From 4f426f922e12f0ffaed373536f68531e18d68495 Mon Sep 17 00:00:00 2001

From: David Howells <dhowells@redhat.com>

Date: Mon, 18 Feb 2019 12:44:57 +0000

Subject: [PATCH 01/29] Add the ability to lock down access to the running

 kernel image

Provide a single call to allow kernel code to determine whether the system

should be locked down, thereby disallowing various accesses that might

allow the running kernel image to be changed including the loading of

modules that aren't validly signed with a key we recognise, fiddling with

MSR registers and disallowing hibernation.

Signed-off-by: David Howells <dhowells@redhat.com>

Acked-by: James Morris <james.l.morris@oracle.com>

Signed-off-by: Matthew Garrett <matthewgarrett@google.com>

---

 include/linux/kernel.h   | 17 ++++++++++++

 include/linux/security.h |  9 +++++-

 security/Kconfig         | 15 ++++++++++

 security/Makefile        |  3 ++

 security/lock_down.c     | 60 ++++++++++++++++++++++++++++++++++++++++

 5 files changed, 103 insertions(+), 1 deletion(-)

 create mode 100644 security/lock_down.c

diff --git a/include/linux/kernel.h b/include/linux/kernel.h

index 0c9bc231107f..f71008b0a641 100644

--- a/include/linux/kernel.h

+++ b/include/linux/kernel.h

@@ -312,6 +312,23 @@ static inline void refcount_error_report(struct pt_regs *regs, const char *err)

 { }

 #endif

+#ifdef CONFIG_LOCK_DOWN_KERNEL

+extern bool __kernel_is_locked_down(const char *what, bool first);

+#else

+static inline bool __kernel_is_locked_down(const char *what, bool first)

+{

+	return false;

+}

+#endif

+

+#define kernel_is_locked_down(what)					\

+	({								\

+		static bool message_given;				\

+		bool locked_down = __kernel_is_locked_down(what, !message_given); \

+		message_given = true;					\

+		locked_down;						\

+	})

+

 /* Internal, do not use. */

 int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res);

 int __must_check _kstrtol(const char *s, unsigned int base, long *res);

diff --git a/include/linux/security.h b/include/linux/security.h

index 5f7441abbf42..fd7579c879a6 100644

--- a/include/linux/security.h

+++ b/include/linux/security.h

@@ -1829,5 +1829,12 @@ static inline void security_bpf_prog_free(struct bpf_prog_aux *aux)

 #endif /* CONFIG_SECURITY */

 #endif /* CONFIG_BPF_SYSCALL */

-#endif /* ! __LINUX_SECURITY_H */

+#ifdef CONFIG_LOCK_DOWN_KERNEL

+extern void __init init_lockdown(void);

+#else

+static inline void __init init_lockdown(void)

+{

+}

+#endif

+#endif /* ! __LINUX_SECURITY_H */

diff --git a/security/Kconfig b/security/Kconfig

index 06a30851511a..720cf9dee2b4 100644

--- a/security/Kconfig

+++ b/security/Kconfig

@@ -230,6 +230,21 @@ config STATIC_USERMODEHELPER_PATH

 	  If you wish for all usermode helper programs to be disabled,

 	  specify an empty string here (i.e. "").

+config LOCK_DOWN_KERNEL

+	bool "Allow the kernel to be 'locked down'"

+	help

+	  Allow the kernel to be locked down. If lockdown support is enabled

+	  and activated, the kernel will impose additional restrictions

+	  intended to prevent uid 0 from being able to modify the running

+	  kernel. This may break userland applications that rely on low-level

+	  access to hardware.

+

+config LOCK_DOWN_KERNEL_FORCE

+        bool "Enable kernel lockdown mode automatically"

+        depends on LOCK_DOWN_KERNEL

+        help

+          Enable the kernel lock down functionality automatically at boot.

+

 source "security/selinux/Kconfig"

 source "security/smack/Kconfig"

 source "security/tomoyo/Kconfig"

diff --git a/security/Makefile b/security/Makefile

index c598b904938f..5ff090149c88 100644

--- a/security/Makefile

+++ b/security/Makefile

@@ -32,3 +32,6 @@ obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o

 # Object integrity file lists

 subdir-$(CONFIG_INTEGRITY)		+= integrity

 obj-$(CONFIG_INTEGRITY)			+= integrity/

+

+# Allow the kernel to be locked down

+obj-$(CONFIG_LOCK_DOWN_KERNEL)		+= lock_down.o

diff --git a/security/lock_down.c b/security/lock_down.c

new file mode 100644

index 000000000000..18d8776a4d02

--- /dev/null

+++ b/security/lock_down.c

@@ -0,0 +1,60 @@

+// SPDX-License-Identifier: GPL-2.0

+/* Lock down the kernel

+ *

+ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.

+ * Written by David Howells (dhowells@redhat.com)

+ *

+ * This program is free software; you can redistribute it and/or

+ * modify it under the terms of the GNU General Public Licence

+ * as published by the Free Software Foundation; either version

+ * 2 of the Licence, or (at your option) any later version.

+ */

+

+#include <linux/security.h>

+#include <linux/export.h>

+

+static __ro_after_init bool kernel_locked_down;

+

+/*

+ * Put the kernel into lock-down mode.

+ */

+static void __init lock_kernel_down(const char *where)

+{

+	if (!kernel_locked_down) {

+		kernel_locked_down = true;

+		pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n",

+			  where);

+	}

+}

+

+static int __init lockdown_param(char *ignored)

+{

+	lock_kernel_down("command line");

+	return 0;

+}

+

+early_param("lockdown", lockdown_param);

+

+/*

+ * Lock the kernel down from very early in the arch setup.  This must happen

+ * prior to things like ACPI being initialised.

+ */

+void __init init_lockdown(void)

+{

+#ifdef CONFIG_LOCK_DOWN_FORCE

+	lock_kernel_down("Kernel configuration");

+#endif

+}

+

+/**

+ * kernel_is_locked_down - Find out if the kernel is locked down

+ * @what: Tag to use in notice generated if lockdown is in effect

+ */

+bool __kernel_is_locked_down(const char *what, bool first)

+{

+	if (what && first && kernel_locked_down)

+		pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n",

+			  what);

+	return kernel_locked_down;

+}

+EXPORT_SYMBOL(__kernel_is_locked_down);

-- 

2.21.0

From 7b3d34ce99e1db6152f3f350f7512ed67712d2bb Mon Sep 17 00:00:00 2001

From: David Howells <dhowells@redhat.com>

Date: Mon, 18 Feb 2019 12:44:58 +0000

Subject: [PATCH 02/29] Enforce module signatures if the kernel is locked down

If the kernel is locked down, require that all modules have valid

signatures that we can verify.

I have adjusted the errors generated:

 (1) If there's no signature (ENODATA) or we can't check it (ENOPKG,

     ENOKEY), then:

     (a) If signatures are enforced then EKEYREJECTED is returned.

     (b) If there's no signature or we can't check it, but the kernel is

	 locked down then EPERM is returned (this is then consistent with

	 other lockdown cases).

 (2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails

     the check (EKEYREJECTED) or a system error occurs (eg. ENOMEM), we

     return the error we got.

Note that the X.509 code doesn't check for key expiry as the RTC might not

be valid or might not have been transferred to the kernel's clock yet.

 [Modified by Matthew Garrett to remove the IMA integration. This will

  be replaced with integration with the IMA architecture policy

  patchset.]

Signed-off-by: David Howells <dhowells@redhat.com>

Reviewed-by: Jiri Bohac <jbohac@suse.cz>

Signed-off-by: Matthew Garrett <matthewgarrett@google.com>

Cc: Jessica Yu <jeyu@kernel.org>

---

 kernel/module.c | 39 ++++++++++++++++++++++++++++++++-------

 1 file changed, 32 insertions(+), 7 deletions(-)

diff --git a/kernel/module.c b/kernel/module.c

index a2cee14a83f3..c771a183b741 100644

--- a/kernel/module.c

+++ b/kernel/module.c

@@ -2753,8 +2753,9 @@ static inline void kmemleak_load_module(const struct module *mod,

 #ifdef CONFIG_MODULE_SIG

 static int module_sig_check(struct load_info *info, int flags)

 {

-	int err = -ENOKEY;

+	int err = -ENODATA;

 	const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;

+	const char *reason;

 	const void *mod = info->hdr;

 	/*

@@ -2769,16 +2770,40 @@ static int module_sig_check(struct load_info *info, int flags)

 		err = mod_verify_sig(mod, info);

 	}

-	if (!err) {

+	switch (err) {

+	case 0:

 		info->sig_ok = true;

 		return 0;

-	}

-	/* Not having a signature is only an error if we're strict. */

-	if (err == -ENOKEY && !is_module_sig_enforced())

-		err = 0;

+		/* We don't permit modules to be loaded into trusted kernels

+		 * without a valid signature on them, but if we're not

+		 * enforcing, certain errors are non-fatal.

+		 */

+	case -ENODATA:

+		reason = "Loading of unsigned module";

+		goto decide;

+	case -ENOPKG:

+		reason = "Loading of module with unsupported crypto";

+		goto decide;

+	case -ENOKEY:

+		reason = "Loading of module with unavailable key";

+	decide:

+		if (is_module_sig_enforced()) {

+			pr_notice("%s is rejected\n", reason);

+			return -EKEYREJECTED;

+		}

-	return err;

+		if (kernel_is_locked_down(reason))

+			return -EPERM;

+		return 0;

+

+		/* All other errors are fatal, including nomem, unparseable

+		 * signatures and signature check failures - even if signatures

+		 * aren't required.

+		 */

+	default:

+		return err;

+	}

 }

 #else /* !CONFIG_MODULE_SIG */

 static int module_sig_check(struct load_info *info, int flags)

-- 

2.21.0

From e6cee3fcc560211fbc3d1efaf048ad4b987a4b73 Mon Sep 17 00:00:00 2001

From: Matthew Garrett <mjg59@srcf.ucam.org>

Date: Mon, 18 Feb 2019 12:44:58 +0000

Subject: [PATCH 03/29] Restrict /dev/{mem,kmem,port} when the kernel is locked

 down

Allowing users to read and write to core kernel memory makes it possible

for the kernel to be subverted, avoiding module loading restrictions, and

also to steal cryptographic information.

Disallow /dev/mem and /dev/kmem from being opened this when the kernel has

been locked down to prevent this.

Also disallow /dev/port from being opened to prevent raw ioport access and

thus DMA from being used to accomplish the same thing.

Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>

Signed-off-by: David Howells <dhowells@redhat.com>

Signed-off-by: Matthew Garrett <matthewgarrett@google.com>

Cc: x86@kernel.org

---

 drivers/char/mem.c | 2 ++

 1 file changed, 2 insertions(+)

diff --git a/drivers/char/mem.c b/drivers/char/mem.c

index b08dc50f9f26..0a2f2e75d5f4 100644

--- a/drivers/char/mem.c

+++ b/drivers/char/mem.c

@@ -786,6 +786,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)

 static int open_port(struct inode *inode, struct file *filp)

 {

+	if (kernel_is_locked_down("/dev/mem,kmem,port"))

+		return -EPERM;

 	return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;

 }

-- 

2.21.0

From 1fe9d9809a7bedff1c0a043f5bcaf128d479fe24 Mon Sep 17 00:00:00 2001

From: Matthew Garrett <mjg59@srcf.ucam.org>

Date: Mon, 18 Feb 2019 12:44:58 +0000

Subject: [PATCH 04/29] kexec_load: Disable at runtime if the kernel is locked

 down

The kexec_load() syscall permits the loading and execution of arbitrary

code in ring 0, which is something that lock-down is meant to prevent. It

makes sense to disable kexec_load() in this situation.

This does not affect kexec_file_load() syscall which can check for a

signature on the image to be booted.

Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>

Signed-off-by: David Howells <dhowells@redhat.com>

Acked-by: Dave Young <dyoung@redhat.com>

cc: kexec@lists.infradead.org

Signed-off-by: Matthew Garrett <matthewgarrett@google.com>

---

 kernel/kexec.c | 7 +++++++

 1 file changed, 7 insertions(+)

diff --git a/kernel/kexec.c b/kernel/kexec.c

index 1b018f1a6e0d..fc87f152c229 100644

--- a/kernel/kexec.c

+++ b/kernel/kexec.c

@@ -205,6 +205,13 @@ static inline int kexec_load_check(unsigned long nr_segments,

 	if (result < 0)

 		return result;

+	/*

+	 * kexec can be used to circumvent module loading restrictions, so

+	 * prevent loading in that case

+	 */

+	if (kernel_is_locked_down("kexec of unsigned images"))

+		return -EPERM;

+

 	/*

 	 * Verify we have a legal set of flags

 	 * This leaves us room for future extensions.

-- 

2.21.0

From b1dbde991ca218ddc1b25e293e94e72907b2b2dc Mon Sep 17 00:00:00 2001

From: Dave Young <dyoung@redhat.com>

Date: Mon, 18 Feb 2019 12:44:58 +0000

Subject: [PATCH 05/29] Copy secure_boot flag in boot params across kexec

 reboot

Kexec reboot in case secure boot being enabled does not keep the secure

boot mode in new kernel, so later one can load unsigned kernel via legacy

kexec_load.  In this state, the system is missing the protections provided

by secure boot.

Adding a patch to fix this by retain the secure_boot flag in original

kernel.

secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the

stub.  Fixing this issue by copying secure_boot flag across kexec reboot.

Signed-off-by: Dave Young <dyoung@redhat.com>

Signed-off-by: David Howells <dhowells@redhat.com>

cc: kexec@lists.infradead.org

Signed-off-by: Matthew Garrett <matthewgarrett@google.com>

---

 arch/x86/kernel/kexec-bzimage64.c | 1 +

 1 file changed, 1 insertion(+)

diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c

index 5ebcd02cbca7..d2f4e706a428 100644

--- a/arch/x86/kernel/kexec-bzimage64.c

+++ b/arch/x86/kernel/kexec-bzimage64.c

@@ -180,6 +180,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,

 	if (efi_enabled(EFI_OLD_MEMMAP))

 		return 0;

+	params->secure_boot = boot_params.secure_boot;

 	ei->efi_loader_signature = current_ei->efi_loader_signature;

 	ei->efi_systab = current_ei->efi_systab;

 	ei->efi_systab_hi = current_ei->efi_systab_hi;

-- 

2.21.0

From 054c9d4879b81dcf7c49c5815c30db59ad9356ea Mon Sep 17 00:00:00 2001

From: Jiri Bohac <jbohac@suse.cz>

Date: Mon, 18 Feb 2019 12:44:58 +0000

Subject: [PATCH 06/29] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and

 KEXEC_SIG_FORCE

This is a preparatory patch for kexec_file_load() lockdown.  A locked down

kernel needs to prevent unsigned kernel images from being loaded with

kexec_file_load().  Currently, the only way to force the signature

verification is compiling with KEXEC_VERIFY_SIG.  This prevents loading

usigned images even when the kernel is not locked down at runtime.

This patch splits KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE.

Analogous to the MODULE_SIG and MODULE_SIG_FORCE for modules, KEXEC_SIG

turns on the signature verification but allows unsigned images to be

loaded.  KEXEC_SIG_FORCE disallows images without a valid signature.

[Modified by David Howells such that:

 (1) verify_pefile_signature() differentiates between no-signature and

     sig-didn't-match in its returned errors.

 (2) kexec fails with EKEYREJECTED and logs an appropriate message if

     signature checking is enforced and an signature is not found, uses

     unsupported crypto or has no matching key.

 (3) kexec fails with EKEYREJECTED if there is a signature for which we

     have a key, but signature doesn't match - even if in non-forcing mode.

 (4) kexec fails with EBADMSG or some other error if there is a signature

     which cannot be parsed - even if in non-forcing mode.

 (5) kexec fails with ELIBBAD if the PE file cannot be parsed to extract

     the signature - even if in non-forcing mode.

]

Signed-off-by: Jiri Bohac <jbohac@suse.cz>

Signed-off-by: David Howells <dhowells@redhat.com>

Reviewed-by: Jiri Bohac <jbohac@suse.cz>

cc: kexec@lists.infradead.org

Signed-off-by: Matthew Garrett <matthewgarrett@google.com>

---

 arch/x86/Kconfig                       | 20 ++++++++---

 crypto/asymmetric_keys/verify_pefile.c |  4 ++-

 include/linux/kexec.h                  |  4 +--

 kernel/kexec_file.c                    | 48 ++++++++++++++++++++++----

 4 files changed, 61 insertions(+), 15 deletions(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig

index 879741336771..df9592ce8503 100644

--- a/arch/x86/Kconfig

+++ b/arch/x86/Kconfig

@@ -2026,20 +2026,30 @@ config KEXEC_FILE

 config ARCH_HAS_KEXEC_PURGATORY

 	def_bool KEXEC_FILE

-config KEXEC_VERIFY_SIG

+config KEXEC_SIG

 	bool "Verify kernel signature during kexec_file_load() syscall"

 	depends on KEXEC_FILE

 	---help---

-	  This option makes kernel signature verification mandatory for

-	  the kexec_file_load() syscall.

-	  In addition to that option, you need to enable signature

+	  This option makes the kexec_file_load() syscall check for a valid

+	  signature of the kernel image.  The image can still be loaded without

+	  a valid signature unless you also enable KEXEC_SIG_FORCE, though if

+	  there's a signature that we can check, then it must be valid.

+

+	  In addition to this option, you need to enable signature

 	  verification for the corresponding kernel image type being

 	  loaded in order for this to work.

+config KEXEC_SIG_FORCE

+	bool "Require a valid signature in kexec_file_load() syscall"

+	depends on KEXEC_SIG

+	---help---

+	  This option makes kernel signature verification mandatory for

+	  the kexec_file_load() syscall.

+

 config KEXEC_BZIMAGE_VERIFY_SIG

 	bool "Enable bzImage signature verification support"

-	depends on KEXEC_VERIFY_SIG

+	depends on KEXEC_SIG

 	depends on SIGNED_PE_FILE_VERIFICATION

 	select SYSTEM_TRUSTED_KEYRING

 	---help---

diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c

index 3b303fe2f061..cc9dbcecaaca 100644

--- a/crypto/asymmetric_keys/verify_pefile.c

+++ b/crypto/asymmetric_keys/verify_pefile.c

@@ -96,7 +96,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen,

 	if (!ddir->certs.virtual_address || !ddir->certs.size) {

 		pr_debug("Unsigned PE binary\n");

-		return -EKEYREJECTED;

+		return -ENODATA;

 	}

 	chkaddr(ctx->header_size, ddir->certs.virtual_address,

@@ -403,6 +403,8 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen,

  *  (*) 0 if at least one signature chain intersects with the keys in the trust

  *	keyring, or:

  *

+ *  (*) -ENODATA if there is no signature present.

+ *

  *  (*) -ENOPKG if a suitable crypto module couldn't be found for a check on a

  *	chain.

  *

diff --git a/include/linux/kexec.h b/include/linux/kexec.h

index b9b1bc5f9669..58b27c7bdc2b 100644

--- a/include/linux/kexec.h

+++ b/include/linux/kexec.h

@@ -125,7 +125,7 @@ typedef void *(kexec_load_t)(struct kimage *image, char *kernel_buf,

 			     unsigned long cmdline_len);

 typedef int (kexec_cleanup_t)(void *loader_data);

-#ifdef CONFIG_KEXEC_VERIFY_SIG

+#ifdef CONFIG_KEXEC_SIG

 typedef int (kexec_verify_sig_t)(const char *kernel_buf,

 				 unsigned long kernel_len);

 #endif

@@ -134,7 +134,7 @@ struct kexec_file_ops {

 	kexec_probe_t *probe;

 	kexec_load_t *load;

 	kexec_cleanup_t *cleanup;

-#ifdef CONFIG_KEXEC_VERIFY_SIG

+#ifdef CONFIG_KEXEC_SIG

 	kexec_verify_sig_t *verify_sig;

 #endif

 };

diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c

index b8cc032d5620..5036bde1e5b3 100644

--- a/kernel/kexec_file.c

+++ b/kernel/kexec_file.c

@@ -88,7 +88,7 @@ int __weak arch_kimage_file_post_load_cleanup(struct kimage *image)

 	return kexec_image_post_load_cleanup_default(image);

 }

-#ifdef CONFIG_KEXEC_VERIFY_SIG

+#ifdef CONFIG_KEXEC_SIG

 static int kexec_image_verify_sig_default(struct kimage *image, void *buf,

 					  unsigned long buf_len)

 {

@@ -186,7 +186,8 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,

 			     const char __user *cmdline_ptr,

 			     unsigned long cmdline_len, unsigned flags)

 {

-	int ret = 0;

+	const char *reason;

+	int ret;

 	void *ldata;

 	loff_t size;

@@ -202,15 +203,48 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,

 	if (ret)

 		goto out;

-#ifdef CONFIG_KEXEC_VERIFY_SIG

+#ifdef CONFIG_KEXEC_SIG

 	ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf,

 					   image->kernel_buf_len);

-	if (ret) {

-		pr_debug("kernel signature verification failed.\n");

+#else

+	ret = -ENODATA;

+#endif

+

+	switch (ret) {

+	case 0:

+		break;

+

+		/* Certain verification errors are non-fatal if we're not

+		 * checking errors, provided we aren't mandating that there

+		 * must be a valid signature.

+		 */

+	case -ENODATA:

+		reason = "kexec of unsigned image";

+		goto decide;

+	case -ENOPKG:

+		reason = "kexec of image with unsupported crypto";

+		goto decide;

+	case -ENOKEY:

+		reason = "kexec of image with unavailable key";

+	decide:

+		if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) {

+			pr_notice("%s rejected\n", reason);

+			ret = -EKEYREJECTED;

+			goto out;

+		}

+

+		ret = 0;

+		break;

+

+		/* All other errors are fatal, including nomem, unparseable

+		 * signatures and signature check failures - even if signatures

+		 * aren't required.

+		 */

+	default:

+		pr_notice("kernel signature verification failed (%d).\n", ret);

 		goto out;

 	}

-	pr_debug("kernel signature verification successful.\n");

-#endif

+

 	/* It is possible that there no initramfs is being loaded */

 	if (!(flags & KEXEC_FILE_NO_INITRAMFS)) {

 		ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf,

-- 

2.21.0

From d0ca8a6c26bfd6c8de7ed1d83326aae9b4bdfbf4 Mon Sep 17 00:00:00 2001

From: Jiri Bohac <jbohac@suse.cz>

Date: Mon, 18 Feb 2019 12:44:58 +0000

Subject: [PATCH 07/29] kexec_file: Restrict at runtime if the kernel is locked

 down

When KEXEC_SIG is not enabled, kernel should not load images through

kexec_file systemcall if the kernel is locked down.

[Modified by David Howells to fit with modifications to the previous patch

 and to return -EPERM if the kernel is locked down for consistency with

 other lockdowns. Modified by Matthew Garrett to remove the IMA

 integration, which will be replaced by integrating with the IMA

 architecture policy patches.]

Signed-off-by: Jiri Bohac <jbohac@suse.cz>

Signed-off-by: David Howells <dhowells@redhat.com>

Reviewed-by: Jiri Bohac <jbohac@suse.cz>

cc: kexec@lists.infradead.org

Signed-off-by: Matthew Garrett <matthewgarrett@google.com>

---

 kernel/kexec_file.c | 6 ++++++

 1 file changed, 6 insertions(+)

diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c

index 5036bde1e5b3..0668c29d2eaf 100644

--- a/kernel/kexec_file.c

+++ b/kernel/kexec_file.c

@@ -234,6 +234,12 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,

 		}

 		ret = 0;

+

+		if (kernel_is_locked_down(reason)) {

+			ret = -EPERM;

+			goto out;

+		}

+

 		break;

 		/* All other errors are fatal, including nomem, unparseable

-- 

2.21.0

From 3754ff197e10abd8ef88875e069741025ea0dd84 Mon Sep 17 00:00:00 2001

From: Josh Boyer <jwboyer@fedoraproject.org>

Date: Mon, 18 Feb 2019 12:44:59 +0000

Subject: [PATCH 08/29] hibernate: Disable when the kernel is locked down

There is currently no way to verify the resume image when returning

from hibernate.  This might compromise the signed modules trust model,

so until we can work with signed hibernate images we disable it when the

kernel is locked down.

Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>

Signed-off-by: David Howells <dhowells@redhat.com>

Cc: rjw@rjwysocki.net

Cc: pavel@ucw.cz

cc: linux-pm@vger.kernel.org

Signed-off-by: Matthew Garrett <matthewgarrett@google.com>

---

 kernel/power/hibernate.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c

index cd7434e6000d..0f30de4a712a 100644

--- a/kernel/power/hibernate.c

+++ b/kernel/power/hibernate.c

@@ -68,7 +68,7 @@ static const struct platform_hibernation_ops *hibernation_ops;

 bool hibernation_available(void)

 {

-	return (nohibernate == 0);

+	return nohibernate == 0 && !kernel_is_locked_down("Hibernation");

 }

 /**

-- 

2.21.0

From a144fd3bcc7fcbf55b608c89b8cf64abec72130c Mon Sep 17 00:00:00 2001

From: Matthew Garrett <mjg59@srcf.ucam.org>

Date: Mon, 18 Feb 2019 12:44:59 +0000

Subject: [PATCH 09/29] uswsusp: Disable when the kernel is locked down

uswsusp allows a user process to dump and then restore kernel state, which

makes it possible to modify the running kernel.  Disable this if the kernel

is locked down.

Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>

Signed-off-by: David Howells <dhowells@redhat.com>

Reviewed-by: James Morris <james.l.morris@oracle.com>

cc: linux-pm@vger.kernel.org

Cc: pavel@ucw.cz

Cc: rjw@rjwysocki.net

Signed-off-by: Matthew Garrett <matthewgarrett@google.com>

---

 kernel/power/user.c | 3 +++

 1 file changed, 3 insertions(+)

diff --git a/kernel/power/user.c b/kernel/power/user.c

index 77438954cc2b..0caff429eb55 100644

--- a/kernel/power/user.c

+++ b/kernel/power/user.c

@@ -49,6 +49,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)

 	if (!hibernation_available())

 		return -EPERM;

+	if (kernel_is_locked_down("/dev/snapshot"))

+		return -EPERM;

+

 	lock_system_sleep();

 	if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {

-- 

2.21.0

From 069af594117ee566597173886950d3577c523983 Mon Sep 17 00:00:00 2001

From: Matthew Garrett <mjg59@srcf.ucam.org>

Date: Mon, 18 Feb 2019 12:44:59 +0000

Subject: [PATCH 10/29] PCI: Lock down BAR access when the kernel is locked

 down

Any hardware that can potentially generate DMA has to be locked down in

order to avoid it being possible for an attacker to modify kernel code,

allowing them to circumvent disabled module loading or module signing.

Default to paranoid - in future we can potentially relax this for

sufficiently IOMMU-isolated devices.

Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>

Signed-off-by: David Howells <dhowells@redhat.com>

Acked-by: Bjorn Helgaas <bhelgaas@google.com>

cc: linux-pci@vger.kernel.org

Signed-off-by: Matthew Garrett <matthewgarrett@google.com>

---

 drivers/pci/pci-sysfs.c | 9 +++++++++

 drivers/pci/proc.c      | 9 ++++++++-

 drivers/pci/syscall.c   | 3 ++-

 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c

index 965c72104150..f8cef3e348a3 100644

--- a/drivers/pci/pci-sysfs.c

+++ b/drivers/pci/pci-sysfs.c

@@ -907,6 +907,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,

 	loff_t init_off = off;

 	u8 *data = (u8 *) buf;

+	if (kernel_is_locked_down("Direct PCI access"))

+		return -EPERM;

+

 	if (off > dev->cfg_size)

 		return 0;

 	if (off + count > dev->cfg_size) {

@@ -1168,6 +1171,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,

 	enum pci_mmap_state mmap_type;

 	struct resource *res = &pdev->resource[bar];

+	if (kernel_is_locked_down("Direct PCI access"))

+		return -EPERM;

+

 	if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start))

 		return -EINVAL;

@@ -1243,6 +1249,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,

 				     struct bin_attribute *attr, char *buf,

 				     loff_t off, size_t count)

 {

+	if (kernel_is_locked_down("Direct PCI access"))

+		return -EPERM;

+

 	return pci_resource_io(filp, kobj, attr, buf, off, count, true);

 }

diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c

index fe7fe678965b..23c9b5979f5d 100644