4cbd7a
From 4f426f922e12f0ffaed373536f68531e18d68495 Mon Sep 17 00:00:00 2001
962ea4
From: David Howells <dhowells@redhat.com>
Jeremy Cline 4b5e42
Date: Mon, 18 Feb 2019 12:44:57 +0000
4cbd7a
Subject: [PATCH 01/29] Add the ability to lock down access to the running
006f5b
 kernel image
962ea4
962ea4
Provide a single call to allow kernel code to determine whether the system
962ea4
should be locked down, thereby disallowing various accesses that might
Jeremy Cline 4b5e42
allow the running kernel image to be changed including the loading of
Jeremy Cline 4b5e42
modules that aren't validly signed with a key we recognise, fiddling with
Jeremy Cline 4b5e42
MSR registers and disallowing hibernation.
962ea4
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
Jeremy Cline 4b5e42
Acked-by: James Morris <james.l.morris@oracle.com>
Jeremy Cline 4b5e42
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
962ea4
---
Jeremy Cline 4b5e42
 include/linux/kernel.h   | 17 ++++++++++++
Jeremy Cline 4b5e42
 include/linux/security.h |  9 +++++-
Jeremy Cline 4b5e42
 security/Kconfig         | 15 ++++++++++
Jeremy Cline 4b5e42
 security/Makefile        |  3 ++
Jeremy Cline 4b5e42
 security/lock_down.c     | 60 ++++++++++++++++++++++++++++++++++++++++
Jeremy Cline 4b5e42
 5 files changed, 103 insertions(+), 1 deletion(-)
962ea4
 create mode 100644 security/lock_down.c
962ea4
962ea4
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
4cbd7a
index 0c9bc231107f..f71008b0a641 100644
962ea4
--- a/include/linux/kernel.h
962ea4
+++ b/include/linux/kernel.h
4cbd7a
@@ -312,6 +312,23 @@ static inline void refcount_error_report(struct pt_regs *regs, const char *err)
59566d
 { }
59566d
 #endif
Jeremy Cline 6c72c6
 
962ea4
+#ifdef CONFIG_LOCK_DOWN_KERNEL
59566d
+extern bool __kernel_is_locked_down(const char *what, bool first);
Jeremy Cline 4b5e42
+#else
Jeremy Cline 4b5e42
+static inline bool __kernel_is_locked_down(const char *what, bool first)
Jeremy Cline 4b5e42
+{
Jeremy Cline 4b5e42
+	return false;
Jeremy Cline 4b5e42
+}
Jeremy Cline 4b5e42
+#endif
962ea4
+
59566d
+#define kernel_is_locked_down(what)					\
59566d
+	({								\
59566d
+		static bool message_given;				\
59566d
+		bool locked_down = __kernel_is_locked_down(what, !message_given); \
59566d
+		message_given = true;					\
59566d
+		locked_down;						\
59566d
+	})
Jeremy Cline 4b5e42
+
Jeremy Cline 4b5e42
 /* Internal, do not use. */
Jeremy Cline 4b5e42
 int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res);
Jeremy Cline 4b5e42
 int __must_check _kstrtol(const char *s, unsigned int base, long *res);
Jeremy Cline 4b5e42
diff --git a/include/linux/security.h b/include/linux/security.h
4cbd7a
index 5f7441abbf42..fd7579c879a6 100644
Jeremy Cline 4b5e42
--- a/include/linux/security.h
Jeremy Cline 4b5e42
+++ b/include/linux/security.h
4cbd7a
@@ -1829,5 +1829,12 @@ static inline void security_bpf_prog_free(struct bpf_prog_aux *aux)
Jeremy Cline 4b5e42
 #endif /* CONFIG_SECURITY */
Jeremy Cline 4b5e42
 #endif /* CONFIG_BPF_SYSCALL */
Jeremy Cline 4b5e42
 
Jeremy Cline 4b5e42
-#endif /* ! __LINUX_SECURITY_H */
Jeremy Cline 4b5e42
+#ifdef CONFIG_LOCK_DOWN_KERNEL
Jeremy Cline 4b5e42
+extern void __init init_lockdown(void);
962ea4
+#else
135abd
+static inline void __init init_lockdown(void)
962ea4
+{
962ea4
+}
962ea4
+#endif
Jeremy Cline 4b5e42
 
Jeremy Cline 4b5e42
+#endif /* ! __LINUX_SECURITY_H */
962ea4
diff --git a/security/Kconfig b/security/Kconfig
4cbd7a
index 06a30851511a..720cf9dee2b4 100644
962ea4
--- a/security/Kconfig
962ea4
+++ b/security/Kconfig
4cbd7a
@@ -230,6 +230,21 @@ config STATIC_USERMODEHELPER_PATH
c796f8
 	  If you wish for all usermode helper programs to be disabled,
c796f8
 	  specify an empty string here (i.e. "").
Jeremy Cline 6c72c6
 
962ea4
+config LOCK_DOWN_KERNEL
962ea4
+	bool "Allow the kernel to be 'locked down'"
962ea4
+	help
Jeremy Cline 4b5e42
+	  Allow the kernel to be locked down. If lockdown support is enabled
Jeremy Cline 4b5e42
+	  and activated, the kernel will impose additional restrictions
Jeremy Cline 4b5e42
+	  intended to prevent uid 0 from being able to modify the running
Jeremy Cline 4b5e42
+	  kernel. This may break userland applications that rely on low-level
Jeremy Cline 4b5e42
+	  access to hardware.
8cf006
+
Jeremy Cline 4b5e42
+config LOCK_DOWN_KERNEL_FORCE
Jeremy Cline 4b5e42
+        bool "Enable kernel lockdown mode automatically"
Jeremy Cline 4b5e42
+        depends on LOCK_DOWN_KERNEL
Jeremy Cline 4b5e42
+        help
Jeremy Cline 4b5e42
+          Enable the kernel lock down functionality automatically at boot.
962ea4
+
c97d3b
 source "security/selinux/Kconfig"
c97d3b
 source "security/smack/Kconfig"
c97d3b
 source "security/tomoyo/Kconfig"
962ea4
diff --git a/security/Makefile b/security/Makefile
Jeremy Cline 6c72c6
index c598b904938f..5ff090149c88 100644
962ea4
--- a/security/Makefile
962ea4
+++ b/security/Makefile
Jeremy Cline 6c72c6
@@ -32,3 +32,6 @@ obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o
962ea4
 # Object integrity file lists
962ea4
 subdir-$(CONFIG_INTEGRITY)		+= integrity
962ea4
 obj-$(CONFIG_INTEGRITY)			+= integrity/
962ea4
+
962ea4
+# Allow the kernel to be locked down
962ea4
+obj-$(CONFIG_LOCK_DOWN_KERNEL)		+= lock_down.o
962ea4
diff --git a/security/lock_down.c b/security/lock_down.c
962ea4
new file mode 100644
Jeremy Cline 4b5e42
index 000000000000..18d8776a4d02
962ea4
--- /dev/null
962ea4
+++ b/security/lock_down.c
Jeremy Cline 4b5e42
@@ -0,0 +1,60 @@
Jeremy Cline 4b5e42
+// SPDX-License-Identifier: GPL-2.0
962ea4
+/* Lock down the kernel
962ea4
+ *
962ea4
+ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
962ea4
+ * Written by David Howells (dhowells@redhat.com)
962ea4
+ *
962ea4
+ * This program is free software; you can redistribute it and/or
962ea4
+ * modify it under the terms of the GNU General Public Licence
962ea4
+ * as published by the Free Software Foundation; either version
962ea4
+ * 2 of the Licence, or (at your option) any later version.
962ea4
+ */
962ea4
+
Jeremy Cline 4b5e42
+#include <linux/security.h>
962ea4
+#include <linux/export.h>
962ea4
+
59566d
+static __ro_after_init bool kernel_locked_down;
962ea4
+
962ea4
+/*
962ea4
+ * Put the kernel into lock-down mode.
962ea4
+ */
59566d
+static void __init lock_kernel_down(const char *where)
59566d
+{
59566d
+	if (!kernel_locked_down) {
59566d
+		kernel_locked_down = true;
59566d
+		pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n",
59566d
+			  where);
59566d
+	}
59566d
+}
59566d
+
59566d
+static int __init lockdown_param(char *ignored)
962ea4
+{
59566d
+	lock_kernel_down("command line");
59566d
+	return 0;
962ea4
+}
962ea4
+
59566d
+early_param("lockdown", lockdown_param);
59566d
+
962ea4
+/*
59566d
+ * Lock the kernel down from very early in the arch setup.  This must happen
59566d
+ * prior to things like ACPI being initialised.
962ea4
+ */
59566d
+void __init init_lockdown(void)
962ea4
+{
Jeremy Cline 4b5e42
+#ifdef CONFIG_LOCK_DOWN_FORCE
Jeremy Cline 4b5e42
+	lock_kernel_down("Kernel configuration");
59566d
+#endif
962ea4
+}
962ea4
+
962ea4
+/**
962ea4
+ * kernel_is_locked_down - Find out if the kernel is locked down
59566d
+ * @what: Tag to use in notice generated if lockdown is in effect
962ea4
+ */
59566d
+bool __kernel_is_locked_down(const char *what, bool first)
962ea4
+{
59566d
+	if (what && first && kernel_locked_down)
Jeremy Cline 4b5e42
+		pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n",
Jeremy Cline 4b5e42
+			  what);
962ea4
+	return kernel_locked_down;
962ea4
+}
59566d
+EXPORT_SYMBOL(__kernel_is_locked_down);
135abd
-- 
Jeremy Cline 4b5e42
2.21.0
962ea4
4cbd7a
4cbd7a
From 7b3d34ce99e1db6152f3f350f7512ed67712d2bb Mon Sep 17 00:00:00 2001
Jeremy Cline 4b5e42
From: David Howells <dhowells@redhat.com>
Jeremy Cline 4b5e42
Date: Mon, 18 Feb 2019 12:44:58 +0000
4cbd7a
Subject: [PATCH 02/29] Enforce module signatures if the kernel is locked down
962ea4
Jeremy Cline 4b5e42
If the kernel is locked down, require that all modules have valid
Jeremy Cline 4b5e42
signatures that we can verify.
962ea4
Jeremy Cline 4b5e42
I have adjusted the errors generated:
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
 (1) If there's no signature (ENODATA) or we can't check it (ENOPKG,
Jeremy Cline 4b5e42
     ENOKEY), then:
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
     (a) If signatures are enforced then EKEYREJECTED is returned.
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
     (b) If there's no signature or we can't check it, but the kernel is
Jeremy Cline 4b5e42
	 locked down then EPERM is returned (this is then consistent with
Jeremy Cline 4b5e42
	 other lockdown cases).
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
 (2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails
Jeremy Cline 4b5e42
     the check (EKEYREJECTED) or a system error occurs (eg. ENOMEM), we
Jeremy Cline 4b5e42
     return the error we got.
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
Note that the X.509 code doesn't check for key expiry as the RTC might not
Jeremy Cline 4b5e42
be valid or might not have been transferred to the kernel's clock yet.
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
 [Modified by Matthew Garrett to remove the IMA integration. This will
Jeremy Cline 4b5e42
  be replaced with integration with the IMA architecture policy
Jeremy Cline 4b5e42
  patchset.]
962ea4
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
Jeremy Cline 4b5e42
Reviewed-by: Jiri Bohac <jbohac@suse.cz>
Jeremy Cline 4b5e42
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
Jeremy Cline 4b5e42
Cc: Jessica Yu <jeyu@kernel.org>
962ea4
---
Jeremy Cline 4b5e42
 kernel/module.c | 39 ++++++++++++++++++++++++++++++++-------
Jeremy Cline 4b5e42
 1 file changed, 32 insertions(+), 7 deletions(-)
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
diff --git a/kernel/module.c b/kernel/module.c
4cbd7a
index a2cee14a83f3..c771a183b741 100644
Jeremy Cline 4b5e42
--- a/kernel/module.c
Jeremy Cline 4b5e42
+++ b/kernel/module.c
4cbd7a
@@ -2753,8 +2753,9 @@ static inline void kmemleak_load_module(const struct module *mod,
Jeremy Cline 4b5e42
 #ifdef CONFIG_MODULE_SIG
Jeremy Cline 4b5e42
 static int module_sig_check(struct load_info *info, int flags)
962ea4
 {
Jeremy Cline 4b5e42
-	int err = -ENOKEY;
Jeremy Cline 4b5e42
+	int err = -ENODATA;
Jeremy Cline 4b5e42
 	const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
Jeremy Cline 4b5e42
+	const char *reason;
Jeremy Cline 4b5e42
 	const void *mod = info->hdr;
Jeremy Cline 6c72c6
 
Jeremy Cline 4b5e42
 	/*
4cbd7a
@@ -2769,16 +2770,40 @@ static int module_sig_check(struct load_info *info, int flags)
Jeremy Cline 4b5e42
 		err = mod_verify_sig(mod, info);
962ea4
 	}
Jeremy Cline 6c72c6
 
Jeremy Cline 4b5e42
-	if (!err) {
Jeremy Cline 4b5e42
+	switch (err) {
Jeremy Cline 4b5e42
+	case 0:
Jeremy Cline 4b5e42
 		info->sig_ok = true;
Jeremy Cline 4b5e42
 		return 0;
Jeremy Cline 4b5e42
-	}
Jeremy Cline 4b5e42
 
Jeremy Cline 4b5e42
-	/* Not having a signature is only an error if we're strict. */
Jeremy Cline 4b5e42
-	if (err == -ENOKEY && !is_module_sig_enforced())
Jeremy Cline 4b5e42
-		err = 0;
Jeremy Cline 4b5e42
+		/* We don't permit modules to be loaded into trusted kernels
Jeremy Cline 4b5e42
+		 * without a valid signature on them, but if we're not
Jeremy Cline 4b5e42
+		 * enforcing, certain errors are non-fatal.
Jeremy Cline 4b5e42
+		 */
Jeremy Cline 4b5e42
+	case -ENODATA:
Jeremy Cline 4b5e42
+		reason = "Loading of unsigned module";
Jeremy Cline 4b5e42
+		goto decide;
Jeremy Cline 4b5e42
+	case -ENOPKG:
Jeremy Cline 4b5e42
+		reason = "Loading of module with unsupported crypto";
Jeremy Cline 4b5e42
+		goto decide;
Jeremy Cline 4b5e42
+	case -ENOKEY:
Jeremy Cline 4b5e42
+		reason = "Loading of module with unavailable key";
Jeremy Cline 4b5e42
+	decide:
Jeremy Cline 4b5e42
+		if (is_module_sig_enforced()) {
Jeremy Cline 4b5e42
+			pr_notice("%s is rejected\n", reason);
Jeremy Cline 4b5e42
+			return -EKEYREJECTED;
Jeremy Cline 4b5e42
+		}
Jeremy Cline 6c72c6
 
Jeremy Cline 4b5e42
-	return err;
Jeremy Cline 4b5e42
+		if (kernel_is_locked_down(reason))
Jeremy Cline 4b5e42
+			return -EPERM;
Jeremy Cline 4b5e42
+		return 0;
59566d
+
Jeremy Cline 4b5e42
+		/* All other errors are fatal, including nomem, unparseable
Jeremy Cline 4b5e42
+		 * signatures and signature check failures - even if signatures
Jeremy Cline 4b5e42
+		 * aren't required.
Jeremy Cline 4b5e42
+		 */
Jeremy Cline 4b5e42
+	default:
Jeremy Cline 4b5e42
+		return err;
59566d
+	}
Jeremy Cline 4b5e42
 }
Jeremy Cline 4b5e42
 #else /* !CONFIG_MODULE_SIG */
Jeremy Cline 4b5e42
 static int module_sig_check(struct load_info *info, int flags)
135abd
-- 
Jeremy Cline 4b5e42
2.21.0
f20e0a
4cbd7a
4cbd7a
From e6cee3fcc560211fbc3d1efaf048ad4b987a4b73 Mon Sep 17 00:00:00 2001
f20e0a
From: Matthew Garrett <mjg59@srcf.ucam.org>
Jeremy Cline 4b5e42
Date: Mon, 18 Feb 2019 12:44:58 +0000
4cbd7a
Subject: [PATCH 03/29] Restrict /dev/{mem,kmem,port} when the kernel is locked
006f5b
 down
006f5b
006f5b
Allowing users to read and write to core kernel memory makes it possible
006f5b
for the kernel to be subverted, avoiding module loading restrictions, and
006f5b
also to steal cryptographic information.
006f5b
006f5b
Disallow /dev/mem and /dev/kmem from being opened this when the kernel has
006f5b
been locked down to prevent this.
59566d
006f5b
Also disallow /dev/port from being opened to prevent raw ioport access and
006f5b
thus DMA from being used to accomplish the same thing.
59566d
f20e0a
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
59566d
Signed-off-by: David Howells <dhowells@redhat.com>
Jeremy Cline 4b5e42
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
Jeremy Cline 4b5e42
Cc: x86@kernel.org
59566d
---
006f5b
 drivers/char/mem.c | 2 ++
006f5b
 1 file changed, 2 insertions(+)
59566d
59566d
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
Jeremy Cline 6c72c6
index b08dc50f9f26..0a2f2e75d5f4 100644
59566d
--- a/drivers/char/mem.c
59566d
+++ b/drivers/char/mem.c
Jeremy Cline 6c72c6
@@ -786,6 +786,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)
Jeremy Cline 6c72c6
 
006f5b
 static int open_port(struct inode *inode, struct file *filp)
006f5b
 {
006f5b
+	if (kernel_is_locked_down("/dev/mem,kmem,port"))
59566d
+		return -EPERM;
006f5b
 	return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
006f5b
 }
Jeremy Cline 6c72c6
 
135abd
-- 
Jeremy Cline 4b5e42
2.21.0
59566d
4cbd7a
4cbd7a
From 1fe9d9809a7bedff1c0a043f5bcaf128d479fe24 Mon Sep 17 00:00:00 2001
f20e0a
From: Matthew Garrett <mjg59@srcf.ucam.org>
Jeremy Cline 4b5e42
Date: Mon, 18 Feb 2019 12:44:58 +0000
4cbd7a
Subject: [PATCH 04/29] kexec_load: Disable at runtime if the kernel is locked
f20e0a
 down
962ea4
f20e0a
The kexec_load() syscall permits the loading and execution of arbitrary
f20e0a
code in ring 0, which is something that lock-down is meant to prevent. It
f20e0a
makes sense to disable kexec_load() in this situation.
962ea4
f20e0a
This does not affect kexec_file_load() syscall which can check for a
f20e0a
signature on the image to be booted.
962ea4
f20e0a
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
Acked-by: Dave Young <dyoung@redhat.com>
59566d
cc: kexec@lists.infradead.org
Jeremy Cline 4b5e42
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
962ea4
---
135abd
 kernel/kexec.c | 7 +++++++
962ea4
 1 file changed, 7 insertions(+)
962ea4
962ea4
diff --git a/kernel/kexec.c b/kernel/kexec.c
4cbd7a
index 1b018f1a6e0d..fc87f152c229 100644
962ea4
--- a/kernel/kexec.c
962ea4
+++ b/kernel/kexec.c
4cbd7a
@@ -205,6 +205,13 @@ static inline int kexec_load_check(unsigned long nr_segments,
Jeremy Cline 4b5e42
 	if (result < 0)
Jeremy Cline 4b5e42
 		return result;
Jeremy Cline a23ced
 
f20e0a
+	/*
962ea4
+	 * kexec can be used to circumvent module loading restrictions, so
962ea4
+	 * prevent loading in that case
962ea4
+	 */
59566d
+	if (kernel_is_locked_down("kexec of unsigned images"))
962ea4
+		return -EPERM;
962ea4
+
Jeremy Cline 4b5e42
 	/*
Jeremy Cline 4b5e42
 	 * Verify we have a legal set of flags
Jeremy Cline 4b5e42
 	 * This leaves us room for future extensions.
Jeremy Cline 4b5e42
-- 
Jeremy Cline 4b5e42
2.21.0
Jeremy Cline 4b5e42
4cbd7a
4cbd7a
From b1dbde991ca218ddc1b25e293e94e72907b2b2dc Mon Sep 17 00:00:00 2001
Jeremy Cline 4b5e42
From: Dave Young <dyoung@redhat.com>
Jeremy Cline 4b5e42
Date: Mon, 18 Feb 2019 12:44:58 +0000
4cbd7a
Subject: [PATCH 05/29] Copy secure_boot flag in boot params across kexec
Jeremy Cline 4b5e42
 reboot
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
Kexec reboot in case secure boot being enabled does not keep the secure
Jeremy Cline 4b5e42
boot mode in new kernel, so later one can load unsigned kernel via legacy
Jeremy Cline 4b5e42
kexec_load.  In this state, the system is missing the protections provided
Jeremy Cline 4b5e42
by secure boot.
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
Adding a patch to fix this by retain the secure_boot flag in original
Jeremy Cline 4b5e42
kernel.
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the
Jeremy Cline 4b5e42
stub.  Fixing this issue by copying secure_boot flag across kexec reboot.
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
Signed-off-by: Dave Young <dyoung@redhat.com>
Jeremy Cline 4b5e42
Signed-off-by: David Howells <dhowells@redhat.com>
Jeremy Cline 4b5e42
cc: kexec@lists.infradead.org
Jeremy Cline 4b5e42
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
Jeremy Cline 4b5e42
---
Jeremy Cline 4b5e42
 arch/x86/kernel/kexec-bzimage64.c | 1 +
Jeremy Cline 4b5e42
 1 file changed, 1 insertion(+)
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
4cbd7a
index 5ebcd02cbca7..d2f4e706a428 100644
Jeremy Cline 4b5e42
--- a/arch/x86/kernel/kexec-bzimage64.c
Jeremy Cline 4b5e42
+++ b/arch/x86/kernel/kexec-bzimage64.c
4cbd7a
@@ -180,6 +180,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
Jeremy Cline 4b5e42
 	if (efi_enabled(EFI_OLD_MEMMAP))
Jeremy Cline 4b5e42
 		return 0;
Jeremy Cline 4b5e42
 
Jeremy Cline 4b5e42
+	params->secure_boot = boot_params.secure_boot;
Jeremy Cline 4b5e42
 	ei->efi_loader_signature = current_ei->efi_loader_signature;
Jeremy Cline 4b5e42
 	ei->efi_systab = current_ei->efi_systab;
Jeremy Cline 4b5e42
 	ei->efi_systab_hi = current_ei->efi_systab_hi;
135abd
-- 
Jeremy Cline 4b5e42
2.21.0
Jeremy Cline 4b5e42
4cbd7a
4cbd7a
From 054c9d4879b81dcf7c49c5815c30db59ad9356ea Mon Sep 17 00:00:00 2001
Jeremy Cline 4b5e42
From: Jiri Bohac <jbohac@suse.cz>
Jeremy Cline 4b5e42
Date: Mon, 18 Feb 2019 12:44:58 +0000
4cbd7a
Subject: [PATCH 06/29] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and
Jeremy Cline 4b5e42
 KEXEC_SIG_FORCE
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
This is a preparatory patch for kexec_file_load() lockdown.  A locked down
Jeremy Cline 4b5e42
kernel needs to prevent unsigned kernel images from being loaded with
Jeremy Cline 4b5e42
kexec_file_load().  Currently, the only way to force the signature
Jeremy Cline 4b5e42
verification is compiling with KEXEC_VERIFY_SIG.  This prevents loading
Jeremy Cline 4b5e42
usigned images even when the kernel is not locked down at runtime.
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
This patch splits KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE.
Jeremy Cline 4b5e42
Analogous to the MODULE_SIG and MODULE_SIG_FORCE for modules, KEXEC_SIG
Jeremy Cline 4b5e42
turns on the signature verification but allows unsigned images to be
Jeremy Cline 4b5e42
loaded.  KEXEC_SIG_FORCE disallows images without a valid signature.
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
[Modified by David Howells such that:
962ea4
Jeremy Cline 4b5e42
 (1) verify_pefile_signature() differentiates between no-signature and
Jeremy Cline 4b5e42
     sig-didn't-match in its returned errors.
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
 (2) kexec fails with EKEYREJECTED and logs an appropriate message if
Jeremy Cline 4b5e42
     signature checking is enforced and an signature is not found, uses
Jeremy Cline 4b5e42
     unsupported crypto or has no matching key.
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
 (3) kexec fails with EKEYREJECTED if there is a signature for which we
Jeremy Cline 4b5e42
     have a key, but signature doesn't match - even if in non-forcing mode.
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
 (4) kexec fails with EBADMSG or some other error if there is a signature
Jeremy Cline 4b5e42
     which cannot be parsed - even if in non-forcing mode.
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
 (5) kexec fails with ELIBBAD if the PE file cannot be parsed to extract
Jeremy Cline 4b5e42
     the signature - even if in non-forcing mode.
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
]
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
Signed-off-by: Jiri Bohac <jbohac@suse.cz>
Jeremy Cline 4b5e42
Signed-off-by: David Howells <dhowells@redhat.com>
Jeremy Cline 4b5e42
Reviewed-by: Jiri Bohac <jbohac@suse.cz>
Jeremy Cline 4b5e42
cc: kexec@lists.infradead.org
Jeremy Cline 4b5e42
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
Jeremy Cline 4b5e42
---
Jeremy Cline 4b5e42
 arch/x86/Kconfig                       | 20 ++++++++---
Jeremy Cline 4b5e42
 crypto/asymmetric_keys/verify_pefile.c |  4 ++-
Jeremy Cline 4b5e42
 include/linux/kexec.h                  |  4 +--
Jeremy Cline 4b5e42
 kernel/kexec_file.c                    | 48 ++++++++++++++++++++++----
Jeremy Cline 4b5e42
 4 files changed, 61 insertions(+), 15 deletions(-)
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
4cbd7a
index 879741336771..df9592ce8503 100644
Jeremy Cline 4b5e42
--- a/arch/x86/Kconfig
Jeremy Cline 4b5e42
+++ b/arch/x86/Kconfig
4cbd7a
@@ -2026,20 +2026,30 @@ config KEXEC_FILE
Jeremy Cline 4b5e42
 config ARCH_HAS_KEXEC_PURGATORY
Jeremy Cline 4b5e42
 	def_bool KEXEC_FILE
Jeremy Cline 4b5e42
 
Jeremy Cline 4b5e42
-config KEXEC_VERIFY_SIG
Jeremy Cline 4b5e42
+config KEXEC_SIG
Jeremy Cline 4b5e42
 	bool "Verify kernel signature during kexec_file_load() syscall"
Jeremy Cline 4b5e42
 	depends on KEXEC_FILE
Jeremy Cline 4b5e42
 	---help---
Jeremy Cline 4b5e42
-	  This option makes kernel signature verification mandatory for
Jeremy Cline 4b5e42
-	  the kexec_file_load() syscall.
Jeremy Cline 4b5e42
 
Jeremy Cline 4b5e42
-	  In addition to that option, you need to enable signature
Jeremy Cline 4b5e42
+	  This option makes the kexec_file_load() syscall check for a valid
Jeremy Cline 4b5e42
+	  signature of the kernel image.  The image can still be loaded without
Jeremy Cline 4b5e42
+	  a valid signature unless you also enable KEXEC_SIG_FORCE, though if
Jeremy Cline 4b5e42
+	  there's a signature that we can check, then it must be valid.
Jeremy Cline 4b5e42
+
Jeremy Cline 4b5e42
+	  In addition to this option, you need to enable signature
Jeremy Cline 4b5e42
 	  verification for the corresponding kernel image type being
Jeremy Cline 4b5e42
 	  loaded in order for this to work.
Jeremy Cline 4b5e42
 
Jeremy Cline 4b5e42
+config KEXEC_SIG_FORCE
Jeremy Cline 4b5e42
+	bool "Require a valid signature in kexec_file_load() syscall"
Jeremy Cline 4b5e42
+	depends on KEXEC_SIG
Jeremy Cline 4b5e42
+	---help---
Jeremy Cline 4b5e42
+	  This option makes kernel signature verification mandatory for
Jeremy Cline 4b5e42
+	  the kexec_file_load() syscall.
Jeremy Cline 4b5e42
+
Jeremy Cline 4b5e42
 config KEXEC_BZIMAGE_VERIFY_SIG
Jeremy Cline 4b5e42
 	bool "Enable bzImage signature verification support"
Jeremy Cline 4b5e42
-	depends on KEXEC_VERIFY_SIG
Jeremy Cline 4b5e42
+	depends on KEXEC_SIG
Jeremy Cline 4b5e42
 	depends on SIGNED_PE_FILE_VERIFICATION
Jeremy Cline 4b5e42
 	select SYSTEM_TRUSTED_KEYRING
Jeremy Cline 4b5e42
 	---help---
Jeremy Cline 4b5e42
diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c
4cbd7a
index 3b303fe2f061..cc9dbcecaaca 100644
Jeremy Cline 4b5e42
--- a/crypto/asymmetric_keys/verify_pefile.c
Jeremy Cline 4b5e42
+++ b/crypto/asymmetric_keys/verify_pefile.c
4cbd7a
@@ -96,7 +96,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen,
Jeremy Cline 4b5e42
 
Jeremy Cline 4b5e42
 	if (!ddir->certs.virtual_address || !ddir->certs.size) {
Jeremy Cline 4b5e42
 		pr_debug("Unsigned PE binary\n");
Jeremy Cline 4b5e42
-		return -EKEYREJECTED;
Jeremy Cline 4b5e42
+		return -ENODATA;
Jeremy Cline 4b5e42
 	}
Jeremy Cline 4b5e42
 
Jeremy Cline 4b5e42
 	chkaddr(ctx->header_size, ddir->certs.virtual_address,
4cbd7a
@@ -403,6 +403,8 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen,
Jeremy Cline 4b5e42
  *  (*) 0 if at least one signature chain intersects with the keys in the trust
Jeremy Cline 4b5e42
  *	keyring, or:
Jeremy Cline 4b5e42
  *
Jeremy Cline 4b5e42
+ *  (*) -ENODATA if there is no signature present.
Jeremy Cline 4b5e42
+ *
Jeremy Cline 4b5e42
  *  (*) -ENOPKG if a suitable crypto module couldn't be found for a check on a
Jeremy Cline 4b5e42
  *	chain.
Jeremy Cline 4b5e42
  *
Jeremy Cline 4b5e42
diff --git a/include/linux/kexec.h b/include/linux/kexec.h
Jeremy Cline 4b5e42
index b9b1bc5f9669..58b27c7bdc2b 100644
Jeremy Cline 4b5e42
--- a/include/linux/kexec.h
Jeremy Cline 4b5e42
+++ b/include/linux/kexec.h
Jeremy Cline 4b5e42
@@ -125,7 +125,7 @@ typedef void *(kexec_load_t)(struct kimage *image, char *kernel_buf,
Jeremy Cline 4b5e42
 			     unsigned long cmdline_len);
Jeremy Cline 4b5e42
 typedef int (kexec_cleanup_t)(void *loader_data);
Jeremy Cline 4b5e42
 
Jeremy Cline 4b5e42
-#ifdef CONFIG_KEXEC_VERIFY_SIG
Jeremy Cline 4b5e42
+#ifdef CONFIG_KEXEC_SIG
Jeremy Cline 4b5e42
 typedef int (kexec_verify_sig_t)(const char *kernel_buf,
Jeremy Cline 4b5e42
 				 unsigned long kernel_len);
Jeremy Cline 4b5e42
 #endif
Jeremy Cline 4b5e42
@@ -134,7 +134,7 @@ struct kexec_file_ops {
Jeremy Cline 4b5e42
 	kexec_probe_t *probe;
Jeremy Cline 4b5e42
 	kexec_load_t *load;
Jeremy Cline 4b5e42
 	kexec_cleanup_t *cleanup;
Jeremy Cline 4b5e42
-#ifdef CONFIG_KEXEC_VERIFY_SIG
Jeremy Cline 4b5e42
+#ifdef CONFIG_KEXEC_SIG
Jeremy Cline 4b5e42
 	kexec_verify_sig_t *verify_sig;
Jeremy Cline 4b5e42
 #endif
Jeremy Cline 4b5e42
 };
Jeremy Cline 4b5e42
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
4cbd7a
index b8cc032d5620..5036bde1e5b3 100644
Jeremy Cline 4b5e42
--- a/kernel/kexec_file.c
Jeremy Cline 4b5e42
+++ b/kernel/kexec_file.c
4cbd7a
@@ -88,7 +88,7 @@ int __weak arch_kimage_file_post_load_cleanup(struct kimage *image)
Jeremy Cline 4b5e42
 	return kexec_image_post_load_cleanup_default(image);
Jeremy Cline 4b5e42
 }
Jeremy Cline 4b5e42
 
Jeremy Cline 4b5e42
-#ifdef CONFIG_KEXEC_VERIFY_SIG
Jeremy Cline 4b5e42
+#ifdef CONFIG_KEXEC_SIG
Jeremy Cline 4b5e42
 static int kexec_image_verify_sig_default(struct kimage *image, void *buf,
Jeremy Cline 4b5e42
 					  unsigned long buf_len)
Jeremy Cline 4b5e42
 {
4cbd7a
@@ -186,7 +186,8 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
Jeremy Cline 4b5e42
 			     const char __user *cmdline_ptr,
Jeremy Cline 4b5e42
 			     unsigned long cmdline_len, unsigned flags)
Jeremy Cline 4b5e42
 {
Jeremy Cline 4b5e42
-	int ret = 0;
Jeremy Cline 4b5e42
+	const char *reason;
Jeremy Cline 4b5e42
+	int ret;
Jeremy Cline 4b5e42
 	void *ldata;
Jeremy Cline 4b5e42
 	loff_t size;
Jeremy Cline 4b5e42
 
4cbd7a
@@ -202,15 +203,48 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
Jeremy Cline 4b5e42
 	if (ret)
Jeremy Cline 4b5e42
 		goto out;
Jeremy Cline 4b5e42
 
Jeremy Cline 4b5e42
-#ifdef CONFIG_KEXEC_VERIFY_SIG
Jeremy Cline 4b5e42
+#ifdef CONFIG_KEXEC_SIG
Jeremy Cline 4b5e42
 	ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf,
Jeremy Cline 4b5e42
 					   image->kernel_buf_len);
Jeremy Cline 4b5e42
-	if (ret) {
Jeremy Cline 4b5e42
-		pr_debug("kernel signature verification failed.\n");
Jeremy Cline 4b5e42
+#else
Jeremy Cline 4b5e42
+	ret = -ENODATA;
Jeremy Cline 4b5e42
+#endif
Jeremy Cline 4b5e42
+
Jeremy Cline 4b5e42
+	switch (ret) {
Jeremy Cline 4b5e42
+	case 0:
Jeremy Cline 4b5e42
+		break;
Jeremy Cline 4b5e42
+
Jeremy Cline 4b5e42
+		/* Certain verification errors are non-fatal if we're not
Jeremy Cline 4b5e42
+		 * checking errors, provided we aren't mandating that there
Jeremy Cline 4b5e42
+		 * must be a valid signature.
Jeremy Cline 4b5e42
+		 */
Jeremy Cline 4b5e42
+	case -ENODATA:
Jeremy Cline 4b5e42
+		reason = "kexec of unsigned image";
Jeremy Cline 4b5e42
+		goto decide;
Jeremy Cline 4b5e42
+	case -ENOPKG:
Jeremy Cline 4b5e42
+		reason = "kexec of image with unsupported crypto";
Jeremy Cline 4b5e42
+		goto decide;
Jeremy Cline 4b5e42
+	case -ENOKEY:
Jeremy Cline 4b5e42
+		reason = "kexec of image with unavailable key";
Jeremy Cline 4b5e42
+	decide:
Jeremy Cline 4b5e42
+		if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) {
Jeremy Cline 4b5e42
+			pr_notice("%s rejected\n", reason);
Jeremy Cline 4b5e42
+			ret = -EKEYREJECTED;
Jeremy Cline 4b5e42
+			goto out;
Jeremy Cline 4b5e42
+		}
Jeremy Cline 4b5e42
+
Jeremy Cline 4b5e42
+		ret = 0;
Jeremy Cline 4b5e42
+		break;
Jeremy Cline 4b5e42
+
Jeremy Cline 4b5e42
+		/* All other errors are fatal, including nomem, unparseable
Jeremy Cline 4b5e42
+		 * signatures and signature check failures - even if signatures
Jeremy Cline 4b5e42
+		 * aren't required.
Jeremy Cline 4b5e42
+		 */
Jeremy Cline 4b5e42
+	default:
Jeremy Cline 4b5e42
+		pr_notice("kernel signature verification failed (%d).\n", ret);
Jeremy Cline 4b5e42
 		goto out;
Jeremy Cline 4b5e42
 	}
Jeremy Cline 4b5e42
-	pr_debug("kernel signature verification successful.\n");
Jeremy Cline 4b5e42
-#endif
Jeremy Cline 4b5e42
+
Jeremy Cline 4b5e42
 	/* It is possible that there no initramfs is being loaded */
Jeremy Cline 4b5e42
 	if (!(flags & KEXEC_FILE_NO_INITRAMFS)) {
Jeremy Cline 4b5e42
 		ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf,
Jeremy Cline 4b5e42
-- 
Jeremy Cline 4b5e42
2.21.0
Jeremy Cline 4b5e42
4cbd7a
4cbd7a
From d0ca8a6c26bfd6c8de7ed1d83326aae9b4bdfbf4 Mon Sep 17 00:00:00 2001
Jeremy Cline 4b5e42
From: Jiri Bohac <jbohac@suse.cz>
Jeremy Cline 4b5e42
Date: Mon, 18 Feb 2019 12:44:58 +0000
4cbd7a
Subject: [PATCH 07/29] kexec_file: Restrict at runtime if the kernel is locked
Jeremy Cline 4b5e42
 down
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
When KEXEC_SIG is not enabled, kernel should not load images through
Jeremy Cline 4b5e42
kexec_file systemcall if the kernel is locked down.
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
[Modified by David Howells to fit with modifications to the previous patch
Jeremy Cline 4b5e42
 and to return -EPERM if the kernel is locked down for consistency with
Jeremy Cline 4b5e42
 other lockdowns. Modified by Matthew Garrett to remove the IMA
Jeremy Cline 4b5e42
 integration, which will be replaced by integrating with the IMA
Jeremy Cline 4b5e42
 architecture policy patches.]
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
Signed-off-by: Jiri Bohac <jbohac@suse.cz>
Jeremy Cline 4b5e42
Signed-off-by: David Howells <dhowells@redhat.com>
Jeremy Cline 4b5e42
Reviewed-by: Jiri Bohac <jbohac@suse.cz>
Jeremy Cline 4b5e42
cc: kexec@lists.infradead.org
Jeremy Cline 4b5e42
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
Jeremy Cline 4b5e42
---
Jeremy Cline 4b5e42
 kernel/kexec_file.c | 6 ++++++
Jeremy Cline 4b5e42
 1 file changed, 6 insertions(+)
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
4cbd7a
index 5036bde1e5b3..0668c29d2eaf 100644
Jeremy Cline 4b5e42
--- a/kernel/kexec_file.c
Jeremy Cline 4b5e42
+++ b/kernel/kexec_file.c
4cbd7a
@@ -234,6 +234,12 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
Jeremy Cline 4b5e42
 		}
Jeremy Cline 4b5e42
 
Jeremy Cline 4b5e42
 		ret = 0;
Jeremy Cline 4b5e42
+
Jeremy Cline 4b5e42
+		if (kernel_is_locked_down(reason)) {
Jeremy Cline 4b5e42
+			ret = -EPERM;
Jeremy Cline 4b5e42
+			goto out;
Jeremy Cline 4b5e42
+		}
Jeremy Cline 4b5e42
+
Jeremy Cline 4b5e42
 		break;
Jeremy Cline 4b5e42
 
Jeremy Cline 4b5e42
 		/* All other errors are fatal, including nomem, unparseable
Jeremy Cline 4b5e42
-- 
Jeremy Cline 4b5e42
2.21.0
Jeremy Cline 4b5e42
4cbd7a
4cbd7a
From 3754ff197e10abd8ef88875e069741025ea0dd84 Mon Sep 17 00:00:00 2001
962ea4
From: Josh Boyer <jwboyer@fedoraproject.org>
Jeremy Cline 4b5e42
Date: Mon, 18 Feb 2019 12:44:59 +0000
4cbd7a
Subject: [PATCH 08/29] hibernate: Disable when the kernel is locked down
962ea4
962ea4
There is currently no way to verify the resume image when returning
962ea4
from hibernate.  This might compromise the signed modules trust model,
962ea4
so until we can work with signed hibernate images we disable it when the
962ea4
kernel is locked down.
962ea4
962ea4
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
Jeremy Cline 4b5e42
Cc: rjw@rjwysocki.net
Jeremy Cline 4b5e42
Cc: pavel@ucw.cz
59566d
cc: linux-pm@vger.kernel.org
Jeremy Cline 4b5e42
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
962ea4
---
135abd
 kernel/power/hibernate.c | 2 +-
962ea4
 1 file changed, 1 insertion(+), 1 deletion(-)
962ea4
962ea4
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
4cbd7a
index cd7434e6000d..0f30de4a712a 100644
962ea4
--- a/kernel/power/hibernate.c
962ea4
+++ b/kernel/power/hibernate.c
4cbd7a
@@ -68,7 +68,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
Jeremy Cline 6c72c6
 
962ea4
 bool hibernation_available(void)
962ea4
 {
962ea4
-	return (nohibernate == 0);
59566d
+	return nohibernate == 0 && !kernel_is_locked_down("Hibernation");
962ea4
 }
Jeremy Cline 6c72c6
 
135abd
 /**
135abd
-- 
Jeremy Cline 4b5e42
2.21.0
59566d
4cbd7a
4cbd7a
From a144fd3bcc7fcbf55b608c89b8cf64abec72130c Mon Sep 17 00:00:00 2001
962ea4
From: Matthew Garrett <mjg59@srcf.ucam.org>
Jeremy Cline 4b5e42
Date: Mon, 18 Feb 2019 12:44:59 +0000
4cbd7a
Subject: [PATCH 09/29] uswsusp: Disable when the kernel is locked down
962ea4
962ea4
uswsusp allows a user process to dump and then restore kernel state, which
962ea4
makes it possible to modify the running kernel.  Disable this if the kernel
962ea4
is locked down.
962ea4
962ea4
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
006f5b
Reviewed-by: James Morris <james.l.morris@oracle.com>
59566d
cc: linux-pm@vger.kernel.org
Jeremy Cline 4b5e42
Cc: pavel@ucw.cz
Jeremy Cline 4b5e42
Cc: rjw@rjwysocki.net
Jeremy Cline 4b5e42
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
962ea4
---
135abd
 kernel/power/user.c | 3 +++
962ea4
 1 file changed, 3 insertions(+)
962ea4
962ea4
diff --git a/kernel/power/user.c b/kernel/power/user.c
4cbd7a
index 77438954cc2b..0caff429eb55 100644
962ea4
--- a/kernel/power/user.c
962ea4
+++ b/kernel/power/user.c
4cbd7a
@@ -49,6 +49,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
962ea4
 	if (!hibernation_available())
962ea4
 		return -EPERM;
Jeremy Cline 6c72c6
 
59566d
+	if (kernel_is_locked_down("/dev/snapshot"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
 	lock_system_sleep();
Jeremy Cline 6c72c6
 
135abd
 	if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
135abd
-- 
Jeremy Cline 4b5e42
2.21.0
59566d
4cbd7a
4cbd7a
From 069af594117ee566597173886950d3577c523983 Mon Sep 17 00:00:00 2001
f20e0a
From: Matthew Garrett <mjg59@srcf.ucam.org>
Jeremy Cline 4b5e42
Date: Mon, 18 Feb 2019 12:44:59 +0000
4cbd7a
Subject: [PATCH 10/29] PCI: Lock down BAR access when the kernel is locked
135abd
 down
962ea4
962ea4
Any hardware that can potentially generate DMA has to be locked down in
962ea4
order to avoid it being possible for an attacker to modify kernel code,
962ea4
allowing them to circumvent disabled module loading or module signing.
962ea4
Default to paranoid - in future we can potentially relax this for
962ea4
sufficiently IOMMU-isolated devices.
962ea4
f20e0a
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
Acked-by: Bjorn Helgaas <bhelgaas@google.com>
59566d
cc: linux-pci@vger.kernel.org
Jeremy Cline 4b5e42
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
962ea4
---
135abd
 drivers/pci/pci-sysfs.c | 9 +++++++++
135abd
 drivers/pci/proc.c      | 9 ++++++++-
135abd
 drivers/pci/syscall.c   | 3 ++-
59566d
 3 files changed, 19 insertions(+), 2 deletions(-)
962ea4
962ea4
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
4cbd7a
index 965c72104150..f8cef3e348a3 100644
962ea4
--- a/drivers/pci/pci-sysfs.c
962ea4
+++ b/drivers/pci/pci-sysfs.c
4cbd7a
@@ -907,6 +907,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
962ea4
 	loff_t init_off = off;
962ea4
 	u8 *data = (u8 *) buf;
Jeremy Cline 6c72c6
 
59566d
+	if (kernel_is_locked_down("Direct PCI access"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
 	if (off > dev->cfg_size)
962ea4
 		return 0;
962ea4
 	if (off + count > dev->cfg_size) {
4cbd7a
@@ -1168,6 +1171,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
bd3278
 	enum pci_mmap_state mmap_type;
bd3278
 	struct resource *res = &pdev->resource[bar];
Jeremy Cline 6c72c6
 
59566d
+	if (kernel_is_locked_down("Direct PCI access"))
962ea4
+		return -EPERM;
962ea4
+
bd3278
 	if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start))
bd3278
 		return -EINVAL;
Jeremy Cline 6c72c6
 
4cbd7a
@@ -1243,6 +1249,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
962ea4
 				     struct bin_attribute *attr, char *buf,
962ea4
 				     loff_t off, size_t count)
962ea4
 {
59566d
+	if (kernel_is_locked_down("Direct PCI access"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
 	return pci_resource_io(filp, kobj, attr, buf, off, count, true);
962ea4
 }
Jeremy Cline 6c72c6
 
962ea4
diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
4cbd7a
index fe7fe678965b..23c9b5979f5d 100644
962ea4
--- a/drivers/pci/proc.c
962ea4
+++ b/drivers/pci/proc.c
f20e0a
@@ -117,6 +117,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
962ea4
 	int size = dev->cfg_size;
962ea4
 	int cnt;
Jeremy Cline 6c72c6
 
59566d
+	if (kernel_is_locked_down("Direct PCI access"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
 	if (pos >= size)
962ea4
 		return 0;
962ea4
 	if (nbytes >= size)
f20e0a
@@ -196,6 +199,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
962ea4
 #endif /* HAVE_PCI_MMAP */
962ea4
 	int ret = 0;
Jeremy Cline 6c72c6
 
59566d
+	if (kernel_is_locked_down("Direct PCI access"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
 	switch (cmd) {
962ea4
 	case PCIIOC_CONTROLLER:
962ea4
 		ret = pci_domain_nr(dev->bus);
4cbd7a
@@ -238,7 +244,8 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
962ea4
 	struct pci_filp_private *fpriv = file->private_data;
bd3278
 	int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM;
Jeremy Cline 6c72c6
 
962ea4
-	if (!capable(CAP_SYS_RAWIO))
59566d
+	if (!capable(CAP_SYS_RAWIO) ||
59566d
+	    kernel_is_locked_down("Direct PCI access"))
962ea4
 		return -EPERM;
Jeremy Cline 6c72c6
 
bd3278
 	if (fpriv->mmap_state == pci_mmap_io) {
962ea4
diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
8cf006
index d96626c614f5..b8a08d3166a1 100644
962ea4
--- a/drivers/pci/syscall.c
962ea4
+++ b/drivers/pci/syscall.c
8cf006
@@ -90,7 +90,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
962ea4
 	u32 dword;
962ea4
 	int err = 0;
Jeremy Cline 6c72c6
 
962ea4
-	if (!capable(CAP_SYS_ADMIN))
59566d
+	if (!capable(CAP_SYS_ADMIN) ||
59566d
+	    kernel_is_locked_down("Direct PCI access"))
962ea4
 		return -EPERM;
Jeremy Cline 6c72c6
 
bf681f
 	dev = pci_get_domain_bus_and_slot(0, bus, dfn);
135abd
-- 
Jeremy Cline 4b5e42
2.21.0
59566d
4cbd7a
4cbd7a
From 97f7b0338b58afd67817ca886de78ce9bba67f29 Mon Sep 17 00:00:00 2001
f20e0a
From: Matthew Garrett <mjg59@srcf.ucam.org>
Jeremy Cline 4b5e42
Date: Mon, 18 Feb 2019 12:44:59 +0000
4cbd7a
Subject: [PATCH 11/29] x86: Lock down IO port access when the kernel is locked
135abd
 down
962ea4
962ea4
IO port access would permit users to gain access to PCI configuration
962ea4
registers, which in turn (on a lot of hardware) give access to MMIO
962ea4
register space. This would potentially permit root to trigger arbitrary
962ea4
DMA, so lock it down by default.
962ea4
962ea4
This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and
962ea4
KDDISABIO console ioctls.
962ea4
f20e0a
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
59566d
cc: x86@kernel.org
Jeremy Cline 4b5e42
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
962ea4
---
135abd
 arch/x86/kernel/ioport.c | 6 ++++--
006f5b
 1 file changed, 4 insertions(+), 2 deletions(-)
962ea4
962ea4
diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
8cf006
index 0fe1c8782208..abc702a6ae9c 100644
962ea4
--- a/arch/x86/kernel/ioport.c
962ea4
+++ b/arch/x86/kernel/ioport.c
8cf006
@@ -31,7 +31,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on)
Jeremy Cline 6c72c6
 
962ea4
 	if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
962ea4
 		return -EINVAL;
962ea4
-	if (turn_on && !capable(CAP_SYS_RAWIO))
59566d
+	if (turn_on && (!capable(CAP_SYS_RAWIO) ||
59566d
+			kernel_is_locked_down("ioperm")))
962ea4
 		return -EPERM;
Jeremy Cline 6c72c6
 
962ea4
 	/*
8cf006
@@ -126,7 +127,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
962ea4
 		return -EINVAL;
962ea4
 	/* Trying to gain more privileges? */
962ea4
 	if (level > old) {
962ea4
-		if (!capable(CAP_SYS_RAWIO))
59566d
+		if (!capable(CAP_SYS_RAWIO) ||
59566d
+		    kernel_is_locked_down("iopl"))
962ea4
 			return -EPERM;
962ea4
 	}
962ea4
 	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
135abd
-- 
Jeremy Cline 4b5e42
2.21.0
59566d
4cbd7a
4cbd7a
From 65029f8df39eb1d0a48cbcb6686b21e844ff9b3c Mon Sep 17 00:00:00 2001
f20e0a
From: Matthew Garrett <mjg59@srcf.ucam.org>
Jeremy Cline 4b5e42
Date: Mon, 18 Feb 2019 12:44:59 +0000
4cbd7a
Subject: [PATCH 12/29] x86/msr: Restrict MSR access when the kernel is locked
135abd
 down
962ea4
962ea4
Writing to MSRs should not be allowed if the kernel is locked down, since
962ea4
it could lead to execution of arbitrary code in kernel mode.  Based on a
962ea4
patch by Kees Cook.
962ea4
006f5b
MSR accesses are logged for the purposes of building up a whitelist as per
006f5b
Alan Cox's suggestion.
006f5b
f20e0a
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
Acked-by: Kees Cook <keescook@chromium.org>
59566d
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
59566d
cc: x86@kernel.org
Jeremy Cline 4b5e42
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
962ea4
---
006f5b
 arch/x86/kernel/msr.c | 10 ++++++++++
006f5b
 1 file changed, 10 insertions(+)
962ea4
962ea4
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
4cbd7a
index 3db2252b958d..5eed6530c223 100644
962ea4
--- a/arch/x86/kernel/msr.c
962ea4
+++ b/arch/x86/kernel/msr.c
4cbd7a
@@ -79,6 +79,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
962ea4
 	int err = 0;
962ea4
 	ssize_t bytes = 0;
Jeremy Cline 6c72c6
 
006f5b
+	if (kernel_is_locked_down("Direct MSR access")) {
006f5b
+		pr_info("Direct access to MSR %x\n", reg);
962ea4
+		return -EPERM;
006f5b
+	}
962ea4
+
962ea4
 	if (count % 8)
962ea4
 		return -EINVAL;	/* Invalid chunk size */
Jeremy Cline 6c72c6
 
4cbd7a
@@ -130,6 +135,11 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
006f5b
 			err = -EFAULT;
962ea4
 			break;
962ea4
 		}
59566d
+		if (kernel_is_locked_down("Direct MSR access")) {
006f5b
+			pr_info("Direct access to MSR %x\n", regs[1]); /* Display %ecx */
962ea4
+			err = -EPERM;
962ea4
+			break;
962ea4
+		}
006f5b
 		err = wrmsr_safe_regs_on_cpu(cpu, regs);
006f5b
 		if (err)
962ea4
 			break;
135abd
-- 
Jeremy Cline 4b5e42
2.21.0
135abd
4cbd7a
4cbd7a
From 0a0ad07ecc667dae61d7a1073559830184022be7 Mon Sep 17 00:00:00 2001
f20e0a
From: Matthew Garrett <mjg59@srcf.ucam.org>
Jeremy Cline 4b5e42
Date: Mon, 18 Feb 2019 12:44:59 +0000
4cbd7a
Subject: [PATCH 13/29] ACPI: Limit access to custom_method when the kernel is
135abd
 locked down
962ea4
962ea4
custom_method effectively allows arbitrary access to system memory, making
962ea4
it possible for an attacker to circumvent restrictions on module loading.
962ea4
Disable it if the kernel is locked down.
962ea4
f20e0a
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
cc: linux-acpi@vger.kernel.org
Jeremy Cline 4b5e42
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
962ea4
---
135abd
 drivers/acpi/custom_method.c | 3 +++
962ea4
 1 file changed, 3 insertions(+)
962ea4
962ea4
diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
4cbd7a
index b2ef4c2ec955..33b821be0600 100644
962ea4
--- a/drivers/acpi/custom_method.c
962ea4
+++ b/drivers/acpi/custom_method.c
4cbd7a
@@ -30,6 +30,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
962ea4
 	struct acpi_table_header table;
962ea4
 	acpi_status status;
Jeremy Cline 6c72c6
 
59566d
+	if (kernel_is_locked_down("ACPI custom methods"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
 	if (!(*ppos)) {
962ea4
 		/* parse the table header to get the table length */
962ea4
 		if (count <= sizeof(struct acpi_table_header))
135abd
-- 
Jeremy Cline 4b5e42
2.21.0
962ea4
4cbd7a
4cbd7a
From ad843f3ba6d525cc47eb2c866de74a324d3a960c Mon Sep 17 00:00:00 2001
962ea4
From: Josh Boyer <jwboyer@redhat.com>
Jeremy Cline 4b5e42
Date: Mon, 18 Feb 2019 12:44:59 +0000
4cbd7a
Subject: [PATCH 14/29] acpi: Ignore acpi_rsdp kernel param when the kernel has
135abd
 been locked down
962ea4
962ea4
This option allows userspace to pass the RSDP address to the kernel, which
59566d
makes it possible for a user to modify the workings of hardware .  Reject
59566d
the option when the kernel is locked down.
962ea4
962ea4
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
cc: Dave Young <dyoung@redhat.com>
59566d
cc: linux-acpi@vger.kernel.org
Jeremy Cline 4b5e42
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
962ea4
---
135abd
 drivers/acpi/osl.c | 2 +-
962ea4
 1 file changed, 1 insertion(+), 1 deletion(-)
962ea4
962ea4
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
4cbd7a
index 9c0edf2fc0dd..0c5c7b51fb72 100644
962ea4
--- a/drivers/acpi/osl.c
962ea4
+++ b/drivers/acpi/osl.c
4cbd7a
@@ -180,7 +180,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void)
71c4e8
 	acpi_physical_address pa;
Jeremy Cline 6c72c6
 
962ea4
 #ifdef CONFIG_KEXEC
962ea4
-	if (acpi_rsdp)
59566d
+	if (acpi_rsdp && !kernel_is_locked_down("ACPI RSDP specification"))
962ea4
 		return acpi_rsdp;
962ea4
 #endif
71c4e8
 	pa = acpi_arch_get_root_pointer();
135abd
-- 
Jeremy Cline 4b5e42
2.21.0
59566d
4cbd7a
4cbd7a
From 146618cd3ae3556184f3ca94ca82809f4e7090b9 Mon Sep 17 00:00:00 2001
962ea4
From: Linn Crosetto <linn@hpe.com>
Jeremy Cline 4b5e42
Date: Mon, 18 Feb 2019 12:45:00 +0000
4cbd7a
Subject: [PATCH 15/29] acpi: Disable ACPI table override if the kernel is
135abd
 locked down
962ea4
135abd
From the kernel documentation (initrd_table_override.txt):
962ea4
962ea4
  If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
962ea4
  to override nearly any ACPI table provided by the BIOS with an
962ea4
  instrumented, modified one.
962ea4
962ea4
When securelevel is set, the kernel should disallow any unauthenticated
962ea4
changes to kernel space.  ACPI tables contain code invoked by the kernel,
962ea4
so do not allow ACPI tables to be overridden if the kernel is locked down.
962ea4
962ea4
Signed-off-by: Linn Crosetto <linn@hpe.com>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
cc: linux-acpi@vger.kernel.org
Jeremy Cline 4b5e42
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
962ea4
---
135abd
 drivers/acpi/tables.c | 5 +++++
962ea4
 1 file changed, 5 insertions(+)
962ea4
962ea4
diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
4cbd7a
index b32327759380..6fd5c8328427 100644
962ea4
--- a/drivers/acpi/tables.c
962ea4
+++ b/drivers/acpi/tables.c
4cbd7a
@@ -578,6 +578,11 @@ void __init acpi_table_upgrade(void)
962ea4
 	if (table_nr == 0)
962ea4
 		return;
Jeremy Cline 6c72c6
 
59566d
+	if (kernel_is_locked_down("ACPI table override")) {
962ea4
+		pr_notice("kernel is locked down, ignoring table override\n");
962ea4
+		return;
962ea4
+	}
962ea4
+
962ea4
 	acpi_tables_addr =
962ea4
 		memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
962ea4
 				       all_tables_size, PAGE_SIZE);
135abd
-- 
Jeremy Cline 4b5e42
2.21.0
962ea4
4cbd7a
4cbd7a
From e183b69655b6069c7007ad911252dd681fb0083f Mon Sep 17 00:00:00 2001
962ea4
From: Linn Crosetto <linn@hpe.com>
Jeremy Cline 4b5e42
Date: Mon, 18 Feb 2019 12:45:00 +0000
4cbd7a
Subject: [PATCH 16/29] acpi: Disable APEI error injection if the kernel is
135abd
 locked down
962ea4
962ea4
ACPI provides an error injection mechanism, EINJ, for debugging and testing
962ea4
the ACPI Platform Error Interface (APEI) and other RAS features.  If
962ea4
supported by the firmware, ACPI specification 5.0 and later provide for a
962ea4
way to specify a physical memory address to which to inject the error.
962ea4
962ea4
Injecting errors through EINJ can produce errors which to the platform are
962ea4
indistinguishable from real hardware errors.  This can have undesirable
962ea4
side-effects, such as causing the platform to mark hardware as needing
962ea4
replacement.
962ea4
962ea4
While it does not provide a method to load unauthenticated privileged code,
962ea4
the effect of these errors may persist across reboots and affect trust in
962ea4
the underlying hardware, so disable error injection through EINJ if
962ea4
the kernel is locked down.
962ea4
962ea4
Signed-off-by: Linn Crosetto <linn@hpe.com>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
cc: linux-acpi@vger.kernel.org
Jeremy Cline 4b5e42
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
962ea4
---
135abd
 drivers/acpi/apei/einj.c | 3 +++
962ea4
 1 file changed, 3 insertions(+)
962ea4
962ea4
diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c
4cbd7a
index e430cf4caec2..dde995f871d6 100644
962ea4
--- a/drivers/acpi/apei/einj.c
962ea4
+++ b/drivers/acpi/apei/einj.c
4cbd7a
@@ -510,6 +510,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2,
962ea4
 	int rc;
962ea4
 	u64 base_addr, size;
Jeremy Cline 6c72c6
 
59566d
+	if (kernel_is_locked_down("ACPI error injection"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
 	/* If user manually set "flags", make sure it is legal */
962ea4
 	if (flags && (flags &
962ea4
 		~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF)))
135abd
-- 
Jeremy Cline 4b5e42
2.21.0
962ea4
4cbd7a
4cbd7a
From 2c469f9240f58dce6049eae000d70dcef8025cfa Mon Sep 17 00:00:00 2001
962ea4
From: David Howells <dhowells@redhat.com>
Jeremy Cline 4b5e42
Date: Mon, 18 Feb 2019 12:45:00 +0000
4cbd7a
Subject: [PATCH 17/29] Prohibit PCMCIA CIS storage when the kernel is locked
135abd
 down
962ea4
962ea4
Prohibit replacement of the PCMCIA Card Information Structure when the
962ea4
kernel is locked down.
962ea4
59566d
Suggested-by: Dominik Brodowski <linux@dominikbrodowski.net>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
cc: linux-pcmcia@lists.infradead.org
Jeremy Cline 4b5e42
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
962ea4
---
135abd
 drivers/pcmcia/cistpl.c | 3 +++
59566d
 1 file changed, 3 insertions(+)
962ea4
962ea4
diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c
4cbd7a
index abd029945cc8..77919fa3fb4a 100644
962ea4
--- a/drivers/pcmcia/cistpl.c
962ea4
+++ b/drivers/pcmcia/cistpl.c
4cbd7a
@@ -1575,6 +1575,9 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj,
962ea4
 	struct pcmcia_socket *s;
962ea4
 	int error;
Jeremy Cline 6c72c6
 
59566d
+	if (kernel_is_locked_down("Direct PCMCIA CIS storage"))
962ea4
+		return -EPERM;
962ea4
+
962ea4
 	s = to_socket(container_of(kobj, struct device, kobj));
Jeremy Cline 6c72c6
 
962ea4
 	if (off)
135abd
-- 
Jeremy Cline 4b5e42
2.21.0
962ea4
4cbd7a
4cbd7a
From 5f1bdf370484979c291e37cd6905480a12083b18 Mon Sep 17 00:00:00 2001
962ea4
From: David Howells <dhowells@redhat.com>
Jeremy Cline 4b5e42
Date: Mon, 18 Feb 2019 12:45:00 +0000
4cbd7a
Subject: [PATCH 18/29] Lock down TIOCSSERIAL
962ea4
962ea4
Lock down TIOCSSERIAL as that can be used to change the ioport and irq
962ea4
settings on a serial port.  This only appears to be an issue for the serial
962ea4
drivers that use the core serial code.  All other drivers seem to either
962ea4
ignore attempts to change port/irq or give an error.
962ea4
962ea4
Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
962ea4
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
cc: Jiri Slaby <jslaby@suse.com>
Jeremy Cline 4b5e42
Cc: linux-serial@vger.kernel.org
Jeremy Cline 4b5e42
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
962ea4
---
135abd
 drivers/tty/serial/serial_core.c | 6 ++++++
962ea4
 1 file changed, 6 insertions(+)
962ea4
962ea4
diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
4cbd7a
index 4223cb496764..4f3cd7bc1713 100644
962ea4
--- a/drivers/tty/serial/serial_core.c
962ea4
+++ b/drivers/tty/serial/serial_core.c
4cbd7a
@@ -846,6 +846,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port,
7c0c57
 	new_flags = (__force upf_t)new_info->flags;
962ea4
 	old_custom_divisor = uport->custom_divisor;
Jeremy Cline 6c72c6
 
59566d
+	if ((change_port || change_irq) &&
59566d
+	    kernel_is_locked_down("Using TIOCSSERIAL to change device addresses, irqs and dma channels")) {
962ea4
+		retval = -EPERM;
962ea4
+		goto exit;
962ea4
+	}
962ea4
+
962ea4
 	if (!capable(CAP_SYS_ADMIN)) {
962ea4
 		retval = -EPERM;
962ea4
 		if (change_irq || change_port ||
135abd
-- 
Jeremy Cline 4b5e42
2.21.0
c796f8
4cbd7a
4cbd7a
From b07159ff6bc3345b49db17a82fa31013f398d4e5 Mon Sep 17 00:00:00 2001
59566d
From: David Howells <dhowells@redhat.com>
Jeremy Cline 4b5e42
Date: Mon, 18 Feb 2019 12:45:01 +0000
4cbd7a
Subject: [PATCH 19/29] Lock down module params that specify hardware
135abd
 parameters (eg. ioport)
59566d
59566d
Provided an annotation for module parameters that specify hardware
59566d
parameters (such as io ports, iomem addresses, irqs, dma channels, fixed
59566d
dma buffers and other types).
59566d
59566d
Suggested-by: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
59566d
Signed-off-by: David Howells <dhowells@redhat.com>
Jeremy Cline 4b5e42
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
59566d
---
135abd
 kernel/params.c | 26 +++++++++++++++++++++-----
59566d
 1 file changed, 21 insertions(+), 5 deletions(-)
59566d
59566d
diff --git a/kernel/params.c b/kernel/params.c
4cbd7a
index cf448785d058..61a08a5da208 100644
59566d
--- a/kernel/params.c
59566d
+++ b/kernel/params.c
4cbd7a
@@ -96,13 +96,19 @@ bool parameq(const char *a, const char *b)
59566d
 	return parameqn(a, b, strlen(a)+1);
59566d
 }
Jeremy Cline 6c72c6
 
59566d
-static void param_check_unsafe(const struct kernel_param *kp)
59566d
+static bool param_check_unsafe(const struct kernel_param *kp,
59566d
+			       const char *doing)
59566d
 {
59566d
 	if (kp->flags & KERNEL_PARAM_FL_UNSAFE) {
df0ed2
 		pr_notice("Setting dangerous option %s - tainting kernel\n",
df0ed2
 			  kp->name);
59566d
 		add_taint(TAINT_USER, LOCKDEP_STILL_OK);
59566d
 	}
59566d
+
59566d
+	if (kp->flags & KERNEL_PARAM_FL_HWPARAM &&
59566d
+	    kernel_is_locked_down("Command line-specified device addresses, irqs and dma channels"))
59566d
+		return false;
59566d
+	return true;
59566d
 }
Jeremy Cline 6c72c6
 
59566d
 static int parse_one(char *param,
4cbd7a
@@ -132,8 +138,10 @@ static int parse_one(char *param,
59566d
 			pr_debug("handling %s with %p\n", param,
59566d
 				params[i].ops->set);
59566d
 			kernel_param_lock(params[i].mod);
59566d
-			param_check_unsafe(&params[i]);
59566d
-			err = params[i].ops->set(val, &params[i]);
59566d
+			if (param_check_unsafe(&params[i], doing))
59566d
+				err = params[i].ops->set(val, &params[i]);
59566d
+			else
59566d
+				err = -EPERM;
59566d
 			kernel_param_unlock(params[i].mod);
59566d
 			return err;
59566d
 		}
4cbd7a
@@ -541,6 +549,12 @@ static ssize_t param_attr_show(struct module_attribute *mattr,
59566d
 	return count;
59566d
 }
Jeremy Cline 6c72c6
 
59566d
+#ifdef CONFIG_MODULES
59566d
+#define mod_name(mod) (mod)->name
59566d
+#else
59566d
+#define mod_name(mod) "unknown"
59566d
+#endif
59566d
+
59566d
 /* sysfs always hands a nul-terminated string in buf.  We rely on that. */
59566d
 static ssize_t param_attr_store(struct module_attribute *mattr,
59566d
 				struct module_kobject *mk,
4cbd7a
@@ -553,8 +567,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr,
59566d
 		return -EPERM;
Jeremy Cline 6c72c6
 
59566d
 	kernel_param_lock(mk->mod);
59566d
-	param_check_unsafe(attribute->param);
59566d
-	err = attribute->param->ops->set(buf, attribute->param);
59566d
+	if (param_check_unsafe(attribute->param, mod_name(mk->mod)))
59566d
+		err = attribute->param->ops->set(buf, attribute->param);
59566d
+	else
59566d
+		err = -EPERM;
59566d
 	kernel_param_unlock(mk->mod);
59566d
 	if (!err)
59566d
 		return len;
135abd
-- 
Jeremy Cline 4b5e42
2.21.0
59566d
4cbd7a
4cbd7a
From 3e7fdce10f144b2a947f020bd0eeeb536c77153e Mon Sep 17 00:00:00 2001
59566d
From: David Howells <dhowells@redhat.com>
Jeremy Cline 4b5e42
Date: Mon, 18 Feb 2019 12:45:01 +0000
4cbd7a
Subject: [PATCH 20/29] x86/mmiotrace: Lock down the testmmiotrace module
59566d
59566d
The testmmiotrace module shouldn't be permitted when the kernel is locked
59566d
down as it can be used to arbitrarily read and write MMIO space.
59566d
59566d
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
59566d
Signed-off-by: David Howells 
59566d
cc: Thomas Gleixner <tglx@linutronix.de>
59566d
cc: Steven Rostedt <rostedt@goodmis.org>
59566d
cc: Ingo Molnar <mingo@kernel.org>
59566d
cc: "H. Peter Anvin" <hpa@zytor.com>
59566d
cc: x86@kernel.org
Jeremy Cline 4b5e42
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
59566d
---
135abd
 arch/x86/mm/testmmiotrace.c | 3 +++
59566d
 1 file changed, 3 insertions(+)
59566d
59566d
diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c
4cbd7a
index 0881e1ff1e58..13f1da99ee5e 100644
59566d
--- a/arch/x86/mm/testmmiotrace.c
59566d
+++ b/arch/x86/mm/testmmiotrace.c
4cbd7a
@@ -116,6 +116,9 @@ static int __init init(void)
59566d
 {
59566d
 	unsigned long size = (read_far) ? (8 << 20) : (16 << 10);
Jeremy Cline 6c72c6
 
59566d
+	if (kernel_is_locked_down("MMIO trace testing"))
59566d
+		return -EPERM;
59566d
+
59566d
 	if (mmio_address == 0) {
59566d
 		pr_err("you have to use the module argument mmio_address.\n");
59566d
 		pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n");
135abd
-- 
Jeremy Cline 4b5e42
2.21.0
f20e0a
4cbd7a
4cbd7a
From 1e81a8fd6ed139113011e3b7d70aa8b5c59a97cb Mon Sep 17 00:00:00 2001
f20e0a
From: David Howells <dhowells@redhat.com>
Jeremy Cline 4b5e42
Date: Mon, 18 Feb 2019 12:45:02 +0000
4cbd7a
Subject: [PATCH 21/29] Lock down /proc/kcore
f20e0a
f20e0a
Disallow access to /proc/kcore when the kernel is locked down to prevent
f20e0a
access to cryptographic data.
f20e0a
f20e0a
Signed-off-by: David Howells <dhowells@redhat.com>
f20e0a
Reviewed-by: James Morris <james.l.morris@oracle.com>
Jeremy Cline 4b5e42
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
f20e0a
---
f20e0a
 fs/proc/kcore.c | 2 ++
f20e0a
 1 file changed, 2 insertions(+)
f20e0a
f20e0a
diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
4cbd7a
index f5834488b67d..0639228c4904 100644
f20e0a
--- a/fs/proc/kcore.c
f20e0a
+++ b/fs/proc/kcore.c
4cbd7a
@@ -545,6 +545,8 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
Jeremy Cline 6c72c6
 
f20e0a
 static int open_kcore(struct inode *inode, struct file *filp)
f20e0a
 {
f20e0a
+	if (kernel_is_locked_down("/proc/kcore"))
f20e0a
+		return -EPERM;
f20e0a
 	if (!capable(CAP_SYS_RAWIO))
f20e0a
 		return -EPERM;
Jeremy Cline 6c72c6
 
f20e0a
-- 
Jeremy Cline 4b5e42
2.21.0
f20e0a
4cbd7a
4cbd7a
From 03a1ba6091a421ae40a17dc67f61a96733c8f0d2 Mon Sep 17 00:00:00 2001
f20e0a
From: David Howells <dhowells@redhat.com>
Jeremy Cline 4b5e42
Date: Mon, 18 Feb 2019 12:45:02 +0000
4cbd7a
Subject: [PATCH 22/29] Lock down kprobes
f20e0a
f20e0a
Disallow the creation of kprobes when the kernel is locked down by
f20e0a
preventing their registration.  This prevents kprobes from being used to
f20e0a
access kernel memory, either to make modifications or to steal crypto data.
f20e0a
f20e0a
Reported-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
f20e0a
Signed-off-by: David Howells <dhowells@redhat.com>
Jeremy Cline 4b5e42
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
Jeremy Cline 4b5e42
Cc: Naveen N. Rao <naveen.n.rao@linux.ibm.com>
Jeremy Cline 4b5e42
Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
Jeremy Cline 4b5e42
Cc: davem@davemloft.net
Jeremy Cline 4b5e42
Cc: Masami Hiramatsu <mhiramat@kernel.org>
f20e0a
---
f20e0a
 kernel/kprobes.c | 3 +++
f20e0a
 1 file changed, 3 insertions(+)
f20e0a
f20e0a
diff --git a/kernel/kprobes.c b/kernel/kprobes.c
4cbd7a
index 9f5433a52488..e54c7b70298a 100644
f20e0a
--- a/kernel/kprobes.c
f20e0a
+++ b/kernel/kprobes.c
4cbd7a
@@ -1556,6 +1556,9 @@ int register_kprobe(struct kprobe *p)
f20e0a
 	struct module *probed_mod;
f20e0a
 	kprobe_opcode_t *addr;
Jeremy Cline 6c72c6
 
f20e0a
+	if (kernel_is_locked_down("Use of kprobes"))
f20e0a
+		return -EPERM;
f20e0a
+
f20e0a
 	/* Adjust probe address from symbol */
f20e0a
 	addr = kprobe_addr(p);
f20e0a
 	if (IS_ERR(addr))
f20e0a
-- 
Jeremy Cline 4b5e42
2.21.0
f20e0a
4cbd7a
4cbd7a
From d743cdf3a9508b9d9293acb3170b1d76f5556d1a Mon Sep 17 00:00:00 2001
f20e0a
From: David Howells <dhowells@redhat.com>
Jeremy Cline 4b5e42
Date: Mon, 18 Feb 2019 12:45:02 +0000
4cbd7a
Subject: [PATCH 23/29] bpf: Restrict kernel image access functions when the
Jeremy Cline 4b5e42
 kernel is locked down
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
There are some bpf functions can be used to read kernel memory:
Jeremy Cline 4b5e42
bpf_probe_read, bpf_probe_write_user and bpf_trace_printk.  These allow
Jeremy Cline 4b5e42
private keys in kernel memory (e.g. the hibernation image signing key) to
Jeremy Cline 4b5e42
be read by an eBPF program and kernel memory to be altered without
Jeremy Cline 4b5e42
restriction.
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
Completely prohibit the use of BPF when the kernel is locked down.
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Jeremy Cline 4b5e42
Signed-off-by: David Howells <dhowells@redhat.com>
Jeremy Cline 4b5e42
cc: netdev@vger.kernel.org
Jeremy Cline 4b5e42
cc: Chun-Yi Lee <jlee@suse.com>
Jeremy Cline 4b5e42
cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Jeremy Cline 4b5e42
Cc: Daniel Borkmann <daniel@iogearbox.net>
Jeremy Cline 4b5e42
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
Jeremy Cline 4b5e42
---
Jeremy Cline 4b5e42
 kernel/bpf/syscall.c | 3 +++
Jeremy Cline 4b5e42
 1 file changed, 3 insertions(+)
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
4cbd7a
index 5d141f16f6fa..cf9f0d069a2a 100644
Jeremy Cline 4b5e42
--- a/kernel/bpf/syscall.c
Jeremy Cline 4b5e42
+++ b/kernel/bpf/syscall.c
4cbd7a
@@ -2813,6 +2813,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz
Jeremy Cline 4b5e42
 	if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN))
Jeremy Cline 4b5e42
 		return -EPERM;
Jeremy Cline 4b5e42
 
Jeremy Cline 4b5e42
+	if (kernel_is_locked_down("BPF"))
Jeremy Cline 4b5e42
+		return -EPERM;
Jeremy Cline 4b5e42
+
Jeremy Cline 4b5e42
 	err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size);
Jeremy Cline 4b5e42
 	if (err)
Jeremy Cline 4b5e42
 		return err;
Jeremy Cline 4b5e42
-- 
Jeremy Cline 4b5e42
2.21.0
Jeremy Cline 4b5e42
4cbd7a
4cbd7a
From 7ec8d8a7bc177bc54e627b04a6aa4520174965cd Mon Sep 17 00:00:00 2001
Jeremy Cline 4b5e42
From: David Howells <dhowells@redhat.com>
Jeremy Cline 4b5e42
Date: Mon, 18 Feb 2019 12:45:02 +0000
4cbd7a
Subject: [PATCH 24/29] Lock down perf
f20e0a
f20e0a
Disallow the use of certain perf facilities that might allow userspace to
f20e0a
access kernel data.
f20e0a
f20e0a
Signed-off-by: David Howells <dhowells@redhat.com>
Jeremy Cline 4b5e42
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
Jeremy Cline 4b5e42
Cc: Peter Zijlstra <peterz@infradead.org>
Jeremy Cline 4b5e42
Cc: Ingo Molnar <mingo@redhat.com>
Jeremy Cline 4b5e42
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
f20e0a
---
f20e0a
 kernel/events/core.c | 5 +++++
f20e0a
 1 file changed, 5 insertions(+)
f20e0a
f20e0a
diff --git a/kernel/events/core.c b/kernel/events/core.c
4cbd7a
index eea9d52b010c..08f51f91d959 100644
f20e0a
--- a/kernel/events/core.c
f20e0a
+++ b/kernel/events/core.c
4cbd7a
@@ -10824,6 +10824,11 @@ SYSCALL_DEFINE5(perf_event_open,
f20e0a
 			return -EINVAL;
f20e0a
 	}
Jeremy Cline 6c72c6
 
f20e0a
+	if ((attr.sample_type & PERF_SAMPLE_REGS_INTR) &&
f20e0a
+	    kernel_is_locked_down("PERF_SAMPLE_REGS_INTR"))
f20e0a
+		/* REGS_INTR can leak data, lockdown must prevent this */
f20e0a
+		return -EPERM;
f20e0a
+
f20e0a
 	/* Only privileged users can get physical addresses */
f20e0a
 	if ((attr.sample_type & PERF_SAMPLE_PHYS_ADDR) &&
f20e0a
 	    perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN))
f20e0a
-- 
Jeremy Cline 4b5e42
2.21.0
59566d
4cbd7a
4cbd7a
From 98fa6aca64b1723db15cb1791b734aebb105433e Mon Sep 17 00:00:00 2001
59566d
From: David Howells <dhowells@redhat.com>
Jeremy Cline 4b5e42
Date: Mon, 18 Feb 2019 12:45:02 +0000
4cbd7a
Subject: [PATCH 25/29] debugfs: Restrict debugfs when the kernel is locked
f20e0a
 down
f20e0a
f20e0a
Disallow opening of debugfs files that might be used to muck around when
f20e0a
the kernel is locked down as various drivers give raw access to hardware
f20e0a
through debugfs.  Given the effort of auditing all 2000 or so files and
f20e0a
manually fixing each one as necessary, I've chosen to apply a heuristic
f20e0a
instead.  The following changes are made:
f20e0a
f20e0a
 (1) chmod and chown are disallowed on debugfs objects (though the root dir
f20e0a
     can be modified by mount and remount, but I'm not worried about that).
59566d
f20e0a
 (2) When the kernel is locked down, only files with the following criteria
f20e0a
     are permitted to be opened:
59566d
f20e0a
	- The file must have mode 00444
f20e0a
	- The file must not have ioctl methods
f20e0a
	- The file must not have mmap
59566d
f20e0a
 (3) When the kernel is locked down, files may only be opened for reading.
f20e0a
f20e0a
Normal device interaction should be done through configfs, sysfs or a
f20e0a
miscdev, not debugfs.
59566d
59566d
Note that this makes it unnecessary to specifically lock down show_dsts(),
59566d
show_devs() and show_call() in the asus-wmi driver.
59566d
f20e0a
I would actually prefer to lock down all files by default and have the
f20e0a
the files unlocked by the creator.  This is tricky to manage correctly,
f20e0a
though, as there are 19 creation functions and ~1600 call sites (some of
f20e0a
them in loops scanning tables).
f20e0a
59566d
Signed-off-by: David Howells <dhowells@redhat.com>
59566d
cc: Andy Shevchenko <andy.shevchenko@gmail.com>
59566d
cc: acpi4asus-user@lists.sourceforge.net
59566d
cc: platform-driver-x86@vger.kernel.org
f20e0a
cc: Matthew Garrett <mjg59@srcf.ucam.org>
59566d
cc: Thomas Gleixner <tglx@linutronix.de>
Jeremy Cline 4b5e42
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jeremy Cline 4b5e42
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
59566d
---
f20e0a
 fs/debugfs/file.c  | 28 ++++++++++++++++++++++++++++
f20e0a
 fs/debugfs/inode.c | 30 ++++++++++++++++++++++++++++--
f20e0a
 2 files changed, 56 insertions(+), 2 deletions(-)
59566d
59566d
diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
4cbd7a
index 93e4ca6b2ad7..8eeff9068228 100644
59566d
--- a/fs/debugfs/file.c
59566d
+++ b/fs/debugfs/file.c
f20e0a
@@ -136,6 +136,25 @@ void debugfs_file_put(struct dentry *dentry)
f20e0a
 }
f20e0a
 EXPORT_SYMBOL_GPL(debugfs_file_put);
Jeremy Cline 6c72c6
 
f20e0a
+/*
f20e0a
+ * Only permit access to world-readable files when the kernel is locked down.
f20e0a
+ * We also need to exclude any file that has ways to write or alter it as root
f20e0a
+ * can bypass the permissions check.
f20e0a
+ */
f20e0a
+static bool debugfs_is_locked_down(struct inode *inode,
f20e0a
+				   struct file *filp,
f20e0a
+				   const struct file_operations *real_fops)
f20e0a
+{
f20e0a
+	if ((inode->i_mode & 07777) == 0444 &&
f20e0a
+	    !(filp->f_mode & FMODE_WRITE) &&
f20e0a
+	    !real_fops->unlocked_ioctl &&
f20e0a
+	    !real_fops->compat_ioctl &&
f20e0a
+	    !real_fops->mmap)
f20e0a
+		return false;
59566d
+
f20e0a
+	return kernel_is_locked_down("debugfs");
f20e0a
+}
8221dd
+
f20e0a
 static int open_proxy_open(struct inode *inode, struct file *filp)
f20e0a
 {
f20e0a
 	struct dentry *dentry = F_DENTRY(filp);
f20e0a
@@ -147,6 +166,11 @@ static int open_proxy_open(struct inode *inode, struct file *filp)
8221dd
 		return r == -EIO ? -ENOENT : r;
Jeremy Cline 6c72c6
 
f20e0a
 	real_fops = debugfs_real_fops(filp);
f20e0a
+
f20e0a
+	r = -EPERM;
f20e0a
+	if (debugfs_is_locked_down(inode, filp, real_fops))
f20e0a
+		goto out;
59566d
+
f20e0a
 	real_fops = fops_get(real_fops);
f20e0a
 	if (!real_fops) {
f20e0a
 		/* Huh? Module did not clean up after itself at exit? */
f20e0a
@@ -272,6 +296,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp)
8221dd
 		return r == -EIO ? -ENOENT : r;
Jeremy Cline 6c72c6
 
f20e0a
 	real_fops = debugfs_real_fops(filp);
f20e0a
+	r = -EPERM;
f20e0a
+	if (debugfs_is_locked_down(inode, filp, real_fops))
f20e0a
+		goto out;
f20e0a
+
f20e0a
 	real_fops = fops_get(real_fops);
f20e0a
 	if (!real_fops) {
f20e0a
 		/* Huh? Module did not cleanup after itself at exit? */
f20e0a
diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
4cbd7a
index 042b688ed124..cc0486ca1a11 100644
f20e0a
--- a/fs/debugfs/inode.c
f20e0a
+++ b/fs/debugfs/inode.c
4cbd7a
@@ -35,6 +35,31 @@ static struct vfsmount *debugfs_mount;
f20e0a
 static int debugfs_mount_count;
f20e0a
 static bool debugfs_registered;
Jeremy Cline 6c72c6
 
f20e0a
+/*
f20e0a
+ * Don't allow access attributes to be changed whilst the kernel is locked down
f20e0a
+ * so that we can use the file mode as part of a heuristic to determine whether
f20e0a
+ * to lock down individual files.
f20e0a
+ */
f20e0a
+static int debugfs_setattr(struct dentry *dentry, struct iattr *ia)
f20e0a
+{
f20e0a
+	if ((ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) &&
f20e0a
+	    kernel_is_locked_down("debugfs"))
59566d
+		return -EPERM;
f20e0a
+	return simple_setattr(dentry, ia);
f20e0a
+}
f20e0a
+
f20e0a
+static const struct inode_operations debugfs_file_inode_operations = {
f20e0a
+	.setattr	= debugfs_setattr,
f20e0a
+};
f20e0a
+static const struct inode_operations debugfs_dir_inode_operations = {
f20e0a
+	.lookup		= simple_lookup,
f20e0a
+	.setattr	= debugfs_setattr,
f20e0a
+};
f20e0a
+static const struct inode_operations debugfs_symlink_inode_operations = {
f20e0a
+	.get_link	= simple_get_link,
f20e0a
+	.setattr	= debugfs_setattr,
f20e0a
+};
f20e0a
+
f20e0a
 static struct inode *debugfs_get_inode(struct super_block *sb)
f20e0a
 {
f20e0a
 	struct inode *inode = new_inode(sb);
4cbd7a
@@ -369,6 +394,7 @@ static struct dentry *__debugfs_create_file(const char *name, umode_t mode,
f20e0a
 	inode->i_mode = mode;
f20e0a
 	inode->i_private = data;
Jeremy Cline 6c72c6
 
f20e0a
+	inode->i_op = &debugfs_file_inode_operations;
f20e0a
 	inode->i_fop = proxy_fops;
f20e0a
 	dentry->d_fsdata = (void *)((unsigned long)real_fops |
f20e0a
 				DEBUGFS_FSDATA_IS_REAL_FOPS_BIT);
4cbd7a
@@ -532,7 +558,7 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent)
4cbd7a
 	}
5f1fb0
 
5f1fb0
 	inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
f20e0a
-	inode->i_op = &simple_dir_inode_operations;
f20e0a
+	inode->i_op = &debugfs_dir_inode_operations;
f20e0a
 	inode->i_fop = &simple_dir_operations;
Jeremy Cline 6c72c6
 
f20e0a
 	/* directory inodes start off with i_nlink == 2 (for "." entry) */
4cbd7a
@@ -632,7 +658,7 @@ struct dentry *debugfs_create_symlink(const char *name, struct dentry *parent,
f20e0a
 		return failed_creating(dentry);
f20e0a
 	}
f20e0a
 	inode->i_mode = S_IFLNK | S_IRWXUGO;
f20e0a
-	inode->i_op = &simple_symlink_inode_operations;
f20e0a
+	inode->i_op = &debugfs_symlink_inode_operations;
f20e0a
 	inode->i_link = link;
f20e0a
 	d_instantiate(dentry, inode);
f20e0a
 	return end_creating(dentry);
135abd
-- 
Jeremy Cline 4b5e42
2.21.0
Jeremy Cline 6c72c6
4cbd7a
4cbd7a
From 39ffa9315f46123f0f1f66fb6fd0597211b43b1d Mon Sep 17 00:00:00 2001
Jeremy Cline 4b5e42
From: David Howells <dhowells@redhat.com>
Jeremy Cline 4b5e42
Date: Wed, 28 Feb 2018 14:43:03 +0000
4cbd7a
Subject: [PATCH 26/29] lockdown: Print current->comm in restriction messages
dc45af
Jeremy Cline 4b5e42
Print the content of current->comm in messages generated by lockdown to
Jeremy Cline 4b5e42
indicate a restriction that was hit.  This makes it a bit easier to find
Jeremy Cline 4b5e42
out what caused the message.
dc45af
Jeremy Cline 4b5e42
The message now patterned something like:
dc45af
Jeremy Cline 4b5e42
	Lockdown: <comm>: <what> is restricted; see man kernel_lockdown.7
dc45af
Jeremy Cline 4b5e42
Signed-off-by: David Howells <dhowells@redhat.com>
Jeremy Cline 4b5e42
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
dc45af
---
Jeremy Cline 4b5e42
 security/lock_down.c | 4 ++--
Jeremy Cline 4b5e42
 1 file changed, 2 insertions(+), 2 deletions(-)
dc45af
Jeremy Cline 4b5e42
diff --git a/security/lock_down.c b/security/lock_down.c
Jeremy Cline 4b5e42
index 18d8776a4d02..ee00ca2677e7 100644
Jeremy Cline 4b5e42
--- a/security/lock_down.c
Jeremy Cline 4b5e42
+++ b/security/lock_down.c
Jeremy Cline 4b5e42
@@ -53,8 +53,8 @@ void __init init_lockdown(void)
Jeremy Cline 4b5e42
 bool __kernel_is_locked_down(const char *what, bool first)
Jeremy Cline 4b5e42
 {
Jeremy Cline 4b5e42
 	if (what && first && kernel_locked_down)
Jeremy Cline 4b5e42
-		pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n",
Jeremy Cline 4b5e42
-			  what);
Jeremy Cline 4b5e42
+		pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
Jeremy Cline 4b5e42
+			  current->comm, what);
Jeremy Cline 4b5e42
 	return kernel_locked_down;
Jeremy Cline 4b5e42
 }
Jeremy Cline 4b5e42
 EXPORT_SYMBOL(__kernel_is_locked_down);
Jeremy Cline 4b5e42
-- 
Jeremy Cline 4b5e42
2.21.0
Jeremy Cline 4b5e42
4cbd7a
4cbd7a
From 0086dbfaa88118636bc5d77f25bd578034a84075 Mon Sep 17 00:00:00 2001
Jeremy Cline 4b5e42
From: Matthew Garrett <matthewgarrett@google.com>
Jeremy Cline 4b5e42
Date: Tue, 12 Mar 2019 12:50:30 -0700
4cbd7a
Subject: [PATCH 27/29] kexec: Allow kexec_file() with appropriate IMA policy
Jeremy Cline 4b5e42
 when locked down
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
Systems in lockdown mode should block the kexec of untrusted kernels.
Jeremy Cline 4b5e42
For x86 and ARM we can ensure that a kernel is trustworthy by validating
Jeremy Cline 4b5e42
a PE signature, but this isn't possible on other architectures. On those
Jeremy Cline 4b5e42
platforms we can use IMA digital signatures instead. Add a function to
Jeremy Cline 4b5e42
determine whether IMA has or will verify signatures for a given event type,
Jeremy Cline 4b5e42
and if so permit kexec_file() even if the kernel is otherwise locked down.
Jeremy Cline 4b5e42
This is restricted to cases where CONFIG_INTEGRITY_TRUSTED_KEYRING is set
Jeremy Cline 4b5e42
in order to prevent an attacker from loading additional keys at runtime.
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
Signed-off-by: Matthew Garrett <mjg59@google.com>
Jeremy Cline 26a346
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Jeremy Cline 4b5e42
Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Jeremy Cline 4b5e42
Cc: linux-integrity@vger.kernel.org
Jeremy Cline 4b5e42
---
Jeremy Cline 4b5e42
 include/linux/ima.h                 |  9 ++++++
Jeremy Cline 4b5e42
 kernel/kexec_file.c                 |  7 +++-
Jeremy Cline 4b5e42
 security/integrity/ima/ima.h        |  2 ++
Jeremy Cline 4b5e42
 security/integrity/ima/ima_main.c   |  2 +-
Jeremy Cline 4b5e42
 security/integrity/ima/ima_policy.c | 50 +++++++++++++++++++++++++++++
Jeremy Cline 4b5e42
 5 files changed, 68 insertions(+), 2 deletions(-)
Jeremy Cline 4b5e42
Jeremy Cline 4b5e42
diff --git a/include/linux/ima.h b/include/linux/ima.h
4cbd7a
index a20ad398d260..1c37f17f7203 100644
Jeremy Cline 4b5e42
--- a/include/linux/ima.h
Jeremy Cline 4b5e42
+++ b/include/linux/ima.h
4cbd7a
@@ -131,4 +131,13 @@ static inline int ima_inode_removexattr(struct dentry *dentry,
Jeremy Cline 4b5e42
 	return 0;
Jeremy Cline 4b5e42
 }
Jeremy Cline 4b5e42
 #endif /* CONFIG_IMA_APPRAISE */
Jeremy Cline 4b5e42
+
Jeremy Cline 4b5e42
+#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
Jeremy Cline 4b5e42
+extern bool ima_appraise_signature(enum kernel_read_file_id func);
Jeremy Cline 4b5e42
+#else
Jeremy Cline 26a346
+static inline bool ima_appraise_signature(enum kernel_read_file_id func)
Jeremy Cline 4b5e42
+{
Jeremy Cline 4b5e42
+	return false;
Jeremy Cline 4b5e42
+}
Jeremy Cline 4b5e42
+#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */
Jeremy Cline 4b5e42
 #endif /* _LINUX_IMA_H */
Jeremy Cline 4b5e42
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
4cbd7a
index 0668c29d2eaf..78728a0f16a7 100644
Jeremy Cline 4b5e42
--- a/kernel/kexec_file.c
Jeremy Cline 4b5e42
+++ b/kernel/kexec_file.c
4cbd7a
@@ -235,7 +235,12 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
Jeremy Cline 4b5e42
 
Jeremy Cline 4b5e42
 		ret = 0;
Jeremy Cline 4b5e42
 
Jeremy Cline 4b5e42
-		if (kernel_is_locked_down(reason)) {
Jeremy Cline 4b5e42
+		/* If IMA is guaranteed to appraise a signature on the kexec
Jeremy Cline 4b5e42
+		 * image, permit it even if the kernel is otherwise locked
Jeremy Cline 4b5e42
+		 * down.
Jeremy Cline 4b5e42
+		 */
Jeremy Cline 4b5e42
+		if (!ima_appraise_signature(READING_KEXEC_IMAGE) &&
Jeremy Cline 4b5e42
+		    kernel_is_locked_down(reason)) {
Jeremy Cline 4b5e42
 			ret = -EPERM;
Jeremy Cline 4b5e42
 			goto out;
Jeremy Cline 4b5e42
 		}
Jeremy Cline 4b5e42
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
4cbd7a
index 011b91c79351..64dcb11cf444 100644
Jeremy Cline 4b5e42
--- a/security/integrity/ima/ima.h
Jeremy Cline 4b5e42
+++ b/security/integrity/ima/ima.h
4cbd7a
@@ -113,6 +113,8 @@ struct ima_kexec_hdr {
Jeremy Cline 4b5e42
 	u64 count;
Jeremy Cline 4b5e42
 };
dc45af
 
Jeremy Cline 4b5e42
+extern const int read_idmap[];
Jeremy Cline 4b5e42
+
Jeremy Cline 4b5e42
 #ifdef CONFIG_HAVE_IMA_KEXEC
Jeremy Cline 4b5e42
 void ima_load_kexec_buffer(void);
Jeremy Cline 4b5e42
 #else
Jeremy Cline 4b5e42
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
4cbd7a
index 584019728660..b9f57503af2c 100644
Jeremy Cline 4b5e42
--- a/security/integrity/ima/ima_main.c
Jeremy Cline 4b5e42
+++ b/security/integrity/ima/ima_main.c
4cbd7a
@@ -502,7 +502,7 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
Jeremy Cline 4b5e42
 	return 0;
Jeremy Cline 4b5e42
 }
dc45af
 
Jeremy Cline 4b5e42
-static const int read_idmap[READING_MAX_ID] = {
Jeremy Cline 4b5e42
+const int read_idmap[READING_MAX_ID] = {
Jeremy Cline 4b5e42
 	[READING_FIRMWARE] = FIRMWARE_CHECK,
Jeremy Cline 4b5e42
 	[READING_FIRMWARE_PREALLOC_BUFFER] = FIRMWARE_CHECK,
Jeremy Cline 4b5e42
 	[READING_MODULE] = MODULE_CHECK,
Jeremy Cline 4b5e42
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
4cbd7a
index 6df7f641ff66..827f1e33fe86 100644
Jeremy Cline 4b5e42
--- a/security/integrity/ima/ima_policy.c
Jeremy Cline 4b5e42
+++ b/security/integrity/ima/ima_policy.c
4cbd7a
@@ -1456,3 +1456,53 @@ int ima_policy_show(struct seq_file *m, void *v)
Jeremy Cline 4b5e42
 	return 0;
Jeremy Cline 4b5e42
 }
Jeremy Cline 4b5e42
 #endif	/* CONFIG_IMA_READ_POLICY */
Jeremy Cline 4b5e42
+
Jeremy Cline 4b5e42
+#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
Jeremy Cline 4b5e42
+/*
Jeremy Cline 4b5e42
+ * ima_appraise_signature: whether IMA will appraise a given function using
Jeremy Cline 4b5e42
+ * an IMA digital signature. This is restricted to cases where the kernel
Jeremy Cline 4b5e42
+ * has a set of built-in trusted keys in order to avoid an attacker simply
Jeremy Cline 4b5e42
+ * loading additional keys.
Jeremy Cline 4b5e42
+ */
Jeremy Cline 4b5e42
+bool ima_appraise_signature(enum kernel_read_file_id id)
Jeremy Cline 4b5e42
+{
Jeremy Cline 4b5e42
+	struct ima_rule_entry *entry;
Jeremy Cline 4b5e42
+	bool found = false;
Jeremy Cline 4b5e42
+	enum ima_hooks func;
Jeremy Cline 4b5e42
+
Jeremy Cline 4b5e42
+	if (id >= READING_MAX_ID)
Jeremy Cline 4b5e42
+		return false;
Jeremy Cline 4b5e42
+
Jeremy Cline 4b5e42
+	func = read_idmap[id] ?: FILE_CHECK;
Jeremy Cline 4b5e42
+
Jeremy Cline 4b5e42
+	rcu_read_lock();
Jeremy Cline 4b5e42
+	list_for_each_entry_rcu(entry, ima_rules, list) {
Jeremy Cline 4b5e42
+		if (entry->action != APPRAISE)
Jeremy Cline 4b5e42
+			continue;
Jeremy Cline 4b5e42
+
Jeremy Cline 4b5e42
+		/*
Jeremy Cline 4b5e42
+		 * A generic entry will match, but otherwise require that it
Jeremy Cline 4b5e42
+		 * match the func we're looking for
Jeremy Cline 4b5e42
+		 */
Jeremy Cline 4b5e42
+		if (entry->func && entry->func != func)
Jeremy Cline 4b5e42
+			continue;
Jeremy Cline 4b5e42
+
Jeremy Cline 4b5e42
+		/*
Jeremy Cline 4b5e42
+		 * We require this to be a digital signature, not a raw IMA
Jeremy Cline 4b5e42
+		 * hash.
Jeremy Cline 4b5e42
+		 */
Jeremy Cline 4b5e42
+		if (entry->flags & IMA_DIGSIG_REQUIRED)
Jeremy Cline 4b5e42
+			found = true;
Jeremy Cline 4b5e42
+
Jeremy Cline 4b5e42
+		/*
Jeremy Cline 4b5e42
+		 * We've found a rule that matches, so break now even if it
Jeremy Cline 4b5e42
+		 * didn't require a digital signature - a later rule that does
Jeremy Cline 4b5e42
+		 * won't override it, so would be a false positive.
Jeremy Cline 4b5e42
+		 */
Jeremy Cline 4b5e42
+		break;
dc45af
+	}
Jeremy Cline 4b5e42
+
Jeremy Cline 4b5e42
+	rcu_read_unlock();
Jeremy Cline 4b5e42
+	return found;
Jeremy Cline 4b5e42
+}
Jeremy Cline 4b5e42
+#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */
Jeremy Cline 6c72c6
-- 
Jeremy Cline 4b5e42
2.21.0
Jeremy Cline 6c72c6
4cbd7a
4cbd7a
From 4a84d19a10c31a363aa7d1f325bd212012263a98 Mon Sep 17 00:00:00 2001
ead55f
From: Kyle McMartin <kyle@redhat.com>
ead55f
Date: Mon, 9 Apr 2018 09:52:45 +0100
4cbd7a
Subject: [PATCH 28/29] Add a SysRq option to lift kernel lockdown
ead55f
ead55f
Make an option to provide a sysrq key that will lift the kernel lockdown,
ead55f
thereby allowing the running kernel image to be accessed and modified.
ead55f
ead55f
On x86 this is triggered with SysRq+x, but this key may not be available on
ead55f
all arches, so it is set by setting LOCKDOWN_LIFT_KEY in asm/setup.h.
ead55f
Since this macro must be defined in an arch to be able to use this facility
ead55f
for that arch, the Kconfig option is restricted to arches that support it.
ead55f
ead55f
Signed-off-by: Kyle McMartin <kyle@redhat.com>
ead55f
Signed-off-by: David Howells <dhowells@redhat.com>
ead55f
cc: x86@kernel.org
ead55f
---
ead55f
 arch/x86/include/asm/setup.h |  2 ++
ead55f
 drivers/input/misc/uinput.c  |  1 +
ead55f
 drivers/tty/sysrq.c          | 19 ++++++++++-----
ead55f
 include/linux/input.h        |  5 ++++
ead55f
 include/linux/sysrq.h        |  8 +++++-
ead55f
 kernel/debug/kdb/kdb_main.c  |  2 +-
4cbd7a
 security/Kconfig             | 10 ++++++++
ead55f
 security/lock_down.c         | 47 ++++++++++++++++++++++++++++++++++++
4cbd7a
 8 files changed, 86 insertions(+), 8 deletions(-)
ead55f
ead55f
diff --git a/arch/x86/include/asm/setup.h b/arch/x86/include/asm/setup.h
ead55f
index ed8ec011a9fd..8daf633a5347 100644
ead55f
--- a/arch/x86/include/asm/setup.h
ead55f
+++ b/arch/x86/include/asm/setup.h
ead55f
@@ -9,6 +9,8 @@
ead55f
 #include <linux/linkage.h>
ead55f
 #include <asm/page_types.h>
ead55f
 
ead55f
+#define LOCKDOWN_LIFT_KEY 'x'
ead55f
+
ead55f
 #ifdef __i386__
ead55f
 
ead55f
 #include <linux/pfn.h>
ead55f
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
4cbd7a
index 84051f20b18a..583ab2bc1916 100644
ead55f
--- a/drivers/input/misc/uinput.c
ead55f
+++ b/drivers/input/misc/uinput.c
4cbd7a
@@ -353,6 +353,7 @@ static int uinput_create_device(struct uinput_device *udev)
ead55f
 		dev->flush = uinput_dev_flush;
ead55f
 	}
ead55f
 
ead55f
+	dev->flags |= INPUTDEV_FLAGS_SYNTHETIC;
ead55f
 	dev->event = uinput_dev_event;
ead55f
 
ead55f
 	input_set_drvdata(udev->dev, udev);
ead55f
diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
4cbd7a
index 573b2055173c..7cc95a8bdf8d 100644
ead55f
--- a/drivers/tty/sysrq.c
ead55f
+++ b/drivers/tty/sysrq.c
ead55f
@@ -480,6 +480,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
ead55f
 	/* x: May be registered on mips for TLB dump */
ead55f
 	/* x: May be registered on ppc/powerpc for xmon */
ead55f
 	/* x: May be registered on sparc64 for global PMU dump */
ead55f
+	/* x: May be registered on x86_64 for disabling secure boot */
ead55f
 	NULL,				/* x */
ead55f
 	/* y: May be registered on sparc64 for global register dump */
ead55f
 	NULL,				/* y */
ead55f
@@ -523,7 +524,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
ead55f
                 sysrq_key_table[i] = op_p;
ead55f
 }
ead55f
 
ead55f
-void __handle_sysrq(int key, bool check_mask)
ead55f
+void __handle_sysrq(int key, unsigned int from)
ead55f
 {
ead55f
 	struct sysrq_key_op *op_p;
ead55f
 	int orig_log_level;
4cbd7a
@@ -546,11 +547,15 @@ void __handle_sysrq(int key, bool check_mask)
ead55f
 
ead55f
         op_p = __sysrq_get_key_op(key);
ead55f
         if (op_p) {
ead55f
+		/* Ban synthetic events from some sysrq functionality */
ead55f
+		if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) &&
ead55f
+		    op_p->enable_mask & SYSRQ_DISABLE_USERSPACE)
ead55f
+			printk("This sysrq operation is disabled from userspace.\n");
ead55f
 		/*
ead55f
 		 * Should we check for enabled operations (/proc/sysrq-trigger
ead55f
 		 * should not) and is the invoked operation enabled?
ead55f
 		 */
ead55f
-		if (!check_mask || sysrq_on_mask(op_p->enable_mask)) {
ead55f
+		if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {
ead55f
 			pr_info("%s\n", op_p->action_msg);
ead55f
 			console_loglevel = orig_log_level;
ead55f
 			op_p->handler(key);
4cbd7a
@@ -585,7 +590,7 @@ void __handle_sysrq(int key, bool check_mask)
ead55f
 void handle_sysrq(int key)
ead55f
 {
ead55f
 	if (sysrq_on())
ead55f
-		__handle_sysrq(key, true);
ead55f
+		__handle_sysrq(key, SYSRQ_FROM_KERNEL);
ead55f
 }
ead55f
 EXPORT_SYMBOL(handle_sysrq);
ead55f
 
4cbd7a
@@ -665,7 +670,7 @@ static void sysrq_do_reset(struct timer_list *t)
ead55f
 static void sysrq_handle_reset_request(struct sysrq_state *state)
ead55f
 {
ead55f
 	if (state->reset_requested)
ead55f
-		__handle_sysrq(sysrq_xlate[KEY_B], false);
ead55f
+		__handle_sysrq(sysrq_xlate[KEY_B], SYSRQ_FROM_KERNEL);
ead55f
 
ead55f
 	if (sysrq_reset_downtime_ms)
ead55f
 		mod_timer(&state->keyreset_timer,
4cbd7a
@@ -818,8 +823,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
ead55f
 
ead55f
 	default:
ead55f
 		if (sysrq->active && value && value != 2) {
ead55f
+			int from = sysrq->handle.dev->flags & INPUTDEV_FLAGS_SYNTHETIC ?
ead55f
+					SYSRQ_FROM_SYNTHETIC : 0;
ead55f
 			sysrq->need_reinject = false;
ead55f
-			__handle_sysrq(sysrq_xlate[code], true);
ead55f
+			__handle_sysrq(sysrq_xlate[code], from);
ead55f
 		}
ead55f
 		break;
ead55f
 	}
4cbd7a
@@ -1102,7 +1109,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
ead55f
 
ead55f
 		if (get_user(c, buf))
ead55f
 			return -EFAULT;
ead55f
-		__handle_sysrq(c, false);
ead55f
+		__handle_sysrq(c, SYSRQ_FROM_PROC);
ead55f
 	}
ead55f
 
ead55f
 	return count;
ead55f
diff --git a/include/linux/input.h b/include/linux/input.h
4cbd7a
index 510e78558c10..7e7065b2f58a 100644
ead55f
--- a/include/linux/input.h
ead55f
+++ b/include/linux/input.h
4cbd7a
@@ -39,6 +39,7 @@ struct input_value {
ead55f
  * @phys: physical path to the device in the system hierarchy
ead55f
  * @uniq: unique identification code for the device (if device has it)
ead55f
  * @id: id of the device (struct input_id)
ead55f
+ * @flags: input device flags (SYNTHETIC, etc.)
ead55f
  * @propbit: bitmap of device properties and quirks
ead55f
  * @evbit: bitmap of types of events supported by the device (EV_KEY,
ead55f
  *	EV_REL, etc.)
4cbd7a
@@ -121,6 +122,8 @@ struct input_dev {
ead55f
 	const char *uniq;
ead55f
 	struct input_id id;
ead55f
 
ead55f
+	unsigned int flags;
ead55f
+
ead55f
 	unsigned long propbit[BITS_TO_LONGS(INPUT_PROP_CNT)];
ead55f
 
ead55f
 	unsigned long evbit[BITS_TO_LONGS(EV_CNT)];
4cbd7a
@@ -187,6 +190,8 @@ struct input_dev {
ead55f
 };
ead55f
 #define to_input_dev(d) container_of(d, struct input_dev, dev)
ead55f
 
ead55f
+#define	INPUTDEV_FLAGS_SYNTHETIC	0x000000001
ead55f
+
ead55f
 /*
ead55f
  * Verify that we are in sync with input_device_id mod_devicetable.h #defines
ead55f
  */
ead55f
diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h
ead55f
index 8c71874e8485..7de1f08b60a9 100644
ead55f
--- a/include/linux/sysrq.h
ead55f
+++ b/include/linux/sysrq.h
ead55f
@@ -29,6 +29,8 @@
ead55f
 #define SYSRQ_ENABLE_BOOT	0x0080
ead55f
 #define SYSRQ_ENABLE_RTNICE	0x0100
ead55f
 
ead55f
+#define SYSRQ_DISABLE_USERSPACE	0x00010000
ead55f
+
ead55f
 struct sysrq_key_op {
ead55f
 	void (*handler)(int);
ead55f
 	char *help_msg;
ead55f
@@ -43,8 +45,12 @@ struct sysrq_key_op {
ead55f
  * are available -- else NULL's).
ead55f
  */
ead55f
 
ead55f
+#define SYSRQ_FROM_KERNEL	0x0001
ead55f
+#define SYSRQ_FROM_PROC		0x0002
ead55f
+#define SYSRQ_FROM_SYNTHETIC	0x0004
ead55f
+
ead55f
 void handle_sysrq(int key);
ead55f
-void __handle_sysrq(int key, bool check_mask);
ead55f
+void __handle_sysrq(int key, unsigned int from);
ead55f
 int register_sysrq_key(int key, struct sysrq_key_op *op);
ead55f
 int unregister_sysrq_key(int key, struct sysrq_key_op *op);
ead55f
 struct sysrq_key_op *__sysrq_get_key_op(int key);
ead55f
diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
4cbd7a
index 9ecfa37c7fbf..902b7785d7dc 100644
ead55f
--- a/kernel/debug/kdb/kdb_main.c
ead55f
+++ b/kernel/debug/kdb/kdb_main.c
ead55f
@@ -1981,7 +1981,7 @@ static int kdb_sr(int argc, const char **argv)
ead55f
 		return KDB_ARGCOUNT;
ead55f
 
ead55f
 	kdb_trap_printk++;
ead55f
-	__handle_sysrq(*argv[1], check_mask);
ead55f
+	__handle_sysrq(*argv[1], check_mask ? SYSRQ_FROM_KERNEL : 0);
ead55f
 	kdb_trap_printk--;
ead55f
 
ead55f
 	return 0;
ead55f
diff --git a/security/Kconfig b/security/Kconfig
4cbd7a
index 720cf9dee2b4..fe08b674bfce 100644
ead55f
--- a/security/Kconfig
ead55f
+++ b/security/Kconfig
ead55f
@@ -245,6 +245,16 @@ config LOCK_DOWN_KERNEL_FORCE
ead55f
         help
ead55f
           Enable the kernel lock down functionality automatically at boot.
4cbd7a
 
ead55f
+config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
ead55f
+        bool "Allow the kernel lockdown to be lifted by SysRq"
ead55f
+        depends on LOCK_DOWN_KERNEL
ead55f
+        depends on !LOCK_DOWN_KERNEL_FORCE
ead55f
+        depends on MAGIC_SYSRQ
ead55f
+        depends on X86
ead55f
+        help
ead55f
+          Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
ead55f
+          combination on a wired keyboard.  On x86, this is SysRq+x.
ead55f
+
ead55f
 source "security/selinux/Kconfig"
ead55f
 source "security/smack/Kconfig"
ead55f
 source "security/tomoyo/Kconfig"
ead55f
diff --git a/security/lock_down.c b/security/lock_down.c
4cbd7a
index ee00ca2677e7..d68dff872ced 100644
ead55f
--- a/security/lock_down.c
ead55f
+++ b/security/lock_down.c
4cbd7a
@@ -12,8 +12,14 @@
ead55f
 
ead55f
 #include <linux/security.h>
ead55f
 #include <linux/export.h>
ead55f
+#include <linux/sysrq.h>
ead55f
+#include <asm/setup.h>
4cbd7a
 
ead55f
+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
ead55f
+static __read_mostly bool kernel_locked_down;
ead55f
+#else
ead55f
 static __ro_after_init bool kernel_locked_down;
ead55f
+#endif
4cbd7a
 
ead55f
 /*
ead55f
  * Put the kernel into lock-down mode.
4cbd7a
@@ -58,3 +64,44 @@ bool __kernel_is_locked_down(const char *what, bool first)
ead55f
 	return kernel_locked_down;
ead55f
 }
ead55f
 EXPORT_SYMBOL(__kernel_is_locked_down);
ead55f
+
ead55f
+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
ead55f
+
ead55f
+/*
ead55f
+ * Take the kernel out of lockdown mode.
ead55f
+ */
ead55f
+static void lift_kernel_lockdown(void)
ead55f
+{
ead55f
+	pr_notice("Lifting lockdown\n");
ead55f
+	kernel_locked_down = false;
ead55f
+}
ead55f
+
ead55f
+/*
ead55f
+ * Allow lockdown to be lifted by pressing something like SysRq+x (and not by
ead55f
+ * echoing the appropriate letter into the sysrq-trigger file).
ead55f
+ */
ead55f
+static void sysrq_handle_lockdown_lift(int key)
ead55f
+{
ead55f
+	if (kernel_locked_down)
ead55f
+		lift_kernel_lockdown();
ead55f
+}
ead55f
+
ead55f
+static struct sysrq_key_op lockdown_lift_sysrq_op = {
ead55f
+	.handler	= sysrq_handle_lockdown_lift,
ead55f
+	.help_msg	= "unSB(x)",
ead55f
+	.action_msg	= "Disabling Secure Boot restrictions",
ead55f
+	.enable_mask	= SYSRQ_DISABLE_USERSPACE,
ead55f
+};
ead55f
+
ead55f
+static int __init lockdown_lift_sysrq(void)
ead55f
+{
ead55f
+	if (kernel_locked_down) {
ead55f
+		lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY;
ead55f
+		register_sysrq_key(LOCKDOWN_LIFT_KEY, &lockdown_lift_sysrq_op);
ead55f
+	}
ead55f
+	return 0;
ead55f
+}
ead55f
+
ead55f
+late_initcall(lockdown_lift_sysrq);
ead55f
+
ead55f
+#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */
ead55f
-- 
4cbd7a
2.21.0
Jeremy Cline 228a4e
4cbd7a
4cbd7a
From c3e9fb754f7603ae10a750f685f0174c5ae51ffa Mon Sep 17 00:00:00 2001
Jeremy Cline 228a4e
From: Vasily Gorbik <gor@linux.ibm.com>
4cbd7a
Date: Wed, 21 Nov 2018 13:05:10 +0100
4cbd7a
Subject: [PATCH 29/29] debugfs: avoid EPERM when no open file operation
4cbd7a
 defined
Jeremy Cline 228a4e
Jeremy Cline 228a4e
With "debugfs: Restrict debugfs when the kernel is locked down"
Jeremy Cline 228a4e
return code "r" is unconditionally set to -EPERM, which stays like that
Jeremy Cline 228a4e
until function return if no "open" file operation defined, effectivelly
Jeremy Cline 228a4e
resulting in "Operation not permitted" for all such files despite kernel
Jeremy Cline 228a4e
lock down status or CONFIG_LOCK_DOWN_KERNEL being enabled.
Jeremy Cline 228a4e
Jeremy Cline 228a4e
In particular this breaks 2 debugfs files on s390:
Jeremy Cline 228a4e
/sys/kernel/debug/s390_hypfs/diag_304
Jeremy Cline 228a4e
/sys/kernel/debug/s390_hypfs/diag_204
Jeremy Cline 228a4e
Jeremy Cline 228a4e
To address that set EPERM return code only when debugfs_is_locked_down
Jeremy Cline 228a4e
returns true.
Jeremy Cline 228a4e
Jeremy Cline 228a4e
Fixes: 3fc322605158 ("debugfs: Restrict debugfs when the kernel is locked down")
Jeremy Cline 228a4e
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Jeremy Cline 228a4e
---
Jeremy Cline 228a4e
 fs/debugfs/file.c | 10 ++++++----
Jeremy Cline 228a4e
 1 file changed, 6 insertions(+), 4 deletions(-)
Jeremy Cline 228a4e
Jeremy Cline 228a4e
diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
4cbd7a
index 8eeff9068228..9c56e1aa1f29 100644
Jeremy Cline 228a4e
--- a/fs/debugfs/file.c
Jeremy Cline 228a4e
+++ b/fs/debugfs/file.c
Jeremy Cline 228a4e
@@ -167,9 +167,10 @@ static int open_proxy_open(struct inode *inode, struct file *filp)
Jeremy Cline 228a4e
 
Jeremy Cline 228a4e
 	real_fops = debugfs_real_fops(filp);
Jeremy Cline 228a4e
 
Jeremy Cline 228a4e
-	r = -EPERM;
Jeremy Cline 228a4e
-	if (debugfs_is_locked_down(inode, filp, real_fops))
Jeremy Cline 228a4e
+	if (debugfs_is_locked_down(inode, filp, real_fops)) {
Jeremy Cline 228a4e
+		r = -EPERM;
Jeremy Cline 228a4e
 		goto out;
Jeremy Cline 228a4e
+	}
Jeremy Cline 228a4e
 
Jeremy Cline 228a4e
 	real_fops = fops_get(real_fops);
Jeremy Cline 228a4e
 	if (!real_fops) {
Jeremy Cline 228a4e
@@ -296,9 +297,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp)
Jeremy Cline 228a4e
 		return r == -EIO ? -ENOENT : r;
Jeremy Cline 228a4e
 
Jeremy Cline 228a4e
 	real_fops = debugfs_real_fops(filp);
Jeremy Cline 228a4e
-	r = -EPERM;
Jeremy Cline 228a4e
-	if (debugfs_is_locked_down(inode, filp, real_fops))
Jeremy Cline 228a4e
+	if (debugfs_is_locked_down(inode, filp, real_fops)) {
Jeremy Cline 228a4e
+		r = -EPERM;
Jeremy Cline 228a4e
 		goto out;
Jeremy Cline 228a4e
+	}
Jeremy Cline 228a4e
 
Jeremy Cline 228a4e
 	real_fops = fops_get(real_fops);
Jeremy Cline 228a4e
 	if (!real_fops) {
Jeremy Cline 228a4e
-- 
Jeremy Cline 228a4e
2.21.0
4cbd7a