authorJeremy Cline <jcline@redhat.com>2019-09-30 20:00:17 +0000
committerJeremy Cline <jcline@redhat.com>2019-10-01 14:20:23 +0000
commite21e52b60843bc2c19b187cd6d25723686a610dc (patch)
tree2b88310af462707e2cc8f3b61768d555025e476f /efi-lockdown.patch
parentb82da9d02ca2eb7a3632ca276f5301a04e10d270 (diff)
Linux v5.3-13236-g97f9a3c4eee5
This is a first pass at getting the secureboot patches working with the upstream lockdown patches that got merged. The final patch from our lockdown set is the sysrq patch which also needs work. For the present it is not applied.
Diffstat (limited to 'efi-lockdown.patch')
-rw-r--r--efi-lockdown.patch1883
1 files changed, 0 insertions, 1883 deletions
diff --git a/efi-lockdown.patch b/efi-lockdown.patch
index c213cfce9..be4f35e07 100644
--- a/efi-lockdown.patch
+++ b/efi-lockdown.patch
@@ -1,1826 +1,3 @@
-From 4f426f922e12f0ffaed373536f68531e18d68495 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 18 Feb 2019 12:44:57 +0000
-Subject: [PATCH 01/29] Add the ability to lock down access to the running
- kernel image
-
-Provide a single call to allow kernel code to determine whether the system
-should be locked down, thereby disallowing various accesses that might
-allow the running kernel image to be changed including the loading of
-modules that aren't validly signed with a key we recognise, fiddling with
-MSR registers and disallowing hibernation.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: James Morris <james.l.morris@oracle.com>
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- include/linux/kernel.h | 17 ++++++++++++
- include/linux/security.h | 9 +++++-
- security/Kconfig | 15 ++++++++++
- security/Makefile | 3 ++
- security/lock_down.c | 60 ++++++++++++++++++++++++++++++++++++++++
- 5 files changed, 103 insertions(+), 1 deletion(-)
- create mode 100644 security/lock_down.c
-
-diff --git a/include/linux/kernel.h b/include/linux/kernel.h
-index 0c9bc231107f..f71008b0a641 100644
---- a/include/linux/kernel.h
-+++ b/include/linux/kernel.h
-@@ -312,6 +312,23 @@ static inline void refcount_error_report(struct pt_regs *regs, const char *err)
- { }
- #endif
-
-+#ifdef CONFIG_LOCK_DOWN_KERNEL
-+extern bool __kernel_is_locked_down(const char *what, bool first);
-+#else
-+static inline bool __kernel_is_locked_down(const char *what, bool first)
-+{
-+ return false;
-+}
-+#endif
-+
-+#define kernel_is_locked_down(what) \
-+ ({ \
-+ static bool message_given; \
-+ bool locked_down = __kernel_is_locked_down(what, !message_given); \
-+ message_given = true; \
-+ locked_down; \
-+ })
-+
- /* Internal, do not use. */
- int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res);
- int __must_check _kstrtol(const char *s, unsigned int base, long *res);
-diff --git a/include/linux/security.h b/include/linux/security.h
-index 5f7441abbf42..fd7579c879a6 100644
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -1829,5 +1829,12 @@ static inline void security_bpf_prog_free(struct bpf_prog_aux *aux)
- #endif /* CONFIG_SECURITY */
- #endif /* CONFIG_BPF_SYSCALL */
-
--#endif /* ! __LINUX_SECURITY_H */
-+#ifdef CONFIG_LOCK_DOWN_KERNEL
-+extern void __init init_lockdown(void);
-+#else
-+static inline void __init init_lockdown(void)
-+{
-+}
-+#endif
-
-+#endif /* ! __LINUX_SECURITY_H */
-diff --git a/security/Kconfig b/security/Kconfig
-index 06a30851511a..720cf9dee2b4 100644
---- a/security/Kconfig
-+++ b/security/Kconfig
-@@ -230,6 +230,21 @@ config STATIC_USERMODEHELPER_PATH
- If you wish for all usermode helper programs to be disabled,
- specify an empty string here (i.e. "").
-
-+config LOCK_DOWN_KERNEL
-+ bool "Allow the kernel to be 'locked down'"
-+ help
-+ Allow the kernel to be locked down. If lockdown support is enabled
-+ and activated, the kernel will impose additional restrictions
-+ intended to prevent uid 0 from being able to modify the running
-+ kernel. This may break userland applications that rely on low-level
-+ access to hardware.
-+
-+config LOCK_DOWN_KERNEL_FORCE
-+ bool "Enable kernel lockdown mode automatically"
-+ depends on LOCK_DOWN_KERNEL
-+ help
-+ Enable the kernel lock down functionality automatically at boot.
-+
- source "security/selinux/Kconfig"
- source "security/smack/Kconfig"
- source "security/tomoyo/Kconfig"
-diff --git a/security/Makefile b/security/Makefile
-index c598b904938f..5ff090149c88 100644
---- a/security/Makefile
-+++ b/security/Makefile
-@@ -32,3 +32,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
- # Object integrity file lists
- subdir-$(CONFIG_INTEGRITY) += integrity
- obj-$(CONFIG_INTEGRITY) += integrity/
-+
-+# Allow the kernel to be locked down
-+obj-$(CONFIG_LOCK_DOWN_KERNEL) += lock_down.o
-diff --git a/security/lock_down.c b/security/lock_down.c
-new file mode 100644
-index 000000000000..18d8776a4d02
---- /dev/null
-+++ b/security/lock_down.c
-@@ -0,0 +1,60 @@
-+// SPDX-License-Identifier: GPL-2.0
-+/* Lock down the kernel
-+ *
-+ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
-+ * Written by David Howells (dhowells@redhat.com)
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public Licence
-+ * as published by the Free Software Foundation; either version
-+ * 2 of the Licence, or (at your option) any later version.
-+ */
-+
-+#include <linux/security.h>
-+#include <linux/export.h>
-+
-+static __ro_after_init bool kernel_locked_down;
-+
-+/*
-+ * Put the kernel into lock-down mode.
-+ */
-+static void __init lock_kernel_down(const char *where)
-+{
-+ if (!kernel_locked_down) {
-+ kernel_locked_down = true;
-+ pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n",
-+ where);
-+ }
-+}
-+
-+static int __init lockdown_param(char *ignored)
-+{
-+ lock_kernel_down("command line");
-+ return 0;
-+}
-+
-+early_param("lockdown", lockdown_param);
-+
-+/*
-+ * Lock the kernel down from very early in the arch setup. This must happen
-+ * prior to things like ACPI being initialised.
-+ */
-+void __init init_lockdown(void)
-+{
-+#ifdef CONFIG_LOCK_DOWN_FORCE
-+ lock_kernel_down("Kernel configuration");
-+#endif
-+}
-+
-+/**
-+ * kernel_is_locked_down - Find out if the kernel is locked down
-+ * @what: Tag to use in notice generated if lockdown is in effect
-+ */
-+bool __kernel_is_locked_down(const char *what, bool first)
-+{
-+ if (what && first && kernel_locked_down)
-+ pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n",
-+ what);
-+ return kernel_locked_down;
-+}
-+EXPORT_SYMBOL(__kernel_is_locked_down);
---
-2.21.0
-
-
-From 7b3d34ce99e1db6152f3f350f7512ed67712d2bb Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 18 Feb 2019 12:44:58 +0000
-Subject: [PATCH 02/29] Enforce module signatures if the kernel is locked down
-
-If the kernel is locked down, require that all modules have valid
-signatures that we can verify.
-
-I have adjusted the errors generated:
-
- (1) If there's no signature (ENODATA) or we can't check it (ENOPKG,
- ENOKEY), then:
-
- (a) If signatures are enforced then EKEYREJECTED is returned.
-
- (b) If there's no signature or we can't check it, but the kernel is
- locked down then EPERM is returned (this is then consistent with
- other lockdown cases).
-
- (2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails
- the check (EKEYREJECTED) or a system error occurs (eg. ENOMEM), we
- return the error we got.
-
-Note that the X.509 code doesn't check for key expiry as the RTC might not
-be valid or might not have been transferred to the kernel's clock yet.
-
- [Modified by Matthew Garrett to remove the IMA integration. This will
- be replaced with integration with the IMA architecture policy
- patchset.]
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Jiri Bohac <jbohac@suse.cz>
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
-Cc: Jessica Yu <jeyu@kernel.org>
----
- kernel/module.c | 39 ++++++++++++++++++++++++++++++++-------
- 1 file changed, 32 insertions(+), 7 deletions(-)
-
-diff --git a/kernel/module.c b/kernel/module.c
-index a2cee14a83f3..c771a183b741 100644
---- a/kernel/module.c
-+++ b/kernel/module.c
-@@ -2753,8 +2753,9 @@ static inline void kmemleak_load_module(const struct module *mod,
- #ifdef CONFIG_MODULE_SIG
- static int module_sig_check(struct load_info *info, int flags)
- {
-- int err = -ENOKEY;
-+ int err = -ENODATA;
- const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
-+ const char *reason;
- const void *mod = info->hdr;
-
- /*
-@@ -2769,16 +2770,40 @@ static int module_sig_check(struct load_info *info, int flags)
- err = mod_verify_sig(mod, info);
- }
-
-- if (!err) {
-+ switch (err) {
-+ case 0:
- info->sig_ok = true;
- return 0;
-- }
-
-- /* Not having a signature is only an error if we're strict. */
-- if (err == -ENOKEY && !is_module_sig_enforced())
-- err = 0;
-+ /* We don't permit modules to be loaded into trusted kernels
-+ * without a valid signature on them, but if we're not
-+ * enforcing, certain errors are non-fatal.
-+ */
-+ case -ENODATA:
-+ reason = "Loading of unsigned module";
-+ goto decide;
-+ case -ENOPKG:
-+ reason = "Loading of module with unsupported crypto";
-+ goto decide;
-+ case -ENOKEY:
-+ reason = "Loading of module with unavailable key";
-+ decide:
-+ if (is_module_sig_enforced()) {
-+ pr_notice("%s is rejected\n", reason);
-+ return -EKEYREJECTED;
-+ }
-
-- return err;
-+ if (kernel_is_locked_down(reason))
-+ return -EPERM;
-+ return 0;
-+
-+ /* All other errors are fatal, including nomem, unparseable
-+ * signatures and signature check failures - even if signatures
-+ * aren't required.
-+ */
-+ default:
-+ return err;
-+ }
- }
- #else /* !CONFIG_MODULE_SIG */
- static int module_sig_check(struct load_info *info, int flags)
---
-2.21.0
-
-
-From e6cee3fcc560211fbc3d1efaf048ad4b987a4b73 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg59@srcf.ucam.org>
-Date: Mon, 18 Feb 2019 12:44:58 +0000
-Subject: [PATCH 03/29] Restrict /dev/{mem,kmem,port} when the kernel is locked
- down
-
-Allowing users to read and write to core kernel memory makes it possible
-for the kernel to be subverted, avoiding module loading restrictions, and
-also to steal cryptographic information.
-
-Disallow /dev/mem and /dev/kmem from being opened this when the kernel has
-been locked down to prevent this.
-
-Also disallow /dev/port from being opened to prevent raw ioport access and
-thus DMA from being used to accomplish the same thing.
-
-Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
-Cc: x86@kernel.org
----
- drivers/char/mem.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index b08dc50f9f26..0a2f2e75d5f4 100644
---- a/drivers/char/mem.c
-+++ b/drivers/char/mem.c
-@@ -786,6 +786,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)
-
- static int open_port(struct inode *inode, struct file *filp)
- {
-+ if (kernel_is_locked_down("/dev/mem,kmem,port"))
-+ return -EPERM;
- return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
- }
-
---
-2.21.0
-
-
-From 1fe9d9809a7bedff1c0a043f5bcaf128d479fe24 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg59@srcf.ucam.org>
-Date: Mon, 18 Feb 2019 12:44:58 +0000
-Subject: [PATCH 04/29] kexec_load: Disable at runtime if the kernel is locked
- down
-
-The kexec_load() syscall permits the loading and execution of arbitrary
-code in ring 0, which is something that lock-down is meant to prevent. It
-makes sense to disable kexec_load() in this situation.
-
-This does not affect kexec_file_load() syscall which can check for a
-signature on the image to be booted.
-
-Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: Dave Young <dyoung@redhat.com>
-cc: kexec@lists.infradead.org
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- kernel/kexec.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/kernel/kexec.c b/kernel/kexec.c
-index 1b018f1a6e0d..fc87f152c229 100644
---- a/kernel/kexec.c
-+++ b/kernel/kexec.c
-@@ -205,6 +205,13 @@ static inline int kexec_load_check(unsigned long nr_segments,
- if (result < 0)
- return result;
-
-+ /*
-+ * kexec can be used to circumvent module loading restrictions, so
-+ * prevent loading in that case
-+ */
-+ if (kernel_is_locked_down("kexec of unsigned images"))
-+ return -EPERM;
-+
- /*
- * Verify we have a legal set of flags
- * This leaves us room for future extensions.
---
-2.21.0
-
-
-From b1dbde991ca218ddc1b25e293e94e72907b2b2dc Mon Sep 17 00:00:00 2001
-From: Dave Young <dyoung@redhat.com>
-Date: Mon, 18 Feb 2019 12:44:58 +0000
-Subject: [PATCH 05/29] Copy secure_boot flag in boot params across kexec
- reboot
-
-Kexec reboot in case secure boot being enabled does not keep the secure
-boot mode in new kernel, so later one can load unsigned kernel via legacy
-kexec_load. In this state, the system is missing the protections provided
-by secure boot.
-
-Adding a patch to fix this by retain the secure_boot flag in original
-kernel.
-
-secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the
-stub. Fixing this issue by copying secure_boot flag across kexec reboot.
-
-Signed-off-by: Dave Young <dyoung@redhat.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-cc: kexec@lists.infradead.org
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- arch/x86/kernel/kexec-bzimage64.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
-index 5ebcd02cbca7..d2f4e706a428 100644
---- a/arch/x86/kernel/kexec-bzimage64.c
-+++ b/arch/x86/kernel/kexec-bzimage64.c
-@@ -180,6 +180,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
- if (efi_enabled(EFI_OLD_MEMMAP))
- return 0;
-
-+ params->secure_boot = boot_params.secure_boot;
- ei->efi_loader_signature = current_ei->efi_loader_signature;
- ei->efi_systab = current_ei->efi_systab;
- ei->efi_systab_hi = current_ei->efi_systab_hi;
---
-2.21.0
-
-
-From 054c9d4879b81dcf7c49c5815c30db59ad9356ea Mon Sep 17 00:00:00 2001
-From: Jiri Bohac <jbohac@suse.cz>
-Date: Mon, 18 Feb 2019 12:44:58 +0000
-Subject: [PATCH 06/29] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and
- KEXEC_SIG_FORCE
-
-This is a preparatory patch for kexec_file_load() lockdown. A locked down
-kernel needs to prevent unsigned kernel images from being loaded with
-kexec_file_load(). Currently, the only way to force the signature
-verification is compiling with KEXEC_VERIFY_SIG. This prevents loading
-usigned images even when the kernel is not locked down at runtime.
-
-This patch splits KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE.
-Analogous to the MODULE_SIG and MODULE_SIG_FORCE for modules, KEXEC_SIG
-turns on the signature verification but allows unsigned images to be
-loaded. KEXEC_SIG_FORCE disallows images without a valid signature.
-
-[Modified by David Howells such that:
-
- (1) verify_pefile_signature() differentiates between no-signature and
- sig-didn't-match in its returned errors.
-
- (2) kexec fails with EKEYREJECTED and logs an appropriate message if
- signature checking is enforced and an signature is not found, uses
- unsupported crypto or has no matching key.
-
- (3) kexec fails with EKEYREJECTED if there is a signature for which we
- have a key, but signature doesn't match - even if in non-forcing mode.
-
- (4) kexec fails with EBADMSG or some other error if there is a signature
- which cannot be parsed - even if in non-forcing mode.
-
- (5) kexec fails with ELIBBAD if the PE file cannot be parsed to extract
- the signature - even if in non-forcing mode.
-
-]
-
-Signed-off-by: Jiri Bohac <jbohac@suse.cz>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Jiri Bohac <jbohac@suse.cz>
-cc: kexec@lists.infradead.org
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- arch/x86/Kconfig | 20 ++++++++---
- crypto/asymmetric_keys/verify_pefile.c | 4 ++-
- include/linux/kexec.h | 4 +--
- kernel/kexec_file.c | 48 ++++++++++++++++++++++----
- 4 files changed, 61 insertions(+), 15 deletions(-)
-
-diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 879741336771..df9592ce8503 100644
---- a/arch/x86/Kconfig
-+++ b/arch/x86/Kconfig
-@@ -2026,20 +2026,30 @@ config KEXEC_FILE
- config ARCH_HAS_KEXEC_PURGATORY
- def_bool KEXEC_FILE
-
--config KEXEC_VERIFY_SIG
-+config KEXEC_SIG
- bool "Verify kernel signature during kexec_file_load() syscall"
- depends on KEXEC_FILE
- ---help---
-- This option makes kernel signature verification mandatory for
-- the kexec_file_load() syscall.
-
-- In addition to that option, you need to enable signature
-+ This option makes the kexec_file_load() syscall check for a valid
-+ signature of the kernel image. The image can still be loaded without
-+ a valid signature unless you also enable KEXEC_SIG_FORCE, though if
-+ there's a signature that we can check, then it must be valid.
-+
-+ In addition to this option, you need to enable signature
- verification for the corresponding kernel image type being
- loaded in order for this to work.
-
-+config KEXEC_SIG_FORCE
-+ bool "Require a valid signature in kexec_file_load() syscall"
-+ depends on KEXEC_SIG
-+ ---help---
-+ This option makes kernel signature verification mandatory for
-+ the kexec_file_load() syscall.
-+
- config KEXEC_BZIMAGE_VERIFY_SIG
- bool "Enable bzImage signature verification support"
-- depends on KEXEC_VERIFY_SIG
-+ depends on KEXEC_SIG
- depends on SIGNED_PE_FILE_VERIFICATION
- select SYSTEM_TRUSTED_KEYRING
- ---help---
-diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c
-index 3b303fe2f061..cc9dbcecaaca 100644
---- a/crypto/asymmetric_keys/verify_pefile.c
-+++ b/crypto/asymmetric_keys/verify_pefile.c
-@@ -96,7 +96,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen,
-
- if (!ddir->certs.virtual_address || !ddir->certs.size) {
- pr_debug("Unsigned PE binary\n");
-- return -EKEYREJECTED;
-+ return -ENODATA;
- }
-
- chkaddr(ctx->header_size, ddir->certs.virtual_address,
-@@ -403,6 +403,8 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen,
- * (*) 0 if at least one signature chain intersects with the keys in the trust
- * keyring, or:
- *
-+ * (*) -ENODATA if there is no signature present.
-+ *
- * (*) -ENOPKG if a suitable crypto module couldn't be found for a check on a
- * chain.
- *
-diff --git a/include/linux/kexec.h b/include/linux/kexec.h
-index b9b1bc5f9669..58b27c7bdc2b 100644
---- a/include/linux/kexec.h
-+++ b/include/linux/kexec.h
-@@ -125,7 +125,7 @@ typedef void *(kexec_load_t)(struct kimage *image, char *kernel_buf,
- unsigned long cmdline_len);
- typedef int (kexec_cleanup_t)(void *loader_data);
-
--#ifdef CONFIG_KEXEC_VERIFY_SIG
-+#ifdef CONFIG_KEXEC_SIG
- typedef int (kexec_verify_sig_t)(const char *kernel_buf,
- unsigned long kernel_len);
- #endif
-@@ -134,7 +134,7 @@ struct kexec_file_ops {
- kexec_probe_t *probe;
- kexec_load_t *load;
- kexec_cleanup_t *cleanup;
--#ifdef CONFIG_KEXEC_VERIFY_SIG
-+#ifdef CONFIG_KEXEC_SIG
- kexec_verify_sig_t *verify_sig;
- #endif
- };
-diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
-index b8cc032d5620..5036bde1e5b3 100644
---- a/kernel/kexec_file.c
-+++ b/kernel/kexec_file.c
-@@ -88,7 +88,7 @@ int __weak arch_kimage_file_post_load_cleanup(struct kimage *image)
- return kexec_image_post_load_cleanup_default(image);
- }
-
--#ifdef CONFIG_KEXEC_VERIFY_SIG
-+#ifdef CONFIG_KEXEC_SIG
- static int kexec_image_verify_sig_default(struct kimage *image, void *buf,
- unsigned long buf_len)
- {
-@@ -186,7 +186,8 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
- const char __user *cmdline_ptr,
- unsigned long cmdline_len, unsigned flags)
- {
-- int ret = 0;
-+ const char *reason;
-+ int ret;
- void *ldata;
- loff_t size;
-
-@@ -202,15 +203,48 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
- if (ret)
- goto out;
-
--#ifdef CONFIG_KEXEC_VERIFY_SIG
-+#ifdef CONFIG_KEXEC_SIG
- ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf,
- image->kernel_buf_len);
-- if (ret) {
-- pr_debug("kernel signature verification failed.\n");
-+#else
-+ ret = -ENODATA;
-+#endif
-+
-+ switch (ret) {
-+ case 0:
-+ break;
-+
-+ /* Certain verification errors are non-fatal if we're not
-+ * checking errors, provided we aren't mandating that there
-+ * must be a valid signature.
-+ */
-+ case -ENODATA:
-+ reason = "kexec of unsigned image";
-+ goto decide;
-+ case -ENOPKG:
-+ reason = "kexec of image with unsupported crypto";
-+ goto decide;
-+ case -ENOKEY:
-+ reason = "kexec of image with unavailable key";
-+ decide:
-+ if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) {
-+ pr_notice("%s rejected\n", reason);
-+ ret = -EKEYREJECTED;
-+ goto out;
-+ }
-+
-+ ret = 0;
-+ break;
-+
-+ /* All other errors are fatal, including nomem, unparseable
-+ * signatures and signature check failures - even if signatures
-+ * aren't required.
-+ */
-+ default:
-+ pr_notice("kernel signature verification failed (%d).\n", ret);
- goto out;
- }
-- pr_debug("kernel signature verification successful.\n");
--#endif
-+
- /* It is possible that there no initramfs is being loaded */
- if (!(flags & KEXEC_FILE_NO_INITRAMFS)) {
- ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf,
---
-2.21.0
-
-
-From d0ca8a6c26bfd6c8de7ed1d83326aae9b4bdfbf4 Mon Sep 17 00:00:00 2001
-From: Jiri Bohac <jbohac@suse.cz>
-Date: Mon, 18 Feb 2019 12:44:58 +0000
-Subject: [PATCH 07/29] kexec_file: Restrict at runtime if the kernel is locked
- down
-
-When KEXEC_SIG is not enabled, kernel should not load images through
-kexec_file systemcall if the kernel is locked down.
-
-[Modified by David Howells to fit with modifications to the previous patch
- and to return -EPERM if the kernel is locked down for consistency with
- other lockdowns. Modified by Matthew Garrett to remove the IMA
- integration, which will be replaced by integrating with the IMA
- architecture policy patches.]
-
-Signed-off-by: Jiri Bohac <jbohac@suse.cz>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Jiri Bohac <jbohac@suse.cz>
-cc: kexec@lists.infradead.org
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- kernel/kexec_file.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
-index 5036bde1e5b3..0668c29d2eaf 100644
---- a/kernel/kexec_file.c
-+++ b/kernel/kexec_file.c
-@@ -234,6 +234,12 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
- }
-
- ret = 0;
-+
-+ if (kernel_is_locked_down(reason)) {
-+ ret = -EPERM;
-+ goto out;
-+ }
-+
- break;
-
- /* All other errors are fatal, including nomem, unparseable
---
-2.21.0
-
-
-From 3754ff197e10abd8ef88875e069741025ea0dd84 Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@fedoraproject.org>
-Date: Mon, 18 Feb 2019 12:44:59 +0000
-Subject: [PATCH 08/29] hibernate: Disable when the kernel is locked down
-
-There is currently no way to verify the resume image when returning
-from hibernate. This might compromise the signed modules trust model,
-so until we can work with signed hibernate images we disable it when the
-kernel is locked down.
-
-Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Cc: rjw@rjwysocki.net
-Cc: pavel@ucw.cz
-cc: linux-pm@vger.kernel.org
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- kernel/power/hibernate.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
-index cd7434e6000d..0f30de4a712a 100644
---- a/kernel/power/hibernate.c
-+++ b/kernel/power/hibernate.c
-@@ -68,7 +68,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
-
- bool hibernation_available(void)
- {
-- return (nohibernate == 0);
-+ return nohibernate == 0 && !kernel_is_locked_down("Hibernation");
- }
-
- /**
---
-2.21.0
-
-
-From a144fd3bcc7fcbf55b608c89b8cf64abec72130c Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg59@srcf.ucam.org>
-Date: Mon, 18 Feb 2019 12:44:59 +0000
-Subject: [PATCH 09/29] uswsusp: Disable when the kernel is locked down
-
-uswsusp allows a user process to dump and then restore kernel state, which
-makes it possible to modify the running kernel. Disable this if the kernel
-is locked down.
-
-Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: James Morris <james.l.morris@oracle.com>
-cc: linux-pm@vger.kernel.org
-Cc: pavel@ucw.cz
-Cc: rjw@rjwysocki.net
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- kernel/power/user.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/kernel/power/user.c b/kernel/power/user.c
-index 77438954cc2b..0caff429eb55 100644
---- a/kernel/power/user.c
-+++ b/kernel/power/user.c
-@@ -49,6 +49,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
- if (!hibernation_available())
- return -EPERM;
-
-+ if (kernel_is_locked_down("/dev/snapshot"))
-+ return -EPERM;
-+
- lock_system_sleep();
-
- if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
---
-2.21.0
-
-
-From 069af594117ee566597173886950d3577c523983 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg59@srcf.ucam.org>
-Date: Mon, 18 Feb 2019 12:44:59 +0000
-Subject: [PATCH 10/29] PCI: Lock down BAR access when the kernel is locked
- down
-
-Any hardware that can potentially generate DMA has to be locked down in
-order to avoid it being possible for an attacker to modify kernel code,
-allowing them to circumvent disabled module loading or module signing.
-Default to paranoid - in future we can potentially relax this for
-sufficiently IOMMU-isolated devices.
-
-Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: Bjorn Helgaas <bhelgaas@google.com>
-cc: linux-pci@vger.kernel.org
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- drivers/pci/pci-sysfs.c | 9 +++++++++
- drivers/pci/proc.c | 9 ++++++++-
- drivers/pci/syscall.c | 3 ++-
- 3 files changed, 19 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
-index 965c72104150..f8cef3e348a3 100644
---- a/drivers/pci/pci-sysfs.c
-+++ b/drivers/pci/pci-sysfs.c
-@@ -907,6 +907,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
- loff_t init_off = off;
- u8 *data = (u8 *) buf;
-
-+ if (kernel_is_locked_down("Direct PCI access"))
-+ return -EPERM;
-+
- if (off > dev->cfg_size)
- return 0;
- if (off + count > dev->cfg_size) {
-@@ -1168,6 +1171,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
- enum pci_mmap_state mmap_type;
- struct resource *res = &pdev->resource[bar];
-
-+ if (kernel_is_locked_down("Direct PCI access"))
-+ return -EPERM;
-+
- if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start))
- return -EINVAL;
-
-@@ -1243,6 +1249,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
- struct bin_attribute *attr, char *buf,
- loff_t off, size_t count)
- {
-+ if (kernel_is_locked_down("Direct PCI access"))
-+ return -EPERM;
-+
- return pci_resource_io(filp, kobj, attr, buf, off, count, true);
- }
-
-diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
-index fe7fe678965b..23c9b5979f5d 100644
---- a/drivers/pci/proc.c
-+++ b/drivers/pci/proc.c
-@@ -117,6 +117,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
- int size = dev->cfg_size;
- int cnt;
-
-+ if (kernel_is_locked_down("Direct PCI access"))
-+ return -EPERM;
-+
- if (pos >= size)
- return 0;
- if (nbytes >= size)
-@@ -196,6 +199,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
- #endif /* HAVE_PCI_MMAP */
- int ret = 0;
-
-+ if (kernel_is_locked_down("Direct PCI access"))
-+ return -EPERM;
-+
- switch (cmd) {
- case PCIIOC_CONTROLLER:
- ret = pci_domain_nr(dev->bus);
-@@ -238,7 +244,8 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
- struct pci_filp_private *fpriv = file->private_data;
- int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM;
-
-- if (!capable(CAP_SYS_RAWIO))
-+ if (!capable(CAP_SYS_RAWIO) ||
-+ kernel_is_locked_down("Direct PCI access"))
- return -EPERM;
-
- if (fpriv->mmap_state == pci_mmap_io) {
-diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
-index d96626c614f5..b8a08d3166a1 100644
---- a/drivers/pci/syscall.c
-+++ b/drivers/pci/syscall.c
-@@ -90,7 +90,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
- u32 dword;
- int err = 0;
-
-- if (!capable(CAP_SYS_ADMIN))
-+ if (!capable(CAP_SYS_ADMIN) ||
-+ kernel_is_locked_down("Direct PCI access"))
- return -EPERM;
-
- dev = pci_get_domain_bus_and_slot(0, bus, dfn);
---
-2.21.0
-
-
-From 97f7b0338b58afd67817ca886de78ce9bba67f29 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg59@srcf.ucam.org>
-Date: Mon, 18 Feb 2019 12:44:59 +0000
-Subject: [PATCH 11/29] x86: Lock down IO port access when the kernel is locked
- down
-
-IO port access would permit users to gain access to PCI configuration
-registers, which in turn (on a lot of hardware) give access to MMIO
-register space. This would potentially permit root to trigger arbitrary
-DMA, so lock it down by default.
-
-This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and
-KDDISABIO console ioctls.
-
-Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
-cc: x86@kernel.org
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- arch/x86/kernel/ioport.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
-index 0fe1c8782208..abc702a6ae9c 100644
---- a/arch/x86/kernel/ioport.c
-+++ b/arch/x86/kernel/ioport.c
-@@ -31,7 +31,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on)
-
- if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
- return -EINVAL;
-- if (turn_on && !capable(CAP_SYS_RAWIO))
-+ if (turn_on && (!capable(CAP_SYS_RAWIO) ||
-+ kernel_is_locked_down("ioperm")))
- return -EPERM;
-
- /*
-@@ -126,7 +127,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
- return -EINVAL;
- /* Trying to gain more privileges? */
- if (level > old) {
-- if (!capable(CAP_SYS_RAWIO))
-+ if (!capable(CAP_SYS_RAWIO) ||
-+ kernel_is_locked_down("iopl"))
- return -EPERM;
- }
- regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
---
-2.21.0
-
-
-From 65029f8df39eb1d0a48cbcb6686b21e844ff9b3c Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg59@srcf.ucam.org>
-Date: Mon, 18 Feb 2019 12:44:59 +0000
-Subject: [PATCH 12/29] x86/msr: Restrict MSR access when the kernel is locked
- down
-
-Writing to MSRs should not be allowed if the kernel is locked down, since
-it could lead to execution of arbitrary code in kernel mode. Based on a
-patch by Kees Cook.
-
-MSR accesses are logged for the purposes of building up a whitelist as per
-Alan Cox's suggestion.
-
-Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: Kees Cook <keescook@chromium.org>
-Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
-cc: x86@kernel.org
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- arch/x86/kernel/msr.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
-index 3db2252b958d..5eed6530c223 100644
---- a/arch/x86/kernel/msr.c
-+++ b/arch/x86/kernel/msr.c
-@@ -79,6 +79,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
- int err = 0;
- ssize_t bytes = 0;
-
-+ if (kernel_is_locked_down("Direct MSR access")) {
-+ pr_info("Direct access to MSR %x\n", reg);
-+ return -EPERM;
-+ }
-+
- if (count % 8)
- return -EINVAL; /* Invalid chunk size */
-
-@@ -130,6 +135,11 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
- err = -EFAULT;
- break;
- }
-+ if (kernel_is_locked_down("Direct MSR access")) {
-+ pr_info("Direct access to MSR %x\n", regs[1]); /* Display %ecx */
-+ err = -EPERM;
-+ break;
-+ }
- err = wrmsr_safe_regs_on_cpu(cpu, regs);
- if (err)
- break;
---
-2.21.0
-
-
-From 0a0ad07ecc667dae61d7a1073559830184022be7 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg59@srcf.ucam.org>
-Date: Mon, 18 Feb 2019 12:44:59 +0000
-Subject: [PATCH 13/29] ACPI: Limit access to custom_method when the kernel is
- locked down
-
-custom_method effectively allows arbitrary access to system memory, making
-it possible for an attacker to circumvent restrictions on module loading.
-Disable it if the kernel is locked down.
-
-Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
-Signed-off-by: David Howells <dhowells@redhat.com>
-cc: linux-acpi@vger.kernel.org
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- drivers/acpi/custom_method.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
-index b2ef4c2ec955..33b821be0600 100644
---- a/drivers/acpi/custom_method.c
-+++ b/drivers/acpi/custom_method.c
-@@ -30,6 +30,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
- struct acpi_table_header table;
- acpi_status status;
-
-+ if (kernel_is_locked_down("ACPI custom methods"))
-+ return -EPERM;
-+
- if (!(*ppos)) {
- /* parse the table header to get the table length */
- if (count <= sizeof(struct acpi_table_header))
---
-2.21.0
-
-
-From ad843f3ba6d525cc47eb2c866de74a324d3a960c Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@redhat.com>
-Date: Mon, 18 Feb 2019 12:44:59 +0000
-Subject: [PATCH 14/29] acpi: Ignore acpi_rsdp kernel param when the kernel has
- been locked down
-
-This option allows userspace to pass the RSDP address to the kernel, which
-makes it possible for a user to modify the workings of hardware . Reject
-the option when the kernel is locked down.
-
-Signed-off-by: Josh Boyer <jwboyer@redhat.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-cc: Dave Young <dyoung@redhat.com>
-cc: linux-acpi@vger.kernel.org
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- drivers/acpi/osl.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
-index 9c0edf2fc0dd..0c5c7b51fb72 100644
---- a/drivers/acpi/osl.c
-+++ b/drivers/acpi/osl.c
-@@ -180,7 +180,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void)
- acpi_physical_address pa;
-
- #ifdef CONFIG_KEXEC
-- if (acpi_rsdp)
-+ if (acpi_rsdp && !kernel_is_locked_down("ACPI RSDP specification"))
- return acpi_rsdp;
- #endif
- pa = acpi_arch_get_root_pointer();
---
-2.21.0
-
-
-From 146618cd3ae3556184f3ca94ca82809f4e7090b9 Mon Sep 17 00:00:00 2001
-From: Linn Crosetto <linn@hpe.com>
-Date: Mon, 18 Feb 2019 12:45:00 +0000
-Subject: [PATCH 15/29] acpi: Disable ACPI table override if the kernel is
- locked down
-
-From the kernel documentation (initrd_table_override.txt):
-
- If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
- to override nearly any ACPI table provided by the BIOS with an
- instrumented, modified one.
-
-When securelevel is set, the kernel should disallow any unauthenticated
-changes to kernel space. ACPI tables contain code invoked by the kernel,
-so do not allow ACPI tables to be overridden if the kernel is locked down.
-
-Signed-off-by: Linn Crosetto <linn@hpe.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-cc: linux-acpi@vger.kernel.org
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- drivers/acpi/tables.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
-index b32327759380..6fd5c8328427 100644
---- a/drivers/acpi/tables.c
-+++ b/drivers/acpi/tables.c
-@@ -578,6 +578,11 @@ void __init acpi_table_upgrade(void)
- if (table_nr == 0)
- return;
-
-+ if (kernel_is_locked_down("ACPI table override")) {
-+ pr_notice("kernel is locked down, ignoring table override\n");
-+ return;
-+ }
-+
- acpi_tables_addr =
- memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
- all_tables_size, PAGE_SIZE);
---
-2.21.0
-
-
-From e183b69655b6069c7007ad911252dd681fb0083f Mon Sep 17 00:00:00 2001
-From: Linn Crosetto <linn@hpe.com>
-Date: Mon, 18 Feb 2019 12:45:00 +0000
-Subject: [PATCH 16/29] acpi: Disable APEI error injection if the kernel is
- locked down
-
-ACPI provides an error injection mechanism, EINJ, for debugging and testing
-the ACPI Platform Error Interface (APEI) and other RAS features. If
-supported by the firmware, ACPI specification 5.0 and later provide for a
-way to specify a physical memory address to which to inject the error.
-
-Injecting errors through EINJ can produce errors which to the platform are
-indistinguishable from real hardware errors. This can have undesirable
-side-effects, such as causing the platform to mark hardware as needing
-replacement.
-
-While it does not provide a method to load unauthenticated privileged code,
-the effect of these errors may persist across reboots and affect trust in
-the underlying hardware, so disable error injection through EINJ if
-the kernel is locked down.
-
-Signed-off-by: Linn Crosetto <linn@hpe.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-cc: linux-acpi@vger.kernel.org
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- drivers/acpi/apei/einj.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c
-index e430cf4caec2..dde995f871d6 100644
---- a/drivers/acpi/apei/einj.c
-+++ b/drivers/acpi/apei/einj.c
-@@ -510,6 +510,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2,
- int rc;
- u64 base_addr, size;
-
-+ if (kernel_is_locked_down("ACPI error injection"))
-+ return -EPERM;
-+
- /* If user manually set "flags", make sure it is legal */
- if (flags && (flags &
- ~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF)))
---
-2.21.0
-
-
-From 2c469f9240f58dce6049eae000d70dcef8025cfa Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 18 Feb 2019 12:45:00 +0000
-Subject: [PATCH 17/29] Prohibit PCMCIA CIS storage when the kernel is locked
- down
-
-Prohibit replacement of the PCMCIA Card Information Structure when the
-kernel is locked down.
-
-Suggested-by: Dominik Brodowski <linux@dominikbrodowski.net>
-Signed-off-by: David Howells <dhowells@redhat.com>
-cc: linux-pcmcia@lists.infradead.org
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- drivers/pcmcia/cistpl.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c
-index abd029945cc8..77919fa3fb4a 100644
---- a/drivers/pcmcia/cistpl.c
-+++ b/drivers/pcmcia/cistpl.c
-@@ -1575,6 +1575,9 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj,
- struct pcmcia_socket *s;
- int error;
-
-+ if (kernel_is_locked_down("Direct PCMCIA CIS storage"))
-+ return -EPERM;
-+
- s = to_socket(container_of(kobj, struct device, kobj));
-
- if (off)
---
-2.21.0
-
-
-From 5f1bdf370484979c291e37cd6905480a12083b18 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 18 Feb 2019 12:45:00 +0000
-Subject: [PATCH 18/29] Lock down TIOCSSERIAL
-
-Lock down TIOCSSERIAL as that can be used to change the ioport and irq
-settings on a serial port. This only appears to be an issue for the serial
-drivers that use the core serial code. All other drivers seem to either
-ignore attempts to change port/irq or give an error.
-
-Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: David Howells <dhowells@redhat.com>
-cc: Jiri Slaby <jslaby@suse.com>
-Cc: linux-serial@vger.kernel.org
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- drivers/tty/serial/serial_core.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
-index 4223cb496764..4f3cd7bc1713 100644
---- a/drivers/tty/serial/serial_core.c
-+++ b/drivers/tty/serial/serial_core.c
-@@ -846,6 +846,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port,
- new_flags = (__force upf_t)new_info->flags;
- old_custom_divisor = uport->custom_divisor;
-
-+ if ((change_port || change_irq) &&
-+ kernel_is_locked_down("Using TIOCSSERIAL to change device addresses, irqs and dma channels")) {
-+ retval = -EPERM;
-+ goto exit;
-+ }
-+
- if (!capable(CAP_SYS_ADMIN)) {
- retval = -EPERM;
- if (change_irq || change_port ||
---
-2.21.0
-
-
-From b07159ff6bc3345b49db17a82fa31013f398d4e5 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 18 Feb 2019 12:45:01 +0000
-Subject: [PATCH 19/29] Lock down module params that specify hardware
- parameters (eg. ioport)
-
-Provided an annotation for module parameters that specify hardware
-parameters (such as io ports, iomem addresses, irqs, dma channels, fixed
-dma buffers and other types).
-
-Suggested-by: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- kernel/params.c | 26 +++++++++++++++++++++-----
- 1 file changed, 21 insertions(+), 5 deletions(-)
-
-diff --git a/kernel/params.c b/kernel/params.c
-index cf448785d058..61a08a5da208 100644
---- a/kernel/params.c
-+++ b/kernel/params.c
-@@ -96,13 +96,19 @@ bool parameq(const char *a, const char *b)
- return parameqn(a, b, strlen(a)+1);
- }
-
--static void param_check_unsafe(const struct kernel_param *kp)
-+static bool param_check_unsafe(const struct kernel_param *kp,
-+ const char *doing)
- {
- if (kp->flags & KERNEL_PARAM_FL_UNSAFE) {
- pr_notice("Setting dangerous option %s - tainting kernel\n",
- kp->name);
- add_taint(TAINT_USER, LOCKDEP_STILL_OK);
- }
-+
-+ if (kp->flags & KERNEL_PARAM_FL_HWPARAM &&
-+ kernel_is_locked_down("Command line-specified device addresses, irqs and dma channels"))
-+ return false;
-+ return true;
- }
-
- static int parse_one(char *param,
-@@ -132,8 +138,10 @@ static int parse_one(char *param,
- pr_debug("handling %s with %p\n", param,
- params[i].ops->set);
- kernel_param_lock(params[i].mod);
-- param_check_unsafe(&params[i]);
-- err = params[i].ops->set(val, &params[i]);
-+ if (param_check_unsafe(&params[i], doing))
-+ err = params[i].ops->set(val, &params[i]);
-+ else
-+ err = -EPERM;
- kernel_param_unlock(params[i].mod);
- return err;
- }
-@@ -541,6 +549,12 @@ static ssize_t param_attr_show(struct module_attribute *mattr,
- return count;
- }
-
-+#ifdef CONFIG_MODULES
-+#define mod_name(mod) (mod)->name
-+#else
-+#define mod_name(mod) "unknown"
-+#endif
-+
- /* sysfs always hands a nul-terminated string in buf. We rely on that. */
- static ssize_t param_attr_store(struct module_attribute *mattr,
- struct module_kobject *mk,
-@@ -553,8 +567,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr,
- return -EPERM;
-
- kernel_param_lock(mk->mod);
-- param_check_unsafe(attribute->param);
-- err = attribute->param->ops->set(buf, attribute->param);
-+ if (param_check_unsafe(attribute->param, mod_name(mk->mod)))
-+ err = attribute->param->ops->set(buf, attribute->param);
-+ else
-+ err = -EPERM;
- kernel_param_unlock(mk->mod);
- if (!err)
- return len;
---
-2.21.0
-
-
-From 3e7fdce10f144b2a947f020bd0eeeb536c77153e Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 18 Feb 2019 12:45:01 +0000
-Subject: [PATCH 20/29] x86/mmiotrace: Lock down the testmmiotrace module
-
-The testmmiotrace module shouldn't be permitted when the kernel is locked
-down as it can be used to arbitrarily read and write MMIO space.
-
-Suggested-by: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: David Howells <dhowells@redhat.com
-cc: Thomas Gleixner <tglx@linutronix.de>
-cc: Steven Rostedt <rostedt@goodmis.org>
-cc: Ingo Molnar <mingo@kernel.org>
-cc: "H. Peter Anvin" <hpa@zytor.com>
-cc: x86@kernel.org
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- arch/x86/mm/testmmiotrace.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c
-index 0881e1ff1e58..13f1da99ee5e 100644
---- a/arch/x86/mm/testmmiotrace.c
-+++ b/arch/x86/mm/testmmiotrace.c
-@@ -116,6 +116,9 @@ static int __init init(void)
- {
- unsigned long size = (read_far) ? (8 << 20) : (16 << 10);
-
-+ if (kernel_is_locked_down("MMIO trace testing"))
-+ return -EPERM;
-+
- if (mmio_address == 0) {
- pr_err("you have to use the module argument mmio_address.\n");
- pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n");
---
-2.21.0
-
-
-From 1e81a8fd6ed139113011e3b7d70aa8b5c59a97cb Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 18 Feb 2019 12:45:02 +0000
-Subject: [PATCH 21/29] Lock down /proc/kcore
-
-Disallow access to /proc/kcore when the kernel is locked down to prevent
-access to cryptographic data.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: James Morris <james.l.morris@oracle.com>
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- fs/proc/kcore.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
-index f5834488b67d..0639228c4904 100644
---- a/fs/proc/kcore.c
-+++ b/fs/proc/kcore.c
-@@ -545,6 +545,8 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
-
- static int open_kcore(struct inode *inode, struct file *filp)
- {
-+ if (kernel_is_locked_down("/proc/kcore"))
-+ return -EPERM;
- if (!capable(CAP_SYS_RAWIO))
- return -EPERM;
-
---
-2.21.0
-
-
-From 03a1ba6091a421ae40a17dc67f61a96733c8f0d2 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 18 Feb 2019 12:45:02 +0000
-Subject: [PATCH 22/29] Lock down kprobes
-
-Disallow the creation of kprobes when the kernel is locked down by
-preventing their registration. This prevents kprobes from being used to
-access kernel memory, either to make modifications or to steal crypto data.
-
-Reported-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
-Cc: Naveen N. Rao <naveen.n.rao@linux.ibm.com>
-Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
-Cc: davem@davemloft.net
-Cc: Masami Hiramatsu <mhiramat@kernel.org>
----
- kernel/kprobes.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/kernel/kprobes.c b/kernel/kprobes.c
-index 9f5433a52488..e54c7b70298a 100644
---- a/kernel/kprobes.c
-+++ b/kernel/kprobes.c
-@@ -1556,6 +1556,9 @@ int register_kprobe(struct kprobe *p)
- struct module *probed_mod;
- kprobe_opcode_t *addr;
-
-+ if (kernel_is_locked_down("Use of kprobes"))
-+ return -EPERM;
-+
- /* Adjust probe address from symbol */
- addr = kprobe_addr(p);
- if (IS_ERR(addr))
---
-2.21.0
-
-
-From d743cdf3a9508b9d9293acb3170b1d76f5556d1a Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 18 Feb 2019 12:45:02 +0000
-Subject: [PATCH 23/29] bpf: Restrict kernel image access functions when the
- kernel is locked down
-
-There are some bpf functions can be used to read kernel memory:
-bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow
-private keys in kernel memory (e.g. the hibernation image signing key) to
-be read by an eBPF program and kernel memory to be altered without
-restriction.
-
-Completely prohibit the use of BPF when the kernel is locked down.
-
-Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-cc: netdev@vger.kernel.org
-cc: Chun-Yi Lee <jlee@suse.com>
-cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>
-Cc: Daniel Borkmann <daniel@iogearbox.net>
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- kernel/bpf/syscall.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
-index 5d141f16f6fa..cf9f0d069a2a 100644
---- a/kernel/bpf/syscall.c
-+++ b/kernel/bpf/syscall.c
-@@ -2813,6 +2813,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz
- if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN))
- return -EPERM;
-
-+ if (kernel_is_locked_down("BPF"))
-+ return -EPERM;
-+
- err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size);
- if (err)
- return err;
---
-2.21.0
-
-
-From 7ec8d8a7bc177bc54e627b04a6aa4520174965cd Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 18 Feb 2019 12:45:02 +0000
-Subject: [PATCH 24/29] Lock down perf
-
-Disallow the use of certain perf facilities that might allow userspace to
-access kernel data.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Ingo Molnar <mingo@redhat.com>
-Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
----
- kernel/events/core.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/kernel/events/core.c b/kernel/events/core.c
-index eea9d52b010c..08f51f91d959 100644
---- a/kernel/events/core.c
-+++ b/kernel/events/core.c
-@@ -10824,6 +10824,11 @@ SYSCALL_DEFINE5(perf_event_open,
- return -EINVAL;
- }
-
-+ if ((attr.sample_type & PERF_SAMPLE_REGS_INTR) &&
-+ kernel_is_locked_down("PERF_SAMPLE_REGS_INTR"))
-+ /* REGS_INTR can leak data, lockdown must prevent this */
-+ return -EPERM;
-+
- /* Only privileged users can get physical addresses */
- if ((attr.sample_type & PERF_SAMPLE_PHYS_ADDR) &&
- perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN))
---
-2.21.0
-
-
-From 98fa6aca64b1723db15cb1791b734aebb105433e Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 18 Feb 2019 12:45:02 +0000
-Subject: [PATCH 25/29] debugfs: Restrict debugfs when the kernel is locked
- down
-
-Disallow opening of debugfs files that might be used to muck around when
-the kernel is locked down as various drivers give raw access to hardware
-through debugfs. Given the effort of auditing all 2000 or so files and
-manually fixing each one as necessary, I've chosen to apply a heuristic
-instead. The following changes are made:
-
- (1) chmod and chown are disallowed on debugfs objects (though the root dir
- can be modified by mount and remount, but I'm not worried about that).
-
- (2) When the kernel is locked down, only files with the following criteria
- are permitted to be opened:
-
- - The file must have mode 00444
- - The file must not have ioctl methods
- - The file must not have mmap
-
- (3) When the kernel is locked down, files may only be opened for reading.
-
-Normal device interaction should be done through configfs, sysfs or a
-miscdev, not debugfs.
-
-Note that this makes it unnecessary to specifically lock down show_dsts(),
-show_devs() and show_call() in the asus-wmi driver.
-
-I would actually prefer to lock down all files by default and have the
-the files unlocked by the creator. This is tricky to manage correctly,
-though, as there are 19 creation functions and ~1600 call sites (some of
-them in loops scanning tables).
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-cc: Andy Shevchenko <andy.shevchenko@gmail.com>
-cc: acpi4asus-user@lists.sourceforge.net
-cc: platform-driver-x86@vger.kernel.org
-cc: Matthew Garrett <mjg59@srcf.ucam.org>
-cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- fs/debugfs/file.c | 28 ++++++++++++++++++++++++++++
- fs/debugfs/inode.c | 30 ++++++++++++++++++++++++++++--
- 2 files changed, 56 insertions(+), 2 deletions(-)
-
-diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
-index 93e4ca6b2ad7..8eeff9068228 100644
---- a/fs/debugfs/file.c
-+++ b/fs/debugfs/file.c
-@@ -136,6 +136,25 @@ void debugfs_file_put(struct dentry *dentry)
- }
- EXPORT_SYMBOL_GPL(debugfs_file_put);
-
-+/*
-+ * Only permit access to world-readable files when the kernel is locked down.
-+ * We also need to exclude any file that has ways to write or alter it as root
-+ * can bypass the permissions check.
-+ */
-+static bool debugfs_is_locked_down(struct inode *inode,
-+ struct file *filp,
-+ const struct file_operations *real_fops)
-+{
-+ if ((inode->i_mode & 07777) == 0444 &&
-+ !(filp->f_mode & FMODE_WRITE) &&
-+ !real_fops->unlocked_ioctl &&
-+ !real_fops->compat_ioctl &&
-+ !real_fops->mmap)
-+ return false;
-+
-+ return kernel_is_locked_down("debugfs");
-+}
-+
- static int open_proxy_open(struct inode *inode, struct file *filp)
- {
- struct dentry *dentry = F_DENTRY(filp);
-@@ -147,6 +166,11 @@ static int open_proxy_open(struct inode *inode, struct file *filp)
- return r == -EIO ? -ENOENT : r;
-
- real_fops = debugfs_real_fops(filp);
-+
-+ r = -EPERM;
-+ if (debugfs_is_locked_down(inode, filp, real_fops))
-+ goto out;
-+
- real_fops = fops_get(real_fops);
- if (!real_fops) {
- /* Huh? Module did not clean up after itself at exit? */
-@@ -272,6 +296,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp)
- return r == -EIO ? -ENOENT : r;
-
- real_fops = debugfs_real_fops(filp);
-+ r = -EPERM;
-+ if (debugfs_is_locked_down(inode, filp, real_fops))
-+ goto out;
-+
- real_fops = fops_get(real_fops);
- if (!real_fops) {
- /* Huh? Module did not cleanup after itself at exit? */
-diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
-index 042b688ed124..cc0486ca1a11 100644
---- a/fs/debugfs/inode.c
-+++ b/fs/debugfs/inode.c
-@@ -35,6 +35,31 @@ static struct vfsmount *debugfs_mount;
- static int debugfs_mount_count;
- static bool debugfs_registered;
-
-+/*
-+ * Don't allow access attributes to be changed whilst the kernel is locked down
-+ * so that we can use the file mode as part of a heuristic to determine whether
-+ * to lock down individual files.
-+ */
-+static int debugfs_setattr(struct dentry *dentry, struct iattr *ia)
-+{
-+ if ((ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) &&
-+ kernel_is_locked_down("debugfs"))
-+ return -EPERM;
-+ return simple_setattr(dentry, ia);
-+}
-+
-+static const struct inode_operations debugfs_file_inode_operations = {
-+ .setattr = debugfs_setattr,
-+};
-+static const struct inode_operations debugfs_dir_inode_operations = {
-+ .lookup = simple_lookup,
-+ .setattr = debugfs_setattr,
-+};
-+static const struct inode_operations debugfs_symlink_inode_operations = {
-+ .get_link = simple_get_link,
-+ .setattr = debugfs_setattr,
-+};
-+
- static struct inode *debugfs_get_inode(struct super_block *sb)
- {
- struct inode *inode = new_inode(sb);
-@@ -369,6 +394,7 @@ static struct dentry *__debugfs_create_file(const char *name, umode_t mode,
- inode->i_mode = mode;
- inode->i_private = data;
-
-+ inode->i_op = &debugfs_file_inode_operations;
- inode->i_fop = proxy_fops;
- dentry->d_fsdata = (void *)((unsigned long)real_fops |
- DEBUGFS_FSDATA_IS_REAL_FOPS_BIT);
-@@ -532,7 +558,7 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent)
- }
-
- inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
-- inode->i_op = &simple_dir_inode_operations;
-+ inode->i_op = &debugfs_dir_inode_operations;
- inode->i_fop = &simple_dir_operations;
-
- /* directory inodes start off with i_nlink == 2 (for "." entry) */
-@@ -632,7 +658,7 @@ struct dentry *debugfs_create_symlink(const char *name, struct dentry *parent,
- return failed_creating(dentry);
- }
- inode->i_mode = S_IFLNK | S_IRWXUGO;
-- inode->i_op = &simple_symlink_inode_operations;
-+ inode->i_op = &debugfs_symlink_inode_operations;
- inode->i_link = link;
- d_instantiate(dentry, inode);
- return end_creating(dentry);
---
-2.21.0
-
-
-From 39ffa9315f46123f0f1f66fb6fd0597211b43b1d Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Wed, 28 Feb 2018 14:43:03 +0000
-Subject: [PATCH 26/29] lockdown: Print current->comm in restriction messages
-
-Print the content of current->comm in messages generated by lockdown to
-indicate a restriction that was hit. This makes it a bit easier to find
-out what caused the message.
-
-The message now patterned something like:
-
- Lockdown: <comm>: <what> is restricted; see man kernel_lockdown.7
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
----
- security/lock_down.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/security/lock_down.c b/security/lock_down.c
-index 18d8776a4d02..ee00ca2677e7 100644
---- a/security/lock_down.c
-+++ b/security/lock_down.c
-@@ -53,8 +53,8 @@ void __init init_lockdown(void)
- bool __kernel_is_locked_down(const char *what, bool first)
- {
- if (what && first && kernel_locked_down)
-- pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n",
-- what);
-+ pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
-+ current->comm, what);
- return kernel_locked_down;
- }
- EXPORT_SYMBOL(__kernel_is_locked_down);
---
-2.21.0
-
-
-From 0086dbfaa88118636bc5d77f25bd578034a84075 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <matthewgarrett@google.com>
-Date: Tue, 12 Mar 2019 12:50:30 -0700
-Subject: [PATCH 27/29] kexec: Allow kexec_file() with appropriate IMA policy
- when locked down
-
-Systems in lockdown mode should block the kexec of untrusted kernels.
-For x86 and ARM we can ensure that a kernel is trustworthy by validating
-a PE signature, but this isn't possible on other architectures. On those
-platforms we can use IMA digital signatures instead. Add a function to
-determine whether IMA has or will verify signatures for a given event type,
-and if so permit kexec_file() even if the kernel is otherwise locked down.
-This is restricted to cases where CONFIG_INTEGRITY_TRUSTED_KEYRING is set
-in order to prevent an attacker from loading additional keys at runtime.
-
-Signed-off-by: Matthew Garrett <mjg59@google.com>
-Acked-by: Mimi Zohar <zohar@linux.ibm.com>
-Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
-Cc: linux-integrity@vger.kernel.org
----
- include/linux/ima.h | 9 ++++++
- kernel/kexec_file.c | 7 +++-
- security/integrity/ima/ima.h | 2 ++
- security/integrity/ima/ima_main.c | 2 +-
- security/integrity/ima/ima_policy.c | 50 +++++++++++++++++++++++++++++
- 5 files changed, 68 insertions(+), 2 deletions(-)
-
-diff --git a/include/linux/ima.h b/include/linux/ima.h
-index a20ad398d260..1c37f17f7203 100644
---- a/include/linux/ima.h
-+++ b/include/linux/ima.h
-@@ -131,4 +131,13 @@ static inline int ima_inode_removexattr(struct dentry *dentry,
- return 0;
- }
- #endif /* CONFIG_IMA_APPRAISE */
-+
-+#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
-+extern bool ima_appraise_signature(enum kernel_read_file_id func);
-+#else
-+static inline bool ima_appraise_signature(enum kernel_read_file_id func)
-+{
-+ return false;
-+}
-+#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */
- #endif /* _LINUX_IMA_H */
-diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
-index 0668c29d2eaf..78728a0f16a7 100644
---- a/kernel/kexec_file.c
-+++ b/kernel/kexec_file.c
-@@ -235,7 +235,12 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
-
- ret = 0;
-
-- if (kernel_is_locked_down(reason)) {
-+ /* If IMA is guaranteed to appraise a signature on the kexec
-+ * image, permit it even if the kernel is otherwise locked
-+ * down.
-+ */
-+ if (!ima_appraise_signature(READING_KEXEC_IMAGE) &&
-+ kernel_is_locked_down(reason)) {
- ret = -EPERM;
- goto out;
- }
-diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
-index 011b91c79351..64dcb11cf444 100644
---- a/security/integrity/ima/ima.h
-+++ b/security/integrity/ima/ima.h
-@@ -113,6 +113,8 @@ struct ima_kexec_hdr {
- u64 count;
- };
-
-+extern const int read_idmap[];
-+
- #ifdef CONFIG_HAVE_IMA_KEXEC
- void ima_load_kexec_buffer(void);
- #else
-diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
-index 584019728660..b9f57503af2c 100644
---- a/security/integrity/ima/ima_main.c
-+++ b/security/integrity/ima/ima_main.c
-@@ -502,7 +502,7 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
- return 0;
- }
-
--static const int read_idmap[READING_MAX_ID] = {
-+const int read_idmap[READING_MAX_ID] = {
- [READING_FIRMWARE] = FIRMWARE_CHECK,
- [READING_FIRMWARE_PREALLOC_BUFFER] = FIRMWARE_CHECK,
- [READING_MODULE] = MODULE_CHECK,
-diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
-index 6df7f641ff66..827f1e33fe86 100644
---- a/security/integrity/ima/ima_policy.c
-+++ b/security/integrity/ima/ima_policy.c
-@@ -1456,3 +1456,53 @@ int ima_policy_show(struct seq_file *m, void *v)
- return 0;
- }
- #endif /* CONFIG_IMA_READ_POLICY */
-+
-+#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
-+/*
-+ * ima_appraise_signature: whether IMA will appraise a given function using
-+ * an IMA digital signature. This is restricted to cases where the kernel
-+ * has a set of built-in trusted keys in order to avoid an attacker simply
-+ * loading additional keys.
-+ */
-+bool ima_appraise_signature(enum kernel_read_file_id id)
-+{
-+ struct ima_rule_entry *entry;
-+ bool found = false;
-+ enum ima_hooks func;
-+
-+ if (id >= READING_MAX_ID)
-+ return false;
-+
-+ func = read_idmap[id] ?: FILE_CHECK;
-+
-+ rcu_read_lock();
-+ list_for_each_entry_rcu(entry, ima_rules, list) {
-+ if (entry->action != APPRAISE)
-+ continue;
-+
-+ /*
-+ * A generic entry will match, but otherwise require that it
-+ * match the func we're looking for
-+ */
-+ if (entry->func && entry->func != func)
-+ continue;
-+
-+ /*
-+ * We require this to be a digital signature, not a raw IMA
-+ * hash.
-+ */
-+ if (entry->flags & IMA_DIGSIG_REQUIRED)
-+ found = true;
-+
-+ /*
-+ * We've found a rule that matches, so break now even if it
-+ * didn't require a digital signature - a later rule that does
-+ * won't override it, so would be a false positive.
-+ */
-+ break;
-+ }
-+
-+ rcu_read_unlock();
-+ return found;
-+}
-+#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */
---
-2.21.0
-
-
From 4a84d19a10c31a363aa7d1f325bd212012263a98 Mon Sep 17 00:00:00 2001
From: Kyle McMartin <kyle@redhat.com>
Date: Mon, 9 Apr 2018 09:52:45 +0100
@@ -2107,63 +284,3 @@ index ee00ca2677e7..d68dff872ced 100644
+#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */
--
2.21.0
-
-
-From c3e9fb754f7603ae10a750f685f0174c5ae51ffa Mon Sep 17 00:00:00 2001
-From: Vasily Gorbik <gor@linux.ibm.com>
-Date: Wed, 21 Nov 2018 13:05:10 +0100
-Subject: [PATCH 29/29] debugfs: avoid EPERM when no open file operation
- defined
-
-With "debugfs: Restrict debugfs when the kernel is locked down"
-return code "r" is unconditionally set to -EPERM, which stays like that
-until function return if no "open" file operation defined, effectivelly
-resulting in "Operation not permitted" for all such files despite kernel
-lock down status or CONFIG_LOCK_DOWN_KERNEL being enabled.
-
-In particular this breaks 2 debugfs files on s390:
-/sys/kernel/debug/s390_hypfs/diag_304
-/sys/kernel/debug/s390_hypfs/diag_204
-
-To address that set EPERM return code only when debugfs_is_locked_down
-returns true.
-
-Fixes: 3fc322605158 ("debugfs: Restrict debugfs when the kernel is locked down")
-Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
----
- fs/debugfs/file.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
-index 8eeff9068228..9c56e1aa1f29 100644
---- a/fs/debugfs/file.c
-+++ b/fs/debugfs/file.c
-@@ -167,9 +167,10 @@ static int open_proxy_open(struct inode *inode, struct file *filp)
-
- real_fops = debugfs_real_fops(filp);
-
-- r = -EPERM;
-- if (debugfs_is_locked_down(inode, filp, real_fops))
-+ if (debugfs_is_locked_down(inode, filp, real_fops)) {
-+ r = -EPERM;
- goto out;
-+ }
-
- real_fops = fops_get(real_fops);
- if (!real_fops) {
-@@ -296,9 +297,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp)
- return r == -EIO ? -ENOENT : r;
-
- real_fops = debugfs_real_fops(filp);
-- r = -EPERM;
-- if (debugfs_is_locked_down(inode, filp, real_fops))
-+ if (debugfs_is_locked_down(inode, filp, real_fops)) {
-+ r = -EPERM;
- goto out;
-+ }
-
- real_fops = fops_get(real_fops);
- if (!real_fops) {
---
-2.21.0
-