59566d
From patchwork Thu Oct 19 14:50:40 2017
59566d
Content-Type: text/plain; charset="utf-8"
59566d
MIME-Version: 1.0
59566d
Content-Transfer-Encoding: 7bit
59566d
Subject: [01/27] Add the ability to lock down access to the running kernel
59566d
 image
962ea4
From: David Howells <dhowells@redhat.com>
59566d
X-Patchwork-Id: 10017331
59566d
Message-Id: <150842463996.7923.6815305873334959305.stgit@warthog.procyon.org.uk>
59566d
To: linux-security-module@vger.kernel.org
59566d
Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
59566d
 matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
59566d
 linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
59566d
Date: Thu, 19 Oct 2017 15:50:40 +0100
962ea4
962ea4
Provide a single call to allow kernel code to determine whether the system
962ea4
should be locked down, thereby disallowing various accesses that might
962ea4
allow the running kernel image to be changed including the loading of
962ea4
modules that aren't validly signed with a key we recognise, fiddling with
962ea4
MSR registers and disallowing hibernation,
962ea4
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
962ea4
---
59566d
59566d
 include/linux/kernel.h   |   17 +++++++++++++
59566d
 include/linux/security.h |    8 ++++++
59566d
 security/Kconfig         |    8 ++++++
59566d
 security/Makefile        |    3 ++
59566d
 security/lock_down.c     |   60 ++++++++++++++++++++++++++++++++++++++++++++++
59566d
 5 files changed, 96 insertions(+)
962ea4
 create mode 100644 security/lock_down.c
962ea4
962ea4
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
59566d
index 0ad4c3044cf9..362da2e4bf53 100644
962ea4
--- a/include/linux/kernel.h
962ea4
+++ b/include/linux/kernel.h
59566d
@@ -287,6 +287,23 @@ static inline void refcount_error_report(struct pt_regs *regs, const char *err)
59566d
 { }
59566d
 #endif
c796f8
 
962ea4
+#ifdef CONFIG_LOCK_DOWN_KERNEL
59566d
+extern bool __kernel_is_locked_down(const char *what, bool first);
962ea4
+#else
59566d
+static inline bool __kernel_is_locked_down(const char *what, bool first)
962ea4
+{
962ea4
+	return false;
962ea4
+}
962ea4
+#endif
962ea4
+
59566d
+#define kernel_is_locked_down(what)					\
59566d
+	({								\
59566d
+		static bool message_given;				\
59566d
+		bool locked_down = __kernel_is_locked_down(what, !message_given); \
59566d
+		message_given = true;					\
59566d
+		locked_down;						\
59566d
+	})
59566d
+
59566d
 /* Internal, do not use. */
59566d
 int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res);
59566d
 int __must_check _kstrtol(const char *s, unsigned int base, long *res);
962ea4
diff --git a/include/linux/security.h b/include/linux/security.h
59566d
index ce6265960d6c..f9a894b42d4c 100644
962ea4
--- a/include/linux/security.h
962ea4
+++ b/include/linux/security.h
59566d
@@ -1753,5 +1753,13 @@ static inline void free_secdata(void *secdata)
962ea4
 { }
962ea4
 #endif /* CONFIG_SECURITY */
c796f8
 
962ea4
+#ifdef CONFIG_LOCK_DOWN_KERNEL
59566d
+extern void __init init_lockdown(void);
962ea4
+#else
59566d
+static inline void __init init_lockdown(void);
962ea4
+{
962ea4
+}
962ea4
+#endif
962ea4
+
962ea4
 #endif /* ! __LINUX_SECURITY_H */
c796f8
 
962ea4
diff --git a/security/Kconfig b/security/Kconfig
59566d
index e8e449444e65..8e01fd59ae7e 100644
962ea4
--- a/security/Kconfig
962ea4
+++ b/security/Kconfig
59566d
@@ -205,6 +205,14 @@ config STATIC_USERMODEHELPER_PATH
c796f8
 	  If you wish for all usermode helper programs to be disabled,
c796f8
 	  specify an empty string here (i.e. "").
c796f8
 
962ea4
+config LOCK_DOWN_KERNEL
962ea4
+	bool "Allow the kernel to be 'locked down'"
962ea4
+	help
962ea4
+	  Allow the kernel to be locked down under certain circumstances, for
962ea4
+	  instance if UEFI secure boot is enabled.  Locking down the kernel
962ea4
+	  turns off various features that might otherwise allow access to the
962ea4
+	  kernel image (eg. setting MSR registers).
962ea4
+
962ea4
 source security/selinux/Kconfig
962ea4
 source security/smack/Kconfig
962ea4
 source security/tomoyo/Kconfig
962ea4
diff --git a/security/Makefile b/security/Makefile
59566d
index f2d71cdb8e19..8c4a43e3d4e0 100644
962ea4
--- a/security/Makefile
962ea4
+++ b/security/Makefile
962ea4
@@ -29,3 +29,6 @@ obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o
962ea4
 # Object integrity file lists
962ea4
 subdir-$(CONFIG_INTEGRITY)		+= integrity
962ea4
 obj-$(CONFIG_INTEGRITY)			+= integrity/
962ea4
+
962ea4
+# Allow the kernel to be locked down
962ea4
+obj-$(CONFIG_LOCK_DOWN_KERNEL)		+= lock_down.o
962ea4
diff --git a/security/lock_down.c b/security/lock_down.c
962ea4
new file mode 100644
59566d
index 000000000000..d8595c0e6673
962ea4
--- /dev/null
962ea4
+++ b/security/lock_down.c
59566d
@@ -0,0 +1,60 @@
962ea4
+/* Lock down the kernel
962ea4
+ *
962ea4
+ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
962ea4
+ * Written by David Howells (dhowells@redhat.com)
962ea4
+ *
962ea4
+ * This program is free software; you can redistribute it and/or
962ea4
+ * modify it under the terms of the GNU General Public Licence
962ea4
+ * as published by the Free Software Foundation; either version
962ea4
+ * 2 of the Licence, or (at your option) any later version.
962ea4
+ */
962ea4
+
962ea4
+#include <linux/security.h>
962ea4
+#include <linux/export.h>
962ea4
+
59566d
+static __ro_after_init bool kernel_locked_down;
962ea4
+
962ea4
+/*
962ea4
+ * Put the kernel into lock-down mode.
962ea4
+ */
59566d
+static void __init lock_kernel_down(const char *where)
59566d
+{
59566d
+	if (!kernel_locked_down) {
59566d
+		kernel_locked_down = true;
59566d
+		pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n",
59566d
+			  where);
59566d
+	}
59566d
+}
59566d
+
59566d
+static int __init lockdown_param(char *ignored)
962ea4
+{
59566d
+	lock_kernel_down("command line");
59566d
+	return 0;
962ea4
+}
962ea4
+
59566d
+early_param("lockdown", lockdown_param);
59566d
+
962ea4
+/*
59566d
+ * Lock the kernel down from very early in the arch setup.  This must happen
59566d
+ * prior to things like ACPI being initialised.
962ea4
+ */
59566d
+void __init init_lockdown(void)
962ea4
+{
59566d
+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
59566d
+	if (efi_enabled(EFI_SECURE_BOOT))
59566d
+		lock_kernel_down("EFI secure boot");
59566d
+#endif
962ea4
+}
962ea4
+
962ea4
+/**
962ea4
+ * kernel_is_locked_down - Find out if the kernel is locked down
59566d
+ * @what: Tag to use in notice generated if lockdown is in effect
962ea4
+ */
59566d
+bool __kernel_is_locked_down(const char *what, bool first)
962ea4
+{
59566d
+	if (what && first && kernel_locked_down)
59566d
+		pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n",
59566d
+			  what);
962ea4
+	return kernel_locked_down;
962ea4
+}
59566d
+EXPORT_SYMBOL(__kernel_is_locked_down);
962ea4
59566d
From patchwork Thu Oct 19 14:50:47 2017
59566d
Content-Type: text/plain; charset="utf-8"
59566d
MIME-Version: 1.0
59566d
Content-Transfer-Encoding: 7bit
59566d
Subject: [02/27] Add a SysRq option to lift kernel lockdown
962ea4
From: David Howells <dhowells@redhat.com>
59566d
X-Patchwork-Id: 10017333
59566d
Message-Id: <150842464774.7923.7951986297563109339.stgit@warthog.procyon.org.uk>
59566d
To: linux-security-module@vger.kernel.org
59566d
Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
59566d
 matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
59566d
 linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
59566d
Date: Thu, 19 Oct 2017 15:50:47 +0100
962ea4
59566d
From: Kyle McMartin <kyle@redhat.com>
962ea4
59566d
Make an option to provide a sysrq key that will lift the kernel lockdown,
59566d
thereby allowing the running kernel image to be accessed and modified.
962ea4
59566d
On x86_64 this is triggered with SysRq+x, but this key may not be available
59566d
on all arches, so it is set by setting LOCKDOWN_LIFT_KEY in asm/setup.h.
962ea4
59566d
Signed-off-by: Kyle McMartin <kyle@redhat.com>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
cc: x86@kernel.org
962ea4
---
962ea4
59566d
 arch/x86/include/asm/setup.h |    2 ++
59566d
 drivers/input/misc/uinput.c  |    1 +
59566d
 drivers/tty/sysrq.c          |   19 +++++++++++------
59566d
 include/linux/input.h        |    5 ++++
59566d
 include/linux/sysrq.h        |    8 ++++++-
59566d
 kernel/debug/kdb/kdb_main.c  |    2 +-
59566d
 security/Kconfig             |   15 +++++++++++++
59566d
 security/lock_down.c         |   48 ++++++++++++++++++++++++++++++++++++++++++
59566d
 8 files changed, 92 insertions(+), 8 deletions(-)
59566d
59566d
diff --git a/arch/x86/include/asm/setup.h b/arch/x86/include/asm/setup.h
59566d
index a65cf544686a..863f77582c09 100644
59566d
--- a/arch/x86/include/asm/setup.h
59566d
+++ b/arch/x86/include/asm/setup.h
59566d
@@ -8,6 +8,8 @@
59566d
 #include <linux/linkage.h>
59566d
 #include <asm/page_types.h>
59566d
 
59566d
+#define LOCKDOWN_LIFT_KEY 'x'
962ea4
+
59566d
 #ifdef __i386__
c796f8
 
59566d
 #include <linux/pfn.h>
962ea4
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
59566d
index 443151de90c6..45a1f5460805 100644
962ea4
--- a/drivers/input/misc/uinput.c
962ea4
+++ b/drivers/input/misc/uinput.c
59566d
@@ -408,6 +408,7 @@ static int uinput_allocate_device(struct uinput_device *udev)
962ea4
 	if (!udev->dev)
962ea4
 		return -ENOMEM;
c796f8
 
962ea4
+	udev->dev->flags |= INPUTDEV_FLAGS_SYNTHETIC;
962ea4
 	udev->dev->event = uinput_dev_event;
962ea4
 	input_set_drvdata(udev->dev, udev);
c796f8
 
962ea4
diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
59566d
index 3ffc1ce29023..8b766dbad6dd 100644
962ea4
--- a/drivers/tty/sysrq.c
962ea4
+++ b/drivers/tty/sysrq.c
59566d
@@ -481,6 +481,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
962ea4
 	/* x: May be registered on mips for TLB dump */
962ea4
 	/* x: May be registered on ppc/powerpc for xmon */
962ea4
 	/* x: May be registered on sparc64 for global PMU dump */
962ea4
+	/* x: May be registered on x86_64 for disabling secure boot */
962ea4
 	NULL,				/* x */
962ea4
 	/* y: May be registered on sparc64 for global register dump */
962ea4
 	NULL,				/* y */
59566d
@@ -524,7 +525,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
962ea4
                 sysrq_key_table[i] = op_p;
962ea4
 }
c796f8
 
962ea4
-void __handle_sysrq(int key, bool check_mask)
962ea4
+void __handle_sysrq(int key, unsigned int from)
962ea4
 {
962ea4
 	struct sysrq_key_op *op_p;
962ea4
 	int orig_log_level;
59566d
@@ -544,11 +545,15 @@ void __handle_sysrq(int key, bool check_mask)
c796f8
 
962ea4
         op_p = __sysrq_get_key_op(key);
962ea4
         if (op_p) {
962ea4
+		/* Ban synthetic events from some sysrq functionality */
962ea4
+		if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) &&
962ea4
+		    op_p->enable_mask & SYSRQ_DISABLE_USERSPACE)
962ea4
+			printk("This sysrq operation is disabled from userspace.\n");
962ea4
 		/*
962ea4
 		 * Should we check for enabled operations (/proc/sysrq-trigger
962ea4
 		 * should not) and is the invoked operation enabled?
962ea4
 		 */
962ea4
-		if (!check_mask || sysrq_on_mask(op_p->enable_mask)) {
962ea4
+		if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {
962ea4
 			pr_cont("%s\n", op_p->action_msg);
962ea4
 			console_loglevel = orig_log_level;
962ea4
 			op_p->handler(key);
59566d
@@ -580,7 +585,7 @@ void __handle_sysrq(int key, bool check_mask)
962ea4
 void handle_sysrq(int key)
962ea4
 {
962ea4
 	if (sysrq_on())
962ea4
-		__handle_sysrq(key, true);
962ea4
+		__handle_sysrq(key, SYSRQ_FROM_KERNEL);
962ea4
 }
962ea4
 EXPORT_SYMBOL(handle_sysrq);
c796f8
 
59566d
@@ -661,7 +666,7 @@ static void sysrq_do_reset(unsigned long _state)
962ea4
 static void sysrq_handle_reset_request(struct sysrq_state *state)
962ea4
 {
962ea4
 	if (state->reset_requested)
962ea4
-		__handle_sysrq(sysrq_xlate[KEY_B], false);
962ea4
+		__handle_sysrq(sysrq_xlate[KEY_B], SYSRQ_FROM_KERNEL);
c796f8
 
962ea4
 	if (sysrq_reset_downtime_ms)
962ea4
 		mod_timer(&state->keyreset_timer,
59566d
@@ -812,8 +817,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
c796f8
 
962ea4
 	default:
962ea4
 		if (sysrq->active && value && value != 2) {
962ea4
+			int from = sysrq->handle.dev->flags & INPUTDEV_FLAGS_SYNTHETIC ?
962ea4
+					SYSRQ_FROM_SYNTHETIC : 0;
962ea4
 			sysrq->need_reinject = false;
962ea4
-			__handle_sysrq(sysrq_xlate[code], true);
962ea4
+			__handle_sysrq(sysrq_xlate[code], from);
962ea4
 		}
962ea4
 		break;
962ea4
 	}
59566d
@@ -1097,7 +1104,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
c796f8
 
962ea4
 		if (get_user(c, buf))
962ea4
 			return -EFAULT;
962ea4
-		__handle_sysrq(c, false);
962ea4
+		__handle_sysrq(c, SYSRQ_FROM_PROC);
962ea4
 	}
c796f8
 
962ea4
 	return count;
962ea4
diff --git a/include/linux/input.h b/include/linux/input.h
59566d
index fb5e23c7ed98..9d2b45a21ade 100644
962ea4
--- a/include/linux/input.h
962ea4
+++ b/include/linux/input.h
962ea4
@@ -42,6 +42,7 @@ struct input_value {
962ea4
  * @phys: physical path to the device in the system hierarchy
962ea4
  * @uniq: unique identification code for the device (if device has it)
962ea4
  * @id: id of the device (struct input_id)
962ea4
+ * @flags: input device flags (SYNTHETIC, etc.)
962ea4
  * @propbit: bitmap of device properties and quirks
962ea4
  * @evbit: bitmap of types of events supported by the device (EV_KEY,
962ea4
  *	EV_REL, etc.)
962ea4
@@ -124,6 +125,8 @@ struct input_dev {
962ea4
 	const char *uniq;
962ea4
 	struct input_id id;
c796f8
 
962ea4
+	unsigned int flags;
962ea4
+
962ea4
 	unsigned long propbit[BITS_TO_LONGS(INPUT_PROP_CNT)];
c796f8
 
962ea4
 	unsigned long evbit[BITS_TO_LONGS(EV_CNT)];
962ea4
@@ -190,6 +193,8 @@ struct input_dev {
962ea4
 };
962ea4
 #define to_input_dev(d) container_of(d, struct input_dev, dev)
c796f8
 
962ea4
+#define	INPUTDEV_FLAGS_SYNTHETIC	0x000000001
962ea4
+
962ea4
 /*
962ea4
  * Verify that we are in sync with input_device_id mod_devicetable.h #defines
962ea4
  */
962ea4
diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h
59566d
index 387fa7d05c98..f7c52a9ea394 100644
962ea4
--- a/include/linux/sysrq.h
962ea4
+++ b/include/linux/sysrq.h
962ea4
@@ -28,6 +28,8 @@
962ea4
 #define SYSRQ_ENABLE_BOOT	0x0080
962ea4
 #define SYSRQ_ENABLE_RTNICE	0x0100
c796f8
 
962ea4
+#define SYSRQ_DISABLE_USERSPACE	0x00010000
962ea4
+
962ea4
 struct sysrq_key_op {
962ea4
 	void (*handler)(int);
962ea4
 	char *help_msg;
962ea4
@@ -42,8 +44,12 @@ struct sysrq_key_op {
962ea4
  * are available -- else NULL's).
962ea4
  */
c796f8
 
962ea4
+#define SYSRQ_FROM_KERNEL	0x0001
962ea4
+#define SYSRQ_FROM_PROC		0x0002
962ea4
+#define SYSRQ_FROM_SYNTHETIC	0x0004
962ea4
+
962ea4
 void handle_sysrq(int key);
962ea4
-void __handle_sysrq(int key, bool check_mask);
962ea4
+void __handle_sysrq(int key, unsigned int from);
962ea4
 int register_sysrq_key(int key, struct sysrq_key_op *op);
962ea4
 int unregister_sysrq_key(int key, struct sysrq_key_op *op);
962ea4
 struct sysrq_key_op *__sysrq_get_key_op(int key);
962ea4
diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
59566d
index c8146d53ca67..b480cadf9272 100644
962ea4
--- a/kernel/debug/kdb/kdb_main.c
962ea4
+++ b/kernel/debug/kdb/kdb_main.c
59566d
@@ -1970,7 +1970,7 @@ static int kdb_sr(int argc, const char **argv)
962ea4
 		return KDB_ARGCOUNT;
c796f8
 
962ea4
 	kdb_trap_printk++;
962ea4
-	__handle_sysrq(*argv[1], check_mask);
962ea4
+	__handle_sysrq(*argv[1], check_mask ? SYSRQ_FROM_KERNEL : 0);
962ea4
 	kdb_trap_printk--;
c796f8
 
962ea4
 	return 0;
59566d
diff --git a/security/Kconfig b/security/Kconfig
59566d
index 8e01fd59ae7e..4be6be71e075 100644
59566d
--- a/security/Kconfig
59566d
+++ b/security/Kconfig
59566d
@@ -213,6 +213,21 @@ config LOCK_DOWN_KERNEL
59566d
 	  turns off various features that might otherwise allow access to the
59566d
 	  kernel image (eg. setting MSR registers).
59566d
 
59566d
+config ALLOW_LOCKDOWN_LIFT
59566d
+	bool
59566d
+	help
59566d
+	  Allow the lockdown on a kernel to be lifted, thereby restoring the
59566d
+	  ability of userspace to access the kernel image (eg. by SysRq+x under
59566d
+	  x86).
59566d
+
59566d
+config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
59566d
+	bool "Allow the kernel lockdown to be lifted by SysRq"
59566d
+	depends on MAGIC_SYSRQ
59566d
+	help
59566d
+	  Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
59566d
+	  combination on a wired keyboard.
59566d
+
59566d
+
59566d
 source security/selinux/Kconfig
59566d
 source security/smack/Kconfig
59566d
 source security/tomoyo/Kconfig
59566d
diff --git a/security/lock_down.c b/security/lock_down.c
59566d
index d8595c0e6673..f71118c340d2 100644
59566d
--- a/security/lock_down.c
59566d
+++ b/security/lock_down.c
59566d
@@ -11,8 +11,13 @@
59566d
 
59566d
 #include <linux/security.h>
59566d
 #include <linux/export.h>
59566d
+#include <linux/sysrq.h>
59566d
 
59566d
+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT
59566d
+static __read_mostly bool kernel_locked_down;
59566d
+#else
59566d
 static __ro_after_init bool kernel_locked_down;
59566d
+#endif
59566d
 
59566d
 /*
59566d
  * Put the kernel into lock-down mode.
59566d
@@ -58,3 +63,46 @@ bool __kernel_is_locked_down(const char *what, bool first)
59566d
 	return kernel_locked_down;
59566d
 }
59566d
 EXPORT_SYMBOL(__kernel_is_locked_down);
59566d
+
59566d
+/*
59566d
+ * Take the kernel out of lockdown mode.
59566d
+ */
59566d
+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT
59566d
+static void lift_kernel_lockdown(void)
59566d
+{
59566d
+	pr_notice("Lifting lockdown\n");
59566d
+	kernel_locked_down = false;
59566d
+}
59566d
+#endif
59566d
+
59566d
+/*
59566d
+ * Allow lockdown to be lifted by pressing something like SysRq+x (and not by
59566d
+ * echoing the appropriate letter into the sysrq-trigger file).
59566d
+ */
59566d
+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_KEY
59566d
+
59566d
+static void sysrq_handle_lockdown_lift(int key)
59566d
+{
59566d
+	if (kernel_locked_down)
59566d
+		lift_kernel_lockdown();
59566d
+}
59566d
+
59566d
+static struct sysrq_key_op lockdown_lift_sysrq_op = {
59566d
+	.handler	= sysrq_handle_lockdown_lift,
59566d
+	.help_msg	= "unSB(x)",
59566d
+	.action_msg	= "Disabling Secure Boot restrictions",
59566d
+	.enable_mask	= SYSRQ_DISABLE_USERSPACE,
59566d
+};
59566d
+
59566d
+static int __init lockdown_lift_sysrq(void)
59566d
+{
59566d
+	if (kernel_locked_down) {
59566d
+		lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY;
59566d
+		register_sysrq_key(LOCKDOWN_LIFT_KEY, &lockdown_lift_sysrq_op);
59566d
+	}
59566d
+	return 0;
59566d
+}
59566d
+
59566d
+late_initcall(lockdown_lift_sysrq);
59566d
+
59566d
+#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_KEY */
59566d
59566d
From patchwork Thu Oct 19 14:50:55 2017
59566d
Content-Type: text/plain; charset="utf-8"
59566d
MIME-Version: 1.0
59566d
Content-Transfer-Encoding: 7bit
59566d
Subject: [03/27] Enforce module signatures if the kernel is locked down
59566d
From: David Howells <dhowells@redhat.com>
59566d
X-Patchwork-Id: 10017335
59566d
Message-Id: <150842465546.7923.6762214527898273559.stgit@warthog.procyon.org.uk>
59566d
To: linux-security-module@vger.kernel.org
59566d
Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
59566d
 matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
59566d
 linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
59566d
Date: Thu, 19 Oct 2017 15:50:55 +0100
59566d
59566d
If the kernel is locked down, require that all modules have valid
59566d
signatures that we can verify.
59566d
59566d
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
---
59566d
59566d
 kernel/module.c |    3 ++-
59566d
 1 file changed, 2 insertions(+), 1 deletion(-)
59566d
59566d
diff --git a/kernel/module.c b/kernel/module.c
59566d
index de66ec825992..3d9a3270c179 100644
59566d
--- a/kernel/module.c
59566d
+++ b/kernel/module.c
59566d
@@ -2781,7 +2781,8 @@ static int module_sig_check(struct load_info *info, int flags)
59566d
 	}
59566d
 
59566d
 	/* Not having a signature is only an error if we're strict. */
59566d
-	if (err == -ENOKEY && !sig_enforce)
59566d
+	if (err == -ENOKEY && !sig_enforce &&
59566d
+	    !kernel_is_locked_down("Loading of unsigned modules"))
59566d
 		err = 0;
59566d
 
59566d
 	return err;
59566d
59566d
From patchwork Thu Oct 19 14:51:02 2017
59566d
Content-Type: text/plain; charset="utf-8"
59566d
MIME-Version: 1.0
59566d
Content-Transfer-Encoding: 7bit
59566d
Subject: [04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down
59566d
From: David Howells <dhowells@redhat.com>
59566d
X-Patchwork-Id: 10017337
59566d
Message-Id: <150842466261.7923.14359746674406637357.stgit@warthog.procyon.org.uk>
59566d
To: linux-security-module@vger.kernel.org
59566d
Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
59566d
 matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
59566d
 linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
59566d
Date: Thu, 19 Oct 2017 15:51:02 +0100
59566d
59566d
From: Matthew Garrett <matthew.garrett@nebula.com>
59566d
59566d
Allowing users to write to address space makes it possible for the kernel to
59566d
be subverted, avoiding module loading restrictions.  Prevent this when the
59566d
kernel has been locked down.
59566d
59566d
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
59566d
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
---
59566d
59566d
 drivers/char/mem.c |    6 ++++++
59566d
 1 file changed, 6 insertions(+)
59566d
59566d
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
59566d
index 593a8818aca9..b7c36898b689 100644
59566d
--- a/drivers/char/mem.c
59566d
+++ b/drivers/char/mem.c
59566d
@@ -179,6 +179,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
59566d
 	if (p != *ppos)
59566d
 		return -EFBIG;
59566d
 
59566d
+	if (kernel_is_locked_down("/dev/mem"))
59566d
+		return -EPERM;
59566d
+
59566d
 	if (!valid_phys_addr_range(p, count))
59566d
 		return -EFAULT;
59566d
 
59566d
@@ -540,6 +543,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
59566d
 	char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
59566d
 	int err = 0;
59566d
 
59566d
+	if (kernel_is_locked_down("/dev/kmem"))
59566d
+		return -EPERM;
59566d
+
59566d
 	if (p < (unsigned long) high_memory) {
59566d
 		unsigned long to_write = min_t(unsigned long, count,
59566d
 					       (unsigned long)high_memory - p);
59566d
59566d
From patchwork Thu Oct 19 14:51:09 2017
59566d
Content-Type: text/plain; charset="utf-8"
59566d
MIME-Version: 1.0
59566d
Content-Transfer-Encoding: 7bit
59566d
Subject: [05/27] kexec: Disable at runtime if the kernel is locked down
59566d
From: David Howells <dhowells@redhat.com>
59566d
X-Patchwork-Id: 10017339
59566d
Message-Id: <150842466996.7923.17995994984545441369.stgit@warthog.procyon.org.uk>
59566d
To: linux-security-module@vger.kernel.org
59566d
Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
59566d
 matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
59566d
 linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
59566d
Date: Thu, 19 Oct 2017 15:51:09 +0100
962ea4
962ea4
From: Matthew Garrett <matthew.garrett@nebula.com>
962ea4
962ea4
kexec permits the loading and execution of arbitrary code in ring 0, which
962ea4
is something that lock-down is meant to prevent. It makes sense to disable
962ea4
kexec in this situation.
962ea4
962ea4
This does not affect kexec_file_load() which can check for a signature on the
962ea4
image to be booted.
962ea4
962ea4
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
Acked-by: Dave Young <dyoung@redhat.com>
59566d
cc: kexec@lists.infradead.org
962ea4
---
59566d
59566d
 kernel/kexec.c |    7 +++++++
962ea4
 1 file changed, 7 insertions(+)
962ea4
962ea4
diff --git a/kernel/kexec.c b/kernel/kexec.c
59566d
index e62ec4dc6620..7dadfed9b676 100644
962ea4
--- a/kernel/kexec.c
962ea4
+++ b/kernel/kexec.c
59566d
@@ -202,6 +202,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
962ea4
 		return -EPERM;
c796f8
 
962ea4
 	/*
962ea4
+	 * kexec can be used to circumvent module loading restrictions, so
962ea4
+	 * prevent loading in that case
962ea4
+	 */
59566d
+	if (kernel_is_locked_down("kexec of unsigned images"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
+	/*
962ea4
 	 * Verify we have a legal set of flags
962ea4
 	 * This leaves us room for future extensions.
962ea4
 	 */
962ea4
59566d
From patchwork Thu Oct 19 14:51:20 2017
59566d
Content-Type: text/plain; charset="utf-8"
59566d
MIME-Version: 1.0
59566d
Content-Transfer-Encoding: 7bit
59566d
Subject: [06/27] Copy secure_boot flag in boot params across kexec reboot
59566d
From: David Howells <dhowells@redhat.com>
59566d
X-Patchwork-Id: 10017341
59566d
Message-Id: <150842468009.7923.5512653689857540199.stgit@warthog.procyon.org.uk>
59566d
To: linux-security-module@vger.kernel.org
59566d
Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
59566d
 matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
59566d
 linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
59566d
Date: Thu, 19 Oct 2017 15:51:20 +0100
59566d
962ea4
From: Dave Young <dyoung@redhat.com>
962ea4
962ea4
Kexec reboot in case secure boot being enabled does not keep the secure
962ea4
boot mode in new kernel, so later one can load unsigned kernel via legacy
962ea4
kexec_load.  In this state, the system is missing the protections provided
962ea4
by secure boot.
962ea4
962ea4
Adding a patch to fix this by retain the secure_boot flag in original
962ea4
kernel.
962ea4
962ea4
secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the
962ea4
stub.  Fixing this issue by copying secure_boot flag across kexec reboot.
962ea4
962ea4
Signed-off-by: Dave Young <dyoung@redhat.com>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
cc: kexec@lists.infradead.org
962ea4
---
59566d
59566d
 arch/x86/kernel/kexec-bzimage64.c |    1 +
962ea4
 1 file changed, 1 insertion(+)
962ea4
962ea4
diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
59566d
index fb095ba0c02f..7d0fac5bcbbe 100644
962ea4
--- a/arch/x86/kernel/kexec-bzimage64.c
962ea4
+++ b/arch/x86/kernel/kexec-bzimage64.c
962ea4
@@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
962ea4
 	if (efi_enabled(EFI_OLD_MEMMAP))
962ea4
 		return 0;
c796f8
 
962ea4
+	params->secure_boot = boot_params.secure_boot;
962ea4
 	ei->efi_loader_signature = current_ei->efi_loader_signature;
962ea4
 	ei->efi_systab = current_ei->efi_systab;
962ea4
 	ei->efi_systab_hi = current_ei->efi_systab_hi;
962ea4
59566d
From patchwork Thu Oct 19 14:51:27 2017
59566d
Content-Type: text/plain; charset="utf-8"
59566d
MIME-Version: 1.0
59566d
Content-Transfer-Encoding: 7bit
59566d
Subject: [07/27] kexec_file: Disable at runtime if securelevel has been set
59566d
From: David Howells <dhowells@redhat.com>
59566d
X-Patchwork-Id: 10017343
59566d
Message-Id: <150842468754.7923.10037578333644594134.stgit@warthog.procyon.org.uk>
59566d
To: linux-security-module@vger.kernel.org
59566d
Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
59566d
 matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
59566d
 linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
59566d
Date: Thu, 19 Oct 2017 15:51:27 +0100
59566d
59566d
From: Chun-Yi Lee <joeyli.kernel@gmail.com>
962ea4
962ea4
When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
962ea4
through kexec_file systemcall if securelevel has been set.
962ea4
962ea4
This code was showed in Matthew's patch but not in git:
962ea4
https://lkml.org/lkml/2015/3/13/778
962ea4
962ea4
Cc: Matthew Garrett <mjg59@srcf.ucam.org>
59566d
Signed-off-by: Chun-Yi Lee <jlee@suse.com>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
cc: kexec@lists.infradead.org
962ea4
---
59566d
59566d
 kernel/kexec_file.c |    7 +++++++
59566d
 1 file changed, 7 insertions(+)
962ea4
962ea4
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
59566d
index 9f48f4412297..ff6523f2dcc2 100644
962ea4
--- a/kernel/kexec_file.c
962ea4
+++ b/kernel/kexec_file.c
59566d
@@ -255,6 +255,13 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
962ea4
 	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
962ea4
 		return -EPERM;
c796f8
 
962ea4
+	/* Don't permit images to be loaded into trusted kernels if we're not
962ea4
+	 * going to verify the signature on them
962ea4
+	 */
59566d
+	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) &&
59566d
+	    kernel_is_locked_down("kexec of unsigned images"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
 	/* Make sure we have a legal set of flags */
962ea4
 	if (flags != (flags & KEXEC_FILE_FLAGS))
962ea4
 		return -EINVAL;
962ea4
59566d
From patchwork Thu Oct 19 14:51:34 2017
59566d
Content-Type: text/plain; charset="utf-8"
59566d
MIME-Version: 1.0
59566d
Content-Transfer-Encoding: 7bit
59566d
Subject: [08/27] hibernate: Disable when the kernel is locked down
59566d
From: David Howells <dhowells@redhat.com>
59566d
X-Patchwork-Id: 10017345
59566d
Message-Id: <150842469486.7923.10376463083069013490.stgit@warthog.procyon.org.uk>
59566d
To: linux-security-module@vger.kernel.org
59566d
Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
59566d
 matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
59566d
 linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
59566d
Date: Thu, 19 Oct 2017 15:51:34 +0100
59566d
962ea4
From: Josh Boyer <jwboyer@fedoraproject.org>
962ea4
962ea4
There is currently no way to verify the resume image when returning
962ea4
from hibernate.  This might compromise the signed modules trust model,
962ea4
so until we can work with signed hibernate images we disable it when the
962ea4
kernel is locked down.
962ea4
962ea4
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
cc: linux-pm@vger.kernel.org
962ea4
---
59566d
59566d
 kernel/power/hibernate.c |    2 +-
962ea4
 1 file changed, 1 insertion(+), 1 deletion(-)
962ea4
962ea4
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
59566d
index a5c36e9c56a6..f2eafefeec50 100644
962ea4
--- a/kernel/power/hibernate.c
962ea4
+++ b/kernel/power/hibernate.c
59566d
@@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
c796f8
 
962ea4
 bool hibernation_available(void)
962ea4
 {
962ea4
-	return (nohibernate == 0);
59566d
+	return nohibernate == 0 && !kernel_is_locked_down("Hibernation");
962ea4
 }
c796f8
 
962ea4
 /**
962ea4
59566d
From patchwork Thu Oct 19 14:51:42 2017
59566d
Content-Type: text/plain; charset="utf-8"
59566d
MIME-Version: 1.0
59566d
Content-Transfer-Encoding: 7bit
59566d
Subject: [09/27] uswsusp: Disable when the kernel is locked down
59566d
From: David Howells <dhowells@redhat.com>
59566d
X-Patchwork-Id: 10017347
59566d
Message-Id: <150842470227.7923.15293760935442172683.stgit@warthog.procyon.org.uk>
59566d
To: linux-security-module@vger.kernel.org
59566d
Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
59566d
 matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
59566d
 linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
59566d
Date: Thu, 19 Oct 2017 15:51:42 +0100
59566d
962ea4
From: Matthew Garrett <mjg59@srcf.ucam.org>
962ea4
962ea4
uswsusp allows a user process to dump and then restore kernel state, which
962ea4
makes it possible to modify the running kernel.  Disable this if the kernel
962ea4
is locked down.
962ea4
962ea4
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
cc: linux-pm@vger.kernel.org
962ea4
---
59566d
59566d
 kernel/power/user.c |    3 +++
962ea4
 1 file changed, 3 insertions(+)
962ea4
962ea4
diff --git a/kernel/power/user.c b/kernel/power/user.c
59566d
index 22df9f7ff672..678ade9decfe 100644
962ea4
--- a/kernel/power/user.c
962ea4
+++ b/kernel/power/user.c
962ea4
@@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
962ea4
 	if (!hibernation_available())
962ea4
 		return -EPERM;
c796f8
 
59566d
+	if (kernel_is_locked_down("/dev/snapshot"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
 	lock_system_sleep();
c796f8
 
962ea4
 	if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
962ea4
59566d
From patchwork Thu Oct 19 14:51:49 2017
59566d
Content-Type: text/plain; charset="utf-8"
59566d
MIME-Version: 1.0
59566d
Content-Transfer-Encoding: 7bit
59566d
Subject: [10/27] PCI: Lock down BAR access when the kernel is locked down
59566d
From: David Howells <dhowells@redhat.com>
59566d
X-Patchwork-Id: 10017349
59566d
Message-Id: <150842470945.7923.134066103094708461.stgit@warthog.procyon.org.uk>
59566d
To: linux-security-module@vger.kernel.org
59566d
Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
59566d
 matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
59566d
 linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
59566d
Date: Thu, 19 Oct 2017 15:51:49 +0100
59566d
962ea4
From: Matthew Garrett <matthew.garrett@nebula.com>
962ea4
962ea4
Any hardware that can potentially generate DMA has to be locked down in
962ea4
order to avoid it being possible for an attacker to modify kernel code,
962ea4
allowing them to circumvent disabled module loading or module signing.
962ea4
Default to paranoid - in future we can potentially relax this for
962ea4
sufficiently IOMMU-isolated devices.
962ea4
962ea4
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
Acked-by: Bjorn Helgaas <bhelgaas@google.com>
59566d
cc: linux-pci@vger.kernel.org
962ea4
---
59566d
59566d
 drivers/pci/pci-sysfs.c |    9 +++++++++
59566d
 drivers/pci/proc.c      |    9 ++++++++-
59566d
 drivers/pci/syscall.c   |    3 ++-
59566d
 3 files changed, 19 insertions(+), 2 deletions(-)
962ea4
962ea4
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
59566d
index 1eecfa301f7f..e1a3b0e765c2 100644
962ea4
--- a/drivers/pci/pci-sysfs.c
962ea4
+++ b/drivers/pci/pci-sysfs.c
59566d
@@ -881,6 +881,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
962ea4
 	loff_t init_off = off;
962ea4
 	u8 *data = (u8 *) buf;
c796f8
 
59566d
+	if (kernel_is_locked_down("Direct PCI access"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
 	if (off > dev->cfg_size)
962ea4
 		return 0;
962ea4
 	if (off + count > dev->cfg_size) {
59566d
@@ -1175,6 +1178,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
bd3278
 	enum pci_mmap_state mmap_type;
bd3278
 	struct resource *res = &pdev->resource[bar];
c796f8
 
59566d
+	if (kernel_is_locked_down("Direct PCI access"))
962ea4
+		return -EPERM;
962ea4
+
bd3278
 	if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start))
bd3278
 		return -EINVAL;
bd3278
 
59566d
@@ -1255,6 +1261,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
962ea4
 				     struct bin_attribute *attr, char *buf,
962ea4
 				     loff_t off, size_t count)
962ea4
 {
59566d
+	if (kernel_is_locked_down("Direct PCI access"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
 	return pci_resource_io(filp, kobj, attr, buf, off, count, true);
962ea4
 }
c796f8
 
962ea4
diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
59566d
index 098360d7ff81..a6c53d855daa 100644
962ea4
--- a/drivers/pci/proc.c
962ea4
+++ b/drivers/pci/proc.c
962ea4
@@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
962ea4
 	int size = dev->cfg_size;
962ea4
 	int cnt;
c796f8
 
59566d
+	if (kernel_is_locked_down("Direct PCI access"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
 	if (pos >= size)
962ea4
 		return 0;
962ea4
 	if (nbytes >= size)
962ea4
@@ -195,6 +198,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
962ea4
 #endif /* HAVE_PCI_MMAP */
962ea4
 	int ret = 0;
c796f8
 
59566d
+	if (kernel_is_locked_down("Direct PCI access"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
 	switch (cmd) {
962ea4
 	case PCIIOC_CONTROLLER:
962ea4
 		ret = pci_domain_nr(dev->bus);
59566d
@@ -236,7 +242,8 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
962ea4
 	struct pci_filp_private *fpriv = file->private_data;
bd3278
 	int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM;
c796f8
 
962ea4
-	if (!capable(CAP_SYS_RAWIO))
59566d
+	if (!capable(CAP_SYS_RAWIO) ||
59566d
+	    kernel_is_locked_down("Direct PCI access"))
962ea4
 		return -EPERM;
c796f8
 
bd3278
 	if (fpriv->mmap_state == pci_mmap_io) {
962ea4
diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
59566d
index 9bf993e1f71e..afa01cc3ceec 100644
962ea4
--- a/drivers/pci/syscall.c
962ea4
+++ b/drivers/pci/syscall.c
59566d
@@ -92,7 +92,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
962ea4
 	u32 dword;
962ea4
 	int err = 0;
c796f8
 
962ea4
-	if (!capable(CAP_SYS_ADMIN))
59566d
+	if (!capable(CAP_SYS_ADMIN) ||
59566d
+	    kernel_is_locked_down("Direct PCI access"))
962ea4
 		return -EPERM;
c796f8
 
962ea4
 	dev = pci_get_bus_and_slot(bus, dfn);
962ea4
59566d
From patchwork Thu Oct 19 14:51:56 2017
59566d
Content-Type: text/plain; charset="utf-8"
59566d
MIME-Version: 1.0
59566d
Content-Transfer-Encoding: 7bit
59566d
Subject: [11/27] x86: Lock down IO port access when the kernel is locked down
59566d
From: David Howells <dhowells@redhat.com>
59566d
X-Patchwork-Id: 10017351
59566d
Message-Id: <150842471673.7923.7676307847318724274.stgit@warthog.procyon.org.uk>
59566d
To: linux-security-module@vger.kernel.org
59566d
Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
59566d
 matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
59566d
 linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
59566d
Date: Thu, 19 Oct 2017 15:51:56 +0100
59566d
962ea4
From: Matthew Garrett <matthew.garrett@nebula.com>
962ea4
962ea4
IO port access would permit users to gain access to PCI configuration
962ea4
registers, which in turn (on a lot of hardware) give access to MMIO
962ea4
register space. This would potentially permit root to trigger arbitrary
962ea4
DMA, so lock it down by default.
962ea4
962ea4
This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and
962ea4
KDDISABIO console ioctls.
962ea4
962ea4
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
59566d
cc: x86@kernel.org
962ea4
---
59566d
59566d
 arch/x86/kernel/ioport.c |    6 ++++--
59566d
 drivers/char/mem.c       |    2 ++
59566d
 2 files changed, 6 insertions(+), 2 deletions(-)
962ea4
962ea4
diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
59566d
index 9c3cf0944bce..2c0f058651c5 100644
962ea4
--- a/arch/x86/kernel/ioport.c
962ea4
+++ b/arch/x86/kernel/ioport.c
59566d
@@ -30,7 +30,8 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
c796f8
 
962ea4
 	if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
962ea4
 		return -EINVAL;
962ea4
-	if (turn_on && !capable(CAP_SYS_RAWIO))
59566d
+	if (turn_on && (!capable(CAP_SYS_RAWIO) ||
59566d
+			kernel_is_locked_down("ioperm")))
962ea4
 		return -EPERM;
c796f8
 
962ea4
 	/*
59566d
@@ -120,7 +121,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
962ea4
 		return -EINVAL;
962ea4
 	/* Trying to gain more privileges? */
962ea4
 	if (level > old) {
962ea4
-		if (!capable(CAP_SYS_RAWIO))
59566d
+		if (!capable(CAP_SYS_RAWIO) ||
59566d
+		    kernel_is_locked_down("iopl"))
962ea4
 			return -EPERM;
962ea4
 	}
962ea4
 	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
962ea4
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
59566d
index b7c36898b689..0875b3d47773 100644
962ea4
--- a/drivers/char/mem.c
962ea4
+++ b/drivers/char/mem.c
59566d
@@ -768,6 +768,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)
c796f8
 
962ea4
 static int open_port(struct inode *inode, struct file *filp)
962ea4
 {
59566d
+	if (kernel_is_locked_down("Direct ioport access"))
962ea4
+		return -EPERM;
962ea4
 	return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
962ea4
 }
c796f8
 
962ea4
59566d
From patchwork Thu Oct 19 14:52:04 2017
59566d
Content-Type: text/plain; charset="utf-8"
59566d
MIME-Version: 1.0
59566d
Content-Transfer-Encoding: 7bit
59566d
Subject: [12/27] x86/msr: Restrict MSR access when the kernel is locked down
59566d
From: David Howells <dhowells@redhat.com>
59566d
X-Patchwork-Id: 10017353
59566d
Message-Id: <150842472452.7923.2592278090192179002.stgit@warthog.procyon.org.uk>
59566d
To: linux-security-module@vger.kernel.org
59566d
Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
59566d
 matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
59566d
 linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
59566d
Date: Thu, 19 Oct 2017 15:52:04 +0100
59566d
962ea4
From: Matthew Garrett <matthew.garrett@nebula.com>
962ea4
962ea4
Writing to MSRs should not be allowed if the kernel is locked down, since
962ea4
it could lead to execution of arbitrary code in kernel mode.  Based on a
962ea4
patch by Kees Cook.
962ea4
962ea4
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
Acked-by: Kees Cook <keescook@chromium.org>
59566d
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
59566d
cc: x86@kernel.org
962ea4
---
59566d
59566d
 arch/x86/kernel/msr.c |    7 +++++++
962ea4
 1 file changed, 7 insertions(+)
962ea4
962ea4
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
59566d
index ef688804f80d..a05a97863286 100644
962ea4
--- a/arch/x86/kernel/msr.c
962ea4
+++ b/arch/x86/kernel/msr.c
c796f8
@@ -84,6 +84,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
962ea4
 	int err = 0;
962ea4
 	ssize_t bytes = 0;
c796f8
 
59566d
+	if (kernel_is_locked_down("Direct MSR access"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
 	if (count % 8)
962ea4
 		return -EINVAL;	/* Invalid chunk size */
c796f8
 
c796f8
@@ -131,6 +134,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
962ea4
 			err = -EBADF;
962ea4
 			break;
962ea4
 		}
59566d
+		if (kernel_is_locked_down("Direct MSR access")) {
962ea4
+			err = -EPERM;
962ea4
+			break;
962ea4
+		}
962ea4
 		if (copy_from_user(&regs, uregs, sizeof regs)) {
962ea4
 			err = -EFAULT;
962ea4
 			break;
962ea4
59566d
From patchwork Thu Oct 19 14:52:11 2017
59566d
Content-Type: text/plain; charset="utf-8"
59566d
MIME-Version: 1.0
59566d
Content-Transfer-Encoding: 7bit
59566d
Subject: [13/27] asus-wmi: Restrict debugfs interface when the kernel is
962ea4
 locked down
59566d
From: David Howells <dhowells@redhat.com>
59566d
X-Patchwork-Id: 10017355
59566d
Message-Id: <150842473184.7923.9538070958624850416.stgit@warthog.procyon.org.uk>
59566d
To: linux-security-module@vger.kernel.org
59566d
Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
59566d
 matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
59566d
 linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
59566d
Date: Thu, 19 Oct 2017 15:52:11 +0100
59566d
59566d
From: Matthew Garrett <matthew.garrett@nebula.com>
962ea4
962ea4
We have no way of validating what all of the Asus WMI methods do on a given
962ea4
machine - and there's a risk that some will allow hardware state to be
962ea4
manipulated in such a way that arbitrary code can be executed in the
962ea4
kernel, circumventing module loading restrictions.  Prevent that if the
962ea4
kernel is locked down.
962ea4
962ea4
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
cc: acpi4asus-user@lists.sourceforge.net
59566d
cc: platform-driver-x86@vger.kernel.org
962ea4
---
59566d
59566d
 drivers/platform/x86/asus-wmi.c |    9 +++++++++
962ea4
 1 file changed, 9 insertions(+)
962ea4
962ea4
diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
59566d
index 48e1541dc8d4..ef5587469337 100644
962ea4
--- a/drivers/platform/x86/asus-wmi.c
962ea4
+++ b/drivers/platform/x86/asus-wmi.c
59566d
@@ -1905,6 +1905,9 @@ static int show_dsts(struct seq_file *m, void *data)
962ea4
 	int err;
962ea4
 	u32 retval = -1;
c796f8
 
59566d
+	if (kernel_is_locked_down("Asus WMI"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
 	err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
c796f8
 
962ea4
 	if (err < 0)
59566d
@@ -1921,6 +1924,9 @@ static int show_devs(struct seq_file *m, void *data)
962ea4
 	int err;
962ea4
 	u32 retval = -1;
c796f8
 
59566d
+	if (kernel_is_locked_down("Asus WMI"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
 	err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
962ea4
 				    &retval);
c796f8
 
59566d
@@ -1945,6 +1951,9 @@ static int show_call(struct seq_file *m, void *data)
962ea4
 	union acpi_object *obj;
962ea4
 	acpi_status status;
c796f8
 
59566d
+	if (kernel_is_locked_down("Asus WMI"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
 	status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
21e4b8
 				     0, asus->debug.method_id,
962ea4
 				     &input, &output);
962ea4
59566d
From patchwork Thu Oct 19 14:52:19 2017
59566d
Content-Type: text/plain; charset="utf-8"
59566d
MIME-Version: 1.0
59566d
Content-Transfer-Encoding: 7bit
59566d
Subject: [14/27] ACPI: Limit access to custom_method when the kernel is locked
59566d
 down
59566d
From: David Howells <dhowells@redhat.com>
59566d
X-Patchwork-Id: 10017357
59566d
Message-Id: <150842473899.7923.6590815561953001126.stgit@warthog.procyon.org.uk>
59566d
To: linux-security-module@vger.kernel.org
59566d
Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
59566d
 matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
59566d
 linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
59566d
Date: Thu, 19 Oct 2017 15:52:19 +0100
59566d
962ea4
From: Matthew Garrett <matthew.garrett@nebula.com>
962ea4
962ea4
custom_method effectively allows arbitrary access to system memory, making
962ea4
it possible for an attacker to circumvent restrictions on module loading.
962ea4
Disable it if the kernel is locked down.
962ea4
962ea4
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
cc: linux-acpi@vger.kernel.org
962ea4
---
59566d
59566d
 drivers/acpi/custom_method.c |    3 +++
962ea4
 1 file changed, 3 insertions(+)
962ea4
962ea4
diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
59566d
index c68e72414a67..b33fba70ec51 100644
962ea4
--- a/drivers/acpi/custom_method.c
962ea4
+++ b/drivers/acpi/custom_method.c
962ea4
@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
962ea4
 	struct acpi_table_header table;
962ea4
 	acpi_status status;
c796f8
 
59566d
+	if (kernel_is_locked_down("ACPI custom methods"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
 	if (!(*ppos)) {
962ea4
 		/* parse the table header to get the table length */
962ea4
 		if (count <= sizeof(struct acpi_table_header))
962ea4
59566d
From patchwork Thu Oct 19 14:52:27 2017
59566d
Content-Type: text/plain; charset="utf-8"
59566d
MIME-Version: 1.0
59566d
Content-Transfer-Encoding: 7bit
59566d
Subject: [15/27] acpi: Ignore acpi_rsdp kernel param when the kernel has been
59566d
 locked down
59566d
From: David Howells <dhowells@redhat.com>
59566d
X-Patchwork-Id: 10017359
59566d
Message-Id: <150842474713.7923.4851355698276917280.stgit@warthog.procyon.org.uk>
59566d
To: linux-security-module@vger.kernel.org
59566d
Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
59566d
 matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
59566d
 linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
59566d
Date: Thu, 19 Oct 2017 15:52:27 +0100
59566d
962ea4
From: Josh Boyer <jwboyer@redhat.com>
962ea4
962ea4
This option allows userspace to pass the RSDP address to the kernel, which
59566d
makes it possible for a user to modify the workings of hardware .  Reject
59566d
the option when the kernel is locked down.
962ea4
962ea4
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
cc: Dave Young <dyoung@redhat.com>
59566d
cc: linux-acpi@vger.kernel.org
962ea4
---
59566d
59566d
 drivers/acpi/osl.c |    2 +-
962ea4
 1 file changed, 1 insertion(+), 1 deletion(-)
962ea4
962ea4
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
59566d
index db78d353bab1..36c6527c1b0a 100644
962ea4
--- a/drivers/acpi/osl.c
962ea4
+++ b/drivers/acpi/osl.c
c796f8
@@ -192,7 +192,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void)
962ea4
 	acpi_physical_address pa = 0;
962ea4
 
962ea4
 #ifdef CONFIG_KEXEC
962ea4
-	if (acpi_rsdp)
59566d
+	if (acpi_rsdp && !kernel_is_locked_down("ACPI RSDP specification"))
962ea4
 		return acpi_rsdp;
962ea4
 #endif
c796f8
 
962ea4
59566d
From patchwork Thu Oct 19 14:52:34 2017
59566d
Content-Type: text/plain; charset="utf-8"
59566d
MIME-Version: 1.0
59566d
Content-Transfer-Encoding: 7bit
59566d
Subject: [16/27] acpi: Disable ACPI table override if the kernel is locked down
59566d
From: David Howells <dhowells@redhat.com>
59566d
X-Patchwork-Id: 10017361
59566d
Message-Id: <150842475442.7923.12198790224494561644.stgit@warthog.procyon.org.uk>
59566d
To: linux-security-module@vger.kernel.org
59566d
Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
59566d
 matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
59566d
 linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
59566d
Date: Thu, 19 Oct 2017 15:52:34 +0100
59566d
962ea4
From: Linn Crosetto <linn@hpe.com>
962ea4
59566d
>From the kernel documentation (initrd_table_override.txt):
962ea4
962ea4
  If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
962ea4
  to override nearly any ACPI table provided by the BIOS with an
962ea4
  instrumented, modified one.
962ea4
962ea4
When securelevel is set, the kernel should disallow any unauthenticated
962ea4
changes to kernel space.  ACPI tables contain code invoked by the kernel,
962ea4
so do not allow ACPI tables to be overridden if the kernel is locked down.
962ea4
962ea4
Signed-off-by: Linn Crosetto <linn@hpe.com>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
cc: linux-acpi@vger.kernel.org
962ea4
---
59566d
59566d
 drivers/acpi/tables.c |    5 +++++
962ea4
 1 file changed, 5 insertions(+)
962ea4
962ea4
diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
59566d
index 80ce2a7d224b..5cc13c42daf9 100644
962ea4
--- a/drivers/acpi/tables.c
962ea4
+++ b/drivers/acpi/tables.c
59566d
@@ -526,6 +526,11 @@ void __init acpi_table_upgrade(void)
962ea4
 	if (table_nr == 0)
962ea4
 		return;
c796f8
 
59566d
+	if (kernel_is_locked_down("ACPI table override")) {
962ea4
+		pr_notice("kernel is locked down, ignoring table override\n");
962ea4
+		return;
962ea4
+	}
962ea4
+
962ea4
 	acpi_tables_addr =
962ea4
 		memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
962ea4
 				       all_tables_size, PAGE_SIZE);
962ea4
59566d
From patchwork Thu Oct 19 14:52:41 2017
59566d
Content-Type: text/plain; charset="utf-8"
59566d
MIME-Version: 1.0
59566d
Content-Transfer-Encoding: 7bit
59566d
Subject: [17/27] acpi: Disable APEI error injection if the kernel is locked
59566d
 down
59566d
From: David Howells <dhowells@redhat.com>
59566d
X-Patchwork-Id: 10017363
59566d
Message-Id: <150842476188.7923.14340260837257633120.stgit@warthog.procyon.org.uk>
59566d
To: linux-security-module@vger.kernel.org
59566d
Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
59566d
 matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
59566d
 linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
59566d
Date: Thu, 19 Oct 2017 15:52:41 +0100
59566d
962ea4
From: Linn Crosetto <linn@hpe.com>
962ea4
962ea4
ACPI provides an error injection mechanism, EINJ, for debugging and testing
962ea4
the ACPI Platform Error Interface (APEI) and other RAS features.  If
962ea4
supported by the firmware, ACPI specification 5.0 and later provide for a
962ea4
way to specify a physical memory address to which to inject the error.
962ea4
962ea4
Injecting errors through EINJ can produce errors which to the platform are
962ea4
indistinguishable from real hardware errors.  This can have undesirable
962ea4
side-effects, such as causing the platform to mark hardware as needing
962ea4
replacement.
962ea4
962ea4
While it does not provide a method to load unauthenticated privileged code,
962ea4
the effect of these errors may persist across reboots and affect trust in
962ea4
the underlying hardware, so disable error injection through EINJ if
962ea4
the kernel is locked down.
962ea4
962ea4
Signed-off-by: Linn Crosetto <linn@hpe.com>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
cc: linux-acpi@vger.kernel.org
962ea4
---
59566d
59566d
 drivers/acpi/apei/einj.c |    3 +++
962ea4
 1 file changed, 3 insertions(+)
962ea4
962ea4
diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c
59566d
index b38737c83a24..6d71e1e97b20 100644
962ea4
--- a/drivers/acpi/apei/einj.c
962ea4
+++ b/drivers/acpi/apei/einj.c
962ea4
@@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2,
962ea4
 	int rc;
962ea4
 	u64 base_addr, size;
c796f8
 
59566d
+	if (kernel_is_locked_down("ACPI error injection"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
 	/* If user manually set "flags", make sure it is legal */
962ea4
 	if (flags && (flags &
962ea4
 		~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF)))
962ea4
59566d
From patchwork Thu Oct 19 14:52:49 2017
59566d
Content-Type: text/plain; charset="utf-8"
59566d
MIME-Version: 1.0
59566d
Content-Transfer-Encoding: 7bit
59566d
Subject: [18/27] bpf: Restrict kernel image access functions when the kernel
59566d
 is locked down
59566d
From: David Howells <dhowells@redhat.com>
59566d
X-Patchwork-Id: 10017365
59566d
Message-Id: <150842476953.7923.18174368926573855810.stgit@warthog.procyon.org.uk>
59566d
To: linux-security-module@vger.kernel.org
59566d
Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
59566d
 matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
59566d
 linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
59566d
Date: Thu, 19 Oct 2017 15:52:49 +0100
962ea4
59566d
From: Chun-Yi Lee <jlee@suse.com>
962ea4
962ea4
There are some bpf functions can be used to read kernel memory:
962ea4
bpf_probe_read, bpf_probe_write_user and bpf_trace_printk.  These allow
962ea4
private keys in kernel memory (e.g. the hibernation image signing key) to
962ea4
be read by an eBPF program.  Prohibit those functions when the kernel is
962ea4
locked down.
962ea4
59566d
Signed-off-by: Chun-Yi Lee <jlee@suse.com>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
cc: netdev@vger.kernel.org
962ea4
---
59566d
59566d
 kernel/trace/bpf_trace.c |   11 +++++++++++
962ea4
 1 file changed, 11 insertions(+)
962ea4
962ea4
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
59566d
index dc498b605d5d..35e85a3fdb37 100644
962ea4
--- a/kernel/trace/bpf_trace.c
962ea4
+++ b/kernel/trace/bpf_trace.c
962ea4
@@ -65,6 +65,11 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr)
962ea4
 {
962ea4
 	int ret;
c796f8
 
59566d
+	if (kernel_is_locked_down("BPF")) {
962ea4
+		memset(dst, 0, size);
962ea4
+		return -EPERM;
962ea4
+	}
962ea4
+
962ea4
 	ret = probe_kernel_read(dst, unsafe_ptr, size);
962ea4
 	if (unlikely(ret < 0))
962ea4
 		memset(dst, 0, size);
962ea4
@@ -84,6 +89,9 @@ static const struct bpf_func_proto bpf_probe_read_proto = {
962ea4
 BPF_CALL_3(bpf_probe_write_user, void *, unsafe_ptr, const void *, src,
962ea4
 	   u32, size)
962ea4
 {
59566d
+	if (kernel_is_locked_down("BPF"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
 	/*
962ea4
 	 * Ensure we're in user context which is safe for the helper to
962ea4
 	 * run. This helper has no business in a kthread.
962ea4
@@ -143,6 +151,9 @@ BPF_CALL_5(bpf_trace_printk, char *, fmt, u32, fmt_size, u64, arg1,
962ea4
 	if (fmt[--fmt_size] != 0)
962ea4
 		return -EINVAL;
c796f8
 
59566d
+	if (kernel_is_locked_down("BPF"))
962ea4
+		return __trace_printk(1, fmt, 0, 0, 0);
962ea4
+
962ea4
 	/* check format string for allowed specifiers */
962ea4
 	for (i = 0; i < fmt_size; i++) {
962ea4
 		if ((!isprint(fmt[i]) && !isspace(fmt[i])) || !isascii(fmt[i]))
962ea4
59566d
From patchwork Thu Oct 19 14:52:57 2017
59566d
Content-Type: text/plain; charset="utf-8"
59566d
MIME-Version: 1.0
59566d
Content-Transfer-Encoding: 7bit
59566d
Subject: [19/27] scsi: Lock down the eata driver
962ea4
From: David Howells <dhowells@redhat.com>
59566d
X-Patchwork-Id: 10017367
59566d
Message-Id: <150842477698.7923.15570916285929038112.stgit@warthog.procyon.org.uk>
59566d
To: linux-security-module@vger.kernel.org
59566d
Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
59566d
 matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
59566d
 linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
59566d
Date: Thu, 19 Oct 2017 15:52:57 +0100
962ea4
962ea4
When the kernel is running in secure boot mode, we lock down the kernel to
962ea4
prevent userspace from modifying the running kernel image.  Whilst this
962ea4
includes prohibiting access to things like /dev/mem, it must also prevent
962ea4
access by means of configuring driver modules in such a way as to cause a
962ea4
device to access or modify the kernel image.
962ea4
962ea4
The eata driver takes a single string parameter that contains a slew of
962ea4
settings, including hardware resource configuration.  Prohibit use of the
962ea4
parameter if the kernel is locked down.
962ea4
59566d
Suggested-by: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
962ea4
cc: Dario Ballabio <ballabio_dario@emc.com>
962ea4
cc: "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>
962ea4
cc: "Martin K. Petersen" <martin.petersen@oracle.com>
962ea4
cc: linux-scsi@vger.kernel.org
962ea4
---
59566d
59566d
 drivers/scsi/eata.c |    5 ++++-
59566d
 1 file changed, 4 insertions(+), 1 deletion(-)
962ea4
962ea4
diff --git a/drivers/scsi/eata.c b/drivers/scsi/eata.c
59566d
index 6501c330d8c8..72fceaa8f3da 100644
962ea4
--- a/drivers/scsi/eata.c
962ea4
+++ b/drivers/scsi/eata.c
59566d
@@ -1552,8 +1552,11 @@ static int eata2x_detect(struct scsi_host_template *tpnt)
c796f8
 
962ea4
 	tpnt->proc_name = "eata2x";
c796f8
 
962ea4
-	if (strlen(boot_options))
962ea4
+	if (strlen(boot_options)) {
59566d
+		if (kernel_is_locked_down("Command line-specified device addresses, irqs and dma channels"))
962ea4
+			return -EPERM;
962ea4
 		option_setup(boot_options);
962ea4
+	}
c796f8
 
962ea4
 #if defined(MODULE)
962ea4
 	/* io_port could have been modified when loading as a module */
962ea4
59566d
From patchwork Thu Oct 19 14:53:04 2017
59566d
Content-Type: text/plain; charset="utf-8"
59566d
MIME-Version: 1.0
59566d
Content-Transfer-Encoding: 7bit
59566d
Subject: [20/27] Prohibit PCMCIA CIS storage when the kernel is locked down
962ea4
From: David Howells <dhowells@redhat.com>
59566d
X-Patchwork-Id: 10017369
59566d
Message-Id: <150842478444.7923.5111743275510836636.stgit@warthog.procyon.org.uk>
59566d
To: linux-security-module@vger.kernel.org
59566d
Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
59566d
 matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
59566d
 linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
59566d
Date: Thu, 19 Oct 2017 15:53:04 +0100
962ea4
962ea4
Prohibit replacement of the PCMCIA Card Information Structure when the
962ea4
kernel is locked down.
962ea4
59566d
Suggested-by: Dominik Brodowski <linux@dominikbrodowski.net>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
cc: linux-pcmcia@lists.infradead.org
962ea4
---
59566d
59566d
 drivers/pcmcia/cistpl.c |    3 +++
59566d
 1 file changed, 3 insertions(+)
962ea4
962ea4
diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c
59566d
index 55ef7d1fd8da..b7a0e42eeb25 100644
962ea4
--- a/drivers/pcmcia/cistpl.c
962ea4
+++ b/drivers/pcmcia/cistpl.c
59566d
@@ -1578,6 +1578,9 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj,
962ea4
 	struct pcmcia_socket *s;
962ea4
 	int error;
c796f8
 
59566d
+	if (kernel_is_locked_down("Direct PCMCIA CIS storage"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
 	s = to_socket(container_of(kobj, struct device, kobj));
c796f8
 
962ea4
 	if (off)
962ea4
59566d
From patchwork Thu Oct 19 14:53:12 2017
59566d
Content-Type: text/plain; charset="utf-8"
59566d
MIME-Version: 1.0
59566d
Content-Transfer-Encoding: 7bit
59566d
Subject: [21/27] Lock down TIOCSSERIAL
962ea4
From: David Howells <dhowells@redhat.com>
59566d
X-Patchwork-Id: 10017371
59566d
Message-Id: <150842479208.7923.3429065489239605709.stgit@warthog.procyon.org.uk>
59566d
To: linux-security-module@vger.kernel.org
59566d
Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
59566d
 matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
59566d
 linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
59566d
Date: Thu, 19 Oct 2017 15:53:12 +0100
962ea4
962ea4
Lock down TIOCSSERIAL as that can be used to change the ioport and irq
962ea4
settings on a serial port.  This only appears to be an issue for the serial
962ea4
drivers that use the core serial code.  All other drivers seem to either
962ea4
ignore attempts to change port/irq or give an error.
962ea4
962ea4
Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
cc: Jiri Slaby <jslaby@suse.com>
962ea4
---
59566d
59566d
 drivers/tty/serial/serial_core.c |    6 ++++++
962ea4
 1 file changed, 6 insertions(+)
962ea4
962ea4
diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
59566d
index 3a14cccbd7ff..41f0922ad842 100644
962ea4
--- a/drivers/tty/serial/serial_core.c
962ea4
+++ b/drivers/tty/serial/serial_core.c
59566d
@@ -842,6 +842,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port,
7c0c57
 	new_flags = (__force upf_t)new_info->flags;
962ea4
 	old_custom_divisor = uport->custom_divisor;
c796f8
 
59566d
+	if ((change_port || change_irq) &&
59566d
+	    kernel_is_locked_down("Using TIOCSSERIAL to change device addresses, irqs and dma channels")) {
962ea4
+		retval = -EPERM;
962ea4
+		goto exit;
962ea4
+	}
962ea4
+
962ea4
 	if (!capable(CAP_SYS_ADMIN)) {
962ea4
 		retval = -EPERM;
962ea4
 		if (change_irq || change_port ||
c796f8
59566d
From patchwork Thu Oct 19 14:53:19 2017
59566d
Content-Type: text/plain; charset="utf-8"
59566d
MIME-Version: 1.0
59566d
Content-Transfer-Encoding: 7bit
59566d
Subject: [22/27] Lock down module params that specify hardware parameters (eg.
59566d
 ioport)
59566d
From: David Howells <dhowells@redhat.com>
59566d
X-Patchwork-Id: 10017373
59566d
Message-Id: <150842479932.7923.8106830872069353117.stgit@warthog.procyon.org.uk>
59566d
To: linux-security-module@vger.kernel.org
59566d
Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
59566d
 matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
59566d
 linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
59566d
Date: Thu, 19 Oct 2017 15:53:19 +0100
59566d
59566d
Provided an annotation for module parameters that specify hardware
59566d
parameters (such as io ports, iomem addresses, irqs, dma channels, fixed
59566d
dma buffers and other types).
59566d
59566d
Suggested-by: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
59566d
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
---
59566d
59566d
 kernel/params.c |   26 +++++++++++++++++++++-----
59566d
 1 file changed, 21 insertions(+), 5 deletions(-)
59566d
59566d
diff --git a/kernel/params.c b/kernel/params.c
59566d
index 60b2d8101355..422979adb60a 100644
59566d
--- a/kernel/params.c
59566d
+++ b/kernel/params.c
59566d
@@ -108,13 +108,19 @@ bool parameq(const char *a, const char *b)
59566d
 	return parameqn(a, b, strlen(a)+1);
59566d
 }
59566d
 
59566d
-static void param_check_unsafe(const struct kernel_param *kp)
59566d
+static bool param_check_unsafe(const struct kernel_param *kp,
59566d
+			       const char *doing)
59566d
 {
59566d
 	if (kp->flags & KERNEL_PARAM_FL_UNSAFE) {
59566d
 		pr_warn("Setting dangerous option %s - tainting kernel\n",
59566d
 			kp->name);
59566d
 		add_taint(TAINT_USER, LOCKDEP_STILL_OK);
59566d
 	}
59566d
+
59566d
+	if (kp->flags & KERNEL_PARAM_FL_HWPARAM &&
59566d
+	    kernel_is_locked_down("Command line-specified device addresses, irqs and dma channels"))
59566d
+		return false;
59566d
+	return true;
59566d
 }
59566d
 
59566d
 static int parse_one(char *param,
59566d
@@ -144,8 +150,10 @@ static int parse_one(char *param,
59566d
 			pr_debug("handling %s with %p\n", param,
59566d
 				params[i].ops->set);
59566d
 			kernel_param_lock(params[i].mod);
59566d
-			param_check_unsafe(&params[i]);
59566d
-			err = params[i].ops->set(val, &params[i]);
59566d
+			if (param_check_unsafe(&params[i], doing))
59566d
+				err = params[i].ops->set(val, &params[i]);
59566d
+			else
59566d
+				err = -EPERM;
59566d
 			kernel_param_unlock(params[i].mod);
59566d
 			return err;
59566d
 		}
59566d
@@ -556,6 +564,12 @@ static ssize_t param_attr_show(struct module_attribute *mattr,
59566d
 	return count;
59566d
 }
59566d
 
59566d
+#ifdef CONFIG_MODULES
59566d
+#define mod_name(mod) (mod)->name
59566d
+#else
59566d
+#define mod_name(mod) "unknown"
59566d
+#endif
59566d
+
59566d
 /* sysfs always hands a nul-terminated string in buf.  We rely on that. */
59566d
 static ssize_t param_attr_store(struct module_attribute *mattr,
59566d
 				struct module_kobject *mk,
59566d
@@ -568,8 +582,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr,
59566d
 		return -EPERM;
59566d
 
59566d
 	kernel_param_lock(mk->mod);
59566d
-	param_check_unsafe(attribute->param);
59566d
-	err = attribute->param->ops->set(buf, attribute->param);
59566d
+	if (param_check_unsafe(attribute->param, mod_name(mk->mod)))
59566d
+		err = attribute->param->ops->set(buf, attribute->param);
59566d
+	else
59566d
+		err = -EPERM;
59566d
 	kernel_param_unlock(mk->mod);
59566d
 	if (!err)
59566d
 		return len;
59566d
59566d
From patchwork Thu Oct 19 14:53:26 2017
59566d
Content-Type: text/plain; charset="utf-8"
59566d
MIME-Version: 1.0
59566d
Content-Transfer-Encoding: 7bit
59566d
Subject: [23/27] x86/mmiotrace: Lock down the testmmiotrace module
59566d
From: David Howells <dhowells@redhat.com>
59566d
X-Patchwork-Id: 10017375
59566d
Message-Id: <150842480649.7923.13997201431299349211.stgit@warthog.procyon.org.uk>
59566d
To: linux-security-module@vger.kernel.org
59566d
Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
59566d
 matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
59566d
 linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
59566d
Date: Thu, 19 Oct 2017 15:53:26 +0100
59566d
59566d
The testmmiotrace module shouldn't be permitted when the kernel is locked
59566d
down as it can be used to arbitrarily read and write MMIO space.
59566d
59566d
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
59566d
Signed-off-by: David Howells 
59566d
cc: Thomas Gleixner <tglx@linutronix.de>
59566d
cc: Steven Rostedt <rostedt@goodmis.org>
59566d
cc: Ingo Molnar <mingo@kernel.org>
59566d
cc: "H. Peter Anvin" <hpa@zytor.com>
59566d
cc: x86@kernel.org
59566d
---
59566d
59566d
 arch/x86/mm/testmmiotrace.c |    3 +++
59566d
 1 file changed, 3 insertions(+)
59566d
59566d
diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c
59566d
index f6ae6830b341..bbaad357f5d7 100644
59566d
--- a/arch/x86/mm/testmmiotrace.c
59566d
+++ b/arch/x86/mm/testmmiotrace.c
59566d
@@ -115,6 +115,9 @@ static int __init init(void)
59566d
 {
59566d
 	unsigned long size = (read_far) ? (8 << 20) : (16 << 10);
59566d
 
59566d
+	if (kernel_is_locked_down("MMIO trace testing"))
59566d
+		return -EPERM;
59566d
+
59566d
 	if (mmio_address == 0) {
59566d
 		pr_err("you have to use the module argument mmio_address.\n");
59566d
 		pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n");
59566d
59566d
From patchwork Thu Oct 19 14:53:33 2017
59566d
Content-Type: text/plain; charset="utf-8"
59566d
MIME-Version: 1.0
59566d
Content-Transfer-Encoding: 7bit
59566d
Subject: [24/27] debugfs: Disallow use of debugfs files when the kernel is
59566d
 locked down
59566d
From: David Howells <dhowells@redhat.com>
59566d
X-Patchwork-Id: 10017379
59566d
Message-Id: <150842481363.7923.13021827051686067882.stgit@warthog.procyon.org.uk>
59566d
To: linux-security-module@vger.kernel.org
59566d
Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
59566d
 matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
59566d
 linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
59566d
Date: Thu, 19 Oct 2017 15:53:33 +0100
59566d
59566d
Disallow opening of debugfs files when the kernel is locked down as various
59566d
drivers give raw access to hardware through debugfs.
59566d
59566d
Accesses to tracefs should use /sys/kernel/tracing/ rather than
59566d
/sys/kernel/debug/tracing/.  Possibly a symlink should be emplaced.
59566d
59566d
Normal device interaction should be done through configfs or a miscdev, not
59566d
debugfs.
59566d
59566d
Note that this makes it unnecessary to specifically lock down show_dsts(),
59566d
show_devs() and show_call() in the asus-wmi driver.
59566d
59566d
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
cc: Andy Shevchenko <andy.shevchenko@gmail.com>
59566d
cc: acpi4asus-user@lists.sourceforge.net
59566d
cc: platform-driver-x86@vger.kernel.org
59566d
cc: Matthew Garrett <matthew.garrett@nebula.com>
59566d
cc: Thomas Gleixner <tglx@linutronix.de>
59566d
---
59566d
59566d
 fs/debugfs/file.c |    6 ++++++
59566d
 1 file changed, 6 insertions(+)
59566d
59566d
diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
59566d
index 6dabc4a10396..32b5168a7e91 100644
59566d
--- a/fs/debugfs/file.c
59566d
+++ b/fs/debugfs/file.c
59566d
@@ -103,6 +103,9 @@ static int open_proxy_open(struct inode *inode, struct file *filp)
59566d
 	const struct file_operations *real_fops = NULL;
59566d
 	int srcu_idx, r;
59566d
 
59566d
+	if (kernel_is_locked_down("debugfs"))
59566d
+		return -EPERM;
59566d
+
59566d
 	r = debugfs_use_file_start(dentry, &srcu_idx);
59566d
 	if (r) {
59566d
 		r = -ENOENT;
59566d
@@ -232,6 +235,9 @@ static int full_proxy_open(struct inode *inode, struct file *filp)
59566d
 	struct file_operations *proxy_fops = NULL;
59566d
 	int srcu_idx, r;
59566d
 
59566d
+	if (kernel_is_locked_down("debugfs"))
59566d
+		return -EPERM;
59566d
+
59566d
 	r = debugfs_use_file_start(dentry, &srcu_idx);
59566d
 	if (r) {
59566d
 		r = -ENOENT;
59566d
59566d
From patchwork Thu Oct 19 14:53:42 2017
59566d
Content-Type: text/plain; charset="utf-8"
59566d
MIME-Version: 1.0
59566d
Content-Transfer-Encoding: 7bit
59566d
Subject: [25/27] Lock down /proc/kcore
59566d
From: David Howells <dhowells@redhat.com>
59566d
X-Patchwork-Id: 10017381
59566d
Message-Id: <150842482228.7923.9630520914833154257.stgit@warthog.procyon.org.uk>
59566d
To: linux-security-module@vger.kernel.org
59566d
Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
59566d
 matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
59566d
 linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
59566d
Date: Thu, 19 Oct 2017 15:53:42 +0100
59566d
59566d
Disallow access to /proc/kcore when the kernel is locked down to prevent
59566d
access to cryptographic data.
59566d
59566d
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
---
59566d
59566d
 fs/proc/kcore.c |    2 ++
59566d
 1 file changed, 2 insertions(+)
59566d
59566d
diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
59566d
index 45629f4b5402..176cf749e650 100644
59566d
--- a/fs/proc/kcore.c
59566d
+++ b/fs/proc/kcore.c
59566d
@@ -549,6 +549,8 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
59566d
 
59566d
 static int open_kcore(struct inode *inode, struct file *filp)
59566d
 {
59566d
+	if (kernel_is_locked_down("/proc/kcore"))
59566d
+		return -EPERM;
59566d
 	if (!capable(CAP_SYS_RAWIO))
59566d
 		return -EPERM;
59566d
 
59566d
59566d
From patchwork Thu Oct 19 14:53:51 2017
59566d
Content-Type: text/plain; charset="utf-8"
59566d
MIME-Version: 1.0
59566d
Content-Transfer-Encoding: 7bit
59566d
Subject: [26/27] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode
59566d
From: David Howells <dhowells@redhat.com>
59566d
X-Patchwork-Id: 10017383
59566d
Message-Id: <150842483172.7923.2791223614506312745.stgit@warthog.procyon.org.uk>
59566d
To: linux-security-module@vger.kernel.org
59566d
Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
59566d
 matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
59566d
 linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
59566d
Date: Thu, 19 Oct 2017 15:53:51 +0100
59566d
59566d
UEFI machines can be booted in Secure Boot mode.  Add an EFI_SECURE_BOOT
59566d
flag that can be passed to efi_enabled() to find out whether secure boot is
59566d
enabled.
59566d
59566d
Move the switch-statement in x86's setup_arch() that inteprets the
59566d
secure_boot boot parameter to generic code and set the bit there.
59566d
59566d
Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
59566d
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
59566d
cc: linux-efi@vger.kernel.org
59566d
---
59566d
59566d
 arch/x86/kernel/setup.c           |   14 +-------------
59566d
 drivers/firmware/efi/Makefile     |    1 +
59566d
 drivers/firmware/efi/secureboot.c |   37 +++++++++++++++++++++++++++++++++++++
59566d
 include/linux/efi.h               |   16 ++++++++++------
59566d
 4 files changed, 49 insertions(+), 19 deletions(-)
59566d
 create mode 100644 drivers/firmware/efi/secureboot.c
59566d
59566d
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
59566d
index 0957dd73d127..7c2162f9e769 100644
59566d
--- a/arch/x86/kernel/setup.c
59566d
+++ b/arch/x86/kernel/setup.c
59566d
@@ -1197,19 +1197,7 @@ void __init setup_arch(char **cmdline_p)
59566d
 	/* Allocate bigger log buffer */
59566d
 	setup_log_buf(1);
59566d
 
59566d
-	if (efi_enabled(EFI_BOOT)) {
59566d
-		switch (boot_params.secure_boot) {
59566d
-		case efi_secureboot_mode_disabled:
59566d
-			pr_info("Secure boot disabled\n");
59566d
-			break;
59566d
-		case efi_secureboot_mode_enabled:
59566d
-			pr_info("Secure boot enabled\n");
59566d
-			break;
59566d
-		default:
59566d
-			pr_info("Secure boot could not be determined\n");
59566d
-			break;
59566d
-		}
59566d
-	}
59566d
+	efi_set_secure_boot(boot_params.secure_boot);
59566d
 
59566d
 	reserve_initrd();
59566d
 
59566d
diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile
59566d
index 0329d319d89a..883f9f7eefc6 100644
59566d
--- a/drivers/firmware/efi/Makefile
59566d
+++ b/drivers/firmware/efi/Makefile
59566d
@@ -23,6 +23,7 @@ obj-$(CONFIG_EFI_FAKE_MEMMAP)		+= fake_mem.o
59566d
 obj-$(CONFIG_EFI_BOOTLOADER_CONTROL)	+= efibc.o
59566d
 obj-$(CONFIG_EFI_TEST)			+= test/
59566d
 obj-$(CONFIG_EFI_DEV_PATH_PARSER)	+= dev-path-parser.o
59566d
+obj-$(CONFIG_EFI)			+= secureboot.o
59566d
 obj-$(CONFIG_APPLE_PROPERTIES)		+= apple-properties.o
59566d
 
59566d
 arm-obj-$(CONFIG_EFI)			:= arm-init.o arm-runtime.o
59566d
diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c
59566d
new file mode 100644
59566d
index 000000000000..674dcc01bb0b
59566d
--- /dev/null
59566d
+++ b/drivers/firmware/efi/secureboot.c
59566d
@@ -0,0 +1,37 @@
59566d
+/* Core kernel secure boot support.
59566d
+ *
59566d
+ * Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
59566d
+ * Written by David Howells (dhowells@redhat.com)
59566d
+ *
59566d
+ * This program is free software; you can redistribute it and/or
59566d
+ * modify it under the terms of the GNU General Public Licence
59566d
+ * as published by the Free Software Foundation; either version
59566d
+ * 2 of the Licence, or (at your option) any later version.
59566d
+ */
59566d
+
59566d
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
59566d
+
59566d
+#include <linux/efi.h>
59566d
+#include <linux/kernel.h>
59566d
+#include <linux/printk.h>
59566d
+
59566d
+/*
59566d
+ * Decide what to do when UEFI secure boot mode is enabled.
59566d
+ */
59566d
+void __init efi_set_secure_boot(enum efi_secureboot_mode mode)
59566d
+{
59566d
+	if (efi_enabled(EFI_BOOT)) {
59566d
+		switch (mode) {
59566d
+		case efi_secureboot_mode_disabled:
59566d
+			pr_info("Secure boot disabled\n");
59566d
+			break;
59566d
+		case efi_secureboot_mode_enabled:
59566d
+			set_bit(EFI_SECURE_BOOT, &efi.flags);
59566d
+			pr_info("Secure boot enabled\n");
59566d
+			break;
59566d
+		default:
59566d
+			pr_info("Secure boot could not be determined\n");
59566d
+			break;
59566d
+		}
59566d
+	}
59566d
+}
59566d
diff --git a/include/linux/efi.h b/include/linux/efi.h
59566d
index 66f4a4e79f4b..7c7a7e33e4d1 100644
59566d
--- a/include/linux/efi.h
59566d
+++ b/include/linux/efi.h
59566d
@@ -1103,6 +1103,14 @@ extern int __init efi_setup_pcdp_console(char *);
59566d
 #define EFI_DBG			8	/* Print additional debug info at runtime */
59566d
 #define EFI_NX_PE_DATA		9	/* Can runtime data regions be mapped non-executable? */
59566d
 #define EFI_MEM_ATTR		10	/* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */
59566d
+#define EFI_SECURE_BOOT		11	/* Are we in Secure Boot mode? */
59566d
+
59566d
+enum efi_secureboot_mode {
59566d
+	efi_secureboot_mode_unset,
59566d
+	efi_secureboot_mode_unknown,
59566d
+	efi_secureboot_mode_disabled,
59566d
+	efi_secureboot_mode_enabled,
59566d
+};
59566d
 
59566d
 #ifdef CONFIG_EFI
59566d
 /*
59566d
@@ -1115,6 +1123,7 @@ static inline bool efi_enabled(int feature)
59566d
 extern void efi_reboot(enum reboot_mode reboot_mode, const char *__unused);
59566d
 
59566d
 extern bool efi_is_table_address(unsigned long phys_addr);
59566d
+extern void __init efi_set_secure_boot(enum efi_secureboot_mode mode);
59566d
 #else
59566d
 static inline bool efi_enabled(int feature)
59566d
 {
59566d
@@ -1133,6 +1142,7 @@ static inline bool efi_is_table_address(unsigned long phys_addr)
59566d
 {
59566d
 	return false;
59566d
 }
59566d
+static inline void efi_set_secure_boot(enum efi_secureboot_mode mode) {}
59566d
 #endif
59566d
 
59566d
 extern int efi_status_to_err(efi_status_t status);
59566d
@@ -1518,12 +1528,6 @@ efi_status_t efi_setup_gop(efi_system_table_t *sys_table_arg,
59566d
 bool efi_runtime_disabled(void);
59566d
 extern void efi_call_virt_check_flags(unsigned long flags, const char *call);
59566d
 
59566d
-enum efi_secureboot_mode {
59566d
-	efi_secureboot_mode_unset,
59566d
-	efi_secureboot_mode_unknown,
59566d
-	efi_secureboot_mode_disabled,
59566d
-	efi_secureboot_mode_enabled,
59566d
-};
59566d
 enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table);
59566d
 
59566d
 #ifdef CONFIG_RESET_ATTACK_MITIGATION
59566d
59566d
From patchwork Thu Oct 19 14:53:59 2017
59566d
Content-Type: text/plain; charset="utf-8"
59566d
MIME-Version: 1.0
59566d
Content-Transfer-Encoding: 7bit
59566d
Subject: [27/27] efi: Lock down the kernel if booted in secure boot mode
59566d
From: David Howells <dhowells@redhat.com>
59566d
X-Patchwork-Id: 10017385
59566d
Message-Id: <150842483945.7923.12778302394414653081.stgit@warthog.procyon.org.uk>
59566d
To: linux-security-module@vger.kernel.org
59566d
Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
59566d
 matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
59566d
 linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com
59566d
Date: Thu, 19 Oct 2017 15:53:59 +0100
59566d
59566d
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
59566d
only load signed bootloaders and kernels.  Certain use cases may also
59566d
require that all kernel modules also be signed.  Add a configuration option
59566d
that to lock down the kernel - which includes requiring validly signed
59566d
modules - if the kernel is secure-booted.
59566d
59566d
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
59566d
cc: linux-efi@vger.kernel.org
59566d
---
59566d
59566d
 arch/x86/kernel/setup.c |    6 ++++--
59566d
 security/Kconfig        |   14 ++++++++++++++
59566d
 security/lock_down.c    |    1 +
59566d
 3 files changed, 19 insertions(+), 2 deletions(-)
59566d
59566d
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
59566d
index 7c2162f9e769..4e38327efb2e 100644
59566d
--- a/arch/x86/kernel/setup.c
59566d
+++ b/arch/x86/kernel/setup.c
59566d
@@ -64,6 +64,7 @@
59566d
 #include <linux/dma-mapping.h>
59566d
 #include <linux/ctype.h>
59566d
 #include <linux/uaccess.h>
59566d
+#include <linux/security.h>
59566d
 
59566d
 #include <linux/percpu.h>
59566d
 #include <linux/crash_dump.h>
59566d
@@ -1039,6 +1040,9 @@ void __init setup_arch(char **cmdline_p)
59566d
 	if (efi_enabled(EFI_BOOT))
59566d
 		efi_init();
59566d
 
59566d
+	efi_set_secure_boot(boot_params.secure_boot);
59566d
+	init_lockdown();
59566d
+
59566d
 	dmi_scan_machine();
59566d
 	dmi_memdev_walk();
59566d
 	dmi_set_dump_stack_arch_desc();
59566d
@@ -1197,8 +1201,6 @@ void __init setup_arch(char **cmdline_p)
59566d
 	/* Allocate bigger log buffer */
59566d
 	setup_log_buf(1);
59566d
 
59566d
-	efi_set_secure_boot(boot_params.secure_boot);
59566d
-
59566d
 	reserve_initrd();
59566d
 
59566d
 	acpi_table_upgrade();
59566d
diff --git a/security/Kconfig b/security/Kconfig
59566d
index 4be6be71e075..e1756039dc0a 100644
59566d
--- a/security/Kconfig
59566d
+++ b/security/Kconfig
59566d
@@ -227,6 +227,20 @@ config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
59566d
 	  Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
59566d
 	  combination on a wired keyboard.
59566d
 
59566d
+config LOCK_DOWN_IN_EFI_SECURE_BOOT
59566d
+	bool "Lock down the kernel in EFI Secure Boot mode"
59566d
+	default n
59566d
+	select LOCK_DOWN_KERNEL
59566d
+	depends on EFI
59566d
+	help
59566d
+	  UEFI Secure Boot provides a mechanism for ensuring that the firmware
59566d
+	  will only load signed bootloaders and kernels.  Secure boot mode may
59566d
+	  be determined from EFI variables provided by the system firmware if
59566d
+	  not indicated by the boot parameters.
59566d
+
59566d
+	  Enabling this option turns on results in kernel lockdown being
59566d
+	  triggered if EFI Secure Boot is set.
59566d
+
59566d
 
59566d
 source security/selinux/Kconfig
59566d
 source security/smack/Kconfig
59566d
diff --git a/security/lock_down.c b/security/lock_down.c
59566d
index f71118c340d2..12c3bc204c4e 100644
59566d
--- a/security/lock_down.c
59566d
+++ b/security/lock_down.c
59566d
@@ -12,6 +12,7 @@
59566d
 #include <linux/security.h>
59566d
 #include <linux/export.h>
59566d
 #include <linux/sysrq.h>
59566d
+#include <linux/efi.h>
59566d
 
59566d
 #ifdef CONFIG_ALLOW_LOCKDOWN_LIFT
59566d
 static __read_mostly bool kernel_locked_down;