From df7d76ae50f18d4465e59fdf7f19d3df44906cb5 Mon Sep 17 00:00:00 2001

From: Josh Boyer <jwboyer@fedoraproject.org>

Date: Mon, 21 Nov 2016 23:55:55 +0000

Subject: [PATCH 07/32] efi: Add EFI_SECURE_BOOT bit

UEFI machines can be booted in Secure Boot mode.  Add a EFI_SECURE_BOOT bit

that can be passed to efi_enabled() to find out whether secure boot is

enabled.

This will be used by the SysRq+x handler, registered by the x86 arch, to find

out whether secure boot mode is enabled so that it can be disabled.

Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>

Signed-off-by: David Howells <dhowells@redhat.com>

---

 arch/x86/kernel/setup.c | 1 +

 include/linux/efi.h     | 1 +

 2 files changed, 2 insertions(+)

diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c

index 69780ed..447905e 100644

--- a/arch/x86/kernel/setup.c

+++ b/arch/x86/kernel/setup.c

@@ -1182,6 +1182,7 @@ void __init setup_arch(char **cmdline_p)

 			pr_info("Secure boot disabled\n");

 			break;

 		case efi_secureboot_mode_enabled:

+			set_bit(EFI_SECURE_BOOT, &efi.flags);

 			pr_info("Secure boot enabled\n");

 			break;

 		default:

diff --git a/include/linux/efi.h b/include/linux/efi.h

index 94d34e0..6049600 100644

--- a/include/linux/efi.h

+++ b/include/linux/efi.h

@@ -1069,6 +1069,7 @@ extern int __init efi_setup_pcdp_console(char *);

 #define EFI_DBG			8	/* Print additional debug info at runtime */

 #define EFI_NX_PE_DATA		9	/* Can runtime data regions be mapped non-executable? */

 #define EFI_MEM_ATTR		10	/* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */

+#define EFI_SECURE_BOOT		11	/* Are we in Secure Boot mode? */

 #ifdef CONFIG_EFI

 /*

-- 

2.7.4

From f05a90c19a9613d8d50597319ed91f691e25b689 Mon Sep 17 00:00:00 2001

From: David Howells <dhowells@redhat.com>

Date: Mon, 21 Nov 2016 23:36:17 +0000

Subject: [PATCH 09/32] Add the ability to lock down access to the running

 kernel image

Provide a single call to allow kernel code to determine whether the system

should be locked down, thereby disallowing various accesses that might

allow the running kernel image to be changed including the loading of

modules that aren't validly signed with a key we recognise, fiddling with

MSR registers and disallowing hibernation,

Signed-off-by: David Howells <dhowells@redhat.com>

---

 include/linux/kernel.h   |  9 +++++++++

 include/linux/security.h | 11 +++++++++++

 security/Kconfig         | 15 +++++++++++++++

 security/Makefile        |  3 +++

 security/lock_down.c     | 40 ++++++++++++++++++++++++++++++++++++++++

 5 files changed, 78 insertions(+)

 create mode 100644 security/lock_down.c

diff --git a/include/linux/kernel.h b/include/linux/kernel.h

index cb09238..3cd3be9 100644

--- a/include/linux/kernel.h

+++ b/include/linux/kernel.h

@@ -273,6 +273,15 @@ extern int oops_may_print(void);

 void do_exit(long error_code) __noreturn;

 void complete_and_exit(struct completion *, long) __noreturn;

+#ifdef CONFIG_LOCK_DOWN_KERNEL

+extern bool kernel_is_locked_down(void);

+#else

+static inline bool kernel_is_locked_down(void)

+{

+	return false;

+}

+#endif

+

 /* Internal, do not use. */

 int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res);

 int __must_check _kstrtol(const char *s, unsigned int base, long *res);

diff --git a/include/linux/security.h b/include/linux/security.h

index d3868f2..187b74b 100644

--- a/include/linux/security.h

+++ b/include/linux/security.h

@@ -1679,5 +1679,16 @@ static inline void free_secdata(void *secdata)

 { }

 #endif /* CONFIG_SECURITY */

+#ifdef CONFIG_LOCK_DOWN_KERNEL

+extern void lock_kernel_down(void);

+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT

+extern void lift_kernel_lockdown(void);

+#endif

+#else

+static inline void lock_kernel_down(void)

+{

+}

+#endif

+

 #endif /* ! __LINUX_SECURITY_H */

diff --git a/security/Kconfig b/security/Kconfig

index d900f47..d9b391d 100644

--- a/security/Kconfig

+++ b/security/Kconfig

@@ -193,6 +193,21 @@ config STATIC_USERMODEHELPER_PATH

 	  If you wish for all usermode helper programs to be disabled,

 	  specify an empty string here (i.e. "").

+config LOCK_DOWN_KERNEL

+	bool "Allow the kernel to be 'locked down'"

+	help

+	  Allow the kernel to be locked down under certain circumstances, for

+	  instance if UEFI secure boot is enabled.  Locking down the kernel

+	  turns off various features that might otherwise allow access to the

+	  kernel image (eg. setting MSR registers).

+

+config ALLOW_LOCKDOWN_LIFT

+	bool

+	help

+	  Allow the lockdown on a kernel to be lifted, thereby restoring the

+	  ability of userspace to access the kernel image (eg. by SysRq+x under

+	  x86).

+

 source security/selinux/Kconfig

 source security/smack/Kconfig

 source security/tomoyo/Kconfig

diff --git a/security/Makefile b/security/Makefile

index f2d71cd..8c4a43e 100644

--- a/security/Makefile

+++ b/security/Makefile

@@ -29,3 +29,6 @@ obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o

 # Object integrity file lists

 subdir-$(CONFIG_INTEGRITY)		+= integrity

 obj-$(CONFIG_INTEGRITY)			+= integrity/

+

+# Allow the kernel to be locked down

+obj-$(CONFIG_LOCK_DOWN_KERNEL)		+= lock_down.o

diff --git a/security/lock_down.c b/security/lock_down.c

new file mode 100644

index 0000000..5788c60

--- /dev/null

+++ b/security/lock_down.c

@@ -0,0 +1,40 @@

+/* Lock down the kernel

+ *

+ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.

+ * Written by David Howells (dhowells@redhat.com)

+ *

+ * This program is free software; you can redistribute it and/or

+ * modify it under the terms of the GNU General Public Licence

+ * as published by the Free Software Foundation; either version

+ * 2 of the Licence, or (at your option) any later version.

+ */

+

+#include <linux/security.h>

+#include <linux/export.h>

+

+static __read_mostly bool kernel_locked_down;

+

+/*

+ * Put the kernel into lock-down mode.

+ */

+void lock_kernel_down(void)

+{

+	kernel_locked_down = true;

+}

+

+/*

+ * Take the kernel out of lockdown mode.

+ */

+void lift_kernel_lockdown(void)

+{

+	kernel_locked_down = false;

+}

+

+/**

+ * kernel_is_locked_down - Find out if the kernel is locked down

+ */

+bool kernel_is_locked_down(void)

+{

+	return kernel_locked_down;

+}

+EXPORT_SYMBOL(kernel_is_locked_down);

-- 

2.7.4

From fb6feb38e297260d050fc477c72683ac51d07ae3 Mon Sep 17 00:00:00 2001

From: David Howells <dhowells@redhat.com>

Date: Mon, 21 Nov 2016 23:55:55 +0000

Subject: [PATCH 10/32] efi: Lock down the kernel if booted in secure boot mode

UEFI Secure Boot provides a mechanism for ensuring that the firmware will

only load signed bootloaders and kernels.  Certain use cases may also

require that all kernel modules also be signed.  Add a configuration option

that to lock down the kernel - which includes requiring validly signed

modules - if the kernel is secure-booted.

Signed-off-by: David Howells <dhowells@redhat.com>

---

 arch/x86/Kconfig        | 12 ++++++++++++

 arch/x86/kernel/setup.c |  8 +++++++-

 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig

index 874c123..a315974 100644

--- a/arch/x86/Kconfig

+++ b/arch/x86/Kconfig

@@ -1816,6 +1816,18 @@ config EFI_MIXED

 	   If unsure, say N.

+config EFI_SECURE_BOOT_LOCK_DOWN

+	def_bool n

+	depends on EFI

+	prompt "Lock down the kernel when UEFI Secure Boot is enabled"

+	---help---

+	  UEFI Secure Boot provides a mechanism for ensuring that the firmware

+	  will only load signed bootloaders and kernels.  Certain use cases may

+	  also require that all kernel modules also be signed and that

+	  userspace is prevented from directly changing the running kernel

+	  image.  Say Y here to automatically lock down the kernel when a

+	  system boots with UEFI Secure Boot enabled.

+

 config SECCOMP

 	def_bool y

 	prompt "Enable seccomp to safely compute untrusted bytecode"

diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c

index 447905e..d44e60e 100644

--- a/arch/x86/kernel/setup.c

+++ b/arch/x86/kernel/setup.c

@@ -69,6 +69,7 @@

 #include <linux/crash_dump.h>

 #include <linux/tboot.h>

 #include <linux/jiffies.h>

+#include <linux/security.h>

 #include <linux/usb/xhci-dbgp.h>

 #include <video/edid.h>

@@ -1183,7 +1184,12 @@ void __init setup_arch(char **cmdline_p)

 			break;

 		case efi_secureboot_mode_enabled:

 			set_bit(EFI_SECURE_BOOT, &efi.flags);

-			pr_info("Secure boot enabled\n");

+			if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT_LOCK_DOWN)) {

+				lock_kernel_down();

+				pr_info("Secure boot enabled and kernel locked down\n");

+			} else {

+				pr_info("Secure boot enabled\n");

+			}

 			break;

 		default:

 			pr_info("Secure boot could not be determined\n");

-- 

2.7.4

From 7182f2f5b254d6dc6d3105d2f99219a76adf9de0 Mon Sep 17 00:00:00 2001

From: David Howells <dhowells@redhat.com>

Date: Wed, 23 Nov 2016 13:22:22 +0000

Subject: [PATCH 11/32] Enforce module signatures if the kernel is locked down

If the kernel is locked down, require that all modules have valid

signatures that we can verify.

Signed-off-by: David Howells <dhowells@redhat.com>

---

 kernel/module.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/module.c b/kernel/module.c

index 7eba6de..3331f2e 100644

--- a/kernel/module.c

+++ b/kernel/module.c

@@ -2756,7 +2756,7 @@ static int module_sig_check(struct load_info *info, int flags)

 	}

 	/* Not having a signature is only an error if we're strict. */

-	if (err == -ENOKEY && !sig_enforce)

+	if (err == -ENOKEY && !sig_enforce && !kernel_is_locked_down())

 		err = 0;

 	return err;

-- 

2.7.4

From 7e97c58bcd0b4c082b889fb093a2779147532b9f Mon Sep 17 00:00:00 2001

From: Matthew Garrett <matthew.garrett@nebula.com>

Date: Tue, 22 Nov 2016 08:46:16 +0000

Subject: [PATCH 12/32] Restrict /dev/mem and /dev/kmem when the kernel is

 locked down

Allowing users to write to address space makes it possible for the kernel to

be subverted, avoiding module loading restrictions.  Prevent this when the

kernel has been locked down.

Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>

Signed-off-by: David Howells <dhowells@redhat.com>

---

 drivers/char/mem.c | 6 ++++++

 1 file changed, 6 insertions(+)

diff --git a/drivers/char/mem.c b/drivers/char/mem.c

index 6d9cc2d..f814404 100644

--- a/drivers/char/mem.c

+++ b/drivers/char/mem.c

@@ -163,6 +163,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,

 	if (p != *ppos)

 		return -EFBIG;

+	if (kernel_is_locked_down())

+		return -EPERM;

+

 	if (!valid_phys_addr_range(p, count))

 		return -EFAULT;

@@ -513,6 +516,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,

 	char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */

 	int err = 0;

+	if (kernel_is_locked_down())

+		return -EPERM;

+

 	if (p < (unsigned long) high_memory) {

 		unsigned long to_write = min_t(unsigned long, count,

 					       (unsigned long)high_memory - p);

-- 

2.7.4

From b83b68a9a13120664eaabf21a7b3ff0b065bd5b2 Mon Sep 17 00:00:00 2001

From: Kyle McMartin <kyle@redhat.com>

Date: Mon, 21 Nov 2016 23:55:56 +0000

Subject: [PATCH 13/32] Add a sysrq option to exit secure boot mode

Make sysrq+x exit secure boot mode on x86_64, thereby allowing the running

kernel image to be modified.  This lifts the lockdown.

Signed-off-by: David Howells <dhowells@redhat.com>

---

 arch/x86/Kconfig            | 10 ++++++++++

 arch/x86/kernel/setup.c     | 31 +++++++++++++++++++++++++++++++

 drivers/input/misc/uinput.c |  1 +

 drivers/tty/sysrq.c         | 19 +++++++++++++------

 include/linux/input.h       |  5 +++++

 include/linux/sysrq.h       |  8 +++++++-

 kernel/debug/kdb/kdb_main.c |  2 +-

 7 files changed, 68 insertions(+), 8 deletions(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig

index a315974..6931e68 100644

--- a/arch/x86/Kconfig

+++ b/arch/x86/Kconfig

@@ -1828,6 +1828,16 @@ config EFI_SECURE_BOOT_LOCK_DOWN

 	  image.  Say Y here to automatically lock down the kernel when a

 	  system boots with UEFI Secure Boot enabled.

+config EFI_ALLOW_SECURE_BOOT_EXIT

+	def_bool n

+	depends on EFI_SECURE_BOOT_LOCK_DOWN && MAGIC_SYSRQ

+	select ALLOW_LOCKDOWN_LIFT

+	prompt "Allow secure boot mode to be exited with SysRq+x on a keyboard"

+	---help---

+	  Allow secure boot mode to be exited and the kernel lockdown lifted by

+	  typing SysRq+x on a keyboard attached to the system (not permitted

+	  through procfs).

+

 config SECCOMP

 	def_bool y

 	prompt "Enable seccomp to safely compute untrusted bytecode"

diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c

index d44e60e..f7635d0 100644

--- a/arch/x86/kernel/setup.c

+++ b/arch/x86/kernel/setup.c

@@ -71,6 +71,11 @@

 #include <linux/jiffies.h>

 #include <linux/security.h>

+#include <linux/fips.h>

+#include <linux/cred.h>

+#include <linux/sysrq.h>

+#include <linux/init_task.h>

+

 #include <linux/usb/xhci-dbgp.h>

 #include <video/edid.h>

@@ -1328,6 +1333,32 @@ void __init i386_reserve_resources(void)

 #endif /* CONFIG_X86_32 */

+#ifdef CONFIG_EFI_ALLOW_SECURE_BOOT_EXIT

+

+static void sysrq_handle_secure_boot(int key)

+{

+	if (!efi_enabled(EFI_SECURE_BOOT))

+		return;

+

+	pr_info("Secure boot disabled\n");

+	lift_kernel_lockdown();

+}

+static struct sysrq_key_op secure_boot_sysrq_op = {

+	.handler	=	sysrq_handle_secure_boot,

+	.help_msg	=	"unSB(x)",

+	.action_msg	=	"Disabling Secure Boot restrictions",

+	.enable_mask	=	SYSRQ_DISABLE_USERSPACE,

+};

+static int __init secure_boot_sysrq(void)

+{

+	if (efi_enabled(EFI_SECURE_BOOT))

+		register_sysrq_key('x', &secure_boot_sysrq_op);

+	return 0;

+}

+late_initcall(secure_boot_sysrq);

+#endif /*CONFIG_EFI_ALLOW_SECURE_BOOT_EXIT*/

+

+

 static struct notifier_block kernel_offset_notifier = {

 	.notifier_call = dump_kernel_offset

 };

diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c

index 022be0e..4a054a5 100644

--- a/drivers/input/misc/uinput.c

+++ b/drivers/input/misc/uinput.c

@@ -387,6 +387,7 @@ static int uinput_allocate_device(struct uinput_device *udev)

 	if (!udev->dev)

 		return -ENOMEM;

+	udev->dev->flags |= INPUTDEV_FLAGS_SYNTHETIC;

 	udev->dev->event = uinput_dev_event;

 	input_set_drvdata(udev->dev, udev);

diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c

index 7113674..e1addc3 100644

--- a/drivers/tty/sysrq.c

+++ b/drivers/tty/sysrq.c

@@ -479,6 +479,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {

 	/* x: May be registered on mips for TLB dump */

 	/* x: May be registered on ppc/powerpc for xmon */

 	/* x: May be registered on sparc64 for global PMU dump */

+	/* x: May be registered on x86_64 for disabling secure boot */

 	NULL,				/* x */

 	/* y: May be registered on sparc64 for global register dump */

 	NULL,				/* y */

@@ -522,7 +523,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)

                 sysrq_key_table[i] = op_p;

 }

-void __handle_sysrq(int key, bool check_mask)

+void __handle_sysrq(int key, unsigned int from)

 {

 	struct sysrq_key_op *op_p;

 	int orig_log_level;

@@ -542,11 +543,15 @@ void __handle_sysrq(int key, bool check_mask)

         op_p = __sysrq_get_key_op(key);

         if (op_p) {

+		/* Ban synthetic events from some sysrq functionality */

+		if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) &&

+		    op_p->enable_mask & SYSRQ_DISABLE_USERSPACE)

+			printk("This sysrq operation is disabled from userspace.\n");

 		/*

 		 * Should we check for enabled operations (/proc/sysrq-trigger

 		 * should not) and is the invoked operation enabled?

 		 */

-		if (!check_mask || sysrq_on_mask(op_p->enable_mask)) {

+		if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {

 			pr_cont("%s\n", op_p->action_msg);

 			console_loglevel = orig_log_level;

 			op_p->handler(key);

@@ -578,7 +583,7 @@ void __handle_sysrq(int key, bool check_mask)

 void handle_sysrq(int key)

 {

 	if (sysrq_on())

-		__handle_sysrq(key, true);

+		__handle_sysrq(key, SYSRQ_FROM_KERNEL);

 }

 EXPORT_SYMBOL(handle_sysrq);

@@ -659,7 +664,7 @@ static void sysrq_do_reset(unsigned long _state)

 static void sysrq_handle_reset_request(struct sysrq_state *state)

 {

 	if (state->reset_requested)

-		__handle_sysrq(sysrq_xlate[KEY_B], false);

+		__handle_sysrq(sysrq_xlate[KEY_B], SYSRQ_FROM_KERNEL);

 	if (sysrq_reset_downtime_ms)

 		mod_timer(&state->keyreset_timer,

@@ -810,8 +815,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,

 	default:

 		if (sysrq->active && value && value != 2) {

+			int from = sysrq->handle.dev->flags & INPUTDEV_FLAGS_SYNTHETIC ?

+					SYSRQ_FROM_SYNTHETIC : 0;

 			sysrq->need_reinject = false;

-			__handle_sysrq(sysrq_xlate[code], true);

+			__handle_sysrq(sysrq_xlate[code], from);

 		}

 		break;

 	}

@@ -1095,7 +1102,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,

 		if (get_user(c, buf))

 			return -EFAULT;

-		__handle_sysrq(c, false);

+		__handle_sysrq(c, SYSRQ_FROM_PROC);

 	}

 	return count;

diff --git a/include/linux/input.h b/include/linux/input.h

index a65e3b2..8b03571 100644

--- a/include/linux/input.h

+++ b/include/linux/input.h

@@ -42,6 +42,7 @@ struct input_value {

  * @phys: physical path to the device in the system hierarchy

  * @uniq: unique identification code for the device (if device has it)

  * @id: id of the device (struct input_id)

+ * @flags: input device flags (SYNTHETIC, etc.)

  * @propbit: bitmap of device properties and quirks

  * @evbit: bitmap of types of events supported by the device (EV_KEY,

  *	EV_REL, etc.)

@@ -124,6 +125,8 @@ struct input_dev {

 	const char *uniq;

 	struct input_id id;

+	unsigned int flags;

+

 	unsigned long propbit[BITS_TO_LONGS(INPUT_PROP_CNT)];

 	unsigned long evbit[BITS_TO_LONGS(EV_CNT)];

@@ -190,6 +193,8 @@ struct input_dev {

 };

 #define to_input_dev(d) container_of(d, struct input_dev, dev)

+#define	INPUTDEV_FLAGS_SYNTHETIC	0x000000001

+

 /*

  * Verify that we are in sync with input_device_id mod_devicetable.h #defines

  */

diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h

index 387fa7d..f7c52a9 100644

--- a/include/linux/sysrq.h

+++ b/include/linux/sysrq.h

@@ -28,6 +28,8 @@

 #define SYSRQ_ENABLE_BOOT	0x0080

 #define SYSRQ_ENABLE_RTNICE	0x0100

+#define SYSRQ_DISABLE_USERSPACE	0x00010000

+

 struct sysrq_key_op {

 	void (*handler)(int);

 	char *help_msg;

@@ -42,8 +44,12 @@ struct sysrq_key_op {

  * are available -- else NULL's).

  */

+#define SYSRQ_FROM_KERNEL	0x0001

+#define SYSRQ_FROM_PROC		0x0002

+#define SYSRQ_FROM_SYNTHETIC	0x0004

+

 void handle_sysrq(int key);

-void __handle_sysrq(int key, bool check_mask);

+void __handle_sysrq(int key, unsigned int from);

 int register_sysrq_key(int key, struct sysrq_key_op *op);

 int unregister_sysrq_key(int key, struct sysrq_key_op *op);

 struct sysrq_key_op *__sysrq_get_key_op(int key);

diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c

index ca18391..c4524b8 100644

--- a/kernel/debug/kdb/kdb_main.c

+++ b/kernel/debug/kdb/kdb_main.c

@@ -1967,7 +1967,7 @@ static int kdb_sr(int argc, const char **argv)

 		return KDB_ARGCOUNT;

 	kdb_trap_printk++;

-	__handle_sysrq(*argv[1], check_mask);

+	__handle_sysrq(*argv[1], check_mask ? SYSRQ_FROM_KERNEL : 0);

 	kdb_trap_printk--;

 	return 0;

-- 

2.7.4

From 8884bd44932e595323fcddfb09c2a2a586134cdf Mon Sep 17 00:00:00 2001

From: Matthew Garrett <matthew.garrett@nebula.com>

Date: Tue, 22 Nov 2016 08:46:15 +0000

Subject: [PATCH 14/32] kexec: Disable at runtime if the kernel is locked down

kexec permits the loading and execution of arbitrary code in ring 0, which

is something that lock-down is meant to prevent. It makes sense to disable

kexec in this situation.

This does not affect kexec_file_load() which can check for a signature on the

image to be booted.

Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>

Signed-off-by: David Howells <dhowells@redhat.com>

---

 kernel/kexec.c | 7 +++++++

 1 file changed, 7 insertions(+)

diff --git a/kernel/kexec.c b/kernel/kexec.c

index 980936a..46de8e6 100644

--- a/kernel/kexec.c

+++ b/kernel/kexec.c

@@ -194,6 +194,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,

 		return -EPERM;

 	/*

+	 * kexec can be used to circumvent module loading restrictions, so

+	 * prevent loading in that case

+	 */

+	if (kernel_is_locked_down())

+		return -EPERM;

+

+	/*

 	 * Verify we have a legal set of flags

 	 * This leaves us room for future extensions.

 	 */

-- 

2.7.4

From cace563d1743c3d2faf1e46bd4df8e63e2310207 Mon Sep 17 00:00:00 2001

From: Dave Young <dyoung@redhat.com>

Date: Tue, 22 Nov 2016 08:46:15 +0000

Subject: [PATCH 15/32] Copy secure_boot flag in boot params across kexec

 reboot

Kexec reboot in case secure boot being enabled does not keep the secure

boot mode in new kernel, so later one can load unsigned kernel via legacy

kexec_load.  In this state, the system is missing the protections provided

by secure boot.

Adding a patch to fix this by retain the secure_boot flag in original

kernel.

secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the

stub.  Fixing this issue by copying secure_boot flag across kexec reboot.

Signed-off-by: Dave Young <dyoung@redhat.com>

Signed-off-by: David Howells <dhowells@redhat.com>

---

 arch/x86/kernel/kexec-bzimage64.c | 1 +

 1 file changed, 1 insertion(+)

diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c

index d0a814a..3551bca 100644

--- a/arch/x86/kernel/kexec-bzimage64.c

+++ b/arch/x86/kernel/kexec-bzimage64.c

@@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,

 	if (efi_enabled(EFI_OLD_MEMMAP))

 		return 0;

+	params->secure_boot = boot_params.secure_boot;

 	ei->efi_loader_signature = current_ei->efi_loader_signature;

 	ei->efi_systab = current_ei->efi_systab;

 	ei->efi_systab_hi = current_ei->efi_systab_hi;

-- 

2.7.4

From 08a3467acbc28bb469d1eebd0f5fd40b944d984a Mon Sep 17 00:00:00 2001

From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>

Date: Wed, 23 Nov 2016 13:49:19 +0000

Subject: [PATCH 16/32] kexec_file: Disable at runtime if securelevel has been

 set

When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image

through kexec_file systemcall if securelevel has been set.

This code was showed in Matthew's patch but not in git:

https://lkml.org/lkml/2015/3/13/778

Cc: Matthew Garrett <mjg59@srcf.ucam.org>

Signed-off-by: Lee, Chun-Yi <jlee@suse.com>

Signed-off-by: David Howells <dhowells@redhat.com>

---

 kernel/kexec_file.c | 6 ++++++

 1 file changed, 6 insertions(+)

diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c

index b56a558..003cade 100644

--- a/kernel/kexec_file.c

+++ b/kernel/kexec_file.c

@@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,

 	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)

 		return -EPERM;

+	/* Don't permit images to be loaded into trusted kernels if we're not

+	 * going to verify the signature on them

+	 */

+	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())

+		return -EPERM;

+

 	/* Make sure we have a legal set of flags */

 	if (flags != (flags & KEXEC_FILE_FLAGS))

 		return -EINVAL;

-- 

2.7.4

From 925fd10d7a99a6f999dde76daf2b1ef1238b251a Mon Sep 17 00:00:00 2001

From: Josh Boyer <jwboyer@fedoraproject.org>

Date: Tue, 22 Nov 2016 08:46:15 +0000

Subject: [PATCH 17/32] hibernate: Disable when the kernel is locked down

There is currently no way to verify the resume image when returning

from hibernate.  This might compromise the signed modules trust model,

so until we can work with signed hibernate images we disable it when the

kernel is locked down.

Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>

Signed-off-by: David Howells <dhowells@redhat.com>