Diffstat (limited to 'efi-lockdown.patch')
-rw-r--r--efi-lockdown.patch245
1 files changed, 6 insertions, 239 deletions
diff --git a/efi-lockdown.patch b/efi-lockdown.patch
index 2fbc40e63..a4b602b2a 100644
--- a/efi-lockdown.patch
+++ b/efi-lockdown.patch
@@ -136,9 +136,9 @@ index c4302067a3ad..a68e5bdebad5 100644
+ Makes the lockdown non-negotiable. It is always on and cannot be
+ disabled.
+
- source security/selinux/Kconfig
- source security/smack/Kconfig
- source security/tomoyo/Kconfig
+ source "security/selinux/Kconfig"
+ source "security/smack/Kconfig"
+ source "security/tomoyo/Kconfig"
@@ -278,4 +300,3 @@ config DEFAULT_SECURITY
default "" if DEFAULT_SECURITY_DAC
@@ -447,9 +447,9 @@ index a68e5bdebad5..46967ee77dfd 100644
+ combination on a wired keyboard. On x86, this is SysRq+x.
+
+
- source security/selinux/Kconfig
- source security/smack/Kconfig
- source security/tomoyo/Kconfig
+ source "security/selinux/Kconfig"
+ source "security/smack/Kconfig"
+ source "security/tomoyo/Kconfig"
diff --git a/security/lock_down.c b/security/lock_down.c
index f35ffdd096ad..2615669dbf03 100644
--- a/security/lock_down.c
@@ -518,239 +518,6 @@ index f35ffdd096ad..2615669dbf03 100644
--
2.14.3
-From 2d534703537af95f601d3bdab11ee6ba8b3bc2dc Mon Sep 17 00:00:00 2001
-From: Mimi Zohar <zohar@linux.vnet.ibm.com>
-Date: Mon, 9 Apr 2018 09:52:45 +0100
-Subject: [PATCH 03/24] ima: require secure_boot rules in lockdown mode
-
-Require the "secure_boot" rules, whether or not it is specified
-on the boot command line, for both the builtin and custom policies
-in secure boot lockdown mode.
-
-Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- security/integrity/ima/ima_policy.c | 34 +++++++++++++++++++++++------
- 1 file changed, 27 insertions(+), 7 deletions(-)
-
-diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
-index 8c9499867c91..f8428f579924 100644
---- a/security/integrity/ima/ima_policy.c
-+++ b/security/integrity/ima/ima_policy.c
-@@ -481,14 +481,21 @@ static int ima_appraise_flag(enum ima_hooks func)
- */
- void __init ima_init_policy(void)
- {
-- int i, measure_entries, appraise_entries, secure_boot_entries;
-+ int i;
-+ int measure_entries = 0;
-+ int appraise_entries = 0;
-+ int secure_boot_entries = 0;
-+ bool kernel_locked_down = __kernel_is_locked_down(NULL, false);
-
- /* if !ima_policy set entries = 0 so we load NO default rules */
-- measure_entries = ima_policy ? ARRAY_SIZE(dont_measure_rules) : 0;
-- appraise_entries = ima_use_appraise_tcb ?
-- ARRAY_SIZE(default_appraise_rules) : 0;
-- secure_boot_entries = ima_use_secure_boot ?
-- ARRAY_SIZE(secure_boot_rules) : 0;
-+ if (ima_policy)
-+ measure_entries = ARRAY_SIZE(dont_measure_rules);
-+
-+ if (ima_use_appraise_tcb)
-+ appraise_entries = ARRAY_SIZE(default_appraise_rules);
-+
-+ if (ima_use_secure_boot || kernel_locked_down)
-+ secure_boot_entries = ARRAY_SIZE(secure_boot_rules);
-
- for (i = 0; i < measure_entries; i++)
- list_add_tail(&dont_measure_rules[i].list, &ima_default_rules);
-@@ -509,12 +516,25 @@ void __init ima_init_policy(void)
-
- /*
- * Insert the builtin "secure_boot" policy rules requiring file
-- * signatures, prior to any other appraise rules.
-+ * signatures, prior to any other appraise rules. In secure boot
-+ * lock-down mode, also require these appraise rules for custom
-+ * policies.
- */
- for (i = 0; i < secure_boot_entries; i++) {
-+ struct ima_rule_entry *entry;
-+
-+ /* Include for builtin policies */
- list_add_tail(&secure_boot_rules[i].list, &ima_default_rules);
- temp_ima_appraise |=
- ima_appraise_flag(secure_boot_rules[i].func);
-+
-+ /* Include for custom policies */
-+ if (kernel_locked_down) {
-+ entry = kmemdup(&secure_boot_rules[i], sizeof(*entry),
-+ GFP_KERNEL);
-+ if (entry)
-+ list_add_tail(&entry->list, &ima_policy_rules);
-+ }
- }
-
- /*
---
-2.17.1
-
-From 980a380dc973c5a7745e4833aba368637a99df2e Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 9 Apr 2018 09:52:46 +0100
-Subject: [PATCH] Enforce module signatures if the kernel is locked down
-
-If the kernel is locked down, require that all modules have valid
-signatures that we can verify or that IMA can validate the file.
-
-I have adjusted the errors generated:
-
- (1) If there's no signature (ENODATA) or we can't check it (ENOPKG,
- ENOKEY), then:
-
- (a) If signatures are enforced then EKEYREJECTED is returned.
-
- (b) If IMA will have validated the image, return 0 (okay).
-
- (c) If there's no signature or we can't check it, but the kernel is
- locked down then EPERM is returned (this is then consistent with
- other lockdown cases).
-
- (2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails
- the check (EKEYREJECTED) or a system error occurs (eg. ENOMEM), we
- return the error we got.
-
-Note that the X.509 code doesn't check for key expiry as the RTC might not
-be valid or might not have been transferred to the kernel's clock yet.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Jiri Bohac <jbohac@suse.cz>
-cc: "Lee, Chun-Yi" <jlee@suse.com>
-cc: James Morris <james.l.morris@oracle.com>
----
- kernel/module.c | 56 +++++++++++++++++++++++++++++++++++++------------
- 1 file changed, 43 insertions(+), 13 deletions(-)
-
-diff --git a/kernel/module.c b/kernel/module.c
-index b046a32520d8..3bb0722c106e 100644
---- a/kernel/module.c
-+++ b/kernel/module.c
-@@ -64,6 +64,7 @@
- #include <linux/bsearch.h>
- #include <linux/dynamic_debug.h>
- #include <linux/audit.h>
-+#include <linux/ima.h>
- #include <uapi/linux/module.h>
- #include "module-internal.h"
-
-@@ -2741,10 +2742,12 @@ static inline void kmemleak_load_module(const struct module *mod,
- #endif
-
- #ifdef CONFIG_MODULE_SIG
--static int module_sig_check(struct load_info *info, int flags)
-+static int module_sig_check(struct load_info *info, int flags,
-+ bool can_do_ima_check)
- {
-- int err = -ENOKEY;
-+ int err = -ENODATA;
- const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
-+ const char *reason;
- const void *mod = info->hdr;
-
- /*
-@@ -2759,19 +2762,46 @@ static int module_sig_check(struct load_info *info, int flags)
- err = mod_verify_sig(mod, info);
- }
-
-- if (!err) {
-+ switch (err) {
-+ case 0:
- info->sig_ok = true;
- return 0;
-- }
-
-- /* Not having a signature is only an error if we're strict. */
-- if (err == -ENOKEY && !is_module_sig_enforced())
-- err = 0;
-+ /* We don't permit modules to be loaded into trusted kernels
-+ * without a valid signature on them, but if we're not
-+ * enforcing, certain errors are non-fatal.
-+ */
-+ case -ENODATA:
-+ reason = "Loading of unsigned module";
-+ goto decide;
-+ case -ENOPKG:
-+ reason = "Loading of module with unsupported crypto";
-+ goto decide;
-+ case -ENOKEY:
-+ reason = "Loading of module with unavailable key";
-+ decide:
-+ if (sig_enforce) {
-+ pr_notice("%s is rejected\n", reason);
-+ return -EKEYREJECTED;
-+ }
-
-- return err;
-+ if (can_do_ima_check && is_ima_appraise_enabled())
-+ return 0;
-+ if (kernel_is_locked_down(reason))
-+ return -EPERM;
-+ return 0;
-+
-+ /* All other errors are fatal, including nomem, unparseable
-+ * signatures and signature check failures - even if signatures
-+ * aren't required.
-+ */
-+ default:
-+ return err;
-+ }
- }
- #else /* !CONFIG_MODULE_SIG */
--static int module_sig_check(struct load_info *info, int flags)
-+static int module_sig_check(struct load_info *info, int flags,
-+ bool can_do_ima_check)
- {
- return 0;
- }
-@@ -3620,7 +3650,7 @@ static int unknown_module_param_cb(char *param, char *val, const char *modname,
- /* Allocate and load the module: note that size of section 0 is always
- zero, and we rely on this for optional sections. */
- static int load_module(struct load_info *info, const char __user *uargs,
-- int flags)
-+ int flags, bool can_do_ima_check)
- {
- struct module *mod;
- long err = 0;
-@@ -3639,7 +3669,7 @@ static int load_module(struct load_info *info, const char __user *uargs,
- goto free_copy;
- }
-
-- err = module_sig_check(info, flags);
-+ err = module_sig_check(info, flags, can_do_ima_check);
- if (err)
- goto free_copy;
-
-@@ -3834,7 +3864,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
- if (err)
- return err;
-
-- return load_module(&info, uargs, 0);
-+ return load_module(&info, uargs, 0, false);
- }
-
- SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags)
-@@ -3861,7 +3891,7 @@ SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags)
- info.hdr = hdr;
- info.len = size;
-
-- return load_module(&info, uargs, flags);
-+ return load_module(&info, uargs, flags, true);
- }
-
- static inline int within(unsigned long addr, void *start, unsigned long size)
---
-2.17.1
-
From 7948946e19294e7560c81b177b2788d21ed79f59 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg59@srcf.ucam.org>
Date: Mon, 9 Apr 2018 09:52:46 +0100
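Review bot: The hunk at `@@ -518,239 +518,6 @@` removes the whole "ima: require secure_boot rules in lockdown mode" and "Enforce module signatures if the kernel is locked down" patches from the series, and nothing else in this diff re-adds them, so a kernel built from the remaining series presumably falls back to the pre-patch module_sig_check() where a missing or unverifiable signature is only fatal when sig_enforce is set, and the IMA secure_boot rules are no longer forced on under lockdown. If the two patches were moved to another patch file or superseded by an upstream change, the commit message should say so and name the replacement; if they were dropped on purpose, the series description should record that module-signature and IMA enforcement are no longer part of the lockdown set, since a reader of efi-lockdown.patch alone can no longer tell. The first two hunks only quote the `source` paths in Kconfig context lines and need no change.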