Diffstat (limited to 'secure-modules.patch')
-rw-r--r-- | secure-modules.patch | 877 |
1 files changed, 0 insertions, 877 deletions
diff --git a/secure-modules.patch b/secure-modules.patch deleted file mode 100644 index e88d617ce..000000000 --- a/secure-modules.patch +++ /dev/null 
@@ -1,877 +0,0 @@ -Bugzilla: N/A -Upstream-status: Fedora mustard. Replaced by securelevels, but that was nak'd - -From c66361cce3b23ea9c7fa8010f55e1fe31c23d5b1 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <matthew.garrett@nebula.com> -Date: Fri, 9 Aug 2013 17:58:15 -0400 -Subject: [PATCH 01/14] Add secure_modules() call - -Provide a single call to allow kernel code to determine whether the system -has been configured to either disable module loading entirely or to load -only modules signed with a trusted key. - -Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> ---- - include/linux/module.h | 7 +++++++ - kernel/module.c | 10 ++++++++++ - 2 files changed, 17 insertions(+) - -diff --git a/include/linux/module.h b/include/linux/module.h -index f520a767c86c..fc9b54eb779e 100644 ---- a/include/linux/module.h -+++ b/include/linux/module.h -@@ -509,6 +509,8 @@ int unregister_module_notifier(struct notifier_block *nb); - - extern void print_modules(void); - -+extern bool secure_modules(void); -+ - #else /* !CONFIG_MODULES... */ - - /* Given an address, look for it in the exception tables. 
*/ -@@ -619,6 +621,11 @@ static inline int unregister_module_notifier(struct notifier_block *nb) - static inline void print_modules(void) - { - } -+ -+static inline bool secure_modules(void) -+{ -+ return false; -+} - #endif /* CONFIG_MODULES */ - - #ifdef CONFIG_SYSFS -diff --git a/kernel/module.c b/kernel/module.c -index ae79ce615cb9..e8909e2a8b96 100644 ---- a/kernel/module.c -+++ b/kernel/module.c -@@ -3839,3 +3839,13 @@ void module_layout(struct module *mod, - } - EXPORT_SYMBOL(module_layout); - #endif -+ -+bool secure_modules(void) -+{ -+#ifdef CONFIG_MODULE_SIG -+ return (sig_enforce || modules_disabled); -+#else -+ return modules_disabled; -+#endif -+} -+EXPORT_SYMBOL(secure_modules); --- -2.0.4 - - -From eb614212bd2ad9acb2a279c669624a174899e0d5 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <matthew.garrett@nebula.com> -Date: Thu, 8 Mar 2012 10:10:38 -0500 -Subject: [PATCH 02/14] PCI: Lock down BAR access when module security is - enabled - -Any hardware that can potentially generate DMA has to be locked down from -userspace in order to avoid it being possible for an attacker to modify -kernel code, allowing them to circumvent disabled module loading or module -signing. Default to paranoid - in future we can potentially relax this for -sufficiently IOMMU-isolated devices. 
- -Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> ---- - drivers/pci/pci-sysfs.c | 10 ++++++++++ - drivers/pci/proc.c | 8 +++++++- - drivers/pci/syscall.c | 3 ++- - 3 files changed, 19 insertions(+), 2 deletions(-) - -diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c -index 9ff0a901ecf7..8d0d5d92b8d9 100644 ---- a/drivers/pci/pci-sysfs.c -+++ b/drivers/pci/pci-sysfs.c -@@ -30,6 +30,7 @@ - #include <linux/vgaarb.h> - #include <linux/pm_runtime.h> - #include <linux/of.h> -+#include <linux/module.h> - #include "pci.h" - - static int sysfs_initialized; /* = 0 */ -@@ -704,6 +705,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, - loff_t init_off = off; - u8 *data = (u8 *) buf; - -+ if (secure_modules()) -+ return -EPERM; -+ - if (off > dev->cfg_size) - return 0; - if (off + count > dev->cfg_size) { -@@ -998,6 +1002,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, - resource_size_t start, end; - int i; - -+ if (secure_modules()) -+ return -EPERM; -+ - for (i = 0; i < PCI_ROM_RESOURCE; i++) - if (res == &pdev->resource[i]) - break; -@@ -1099,6 +1106,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, - struct bin_attribute *attr, char *buf, - loff_t off, size_t count) - { -+ if (secure_modules()) -+ return -EPERM; -+ - return pci_resource_io(filp, kobj, attr, buf, off, count, true); - } - -diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c -index 3f155e78513f..4265ea07e3b0 100644 ---- a/drivers/pci/proc.c -+++ b/drivers/pci/proc.c -@@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, - int size = dev->cfg_size; - int cnt; - -+ if (secure_modules()) -+ return -EPERM; -+ - if (pos >= size) - return 0; - if (nbytes >= size) -@@ -195,6 +198,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd, - #endif /* HAVE_PCI_MMAP */ - int ret = 0; - -+ if (secure_modules()) -+ return -EPERM; -+ - switch 
(cmd) { - case PCIIOC_CONTROLLER: - ret = pci_domain_nr(dev->bus); -@@ -233,7 +239,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma) - struct pci_filp_private *fpriv = file->private_data; - int i, ret; - -- if (!capable(CAP_SYS_RAWIO)) -+ if (!capable(CAP_SYS_RAWIO) || secure_modules()) - return -EPERM; - - /* Make sure the caller is mapping a real resource for this device */ -diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c -index b91c4da68365..98f5637304d1 100644 ---- a/drivers/pci/syscall.c -+++ b/drivers/pci/syscall.c -@@ -10,6 +10,7 @@ - #include <linux/errno.h> - #include <linux/pci.h> - #include <linux/syscalls.h> -+#include <linux/module.h> - #include <asm/uaccess.h> - #include "pci.h" - -@@ -92,7 +93,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, - u32 dword; - int err = 0; - -- if (!capable(CAP_SYS_ADMIN)) -+ if (!capable(CAP_SYS_ADMIN) || secure_modules()) - return -EPERM; - - dev = pci_get_bus_and_slot(bus, dfn); --- -2.0.4 - - -From 6774235b4571f527a2a101c291434f43fc8b668c Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <matthew.garrett@nebula.com> -Date: Thu, 8 Mar 2012 10:35:59 -0500 -Subject: [PATCH 03/14] x86: Lock down IO port access when module security is - enabled - -IO port access would permit users to gain access to PCI configuration -registers, which in turn (on a lot of hardware) give access to MMIO register -space. This would potentially permit root to trigger arbitrary DMA, so lock -it down by default. 
- -Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> ---- - arch/x86/kernel/ioport.c | 5 +++-- - drivers/char/mem.c | 4 ++++ - 2 files changed, 7 insertions(+), 2 deletions(-) - -diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c -index 4ddaf66ea35f..00b440307419 100644 ---- a/arch/x86/kernel/ioport.c -+++ b/arch/x86/kernel/ioport.c -@@ -15,6 +15,7 @@ - #include <linux/thread_info.h> - #include <linux/syscalls.h> - #include <linux/bitmap.h> -+#include <linux/module.h> - #include <asm/syscalls.h> - - /* -@@ -28,7 +29,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on) - - if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) - return -EINVAL; -- if (turn_on && !capable(CAP_SYS_RAWIO)) -+ if (turn_on && (!capable(CAP_SYS_RAWIO) || secure_modules())) - return -EPERM; - - /* -@@ -103,7 +104,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) - return -EINVAL; - /* Trying to gain more privileges? */ - if (level > old) { -- if (!capable(CAP_SYS_RAWIO)) -+ if (!capable(CAP_SYS_RAWIO) || secure_modules()) - return -EPERM; - } - regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12); -diff --git a/drivers/char/mem.c b/drivers/char/mem.c -index 917403fe10da..cdf839f9defe 100644 ---- a/drivers/char/mem.c -+++ b/drivers/char/mem.c -@@ -27,6 +27,7 @@ - #include <linux/export.h> - #include <linux/io.h> - #include <linux/aio.h> -+#include <linux/module.h> - - #include <asm/uaccess.h> - -@@ -568,6 +569,9 @@ static ssize_t write_port(struct file *file, const char __user *buf, - unsigned long i = *ppos; - const char __user *tmp = buf; - -+ if (secure_modules()) -+ return -EPERM; -+ - if (!access_ok(VERIFY_READ, buf, count)) - return -EFAULT; - while (count-- > 0 && i < 65536) { --- -2.0.4 - - -From 8693d39f3b0d3f43dbc45f9a1961e695e8a21373 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <matthew.garrett@nebula.com> -Date: Fri, 9 Mar 2012 08:39:37 -0500 -Subject: [PATCH 04/14] ACPI: Limit access to custom_method - 
-custom_method effectively allows arbitrary access to system memory, making -it possible for an attacker to circumvent restrictions on module loading. -Disable it if any such restrictions have been enabled. - -Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> ---- - drivers/acpi/custom_method.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c -index c68e72414a67..4277938af700 100644 ---- a/drivers/acpi/custom_method.c -+++ b/drivers/acpi/custom_method.c -@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, - struct acpi_table_header table; - acpi_status status; - -+ if (secure_modules()) -+ return -EPERM; -+ - if (!(*ppos)) { - /* parse the table header to get the table length */ - if (count <= sizeof(struct acpi_table_header)) --- -2.0.4 - - -From 7e5fa9a5109284bcd70c8ae2fc82265e2617a31c Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <matthew.garrett@nebula.com> -Date: Fri, 9 Mar 2012 08:46:50 -0500 -Subject: [PATCH 05/14] asus-wmi: Restrict debugfs interface when module - loading is restricted - -We have no way of validating what all of the Asus WMI methods do on a -given machine, and there's a risk that some will allow hardware state to -be manipulated in such a way that arbitrary code can be executed in the -kernel, circumventing module loading restrictions. Prevent that if any of -these features are enabled. 
- -Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> ---- - drivers/platform/x86/asus-wmi.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c -index 3c6ccedc82b6..960c46536c65 100644 ---- a/drivers/platform/x86/asus-wmi.c -+++ b/drivers/platform/x86/asus-wmi.c -@@ -1592,6 +1592,9 @@ static int show_dsts(struct seq_file *m, void *data) - int err; - u32 retval = -1; - -+ if (secure_modules()) -+ return -EPERM; -+ - err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval); - - if (err < 0) -@@ -1608,6 +1611,9 @@ static int show_devs(struct seq_file *m, void *data) - int err; - u32 retval = -1; - -+ if (secure_modules()) -+ return -EPERM; -+ - err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param, - &retval); - -@@ -1632,6 +1638,9 @@ static int show_call(struct seq_file *m, void *data) - union acpi_object *obj; - acpi_status status; - -+ if (secure_modules()) -+ return -EPERM; -+ - status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID, - 1, asus->debug.method_id, - &input, &output); --- -2.0.4 - - -From 7ed379a80612df99b1220869003522211d23bd96 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <matthew.garrett@nebula.com> -Date: Fri, 9 Mar 2012 09:28:15 -0500 -Subject: [PATCH 06/14] Restrict /dev/mem and /dev/kmem when module loading is - restricted - -Allowing users to write to address space makes it possible for the kernel -to be subverted, avoiding module loading restrictions. Prevent this when -any restrictions have been imposed on loading modules. 
- -Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> ---- - drivers/char/mem.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/drivers/char/mem.c b/drivers/char/mem.c -index cdf839f9defe..c63cf93b00eb 100644 ---- a/drivers/char/mem.c -+++ b/drivers/char/mem.c -@@ -164,6 +164,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf, - if (p != *ppos) - return -EFBIG; - -+ if (secure_modules()) -+ return -EPERM; -+ - if (!valid_phys_addr_range(p, count)) - return -EFAULT; - -@@ -502,6 +505,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf, - char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */ - int err = 0; - -+ if (secure_modules()) -+ return -EPERM; -+ - if (p < (unsigned long) high_memory) { - unsigned long to_write = min_t(unsigned long, count, - (unsigned long)high_memory - p); --- -2.0.4 - - -From c46f20cad9d85bbf467162dddb56759e7b02e0f2 Mon Sep 17 00:00:00 2001 -From: Josh Boyer <jwboyer@redhat.com> -Date: Mon, 25 Jun 2012 19:57:30 -0400 -Subject: [PATCH 07/14] acpi: Ignore acpi_rsdp kernel parameter when module - loading is restricted - -This option allows userspace to pass the RSDP address to the kernel, which -makes it possible for a user to circumvent any restrictions imposed on -loading modules. Disable it in that case. 
- -Signed-off-by: Josh Boyer <jwboyer@redhat.com> ---- - drivers/acpi/osl.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c -index bad25b070fe0..0606585e8b93 100644 ---- a/drivers/acpi/osl.c -+++ b/drivers/acpi/osl.c -@@ -44,6 +44,7 @@ - #include <linux/list.h> - #include <linux/jiffies.h> - #include <linux/semaphore.h> -+#include <linux/module.h> - - #include <asm/io.h> - #include <asm/uaccess.h> -@@ -245,7 +246,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); - acpi_physical_address __init acpi_os_get_root_pointer(void) - { - #ifdef CONFIG_KEXEC -- if (acpi_rsdp) -+ if (acpi_rsdp && !secure_modules()) - return acpi_rsdp; - #endif - --- -2.0.4 - - -From 8cb020222a1602bd196163d132b95bb1f69925b2 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <matthew.garrett@nebula.com> -Date: Fri, 9 Aug 2013 03:33:56 -0400 -Subject: [PATCH 08/14] kexec: Disable at runtime if the kernel enforces module - loading restrictions - -kexec permits the loading and execution of arbitrary code in ring 0, which -is something that module signing enforcement is meant to prevent. It makes -sense to disable kexec in this situation. 
- -Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> ---- - kernel/kexec.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/kernel/kexec.c b/kernel/kexec.c -index 4b8f0c925884..df14daa323a9 100644 ---- a/kernel/kexec.c -+++ b/kernel/kexec.c -@@ -34,6 +34,7 @@ - #include <linux/syscore_ops.h> - #include <linux/compiler.h> - #include <linux/hugetlb.h> -+#include <linux/module.h> - - #include <asm/page.h> - #include <asm/uaccess.h> -@@ -947,6 +948,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, - return -EPERM; - - /* -+ * kexec can be used to circumvent module loading restrictions, so -+ * prevent loading in that case -+ */ -+ if (secure_modules()) -+ return -EPERM; -+ -+ /* - * Verify we have a legal set of flags - * This leaves us room for future extensions. - */ --- -2.0.4 - - -From 2e30f7a56dcccf68c9c62dfdc791664f07737e94 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <matthew.garrett@nebula.com> -Date: Fri, 8 Feb 2013 11:12:13 -0800 -Subject: [PATCH 09/14] x86: Restrict MSR access when module loading is - restricted - -Writing to MSRs should not be allowed if module loading is restricted, -since it could lead to execution of arbitrary code in kernel mode. Based -on a patch by Kees Cook. 
- -Cc: Kees Cook <keescook@chromium.org> -Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> ---- - arch/x86/kernel/msr.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c -index c9603ac80de5..8bef43fc3f40 100644 ---- a/arch/x86/kernel/msr.c -+++ b/arch/x86/kernel/msr.c -@@ -103,6 +103,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf, - int err = 0; - ssize_t bytes = 0; - -+ if (secure_modules()) -+ return -EPERM; -+ - if (count % 8) - return -EINVAL; /* Invalid chunk size */ - -@@ -150,6 +153,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg) - err = -EBADF; - break; - } -+ if (secure_modules()) { -+ err = -EPERM; -+ break; -+ } - if (copy_from_user(®s, uregs, sizeof regs)) { - err = -EFAULT; - break; --- -2.0.4 - - -From f3437ca79d1ddd12ebdff439c4c3931ba0081a1e Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <matthew.garrett@nebula.com> -Date: Fri, 9 Aug 2013 18:36:30 -0400 -Subject: [PATCH 10/14] Add option to automatically enforce module signatures - when in Secure Boot mode - -UEFI Secure Boot provides a mechanism for ensuring that the firmware will -only load signed bootloaders and kernels. Certain use cases may also -require that all kernel modules also be signed. Add a configuration option -that enforces this automatically when enabled. 
- -Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> ---- - Documentation/x86/zero-page.txt | 2 ++ - arch/x86/Kconfig | 10 ++++++++++ - arch/x86/boot/compressed/eboot.c | 36 +++++++++++++++++++++++++++++++++++ - arch/x86/include/uapi/asm/bootparam.h | 3 ++- - arch/x86/kernel/setup.c | 6 ++++++ - include/linux/module.h | 6 ++++++ - kernel/module.c | 7 +++++++ - 7 files changed, 69 insertions(+), 1 deletion(-) - -diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt -index 199f453cb4de..ec38acf00b40 100644 ---- a/Documentation/x86/zero-page.txt -+++ b/Documentation/x86/zero-page.txt -@@ -30,6 +30,8 @@ Offset Proto Name Meaning - 1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below) - 1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer - (below) -+1EB/001 ALL kbd_status Numlock is enabled -+1EC/001 ALL secure_boot Secure boot is enabled in the firmware - 1EF/001 ALL sentinel Used to detect broken bootloaders - 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures - 2D0/A00 ALL e820_map E820 memory map table -diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 6b71f0417293..67e25e3c8583 100644 ---- a/arch/x86/Kconfig -+++ b/arch/x86/Kconfig -@@ -1559,6 +1559,16 @@ config EFI_MIXED - - If unsure, say N. - -+config EFI_SECURE_BOOT_SIG_ENFORCE -+ def_bool n -+ prompt "Force module signing when UEFI Secure Boot is enabled" -+ ---help--- -+ UEFI Secure Boot provides a mechanism for ensuring that the -+ firmware will only load signed bootloaders and kernels. Certain -+ use cases may also require that all kernel modules also be signed. -+ Say Y here to automatically enable module signature enforcement -+ when a system boots with UEFI Secure Boot enabled. 
-+ - config SECCOMP - def_bool y - prompt "Enable seccomp to safely compute untrusted bytecode" -diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index f277184e2ac1..88edd48f03e9 100644 ---- a/arch/x86/boot/compressed/eboot.c -+++ b/arch/x86/boot/compressed/eboot.c -@@ -12,6 +12,7 @@ - #include <asm/efi.h> - #include <asm/setup.h> - #include <asm/desc.h> -+#include <asm/bootparam_utils.h> - - #undef memcpy /* Use memcpy from misc.c */ - -@@ -803,6 +804,37 @@ out: - return status; - } - -+static int get_secure_boot(void) -+{ -+ u8 sb, setup; -+ unsigned long datasize = sizeof(sb); -+ efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; -+ efi_status_t status; -+ -+ status = efi_early->call((unsigned long)sys_table->runtime->get_variable, -+ L"SecureBoot", &var_guid, NULL, &datasize, &sb); -+ -+ if (status != EFI_SUCCESS) -+ return 0; -+ -+ if (sb == 0) -+ return 0; -+ -+ -+ status = efi_early->call((unsigned long)sys_table->runtime->get_variable, -+ L"SetupMode", &var_guid, NULL, &datasize, -+ &setup); -+ -+ if (status != EFI_SUCCESS) -+ return 0; -+ -+ if (setup == 1) -+ return 0; -+ -+ return 1; -+} -+ -+ - /* - * See if we have Graphics Output Protocol - */ -@@ -1374,6 +1406,10 @@ struct boot_params *efi_main(struct efi_config *c, - else - setup_boot_services32(efi_early); - -+ sanitize_boot_params(boot_params); -+ -+ boot_params->secure_boot = get_secure_boot(); -+ - setup_graphics(boot_params); - - status = setup_efi_pci(boot_params); -diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h -index 225b0988043a..90dbfb73e11f 100644 ---- a/arch/x86/include/uapi/asm/bootparam.h -+++ b/arch/x86/include/uapi/asm/bootparam.h -@@ -133,7 +133,8 @@ struct boot_params { - __u8 eddbuf_entries; /* 0x1e9 */ - __u8 edd_mbr_sig_buf_entries; /* 0x1ea */ - __u8 kbd_status; /* 0x1eb */ -- __u8 _pad5[3]; /* 0x1ec */ -+ __u8 secure_boot; /* 0x1ec */ -+ __u8 _pad5[2]; /* 0x1ed */ - /* - * The sentinel is set to a 
nonzero value (0xff) in header.S. - * -diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 41ead8d3bc0b..5a5cf7395724 100644 ---- a/arch/x86/kernel/setup.c -+++ b/arch/x86/kernel/setup.c -@@ -1142,6 +1142,12 @@ void __init setup_arch(char **cmdline_p) - - io_delay_init(); - -+#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE -+ if (boot_params.secure_boot) { -+ enforce_signed_modules(); -+ } -+#endif -+ - /* - * Parse the ACPI tables for possible boot-time SMP configuration. - */ -diff --git a/include/linux/module.h b/include/linux/module.h -index fc9b54eb779e..7377bc851461 100644 ---- a/include/linux/module.h -+++ b/include/linux/module.h -@@ -188,6 +188,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add); - - struct notifier_block; - -+#ifdef CONFIG_MODULE_SIG -+extern void enforce_signed_modules(void); -+#else -+static inline void enforce_signed_modules(void) {}; -+#endif -+ - #ifdef CONFIG_MODULES - - extern int modules_disabled; /* for sysctl */ -diff --git a/kernel/module.c b/kernel/module.c -index e8909e2a8b96..7d5b301efa01 100644 ---- a/kernel/module.c -+++ b/kernel/module.c -@@ -3840,6 +3840,13 @@ void module_layout(struct module *mod, - EXPORT_SYMBOL(module_layout); - #endif - -+#ifdef CONFIG_MODULE_SIG -+void enforce_signed_modules(void) -+{ -+ sig_enforce = true; -+} -+#endif -+ - bool secure_modules(void) - { - #ifdef CONFIG_MODULE_SIG --- -2.0.4 - - -From ad56618c3851b102d59bab12d946bcce41caa48f Mon Sep 17 00:00:00 2001 -From: Josh Boyer <jwboyer@fedoraproject.org> -Date: Tue, 5 Feb 2013 19:25:05 -0500 -Subject: [PATCH 11/14] efi: Disable secure boot if shim is in insecure mode - -A user can manually tell the shim boot loader to disable validation of -images it loads. When a user does this, it creates a UEFI variable called -MokSBState that does not have the runtime attribute set. Given that the -user explicitly disabled validation, we can honor that and not enable -secure boot mode if that variable is set. 
- -Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> ---- - arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++- - 1 file changed, 19 insertions(+), 1 deletion(-) - -diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index 88edd48f03e9..3b18ef2b534c 100644 ---- a/arch/x86/boot/compressed/eboot.c -+++ b/arch/x86/boot/compressed/eboot.c -@@ -806,8 +806,9 @@ out: - - static int get_secure_boot(void) - { -- u8 sb, setup; -+ u8 sb, setup, moksbstate; - unsigned long datasize = sizeof(sb); -+ u32 attr; - efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; - efi_status_t status; - -@@ -831,6 +832,23 @@ static int get_secure_boot(void) - if (setup == 1) - return 0; - -+ /* See if a user has put shim into insecure_mode. If so, and the variable -+ * doesn't have the runtime attribute set, we might as well honor that. -+ */ -+ var_guid = EFI_SHIM_LOCK_GUID; -+ status = efi_early->call((unsigned long)sys_table->runtime->get_variable, -+ L"MokSBState", &var_guid, &attr, &datasize, -+ &moksbstate); -+ -+ /* If it fails, we don't care why. Default to secure */ -+ if (status != EFI_SUCCESS) -+ return 1; -+ -+ if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) { -+ if (moksbstate == 1) -+ return 0; -+ } -+ - return 1; - } - --- -2.0.4 - - -From d3bcd51e1e47252afa3b2bb4da781b358da7d3d0 Mon Sep 17 00:00:00 2001 -From: Josh Boyer <jwboyer@fedoraproject.org> -Date: Tue, 27 Aug 2013 13:28:43 -0400 -Subject: [PATCH 12/14] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI - -The functionality of the config option is dependent upon the platform being -UEFI based. Reflect this in the config deps. - -Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> ---- - arch/x86/Kconfig | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 67e25e3c8583..a46be2f21b95 100644 ---- a/arch/x86/Kconfig -+++ b/arch/x86/Kconfig -@@ -1560,7 +1560,8 @@ config EFI_MIXED - If unsure, say N. 
- - config EFI_SECURE_BOOT_SIG_ENFORCE -- def_bool n -+ def_bool n -+ depends on EFI - prompt "Force module signing when UEFI Secure Boot is enabled" - ---help--- - UEFI Secure Boot provides a mechanism for ensuring that the --- -2.0.4 - - -From 3d30f2c07daac85befa76ac44b4dc4db3d64a018 Mon Sep 17 00:00:00 2001 -From: Josh Boyer <jwboyer@fedoraproject.org> -Date: Tue, 27 Aug 2013 13:33:03 -0400 -Subject: [PATCH 13/14] efi: Add EFI_SECURE_BOOT bit - -UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit -for use with efi_enabled. - -Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> ---- - arch/x86/kernel/setup.c | 2 ++ - include/linux/efi.h | 1 + - 2 files changed, 3 insertions(+) - -diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 5a5cf7395724..fb282ff6a802 100644 ---- a/arch/x86/kernel/setup.c -+++ b/arch/x86/kernel/setup.c -@@ -1144,7 +1144,9 @@ void __init setup_arch(char **cmdline_p) - - #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE - if (boot_params.secure_boot) { -+ set_bit(EFI_SECURE_BOOT, &efi.flags); - enforce_signed_modules(); -+ pr_info("Secure boot enabled\n"); - } - #endif - -diff --git a/include/linux/efi.h b/include/linux/efi.h -index efc681fd5895..3f683a13d7aa 100644 ---- a/include/linux/efi.h -+++ b/include/linux/efi.h -@@ -923,6 +923,7 @@ extern int __init efi_setup_pcdp_console(char *); - #define EFI_64BIT 5 /* Is the firmware 64-bit? */ - #define EFI_PARAVIRT 6 /* Access is via a paravirt interface */ - #define EFI_ARCH_1 7 /* First arch-specific bit */ -+#define EFI_SECURE_BOOT 8 /* Are we in Secure Boot mode? */ - - #ifdef CONFIG_EFI - /* --- -2.0.4 - - -From f19107379dbcfced86458de8ad9cf8a6443567e9 Mon Sep 17 00:00:00 2001 -From: Josh Boyer <jwboyer@fedoraproject.org> -Date: Fri, 20 Jun 2014 08:53:24 -0400 -Subject: [PATCH 14/14] hibernate: Disable in a signed modules environment - -There is currently no way to verify the resume image when returning -from hibernate. 
This might compromise the signed modules trust model, -so until we can work with signed hibernate images we disable it in -a secure modules environment. - -Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> ---- - kernel/power/hibernate.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c -index a9dfa79b6bab..14c7356ff53a 100644 ---- a/kernel/power/hibernate.c -+++ b/kernel/power/hibernate.c -@@ -28,6 +28,7 @@ - #include <linux/syscore_ops.h> - #include <linux/ctype.h> - #include <linux/genhd.h> -+#include <linux/module.h> - #include <trace/events/power.h> - - #include "power.h" -@@ -65,7 +66,7 @@ static const struct platform_hibernation_ops *hibernation_ops; - - bool hibernation_available(void) - { -- return (nohibernate == 0); -+ return ((nohibernate == 0) && !secure_modules()); - } - - /** --- -2.0.4 - |