From 007e505ae0ba5e967c5aebf29885a44263042654 Mon Sep 17 00:00:00 2001
From: Justin Forbes <jmforbes@xps.linuxtx.org>
Date: Mon, 30 Dec 2019 10:46:19 -0600
Subject: Linux v5.4.6 rebase

---
 efi-secureboot.patch | 254 +++++++++++++++++++++++++++++++--------------------
 1 file changed, 155 insertions(+), 99 deletions(-)

(limited to 'efi-secureboot.patch')

diff --git a/efi-secureboot.patch b/efi-secureboot.patch
index bb5b47b42..ee5382029 100644
--- a/efi-secureboot.patch
+++ b/efi-secureboot.patch
@@ -1,7 +1,109 @@
+From 478a0cff698409224330ea9e25eb332220b55dbb Mon Sep 17 00:00:00 2001
+From: Jeremy Cline <jcline@redhat.com>
+Date: Mon, 30 Sep 2019 21:22:47 +0000
+Subject: [PATCH 1/3] security: lockdown: expose a hook to lock the kernel down
+
+In order to automatically lock down kernels running on UEFI machines
+booted in Secure Boot mode, expose the lock_kernel_down() hook.
+
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+---
+ include/linux/lsm_hooks.h    | 8 ++++++++
+ include/linux/security.h     | 5 +++++
+ security/lockdown/lockdown.c | 1 +
+ security/security.c          | 6 ++++++
+ 4 files changed, 20 insertions(+)
+
+diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
+index a3763247547c..8d76d1f153ed 100644
+--- a/include/linux/lsm_hooks.h
++++ b/include/linux/lsm_hooks.h
+@@ -1454,6 +1454,12 @@
+  *     code execution in kernel space should be permitted.
+  *
+  *     @what: kernel feature being accessed
++ *
++ * @lock_kernel_down
++ *     Put the kernel into lock-down mode.
++ *
++ *     @where: Where the lock-down is originating from (e.g. command line option)
++ *     @level: The lock-down level (can only increase)
+  */
+ union security_list_options {
+ 	int (*binder_set_context_mgr)(struct task_struct *mgr);
+@@ -1818,6 +1824,7 @@ union security_list_options {
+ 	void (*bpf_prog_free_security)(struct bpf_prog_aux *aux);
+ #endif /* CONFIG_BPF_SYSCALL */
+ 	int (*locked_down)(enum lockdown_reason what);
++	int (*lock_kernel_down)(const char *where, enum lockdown_reason level);
+ };
+ 
+ struct security_hook_heads {
+@@ -2060,6 +2067,7 @@ struct security_hook_heads {
+ 	struct hlist_head bpf_prog_free_security;
+ #endif /* CONFIG_BPF_SYSCALL */
+ 	struct hlist_head locked_down;
++	struct hlist_head lock_kernel_down;
+ } __randomize_layout;
+ 
+ /*
+diff --git a/include/linux/security.h b/include/linux/security.h
+index a8d59d612d27..467b9ccdf993 100644
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -442,6 +442,7 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
+ int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
+ int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
+ int security_locked_down(enum lockdown_reason what);
++int security_lock_kernel_down(const char *where, enum lockdown_reason level);
+ #else /* CONFIG_SECURITY */
+ 
+ static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
+@@ -1269,6 +1270,10 @@ static inline int security_locked_down(enum lockdown_reason what)
+ {
+ 	return 0;
+ }
++static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level)
++{
++	return 0;
++}
+ #endif	/* CONFIG_SECURITY */
+ 
+ #ifdef CONFIG_SECURITY_NETWORK
+diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
+index 8a10b43daf74..72a623075749 100644
+--- a/security/lockdown/lockdown.c
++++ b/security/lockdown/lockdown.c
+@@ -97,6 +97,7 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
+ 
+ static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = {
+ 	LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
++	LSM_HOOK_INIT(lock_kernel_down, lock_kernel_down),
+ };
+ 
+ static int __init lockdown_lsm_init(void)
+diff --git a/security/security.c b/security/security.c
+index 1bc000f834e2..1506b95427cf 100644
+--- a/security/security.c
++++ b/security/security.c
+@@ -2404,3 +2404,9 @@ int security_locked_down(enum lockdown_reason what)
+ 	return call_int_hook(locked_down, 0, what);
+ }
+ EXPORT_SYMBOL(security_locked_down);
++
++int security_lock_kernel_down(const char *where, enum lockdown_reason level)
++{
++	return call_int_hook(lock_kernel_down, 0, where, level);
++}
++EXPORT_SYMBOL(security_lock_kernel_down);
+-- 
+2.21.0
+
+
 From b5123d0553f4ed5e734f6457696cdd30228d1eee Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 27 Feb 2018 10:04:55 +0000
-Subject: [PATCH 29/31] efi: Add an EFI_SECURE_BOOT flag to indicate secure
+Subject: [PATCH 2/3] efi: Add an EFI_SECURE_BOOT flag to indicate secure
  boot mode
 
 UEFI machines can be booted in Secure Boot mode.  Add an EFI_SECURE_BOOT
@@ -15,6 +117,7 @@ Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
 Signed-off-by: David Howells <dhowells@redhat.com>
 Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
 cc: linux-efi@vger.kernel.org
+[Rebased for context; efi_is_table_address was moved to arch/x86]
 Signed-off-by: Jeremy Cline <jcline@redhat.com>
 ---
  arch/x86/kernel/setup.c           | 14 +-----------
@@ -25,10 +128,10 @@ Signed-off-by: Jeremy Cline <jcline@redhat.com>
  create mode 100644 drivers/firmware/efi/secureboot.c
 
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index b74e7bfed6ab..7da1712c89c9 100644
+index bbe35bf879f5..7e528b6af86b 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -1158,19 +1158,7 @@ void __init setup_arch(char **cmdline_p)
+@@ -1179,19 +1179,7 @@ void __init setup_arch(char **cmdline_p)
  	/* Allocate bigger log buffer */
  	setup_log_buf(1);
  
@@ -50,7 +153,7 @@ index b74e7bfed6ab..7da1712c89c9 100644
  	reserve_initrd();
  
 diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile
-index 5f9f5039de50..7a0a6378203e 100644
+index 4ac2de4dfa72..195b078a423c 100644
 --- a/drivers/firmware/efi/Makefile
 +++ b/drivers/firmware/efi/Makefile
 @@ -24,6 +24,7 @@ obj-$(CONFIG_EFI_FAKE_MEMMAP)		+= fake_mem.o
@@ -59,8 +162,8 @@ index 5f9f5039de50..7a0a6378203e 100644
  obj-$(CONFIG_EFI_DEV_PATH_PARSER)	+= dev-path-parser.o
 +obj-$(CONFIG_EFI)			+= secureboot.o
  obj-$(CONFIG_APPLE_PROPERTIES)		+= apple-properties.o
+ obj-$(CONFIG_EFI_RCI2_TABLE)		+= rci2-table.o
  
- arm-obj-$(CONFIG_EFI)			:= arm-init.o arm-runtime.o
 diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c
 new file mode 100644
 index 000000000000..9070055de0a1
@@ -106,10 +209,10 @@ index 000000000000..9070055de0a1
 +	}
 +}
 diff --git a/include/linux/efi.h b/include/linux/efi.h
-index 100ce4a4aff6..62361b647a75 100644
+index 21d81021c1f4..758ec061d03b 100644
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -1155,6 +1155,14 @@ extern int __init efi_setup_pcdp_console(char *);
+@@ -1204,6 +1204,14 @@ extern int __init efi_setup_pcdp_console(char *);
  #define EFI_DBG			8	/* Print additional debug info at runtime */
  #define EFI_NX_PE_DATA		9	/* Can runtime data regions be mapped non-executable? */
  #define EFI_MEM_ATTR		10	/* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */
@@ -124,16 +227,16 @@ index 100ce4a4aff6..62361b647a75 100644
  
  #ifdef CONFIG_EFI
  /*
-@@ -1198,6 +1206,8 @@ static inline bool efi_enabled(int feature)
+@@ -1214,6 +1222,8 @@ static inline bool efi_enabled(int feature)
+ 	return test_bit(feature, &efi.flags) != 0;
+ }
  extern void efi_reboot(enum reboot_mode reboot_mode, const char *__unused);
-
- extern bool efi_is_table_address(unsigned long phys_addr);
 +
 +extern void __init efi_set_secure_boot(enum efi_secureboot_mode mode);
  #else
  static inline bool efi_enabled(int feature)
  {
-@@ -1216,6 +1226,8 @@ static inline bool efi_is_table_address(unsigned long phys_addr)
+@@ -1227,6 +1237,8 @@ efi_capsule_pending(int *reset_type)
  {
  	return false;
  }
@@ -142,9 +245,7 @@ index 100ce4a4aff6..62361b647a75 100644
  #endif
  
  extern int efi_status_to_err(efi_status_t status);
-@@ -1577,12 +1589,6 @@ efi_status_t efi_setup_gop(efi_system_table_t *sys_table_arg,
- #endif
- 
+@@ -1619,12 +1631,6 @@ static inline bool efi_runtime_disabled(void) { return true; }
  extern void efi_call_virt_check_flags(unsigned long flags, const char *call);
  extern unsigned long efi_call_virt_save_flags(void);
  
@@ -158,121 +259,76 @@ index 100ce4a4aff6..62361b647a75 100644
  
  #ifdef CONFIG_RESET_ATTACK_MITIGATION
 -- 
-2.19.1
+2.21.0
+
 
-From d78bf678059f83e22bec8ada1a448e22b9b90203 Mon Sep 17 00:00:00 2001
+From 15368f76d4997912318d35c52bfeb9041d85098e Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
-Date: Tue, 27 Feb 2018 10:04:55 +0000
-Subject: [PATCH 30/31] efi: Lock down the kernel if booted in secure boot mode
+Date: Mon, 30 Sep 2019 21:28:16 +0000
+Subject: [PATCH 3/3] efi: Lock down the kernel if booted in secure boot mode
 
-UEFI Secure Boot provides a mechanism for ensuring that the firmware will
-only load signed bootloaders and kernels.  Certain use cases may also
-require that all kernel modules also be signed.  Add a configuration option
-that to lock down the kernel - which includes requiring validly signed
-modules - if the kernel is secure-booted.
+UEFI Secure Boot provides a mechanism for ensuring that the firmware
+will only load signed bootloaders and kernels.  Certain use cases may
+also require that all kernel modules also be signed.  Add a
+configuration option that to lock down the kernel - which includes
+requiring validly signed modules - if the kernel is secure-booted.
 
 Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-cc: linux-efi@vger.kernel.org
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
 ---
- arch/x86/kernel/setup.c |  6 ++++--
- fs/debugfs/inode.c      |  2 +-
- security/Kconfig        | 14 ++++++++++++++
- security/lock_down.c    |  5 +++++
- 4 files changed, 20 insertions(+), 3 deletions(-)
+ arch/x86/kernel/setup.c   |  8 ++++++++
+ security/lockdown/Kconfig | 13 +++++++++++++
+ 2 files changed, 21 insertions(+)
 
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index adeee6329f55..27a54ec878bd 100644
+index 77ea96b794bd..a119e1bc9623 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -65,6 +65,7 @@
- #include <linux/dma-mapping.h>
- #include <linux/ctype.h>
- #include <linux/uaccess.h>
+@@ -73,6 +73,7 @@
+ #include <linux/jiffies.h>
+ #include <linux/mem_encrypt.h>
+ #include <linux/sizes.h>
 +#include <linux/security.h>
  
- #include <linux/percpu.h>
- #include <linux/crash_dump.h>
-@@ -1005,6 +1006,10 @@ void __init setup_arch(char **cmdline_p)
+ #include <linux/usb/xhci-dbgp.h>
+ #include <video/edid.h>
+@@ -1027,6 +1028,13 @@ void __init setup_arch(char **cmdline_p)
  	if (efi_enabled(EFI_BOOT))
  		efi_init();
  
 +	efi_set_secure_boot(boot_params.secure_boot);
 +
-+	init_lockdown();
++#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
++	if (efi_enabled(EFI_SECURE_BOOT))
++		security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_CONFIDENTIALITY_MAX);
++#endif
 +
  	dmi_setup();
  
  	/*
-@@ -1159,8 +1164,6 @@ void __init setup_arch(char **cmdline_p)
- 	/* Allocate bigger log buffer */
- 	setup_log_buf(1);
- 
--	efi_set_secure_boot(boot_params.secure_boot);
--
- 	reserve_initrd();
- 
- 	acpi_table_upgrade();
-diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
-index ce261e1765ff..7aff55b309a6 100644
---- a/fs/debugfs/inode.c
-+++ b/fs/debugfs/inode.c
-@@ -40,7 +40,7 @@ static bool debugfs_registered;
- static int debugfs_setattr(struct dentry *dentry, struct iattr *ia)
- {
- 	if ((ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) &&
--	    kernel_is_locked_down("debugfs"))
-+	    kernel_is_locked_down("changing perms in debugfs"))
- 		return -EPERM;
- 	return simple_setattr(dentry, ia);
- }
-diff --git a/security/Kconfig b/security/Kconfig
-index 9c343f262bdd..30788bc47863 100644
---- a/security/Kconfig
-+++ b/security/Kconfig
-@@ -244,6 +244,20 @@ config LOCK_DOWN_KERNEL_FORCE
-           Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
-           combination on a wired keyboard.  On x86, this is SysRq+x.
+diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
+index e84ddf484010..d0501353a4b9 100644
+--- a/security/lockdown/Kconfig
++++ b/security/lockdown/Kconfig
+@@ -16,6 +16,19 @@ config SECURITY_LOCKDOWN_LSM_EARLY
+ 	  subsystem is fully initialised. If enabled, lockdown will
+ 	  unconditionally be called before any other LSMs.
  
 +config LOCK_DOWN_IN_EFI_SECURE_BOOT
 +	bool "Lock down the kernel in EFI Secure Boot mode"
 +	default n
-+	select LOCK_DOWN_KERNEL
-+	depends on EFI
++	depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY
 +	help
 +	  UEFI Secure Boot provides a mechanism for ensuring that the firmware
 +	  will only load signed bootloaders and kernels.  Secure boot mode may
 +	  be determined from EFI variables provided by the system firmware if
 +	  not indicated by the boot parameters.
 +
-+	  Enabling this option turns on results in kernel lockdown being
-+	  triggered if EFI Secure Boot is set.
++	  Enabling this option results in kernel lockdown being triggered if
++	  EFI Secure Boot is set.
 +
- source "security/selinux/Kconfig"
- source "security/smack/Kconfig"
- source "security/tomoyo/Kconfig"
-diff --git a/security/lock_down.c b/security/lock_down.c
-index ee00ca2677e7..bb4dc7838f3e 100644
---- a/security/lock_down.c
-+++ b/security/lock_down.c
-@@ -12,6 +12,7 @@
- 
- #include <linux/security.h>
- #include <linux/export.h>
-+#include <linux/efi.h>
- #include <linux/sysrq.h>
- #include <asm/setup.h>
- 
-@@ -44,6 +45,10 @@ void __init init_lockdown(void)
- #ifdef CONFIG_LOCK_DOWN_FORCE
- 	lock_kernel_down("Kernel configuration");
- #endif
-+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
-+	if (efi_enabled(EFI_SECURE_BOOT))
-+		lock_kernel_down("EFI secure boot");
-+#endif
- }
- 
- /**
+ choice
+ 	prompt "Kernel default lockdown mode"
+ 	default LOCK_DOWN_KERNEL_FORCE_NONE
 -- 
-2.14.3
+2.21.0
-- 
cgit