Linux v5.3-13236-g97f9a3c4eee5

This is a first pass at getting the secureboot patches working with the upstream lockdown patches that got merged. The final patch from our lockdown set is the sysrq patch which also needs work. For the present it is not applied.
author: Jeremy Cline <jcline@redhat.com> 2019-09-30 20:00:17 +0000
committer: Jeremy Cline <jcline@redhat.com> 2019-10-01 14:20:23 +0000
commit: e21e52b60843bc2c19b187cd6d25723686a610dc (patch)
tree: 2b88310af462707e2cc8f3b61768d555025e476f /efi-secureboot.patch
parent: b82da9d02ca2eb7a3632ca276f5301a04e10d270 (diff)
download: kernel-e21e52b60843bc2c19b187cd6d25723686a610dc.tar.gz
kernel-e21e52b60843bc2c19b187cd6d25723686a610dc.tar.xz
kernel-e21e52b60843bc2c19b187cd6d25723686a610dc.zip
1 files changed, 141 insertions, 85 deletions
diff --git a/efi-secureboot.patch b/efi-secureboot.patch
index 4f8a97bcf..de6f5eef9 100644
--- a/efi-secureboot.patch
+++ b/efi-secureboot.patch
@@ -1,7 +1,109 @@
+From 478a0cff698409224330ea9e25eb332220b55dbb Mon Sep 17 00:00:00 2001
+From: Jeremy Cline <jcline@redhat.com>
+Date: Mon, 30 Sep 2019 21:22:47 +0000
+Subject: [PATCH 1/3] security: lockdown: expose a hook to lock the kernel down
+
+In order to automatically lock down kernels running on UEFI machines
+booted in Secure Boot mode, expose the lock_kernel_down() hook.
+
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+---
+ include/linux/lsm_hooks.h    | 8 ++++++++
+ include/linux/security.h     | 5 +++++
+ security/lockdown/lockdown.c | 1 +
+ security/security.c          | 6 ++++++
+ 4 files changed, 20 insertions(+)
+
+diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
+index a3763247547c..8d76d1f153ed 100644
+--- a/include/linux/lsm_hooks.h
++++ b/include/linux/lsm_hooks.h
+@@ -1454,6 +1454,12 @@
+  *     code execution in kernel space should be permitted.
+  *
+  *     @what: kernel feature being accessed
++ *
++ * @lock_kernel_down
++ *     Put the kernel into lock-down mode.
++ *
++ *     @where: Where the lock-down is originating from (e.g. command line option)
++ *     @level: The lock-down level (can only increase)
+  */
+ union security_list_options {
+ 	int (*binder_set_context_mgr)(struct task_struct *mgr);
+@@ -1818,6 +1824,7 @@ union security_list_options {
+ 	void (*bpf_prog_free_security)(struct bpf_prog_aux *aux);
+ #endif /* CONFIG_BPF_SYSCALL */
+ 	int (*locked_down)(enum lockdown_reason what);
++	int (*lock_kernel_down)(const char *where, enum lockdown_reason level);
+ };
+ 
+ struct security_hook_heads {
+@@ -2060,6 +2067,7 @@ struct security_hook_heads {
+ 	struct hlist_head bpf_prog_free_security;
+ #endif /* CONFIG_BPF_SYSCALL */
+ 	struct hlist_head locked_down;
++	struct hlist_head lock_kernel_down;
+ } __randomize_layout;
+ 
+ /*
+diff --git a/include/linux/security.h b/include/linux/security.h
+index a8d59d612d27..467b9ccdf993 100644
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -442,6 +442,7 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
+ int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
+ int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
+ int security_locked_down(enum lockdown_reason what);
++int security_lock_kernel_down(const char *where, enum lockdown_reason level);
+ #else /* CONFIG_SECURITY */
+ 
+ static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
+@@ -1269,6 +1270,10 @@ static inline int security_locked_down(enum lockdown_reason what)
+ {
+ 	return 0;
+ }
++static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level);
++{
++	return 0;
++}
+ #endif	/* CONFIG_SECURITY */
+ 
+ #ifdef CONFIG_SECURITY_NETWORK
+diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
+index 8a10b43daf74..72a623075749 100644
+--- a/security/lockdown/lockdown.c
++++ b/security/lockdown/lockdown.c
+@@ -97,6 +97,7 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
+ 
+ static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = {
+ 	LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
++	LSM_HOOK_INIT(lock_kernel_down, lock_kernel_down),
+ };
+ 
+ static int __init lockdown_lsm_init(void)
+diff --git a/security/security.c b/security/security.c
+index 1bc000f834e2..1506b95427cf 100644
+--- a/security/security.c
++++ b/security/security.c
+@@ -2404,3 +2404,9 @@ int security_locked_down(enum lockdown_reason what)
+ 	return call_int_hook(locked_down, 0, what);
+ }
+ EXPORT_SYMBOL(security_locked_down);
++
++int security_lock_kernel_down(const char *where, enum lockdown_reason level)
++{
++	return call_int_hook(lock_kernel_down, 0, where, level);
++}
++EXPORT_SYMBOL(security_lock_kernel_down);
+-- 
+2.21.0
+
+
 From b5123d0553f4ed5e734f6457696cdd30228d1eee Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 27 Feb 2018 10:04:55 +0000
-Subject: [PATCH 29/31] efi: Add an EFI_SECURE_BOOT flag to indicate secure
+Subject: [PATCH 2/3] efi: Add an EFI_SECURE_BOOT flag to indicate secure
  boot mode
 
 UEFI machines can be booted in Secure Boot mode.  Add an EFI_SECURE_BOOT
@@ -160,119 +262,73 @@ index 21d81021c1f4..758ec061d03b 100644
 2.21.0
 
 
-From d78bf678059f83e22bec8ada1a448e22b9b90203 Mon Sep 17 00:00:00 2001
+From 15368f76d4997912318d35c52bfeb9041d85098e Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
-Date: Tue, 27 Feb 2018 10:04:55 +0000
-Subject: [PATCH 30/31] efi: Lock down the kernel if booted in secure boot mode
+Date: Mon, 30 Sep 2019 21:28:16 +0000
+Subject: [PATCH 3/3] efi: Lock down the kernel if booted in secure boot mode
 
-UEFI Secure Boot provides a mechanism for ensuring that the firmware will
-only load signed bootloaders and kernels.  Certain use cases may also
-require that all kernel modules also be signed.  Add a configuration option
-that to lock down the kernel - which includes requiring validly signed
-modules - if the kernel is secure-booted.
+UEFI Secure Boot provides a mechanism for ensuring that the firmware
+will only load signed bootloaders and kernels.  Certain use cases may
+also require that all kernel modules also be signed.  Add a
+configuration option that to lock down the kernel - which includes
+requiring validly signed modules - if the kernel is secure-booted.
 
 Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-cc: linux-efi@vger.kernel.org
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
 ---
- arch/x86/kernel/setup.c |  6 ++++--
- fs/debugfs/inode.c      |  2 +-
- security/Kconfig        | 14 ++++++++++++++
- security/lock_down.c    |  5 +++++
- 4 files changed, 20 insertions(+), 3 deletions(-)
+ arch/x86/kernel/setup.c   |  8 ++++++++
+ security/lockdown/Kconfig | 13 +++++++++++++
+ 2 files changed, 21 insertions(+)
 
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index adeee6329f55..27a54ec878bd 100644
+index 77ea96b794bd..a119e1bc9623 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -65,6 +65,7 @@
- #include <linux/dma-mapping.h>
- #include <linux/ctype.h>
- #include <linux/uaccess.h>
+@@ -73,6 +73,7 @@
+ #include <linux/jiffies.h>
+ #include <linux/mem_encrypt.h>
+ #include <linux/sizes.h>
 +#include <linux/security.h>
  
- #include <linux/percpu.h>
- #include <linux/crash_dump.h>
-@@ -1005,6 +1006,10 @@ void __init setup_arch(char **cmdline_p)
+ #include <linux/usb/xhci-dbgp.h>
+ #include <video/edid.h>
+@@ -1027,6 +1028,13 @@ void __init setup_arch(char **cmdline_p)
  	if (efi_enabled(EFI_BOOT))
  		efi_init();
  
 +	efi_set_secure_boot(boot_params.secure_boot);
 +
-+	init_lockdown();
++#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
++	if (efi_enabled(EFI_SECURE_BOOT))
++		security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_CONFIDENTIALITY_MAX);
++#endif
 +
  	dmi_setup();
  
  	/*
-@@ -1159,8 +1164,6 @@ void __init setup_arch(char **cmdline_p)
- 	/* Allocate bigger log buffer */
- 	setup_log_buf(1);
- 
--	efi_set_secure_boot(boot_params.secure_boot);
--
- 	reserve_initrd();
- 
- 	acpi_table_upgrade();
-diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
-index ce261e1765ff..7aff55b309a6 100644
---- a/fs/debugfs/inode.c
-+++ b/fs/debugfs/inode.c
-@@ -40,7 +40,7 @@ static bool debugfs_registered;
- static int debugfs_setattr(struct dentry *dentry, struct iattr *ia)
- {
- 	if ((ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) &&
--	    kernel_is_locked_down("debugfs"))
-+	    kernel_is_locked_down("changing perms in debugfs"))
- 		return -EPERM;
- 	return simple_setattr(dentry, ia);
- }
-diff --git a/security/Kconfig b/security/Kconfig
-index 9c343f262bdd..30788bc47863 100644
---- a/security/Kconfig
-+++ b/security/Kconfig
-@@ -244,6 +244,20 @@ config LOCK_DOWN_KERNEL_FORCE
-           Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
-           combination on a wired keyboard.  On x86, this is SysRq+x.
+diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
+index e84ddf484010..d0501353a4b9 100644
+--- a/security/lockdown/Kconfig
++++ b/security/lockdown/Kconfig
+@@ -16,6 +16,19 @@ config SECURITY_LOCKDOWN_LSM_EARLY
+ 	  subsystem is fully initialised. If enabled, lockdown will
+ 	  unconditionally be called before any other LSMs.
  
 +config LOCK_DOWN_IN_EFI_SECURE_BOOT
 +	bool "Lock down the kernel in EFI Secure Boot mode"
 +	default n
-+	select LOCK_DOWN_KERNEL
-+	depends on EFI
++	depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY
 +	help
 +	  UEFI Secure Boot provides a mechanism for ensuring that the firmware
 +	  will only load signed bootloaders and kernels.  Secure boot mode may
 +	  be determined from EFI variables provided by the system firmware if
 +	  not indicated by the boot parameters.
 +
-+	  Enabling this option turns on results in kernel lockdown being
-+	  triggered if EFI Secure Boot is set.
++	  Enabling this option results in kernel lockdown being triggered if
++	  EFI Secure Boot is set.
 +
- source "security/selinux/Kconfig"
- source "security/smack/Kconfig"
- source "security/tomoyo/Kconfig"
-diff --git a/security/lock_down.c b/security/lock_down.c
-index ee00ca2677e7..bb4dc7838f3e 100644
---- a/security/lock_down.c
-+++ b/security/lock_down.c
-@@ -12,6 +12,7 @@
- 
- #include <linux/security.h>
- #include <linux/export.h>
-+#include <linux/efi.h>
- #include <linux/sysrq.h>
- #include <asm/setup.h>
- 
-@@ -44,6 +45,10 @@ void __init init_lockdown(void)
- #ifdef CONFIG_LOCK_DOWN_FORCE
- 	lock_kernel_down("Kernel configuration");
- #endif
-+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
-+	if (efi_enabled(EFI_SECURE_BOOT))
-+		lock_kernel_down("EFI secure boot");
-+#endif
- }
- 
- /**
+ choice
+ 	prompt "Kernel default lockdown mode"
+ 	default LOCK_DOWN_KERNEL_FORCE_NONE
 -- 
-2.14.3
+2.21.0
author	Jeremy Cline <jcline@redhat.com>	2019-09-30 20:00:17 +0000
committer	Jeremy Cline <jcline@redhat.com>	2019-10-01 14:20:23 +0000
commit	e21e52b60843bc2c19b187cd6d25723686a610dc (patch)
tree	2b88310af462707e2cc8f3b61768d555025e476f /efi-secureboot.patch
parent	b82da9d02ca2eb7a3632ca276f5301a04e10d270 (diff)
download	kernel-e21e52b60843bc2c19b187cd6d25723686a610dc.tar.gz kernel-e21e52b60843bc2c19b187cd6d25723686a610dc.tar.xz kernel-e21e52b60843bc2c19b187cd6d25723686a610dc.zip