diff options
Diffstat (limited to 'efi-secureboot.patch')
| -rw-r--r-- | efi-secureboot.patch | 254 |
1 files changed, 155 insertions, 99 deletions
diff --git a/efi-secureboot.patch b/efi-secureboot.patch index bb5b47b42..ee5382029 100644 --- a/efi-secureboot.patch +++ b/efi-secureboot.patch @@ -1,7 +1,109 @@ +From 478a0cff698409224330ea9e25eb332220b55dbb Mon Sep 17 00:00:00 2001 +From: Jeremy Cline <jcline@redhat.com> +Date: Mon, 30 Sep 2019 21:22:47 +0000 +Subject: [PATCH 1/3] security: lockdown: expose a hook to lock the kernel down + +In order to automatically lock down kernels running on UEFI machines +booted in Secure Boot mode, expose the lock_kernel_down() hook. + +Signed-off-by: Jeremy Cline <jcline@redhat.com> +--- + include/linux/lsm_hooks.h | 8 ++++++++ + include/linux/security.h | 5 +++++ + security/lockdown/lockdown.c | 1 + + security/security.c | 6 ++++++ + 4 files changed, 20 insertions(+) + +diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h +index a3763247547c..8d76d1f153ed 100644 +--- a/include/linux/lsm_hooks.h ++++ b/include/linux/lsm_hooks.h +@@ -1454,6 +1454,12 @@ + * code execution in kernel space should be permitted. + * + * @what: kernel feature being accessed ++ * ++ * @lock_kernel_down ++ * Put the kernel into lock-down mode. ++ * ++ * @where: Where the lock-down is originating from (e.g. command line option) ++ * @level: The lock-down level (can only increase) + */ + union security_list_options { + int (*binder_set_context_mgr)(struct task_struct *mgr); +@@ -1818,6 +1824,7 @@ union security_list_options { + void (*bpf_prog_free_security)(struct bpf_prog_aux *aux); + #endif /* CONFIG_BPF_SYSCALL */ + int (*locked_down)(enum lockdown_reason what); ++ int (*lock_kernel_down)(const char *where, enum lockdown_reason level); + }; + + struct security_hook_heads { +@@ -2060,6 +2067,7 @@ struct security_hook_heads { + struct hlist_head bpf_prog_free_security; + #endif /* CONFIG_BPF_SYSCALL */ + struct hlist_head locked_down; ++ struct hlist_head lock_kernel_down; + } __randomize_layout; + + /* +diff --git a/include/linux/security.h b/include/linux/security.h +index a8d59d612d27..467b9ccdf993 100644 +--- a/include/linux/security.h ++++ b/include/linux/security.h +@@ -442,6 +442,7 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); + int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); + int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); + int security_locked_down(enum lockdown_reason what); ++int security_lock_kernel_down(const char *where, enum lockdown_reason level); + #else /* CONFIG_SECURITY */ + + static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data) +@@ -1269,6 +1270,10 @@ static inline int security_locked_down(enum lockdown_reason what) + { + return 0; + } ++static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level) ++{ ++ return 0; ++} + #endif /* CONFIG_SECURITY */ + + #ifdef CONFIG_SECURITY_NETWORK +diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c +index 8a10b43daf74..72a623075749 100644 +--- a/security/lockdown/lockdown.c ++++ b/security/lockdown/lockdown.c +@@ -97,6 +97,7 @@ static int lockdown_is_locked_down(enum lockdown_reason what) + + static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = { + LSM_HOOK_INIT(locked_down, lockdown_is_locked_down), ++ LSM_HOOK_INIT(lock_kernel_down, lock_kernel_down), + }; + + static int __init lockdown_lsm_init(void) +diff --git a/security/security.c b/security/security.c +index 1bc000f834e2..1506b95427cf 100644 +--- a/security/security.c ++++ b/security/security.c +@@ -2404,3 +2404,9 @@ int security_locked_down(enum lockdown_reason what) + return call_int_hook(locked_down, 0, what); + } + EXPORT_SYMBOL(security_locked_down); ++ ++int security_lock_kernel_down(const char *where, enum lockdown_reason level) ++{ ++ return call_int_hook(lock_kernel_down, 0, where, level); ++} ++EXPORT_SYMBOL(security_lock_kernel_down); +-- +2.21.0 + + From b5123d0553f4ed5e734f6457696cdd30228d1eee Mon Sep 17 00:00:00 2001 From: David Howells <dhowells@redhat.com> Date: Tue, 27 Feb 2018 10:04:55 +0000 -Subject: [PATCH 29/31] efi: Add an EFI_SECURE_BOOT flag to indicate secure +Subject: [PATCH 2/3] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT @@ -15,6 +117,7 @@ Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> cc: linux-efi@vger.kernel.org +[Rebased for context; efi_is_table_address was moved to arch/x86] Signed-off-by: Jeremy Cline <jcline@redhat.com> --- arch/x86/kernel/setup.c | 14 +----------- @@ -25,10 +128,10 @@ Signed-off-by: Jeremy Cline <jcline@redhat.com> create mode 100644 drivers/firmware/efi/secureboot.c diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index b74e7bfed6ab..7da1712c89c9 100644 +index bbe35bf879f5..7e528b6af86b 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -1158,19 +1158,7 @@ void __init setup_arch(char **cmdline_p) +@@ -1179,19 +1179,7 @@ void __init setup_arch(char **cmdline_p) /* Allocate bigger log buffer */ setup_log_buf(1); @@ -50,7 +153,7 @@ index b74e7bfed6ab..7da1712c89c9 100644 reserve_initrd(); diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile -index 5f9f5039de50..7a0a6378203e 100644 +index 4ac2de4dfa72..195b078a423c 100644 --- a/drivers/firmware/efi/Makefile +++ b/drivers/firmware/efi/Makefile @@ -24,6 +24,7 @@ obj-$(CONFIG_EFI_FAKE_MEMMAP) += fake_mem.o @@ -59,8 +162,8 @@ index 5f9f5039de50..7a0a6378203e 100644 obj-$(CONFIG_EFI_DEV_PATH_PARSER) += dev-path-parser.o +obj-$(CONFIG_EFI) += secureboot.o obj-$(CONFIG_APPLE_PROPERTIES) += apple-properties.o + obj-$(CONFIG_EFI_RCI2_TABLE) += rci2-table.o - arm-obj-$(CONFIG_EFI) := arm-init.o arm-runtime.o diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c new file mode 100644 index 000000000000..9070055de0a1 @@ -106,10 +209,10 @@ index 000000000000..9070055de0a1 + } +} diff --git a/include/linux/efi.h b/include/linux/efi.h -index 100ce4a4aff6..62361b647a75 100644 +index 21d81021c1f4..758ec061d03b 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -1155,6 +1155,14 @@ extern int __init efi_setup_pcdp_console(char *); +@@ -1204,6 +1204,14 @@ extern int __init efi_setup_pcdp_console(char *); #define EFI_DBG 8 /* Print additional debug info at runtime */ #define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */ #define EFI_MEM_ATTR 10 /* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */ @@ -124,16 +227,16 @@ index 100ce4a4aff6..62361b647a75 100644 #ifdef CONFIG_EFI /* -@@ -1198,6 +1206,8 @@ static inline bool efi_enabled(int feature) +@@ -1214,6 +1222,8 @@ static inline bool efi_enabled(int feature) + return test_bit(feature, &efi.flags) != 0; + } extern void efi_reboot(enum reboot_mode reboot_mode, const char *__unused); - - extern bool efi_is_table_address(unsigned long phys_addr); + +extern void __init efi_set_secure_boot(enum efi_secureboot_mode mode); #else static inline bool efi_enabled(int feature) { -@@ -1216,6 +1226,8 @@ static inline bool efi_is_table_address(unsigned long phys_addr) +@@ -1227,6 +1237,8 @@ efi_capsule_pending(int *reset_type) { return false; } @@ -142,9 +245,7 @@ index 100ce4a4aff6..62361b647a75 100644 #endif extern int efi_status_to_err(efi_status_t status); -@@ -1577,12 +1589,6 @@ efi_status_t efi_setup_gop(efi_system_table_t *sys_table_arg, - #endif - +@@ -1619,12 +1631,6 @@ static inline bool efi_runtime_disabled(void) { return true; } extern void efi_call_virt_check_flags(unsigned long flags, const char *call); extern unsigned long efi_call_virt_save_flags(void); @@ -158,121 +259,76 @@ index 100ce4a4aff6..62361b647a75 100644 #ifdef CONFIG_RESET_ATTACK_MITIGATION -- -2.19.1 +2.21.0 + -From d78bf678059f83e22bec8ada1a448e22b9b90203 Mon Sep 17 00:00:00 2001 +From 15368f76d4997912318d35c52bfeb9041d85098e Mon Sep 17 00:00:00 2001 From: David Howells <dhowells@redhat.com> -Date: Tue, 27 Feb 2018 10:04:55 +0000 -Subject: [PATCH 30/31] efi: Lock down the kernel if booted in secure boot mode +Date: Mon, 30 Sep 2019 21:28:16 +0000 +Subject: [PATCH 3/3] efi: Lock down the kernel if booted in secure boot mode -UEFI Secure Boot provides a mechanism for ensuring that the firmware will -only load signed bootloaders and kernels. Certain use cases may also -require that all kernel modules also be signed. Add a configuration option -that to lock down the kernel - which includes requiring validly signed -modules - if the kernel is secure-booted. +UEFI Secure Boot provides a mechanism for ensuring that the firmware +will only load signed bootloaders and kernels. Certain use cases may +also require that all kernel modules also be signed. Add a +configuration option that to lock down the kernel - which includes +requiring validly signed modules - if the kernel is secure-booted. Signed-off-by: David Howells <dhowells@redhat.com> -Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> -cc: linux-efi@vger.kernel.org +Signed-off-by: Jeremy Cline <jcline@redhat.com> --- - arch/x86/kernel/setup.c | 6 ++++-- - fs/debugfs/inode.c | 2 +- - security/Kconfig | 14 ++++++++++++++ - security/lock_down.c | 5 +++++ - 4 files changed, 20 insertions(+), 3 deletions(-) + arch/x86/kernel/setup.c | 8 ++++++++ + security/lockdown/Kconfig | 13 +++++++++++++ + 2 files changed, 21 insertions(+) diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index adeee6329f55..27a54ec878bd 100644 +index 77ea96b794bd..a119e1bc9623 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -65,6 +65,7 @@ - #include <linux/dma-mapping.h> - #include <linux/ctype.h> - #include <linux/uaccess.h> +@@ -73,6 +73,7 @@ + #include <linux/jiffies.h> + #include <linux/mem_encrypt.h> + #include <linux/sizes.h> +#include <linux/security.h> - #include <linux/percpu.h> - #include <linux/crash_dump.h> -@@ -1005,6 +1006,10 @@ void __init setup_arch(char **cmdline_p) + #include <linux/usb/xhci-dbgp.h> + #include <video/edid.h> +@@ -1027,6 +1028,13 @@ void __init setup_arch(char **cmdline_p) if (efi_enabled(EFI_BOOT)) efi_init(); + efi_set_secure_boot(boot_params.secure_boot); + -+ init_lockdown(); ++#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT ++ if (efi_enabled(EFI_SECURE_BOOT)) ++ security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_CONFIDENTIALITY_MAX); ++#endif + dmi_setup(); /* -@@ -1159,8 +1164,6 @@ void __init setup_arch(char **cmdline_p) - /* Allocate bigger log buffer */ - setup_log_buf(1); - -- efi_set_secure_boot(boot_params.secure_boot); -- - reserve_initrd(); - - acpi_table_upgrade(); -diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c -index ce261e1765ff..7aff55b309a6 100644 ---- a/fs/debugfs/inode.c -+++ b/fs/debugfs/inode.c -@@ -40,7 +40,7 @@ static bool debugfs_registered; - static int debugfs_setattr(struct dentry *dentry, struct iattr *ia) - { - if ((ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) && -- kernel_is_locked_down("debugfs")) -+ kernel_is_locked_down("changing perms in debugfs")) - return -EPERM; - return simple_setattr(dentry, ia); - } -diff --git a/security/Kconfig b/security/Kconfig -index 9c343f262bdd..30788bc47863 100644 ---- a/security/Kconfig -+++ b/security/Kconfig -@@ -244,6 +244,20 @@ config LOCK_DOWN_KERNEL_FORCE - Allow the lockdown on a kernel to be lifted, by pressing a SysRq key - combination on a wired keyboard. On x86, this is SysRq+x. +diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig +index e84ddf484010..d0501353a4b9 100644 +--- a/security/lockdown/Kconfig ++++ b/security/lockdown/Kconfig +@@ -16,6 +16,19 @@ config SECURITY_LOCKDOWN_LSM_EARLY + subsystem is fully initialised. If enabled, lockdown will + unconditionally be called before any other LSMs. +config LOCK_DOWN_IN_EFI_SECURE_BOOT + bool "Lock down the kernel in EFI Secure Boot mode" + default n -+ select LOCK_DOWN_KERNEL -+ depends on EFI ++ depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY + help + UEFI Secure Boot provides a mechanism for ensuring that the firmware + will only load signed bootloaders and kernels. Secure boot mode may + be determined from EFI variables provided by the system firmware if + not indicated by the boot parameters. + -+ Enabling this option turns on results in kernel lockdown being -+ triggered if EFI Secure Boot is set. ++ Enabling this option results in kernel lockdown being triggered if ++ EFI Secure Boot is set. + - source "security/selinux/Kconfig" - source "security/smack/Kconfig" - source "security/tomoyo/Kconfig" -diff --git a/security/lock_down.c b/security/lock_down.c -index ee00ca2677e7..bb4dc7838f3e 100644 ---- a/security/lock_down.c -+++ b/security/lock_down.c -@@ -12,6 +12,7 @@ - - #include <linux/security.h> - #include <linux/export.h> -+#include <linux/efi.h> - #include <linux/sysrq.h> - #include <asm/setup.h> - -@@ -44,6 +45,10 @@ void __init init_lockdown(void) - #ifdef CONFIG_LOCK_DOWN_FORCE - lock_kernel_down("Kernel configuration"); - #endif -+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT -+ if (efi_enabled(EFI_SECURE_BOOT)) -+ lock_kernel_down("EFI secure boot"); -+#endif - } - - /** + choice + prompt "Kernel default lockdown mode" + default LOCK_DOWN_KERNEL_FORCE_NONE -- -2.14.3 +2.21.0 |