGE_SIZE);
+--
+2.13.5
-From patchwork Thu Oct 19 14:52:41 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [17/27] acpi: Disable APEI error injection if the kernel is locked
- down
-From: David Howells <dhowells@redhat.com>
-X-Patchwork-Id: 10017363
-Message-Id: <150842476188.7923.14340260837257633120.stgit@warthog.procyon.org.uk>
-To: linux-security-module@vger.kernel.org
-Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
- matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
- linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
-Date: Thu, 19 Oct 2017 15:52:41 +0100
-
+From a0d24f5ce005a299a2d8ff31350fe9415648c732 Mon Sep 17 00:00:00 2001
From: Linn Crosetto <linn@hpe.com>
+Date: Wed, 24 May 2017 14:56:05 +0100
+Subject: [PATCH 16/25] acpi: Disable APEI error injection if the kernel is
+ locked down
ACPI provides an error injection mechanism, EINJ, for debugging and testing
the ACPI Platform Error Interface (APEI) and other RAS features. If
@@ -1283,10 +1128,10 @@ the kernel is locked down.
Signed-off-by: Linn Crosetto <linn@hpe.com>
Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: linux-acpi@vger.kernel.org
---
-
- drivers/acpi/apei/einj.c | 3 +++
+ drivers/acpi/apei/einj.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c
@@ -1296,95 +1141,20 @@ index b38737c83a24..6d71e1e97b20 100644
@@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2,
int rc;
u64 base_addr, size;
-
+
+ if (kernel_is_locked_down("ACPI error injection"))
+ return -EPERM;
+
/* If user manually set "flags", make sure it is legal */
if (flags && (flags &
~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF)))
+--
+2.13.5
-From patchwork Thu Oct 19 14:52:49 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [18/27] bpf: Restrict kernel image access functions when the kernel
- is locked down
-From: David Howells <dhowells@redhat.com>
-X-Patchwork-Id: 10017365
-Message-Id: <150842476953.7923.18174368926573855810.stgit@warthog.procyon.org.uk>
-To: linux-security-module@vger.kernel.org
-Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
- matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
- linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
-Date: Thu, 19 Oct 2017 15:52:49 +0100
-
-From: Chun-Yi Lee <jlee@suse.com>
-
-There are some bpf functions can be used to read kernel memory:
-bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow
-private keys in kernel memory (e.g. the hibernation image signing key) to
-be read by an eBPF program. Prohibit those functions when the kernel is
-locked down.
-
-Signed-off-by: Chun-Yi Lee <jlee@suse.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-cc: netdev@vger.kernel.org
----
-
- kernel/trace/bpf_trace.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
-index dc498b605d5d..35e85a3fdb37 100644
---- a/kernel/trace/bpf_trace.c
-+++ b/kernel/trace/bpf_trace.c
-@@ -65,6 +65,11 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr)
- {
- int ret;
-
-+ if (kernel_is_locked_down("BPF")) {
-+ memset(dst, 0, size);
-+ return -EPERM;
-+ }
-+
- ret = probe_kernel_read(dst, unsafe_ptr, size);
- if (unlikely(ret < 0))
- memset(dst, 0, size);
-@@ -84,6 +89,9 @@ static const struct bpf_func_proto bpf_probe_read_proto = {
- BPF_CALL_3(bpf_probe_write_user, void *, unsafe_ptr, const void *, src,
- u32, size)
- {
-+ if (kernel_is_locked_down("BPF"))
-+ return -EPERM;
-+
- /*
- * Ensure we're in user context which is safe for the helper to
- * run. This helper has no business in a kthread.
-@@ -143,6 +151,9 @@ BPF_CALL_5(bpf_trace_printk, char *, fmt, u32, fmt_size, u64, arg1,
- if (fmt[--fmt_size] != 0)
- return -EINVAL;
-
-+ if (kernel_is_locked_down("BPF"))
-+ return __trace_printk(1, fmt, 0, 0, 0);
-+
- /* check format string for allowed specifiers */
- for (i = 0; i < fmt_size; i++) {
- if ((!isprint(fmt[i]) && !isspace(fmt[i])) || !isascii(fmt[i]))
-
-From patchwork Thu Oct 19 14:52:57 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [19/27] scsi: Lock down the eata driver
+From bfb5183f23fa4369b1c0897bb0afcb73540a7de2 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
-X-Patchwork-Id: 10017367
-Message-Id: <150842477698.7923.15570916285929038112.stgit@warthog.procyon.org.uk>
-To: linux-security-module@vger.kernel.org
-Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
- matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
- linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
-Date: Thu, 19 Oct 2017 15:52:57 +0100
+Date: Wed, 24 May 2017 14:56:06 +0100
+Subject: [PATCH 17/25] scsi: Lock down the eata driver
When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this
@@ -1403,8 +1173,7 @@ cc: "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>
cc: "Martin K. Petersen" <martin.petersen@oracle.com>
cc: linux-scsi@vger.kernel.org
---
-
- drivers/scsi/eata.c | 5 ++++-
+ drivers/scsi/eata.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/eata.c b/drivers/scsi/eata.c
@@ -1412,32 +1181,26 @@ index 6501c330d8c8..72fceaa8f3da 100644
--- a/drivers/scsi/eata.c
+++ b/drivers/scsi/eata.c
@@ -1552,8 +1552,11 @@ static int eata2x_detect(struct scsi_host_template *tpnt)
-
+
tpnt->proc_name = "eata2x";
-
+
- if (strlen(boot_options))
+ if (strlen(boot_options)) {
+ if (kernel_is_locked_down("Command line-specified device addresses, irqs and dma channels"))
+ return -EPERM;
option_setup(boot_options);
+ }
-
+
#if defined(MODULE)
/* io_port could have been modified when loading as a module */
+--
+2.13.5
-From patchwork Thu Oct 19 14:53:04 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [20/27] Prohibit PCMCIA CIS storage when the kernel is locked down
+From 0f263953a98b222cc942e1cbba977fc1a351272f Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
-X-Patchwork-Id: 10017369
-Message-Id: <150842478444.7923.5111743275510836636.stgit@warthog.procyon.org.uk>
-To: linux-security-module@vger.kernel.org
-Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
- matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
- linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
-Date: Thu, 19 Oct 2017 15:53:04 +0100
+Date: Wed, 24 May 2017 14:56:06 +0100
+Subject: [PATCH 18/25] Prohibit PCMCIA CIS storage when the kernel is locked
+ down
Prohibit replacement of the PCMCIA Card Information Structure when the
kernel is locked down.
@@ -1446,8 +1209,7 @@ Suggested-by: Dominik Brodowski <linux@dominikbrodowski.net>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: linux-pcmcia@lists.infradead.org
---
-
- drivers/pcmcia/cistpl.c | 3 +++
+ drivers/pcmcia/cistpl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c
@@ -1457,27 +1219,20 @@ index 55ef7d1fd8da..b7a0e42eeb25 100644
@@ -1578,6 +1578,9 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj,
struct pcmcia_socket *s;
int error;
-
+
+ if (kernel_is_locked_down("Direct PCMCIA CIS storage"))
+ return -EPERM;
+
s = to_socket(container_of(kobj, struct device, kobj));
-
+
if (off)
+--
+2.13.5
-From patchwork Thu Oct 19 14:53:12 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [21/27] Lock down TIOCSSERIAL
+From 17c75715372a9d913b7396c1f5c1db9627988cb7 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
-X-Patchwork-Id: 10017371
-Message-Id: <150842479208.7923.3429065489239605709.stgit@warthog.procyon.org.uk>
-To: linux-security-module@vger.kernel.org
-Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
- matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
- linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
-Date: Thu, 19 Oct 2017 15:53:12 +0100
+Date: Wed, 24 May 2017 14:56:06 +0100
+Subject: [PATCH 19/25] Lock down TIOCSSERIAL
Lock down TIOCSSERIAL as that can be used to change the ioport and irq
settings on a serial port. This only appears to be an issue for the serial
@@ -1488,8 +1243,7 @@ Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Jiri Slaby <jslaby@suse.com>
---
-
- drivers/tty/serial/serial_core.c | 6 ++++++
+ drivers/tty/serial/serial_core.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
@@ -1499,7 +1253,7 @@ index 3a14cccbd7ff..41f0922ad842 100644
@@ -842,6 +842,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port,
new_flags = (__force upf_t)new_info->flags;
old_custom_divisor = uport->custom_divisor;
-
+
+ if ((change_port || change_irq) &&
+ kernel_is_locked_down("Using TIOCSSERIAL to change device addresses, irqs and dma channels")) {
+ retval = -EPERM;
@@ -1509,21 +1263,14 @@ index 3a14cccbd7ff..41f0922ad842 100644
if (!capable(CAP_SYS_ADMIN)) {
retval = -EPERM;
if (change_irq || change_port ||
+--
+2.13.5
-From patchwork Thu Oct 19 14:53:19 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [22/27] Lock down module params that specify hardware parameters (eg.
- ioport)
+From f2b94788dc56591fb3b422187de511bfc7039468 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
-X-Patchwork-Id: 10017373
-Message-Id: <150842479932.7923.8106830872069353117.stgit@warthog.procyon.org.uk>
-To: linux-security-module@vger.kernel.org
-Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
- matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
- linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
-Date: Thu, 19 Oct 2017 15:53:19 +0100
+Date: Wed, 24 May 2017 14:56:06 +0100
+Subject: [PATCH 20/25] Lock down module params that specify hardware
+ parameters (eg. ioport)
Provided an annotation for module parameters that specify hardware
parameters (such as io ports, iomem addresses, irqs, dma channels, fixed
@@ -1532,8 +1279,7 @@ dma buffers and other types).
Suggested-by: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
Signed-off-by: David Howells <dhowells@redhat.com>
---
-
- kernel/params.c | 26 +++++++++++++++++++++-----
+ kernel/params.c | 26 +++++++++++++++++++++-----
1 file changed, 21 insertions(+), 5 deletions(-)
diff --git a/kernel/params.c b/kernel/params.c
@@ -1543,7 +1289,7 @@ index 60b2d8101355..422979adb60a 100644
@@ -108,13 +108,19 @@ bool parameq(const char *a, const char *b)
return parameqn(a, b, strlen(a)+1);
}
-
+
-static void param_check_unsafe(const struct kernel_param *kp)
+static bool param_check_unsafe(const struct kernel_param *kp,
+ const char *doing)
@@ -1559,7 +1305,7 @@ index 60b2d8101355..422979adb60a 100644
+ return false;
+ return true;
}
-
+
static int parse_one(char *param,
@@ -144,8 +150,10 @@ static int parse_one(char *param,
pr_debug("handling %s with %p\n", param,
@@ -1577,7 +1323,7 @@ index 60b2d8101355..422979adb60a 100644
@@ -556,6 +564,12 @@ static ssize_t param_attr_show(struct module_attribute *mattr,
return count;
}
-
+
+#ifdef CONFIG_MODULES
+#define mod_name(mod) (mod)->name
+#else
@@ -1589,7 +1335,7 @@ index 60b2d8101355..422979adb60a 100644
struct module_kobject *mk,
@@ -568,8 +582,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr,
return -EPERM;
-
+
kernel_param_lock(mk->mod);
- param_check_unsafe(attribute->param);
- err = attribute->param->ops->set(buf, attribute->param);
@@ -1600,20 +1346,13 @@ index 60b2d8101355..422979adb60a 100644
kernel_param_unlock(mk->mod);
if (!err)
return len;
+--
+2.13.5
-From patchwork Thu Oct 19 14:53:26 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [23/27] x86/mmiotrace: Lock down the testmmiotrace module
+From a07442e78c95f0169e18198cd5be997aa6db6b7d Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
-X-Patchwork-Id: 10017375
-Message-Id: <150842480649.7923.13997201431299349211.stgit@warthog.procyon.org.uk>
-To: linux-security-module@vger.kernel.org
-Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
- matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
- linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
-Date: Thu, 19 Oct 2017 15:53:26 +0100
+Date: Wed, 24 May 2017 14:56:07 +0100
+Subject: [PATCH 21/25] x86/mmiotrace: Lock down the testmmiotrace module
The testmmiotrace module shouldn't be permitted when the kernel is locked
down as it can be used to arbitrarily read and write MMIO space.
@@ -1626,8 +1365,7 @@ cc: Ingo Molnar <mingo@kernel.org>
cc: "H. Peter Anvin" <hpa@zytor.com>
cc: x86@kernel.org
---
-
- arch/x86/mm/testmmiotrace.c | 3 +++
+ arch/x86/mm/testmmiotrace.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c
@@ -1637,28 +1375,21 @@ index f6ae6830b341..bbaad357f5d7 100644
@@ -115,6 +115,9 @@ static int __init init(void)
{
unsigned long size = (read_far) ? (8 << 20) : (16 << 10);
-
+
+ if (kernel_is_locked_down("MMIO trace testing"))
+ return -EPERM;
+
if (mmio_address == 0) {
pr_err("you have to use the module argument mmio_address.\n");
pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n");
+--
+2.13.5
-From patchwork Thu Oct 19 14:53:33 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [24/27] debugfs: Disallow use of debugfs files when the kernel is
- locked down
+From 1f3edea46a5e15484369bbda67bcee1b91c269a0 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
-X-Patchwork-Id: 10017379
-Message-Id: <150842481363.7923.13021827051686067882.stgit@warthog.procyon.org.uk>
-To: linux-security-module@vger.kernel.org
-Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
- matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
- linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
-Date: Thu, 19 Oct 2017 15:53:33 +0100
+Date: Wed, 18 Oct 2017 17:28:02 +0100
+Subject: [PATCH 22/25] debugfs: Disallow use of debugfs files when the kernel
+ is locked down
Disallow opening of debugfs files when the kernel is locked down as various
drivers give raw access to hardware through debugfs.
@@ -1679,8 +1410,7 @@ cc: platform-driver-x86@vger.kernel.org
cc: Matthew Garrett <matthew.garrett@nebula.com>
cc: Thomas Gleixner <tglx@linutronix.de>
---
-
- fs/debugfs/file.c | 6 ++++++
+ fs/debugfs/file.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
@@ -1690,7 +1420,7 @@ index 6dabc4a10396..32b5168a7e91 100644
@@ -103,6 +103,9 @@ static int open_proxy_open(struct inode *inode, struct file *filp)
const struct file_operations *real_fops = NULL;
int srcu_idx, r;
-
+
+ if (kernel_is_locked_down("debugfs"))
+ return -EPERM;
+
@@ -1700,35 +1430,27 @@ index 6dabc4a10396..32b5168a7e91 100644
@@ -232,6 +235,9 @@ static int full_proxy_open(struct inode *inode, struct file *filp)
struct file_operations *proxy_fops = NULL;
int srcu_idx, r;
-
+
+ if (kernel_is_locked_down("debugfs"))
+ return -EPERM;
+
r = debugfs_use_file_start(dentry, &srcu_idx);
if (r) {
r = -ENOENT;
+--
+2.13.5
-From patchwork Thu Oct 19 14:53:42 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [25/27] Lock down /proc/kcore
+From e54bd739a12f56ca39cf106bae995f59c5e40447 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
-X-Patchwork-Id: 10017381
-Message-Id: <150842482228.7923.9630520914833154257.stgit@warthog.procyon.org.uk>
-To: linux-security-module@vger.kernel.org
-Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
- matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
- linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
-Date: Thu, 19 Oct 2017 15:53:42 +0100
+Date: Thu, 19 Oct 2017 13:58:19 +0100
+Subject: [PATCH 23/25] Lock down /proc/kcore
Disallow access to /proc/kcore when the kernel is locked down to prevent
access to cryptographic data.
Signed-off-by: David Howells <dhowells@redhat.com>
---
-
- fs/proc/kcore.c | 2 ++
+ fs/proc/kcore.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
@@ -1736,28 +1458,22 @@ index 45629f4b5402..176cf749e650 100644
--- a/fs/proc/kcore.c
+++ b/fs/proc/kcore.c
@@ -549,6 +549,8 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
-
+
static int open_kcore(struct inode *inode, struct file *filp)
{
+ if (kernel_is_locked_down("/proc/kcore"))
+ return -EPERM;
if (!capable(CAP_SYS_RAWIO))
return -EPERM;
-
-From patchwork Thu Oct 19 14:53:51 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [26/27] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode
+--
+2.13.5
+
+From 8294fa5b470e1736f0f54f97154d83883522e09a Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
-X-Patchwork-Id: 10017383
-Message-Id: <150842483172.7923.2791223614506312745.stgit@warthog.procyon.org.uk>
-To: linux-security-module@vger.kernel.org
-Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
- matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
- linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
-Date: Thu, 19 Oct 2017 15:53:51 +0100
+Date: Thu, 19 Oct 2017 14:18:53 +0100
+Subject: [PATCH 24/25] efi: Add an EFI_SECURE_BOOT flag to indicate secure
+ boot mode
UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT
flag that can be passed to efi_enabled() to find out whether secure boot is
@@ -1771,11 +1487,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
cc: linux-efi@vger.kernel.org
---
-
- arch/x86/kernel/setup.c | 14 +-------------
- drivers/firmware/efi/Makefile | 1 +
- drivers/firmware/efi/secureboot.c | 37 +++++++++++++++++++++++++++++++++++++
- include/linux/efi.h | 16 ++++++++++------
+ arch/x86/kernel/setup.c | 14 +-------------
+ drivers/firmware/efi/Makefile | 1 +
+ drivers/firmware/efi/secureboot.c | 37 +++++++++++++++++++++++++++++++++++++
+ include/linux/efi.h | 16 ++++++++++------
4 files changed, 49 insertions(+), 19 deletions(-)
create mode 100644 drivers/firmware/efi/secureboot.c
@@ -1786,7 +1501,7 @@ index 0957dd73d127..7c2162f9e769 100644
@@ -1197,19 +1197,7 @@ void __init setup_arch(char **cmdline_p)
/* Allocate bigger log buffer */
setup_log_buf(1);
-
+
- if (efi_enabled(EFI_BOOT)) {
- switch (boot_params.secure_boot) {
- case efi_secureboot_mode_disabled:
@@ -1801,9 +1516,9 @@ index 0957dd73d127..7c2162f9e769 100644
- }
- }
+ efi_set_secure_boot(boot_params.secure_boot);
-
+
reserve_initrd();
-
+
diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile
index 0329d319d89a..883f9f7eefc6 100644
--- a/drivers/firmware/efi/Makefile
@@ -1814,7 +1529,7 @@ index 0329d319d89a..883f9f7eefc6 100644
obj-$(CONFIG_EFI_DEV_PATH_PARSER) += dev-path-parser.o
+obj-$(CONFIG_EFI) += secureboot.o
obj-$(CONFIG_APPLE_PROPERTIES) += apple-properties.o
-
+
arm-obj-$(CONFIG_EFI) := arm-init.o arm-runtime.o
diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c
new file mode 100644
@@ -1875,12 +1590,12 @@ index 66f4a4e79f4b..7c7a7e33e4d1 100644
+ efi_secureboot_mode_disabled,
+ efi_secureboot_mode_enabled,
+};
-
+
#ifdef CONFIG_EFI
/*
@@ -1115,6 +1123,7 @@ static inline bool efi_enabled(int feature)
extern void efi_reboot(enum reboot_mode reboot_mode, const char *__unused);
-
+
extern bool efi_is_table_address(unsigned long phys_addr);
+extern void __init efi_set_secure_boot(enum efi_secureboot_mode mode);
#else
@@ -1892,12 +1607,12 @@ index 66f4a4e79f4b..7c7a7e33e4d1 100644
}
+static inline void efi_set_secure_boot(enum efi_secureboot_mode mode) {}
#endif
-
+
extern int efi_status_to_err(efi_status_t status);
@@ -1518,12 +1528,6 @@ efi_status_t efi_setup_gop(efi_system_table_t *sys_table_arg,
bool efi_runtime_disabled(void);
extern void efi_call_virt_check_flags(unsigned long flags, const char *call);
-
+
-enum efi_secureboot_mode {
- efi_secureboot_mode_unset,
- efi_secureboot_mode_unknown,
@@ -1905,22 +1620,15 @@ index 66f4a4e79f4b..7c7a7e33e4d1 100644
- efi_secureboot_mode_enabled,
-};
enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table);
-
+
#ifdef CONFIG_RESET_ATTACK_MITIGATION
+--
+2.13.5
-From patchwork Thu Oct 19 14:53:59 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [27/27] efi: Lock down the kernel if booted in secure boot mode
+From 49f2160cce8c14a53eb09f052064921a93eb9fb5 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
-X-Patchwork-Id: 10017385
-Message-Id: <150842483945.7923.12778302394414653081.stgit@warthog.procyon.org.uk>
-To: linux-security-module@vger.kernel.org
-Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
- matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
- linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
-Date: Thu, 19 Oct 2017 15:53:59 +0100
+Date: Thu, 19 Oct 2017 14:05:02 +0100
+Subject: [PATCH 25/25] efi: Lock down the kernel if booted in secure boot mode
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
only load signed bootloaders and kernels. Certain use cases may also
@@ -1932,10 +1640,9 @@ Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
cc: linux-efi@vger.kernel.org
---
-
- arch/x86/kernel/setup.c | 6 ++++--
- security/Kconfig | 14 ++++++++++++++
- security/lock_down.c | 1 +
+ arch/x86/kernel/setup.c | 6 ++++--
+ security/Kconfig | 14 ++++++++++++++
+ security/lock_down.c | 1 +
3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
@@ -1947,13 +1654,13 @@ index 7c2162f9e769..4e38327efb2e 100644
#include <linux/ctype.h>
#include <linux/uaccess.h>
+#include <linux/security.h>
-
+
#include <linux/percpu.h>
#include <linux/crash_dump.h>
@@ -1039,6 +1040,9 @@ void __init setup_arch(char **cmdline_p)
if (efi_enabled(EFI_BOOT))
efi_init();
-
+
+ efi_set_secure_boot(boot_params.secure_boot);
+ init_lockdown();
+
@@ -1963,20 +1670,20 @@ index 7c2162f9e769..4e38327efb2e 100644
@@ -1197,8 +1201,6 @@ void __init setup_arch(char **cmdline_p)
/* Allocate bigger log buffer */
setup_log_buf(1);
-
+
- efi_set_secure_boot(boot_params.secure_boot);
-
reserve_initrd();
-
+
acpi_table_upgrade();
diff --git a/security/Kconfig b/security/Kconfig
-index 4be6be71e075..e1756039dc0a 100644
+index 453cc89c198a..974731ac4f85 100644
--- a/security/Kconfig
+++ b/security/Kconfig
-@@ -227,6 +227,20 @@ config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
+@@ -220,6 +220,20 @@ config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
combination on a wired keyboard.
-
+
+config LOCK_DOWN_IN_EFI_SECURE_BOOT
+ bool "Lock down the kernel in EFI Secure Boot mode"
+ default n
@@ -1991,11 +1698,11 @@ index 4be6be71e075..e1756039dc0a 100644
+ Enabling this option turns on results in kernel lockdown being
+ triggered if EFI Secure Boot is set.
+
-
+
source security/selinux/Kconfig
source security/smack/Kconfig
diff --git a/security/lock_down.c b/security/lock_down.c
-index f71118c340d2..12c3bc204c4e 100644
+index 2c6b00f0c229..527f7e51dc8d 100644
--- a/security/lock_down.c
+++ b/security/lock_down.c
@@ -12,6 +12,7 @@
@@ -2003,6 +1710,9 @@ index f71118c340d2..12c3bc204c4e 100644
#include <linux/export.h>
#include <linux/sysrq.h>
+#include <linux/efi.h>
-
- #ifdef CONFIG_ALLOW_LOCKDOWN_LIFT
- static __read_mostly bool kernel_locked_down;
+ #include <asm/setup.h>
+
+ #ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
+--
+2.13.5
+