1929e3c
From 85255f3885abdd1d2e5dc9f6e51f2fc9db075843 Mon Sep 17 00:00:00 2001
b915c3f
From: Josh Boyer <jwboyer@fedoraproject.org>
b915c3f
Date: Mon, 21 Nov 2016 23:55:55 +0000
b915c3f
Subject: [PATCH 07/32] efi: Add EFI_SECURE_BOOT bit
b915c3f
b915c3f
UEFI machines can be booted in Secure Boot mode.  Add a EFI_SECURE_BOOT bit
b915c3f
that can be passed to efi_enabled() to find out whether secure boot is
b915c3f
enabled.
b915c3f
b915c3f
This will be used by the SysRq+x handler, registered by the x86 arch, to find
b915c3f
out whether secure boot mode is enabled so that it can be disabled.
b915c3f
b915c3f
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
b915c3f
Signed-off-by: David Howells <dhowells@redhat.com>
b915c3f
---
1929e3c
 arch/x86/kernel/setup.c | 1 +
1929e3c
 include/linux/efi.h     | 1 +
1929e3c
 2 files changed, 2 insertions(+)
b915c3f
b915c3f
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
1929e3c
index 4bf0c89..396285b 100644
b915c3f
--- a/arch/x86/kernel/setup.c
b915c3f
+++ b/arch/x86/kernel/setup.c
1929e3c
@@ -1184,6 +1184,7 @@ void __init setup_arch(char **cmdline_p)
1929e3c
 			pr_info("Secure boot disabled\n");
1929e3c
 			break;
1929e3c
 		case efi_secureboot_mode_enabled:
b915c3f
+			set_bit(EFI_SECURE_BOOT, &efi.flags);
1929e3c
 			pr_info("Secure boot enabled\n");
1929e3c
 			break;
1929e3c
 		default:
b915c3f
diff --git a/include/linux/efi.h b/include/linux/efi.h
1929e3c
index 94d34e0..6049600 100644
b915c3f
--- a/include/linux/efi.h
b915c3f
+++ b/include/linux/efi.h
1929e3c
@@ -1069,6 +1069,7 @@ extern int __init efi_setup_pcdp_console(char *);
b915c3f
 #define EFI_DBG			8	/* Print additional debug info at runtime */
b915c3f
 #define EFI_NX_PE_DATA		9	/* Can runtime data regions be mapped non-executable? */
1929e3c
 #define EFI_MEM_ATTR		10	/* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */
1929e3c
+#define EFI_SECURE_BOOT		11	/* Are we in Secure Boot mode? */
1929e3c
 
b915c3f
 #ifdef CONFIG_EFI
b915c3f
 /*
b915c3f
-- 
1929e3c
2.7.5
b915c3f
1929e3c
From 341507e80b888b5b587bdb60f0d95275dbbcad89 Mon Sep 17 00:00:00 2001
b915c3f
From: David Howells <dhowells@redhat.com>
b915c3f
Date: Mon, 21 Nov 2016 23:36:17 +0000
1929e3c
Subject: [PATCH 09/32] Add the ability to lock down access to the running kernel
1929e3c
 image
b915c3f
b915c3f
Provide a single call to allow kernel code to determine whether the system
b915c3f
should be locked down, thereby disallowing various accesses that might
b915c3f
allow the running kernel image to be changed including the loading of
b915c3f
modules that aren't validly signed with a key we recognise, fiddling with
b915c3f
MSR registers and disallowing hibernation.
b915c3f
b915c3f
Signed-off-by: David Howells <dhowells@redhat.com>
b915c3f
---
b915c3f
 include/linux/kernel.h   |  9 +++++++++
b915c3f
 include/linux/security.h | 11 +++++++++++
b915c3f
 security/Kconfig         | 15 +++++++++++++++
b915c3f
 security/Makefile        |  3 +++
b915c3f
 security/lock_down.c     | 40 ++++++++++++++++++++++++++++++++++++++++
b915c3f
 5 files changed, 78 insertions(+)
b915c3f
 create mode 100644 security/lock_down.c
b915c3f
b915c3f
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
1929e3c
index 4c26dc3..b820a80 100644
b915c3f
--- a/include/linux/kernel.h
b915c3f
+++ b/include/linux/kernel.h
1929e3c
@@ -275,6 +275,15 @@ extern int oops_may_print(void);
b915c3f
 void do_exit(long error_code) __noreturn;
b915c3f
 void complete_and_exit(struct completion *, long) __noreturn;
1929e3c
 
b915c3f
+#ifdef CONFIG_LOCK_DOWN_KERNEL
b915c3f
+extern bool kernel_is_locked_down(void);
b915c3f
+#else
b915c3f
+static inline bool kernel_is_locked_down(void)
b915c3f
+{
b915c3f
+	return false;
b915c3f
+}
b915c3f
+#endif
b915c3f
+
b915c3f
 /* Internal, do not use. */
b915c3f
 int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res);
b915c3f
 int __must_check _kstrtol(const char *s, unsigned int base, long *res);
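Review bot: The new `kernel_is_locked_down()` declaration carries no comment stating the contract a caller relies on, and the `#else` stub answers `false` without saying why. Add above the `#ifdef`: `/* True once lock_kernel_down() has been called: code paths that could alter the running kernel image (module loading, raw memory and MSR access, kexec, hibernation) must refuse. Always false without CONFIG_LOCK_DOWN_KERNEL. */`. The list of affected paths is what the commit message and the rest of this series describe, so keep it in sync if the set changes.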
b915c3f
diff --git a/include/linux/security.h b/include/linux/security.h
1929e3c
index 96899fa..5808570 100644
b915c3f
--- a/include/linux/security.h
b915c3f
+++ b/include/linux/security.h
1929e3c
@@ -1678,5 +1678,16 @@ static inline void free_secdata(void *secdata)
b915c3f
 { }
b915c3f
 #endif /* CONFIG_SECURITY */
1929e3c
 
b915c3f
+#ifdef CONFIG_LOCK_DOWN_KERNEL
b915c3f
+extern void lock_kernel_down(void);
b915c3f
+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT
b915c3f
+extern void lift_kernel_lockdown(void);
b915c3f
+#endif
b915c3f
+#else
b915c3f
+static inline void lock_kernel_down(void)
b915c3f
+{
b915c3f
+}
b915c3f
+#endif
b915c3f
+
b915c3f
 #endif /* ! __LINUX_SECURITY_H */
1929e3c
 
b915c3f
diff --git a/security/Kconfig b/security/Kconfig
1929e3c
index d900f47..d9b391d 100644
b915c3f
--- a/security/Kconfig
b915c3f
+++ b/security/Kconfig
1929e3c
@@ -193,6 +193,21 @@ config STATIC_USERMODEHELPER_PATH
1929e3c
 	  If you wish for all usermode helper programs to be disabled,
1929e3c
 	  specify an empty string here (i.e. "").
1929e3c
 
b915c3f
+config LOCK_DOWN_KERNEL
b915c3f
+	bool "Allow the kernel to be 'locked down'"
b915c3f
+	help
b915c3f
+	  Allow the kernel to be locked down under certain circumstances, for
b915c3f
+	  instance if UEFI secure boot is enabled.  Locking down the kernel
b915c3f
+	  turns off various features that might otherwise allow access to the
b915c3f
+	  kernel image (eg. setting MSR registers).
b915c3f
+
b915c3f
+config ALLOW_LOCKDOWN_LIFT
b915c3f
+	bool
b915c3f
+	help
b915c3f
+	  Allow the lockdown on a kernel to be lifted, thereby restoring the
b915c3f
+	  ability of userspace to access the kernel image (eg. by SysRq+x under
b915c3f
+	  x86).
b915c3f
+
b915c3f
 source security/selinux/Kconfig
b915c3f
 source security/smack/Kconfig
b915c3f
 source security/tomoyo/Kconfig
b915c3f
diff --git a/security/Makefile b/security/Makefile
b915c3f
index f2d71cd..8c4a43e 100644
b915c3f
--- a/security/Makefile
b915c3f
+++ b/security/Makefile
b915c3f
@@ -29,3 +29,6 @@ obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o
b915c3f
 # Object integrity file lists
b915c3f
 subdir-$(CONFIG_INTEGRITY)		+= integrity
b915c3f
 obj-$(CONFIG_INTEGRITY)			+= integrity/
b915c3f
+
b915c3f
+# Allow the kernel to be locked down
b915c3f
+obj-$(CONFIG_LOCK_DOWN_KERNEL)		+= lock_down.o
b915c3f
diff --git a/security/lock_down.c b/security/lock_down.c
b915c3f
new file mode 100644
b915c3f
index 0000000..5788c60
b915c3f
--- /dev/null
b915c3f
+++ b/security/lock_down.c
b915c3f
@@ -0,0 +1,40 @@
b915c3f
+/* Lock down the kernel
b915c3f
+ *
b915c3f
+ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
b915c3f
+ * Written by David Howells (dhowells@redhat.com)
b915c3f
+ *
b915c3f
+ * This program is free software; you can redistribute it and/or
b915c3f
+ * modify it under the terms of the GNU General Public Licence
b915c3f
+ * as published by the Free Software Foundation; either version
b915c3f
+ * 2 of the Licence, or (at your option) any later version.
b915c3f
+ */
b915c3f
+
b915c3f
+#include <linux/security.h>
b915c3f
+#include <linux/export.h>
b915c3f
+
b915c3f
+static __read_mostly bool kernel_locked_down;
b915c3f
+
b915c3f
+/*
b915c3f
+ * Put the kernel into lock-down mode.
b915c3f
+ */
b915c3f
+void lock_kernel_down(void)
b915c3f
+{
b915c3f
+	kernel_locked_down = true;
b915c3f
+}
b915c3f
+
b915c3f
+/*
b915c3f
+ * Take the kernel out of lockdown mode.
b915c3f
+ */
b915c3f
+void lift_kernel_lockdown(void)
b915c3f
+{
b915c3f
+	kernel_locked_down = false;
b915c3f
+}
b915c3f
+
b915c3f
+/**
b915c3f
+ * kernel_is_locked_down - Find out if the kernel is locked down
b915c3f
+ */
b915c3f
+bool kernel_is_locked_down(void)
b915c3f
+{
b915c3f
+	return kernel_locked_down;
b915c3f
+}
b915c3f
+EXPORT_SYMBOL(kernel_is_locked_down);
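Review bot: `lift_kernel_lockdown()` is compiled unconditionally here, while include/linux/security.h declares it only under `CONFIG_ALLOW_LOCKDOWN_LIFT`, so a build without that option still contains an externally linked function with no prototype (a -Wmissing-prototypes warning) and the Kconfig gate on lifting the lockdown is cosmetic; wrap the definition in the same `#ifdef`. Both transitions are also silent, and entering or lifting lockdown is exactly the kind of state change an incident responder wants in dmesg, so a `pr_notice` in each is cheap (printk is most likely already pulled in through `<linux/security.h>` — confirm).
```c
void lock_kernel_down(void)
{
	kernel_locked_down = true;
	pr_notice("Kernel is locked down\n");
}

#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT
void lift_kernel_lockdown(void)
{
	kernel_locked_down = false;
	pr_notice("Kernel lockdown lifted\n");
}
#endif

/* … unchanged: kernel_is_locked_down() and its EXPORT_SYMBOL … */
```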
b915c3f
-- 
1929e3c
2.7.5
b915c3f
1929e3c
From dfabd5c5acc95a2de69d44f794e6f1ce894fd3ff Mon Sep 17 00:00:00 2001
b915c3f
From: David Howells <dhowells@redhat.com>
b915c3f
Date: Mon, 21 Nov 2016 23:55:55 +0000
b915c3f
Subject: [PATCH 10/32] efi: Lock down the kernel if booted in secure boot mode
b915c3f
b915c3f
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
b915c3f
only load signed bootloaders and kernels.  Certain use cases may also
b915c3f
require that all kernel modules also be signed.  Add a configuration option
b915c3f
to lock down the kernel - which includes requiring validly signed
b915c3f
modules - if the kernel is secure-booted.
b915c3f
b915c3f
Signed-off-by: David Howells <dhowells@redhat.com>
b915c3f
---
b915c3f
 arch/x86/Kconfig        | 12 ++++++++++++
b915c3f
 arch/x86/kernel/setup.c |  8 +++++++-
b915c3f
 2 files changed, 19 insertions(+), 1 deletion(-)
b915c3f
b915c3f
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
1929e3c
index cc98d5a..21f3985 100644
b915c3f
--- a/arch/x86/Kconfig
b915c3f
+++ b/arch/x86/Kconfig
1929e3c
@@ -1817,6 +1817,18 @@ config EFI_MIXED
1929e3c
 
b915c3f
 	   If unsure, say N.
1929e3c
 
b915c3f
+config EFI_SECURE_BOOT_LOCK_DOWN
b915c3f
+	def_bool n
b915c3f
+	depends on EFI
b915c3f
+	prompt "Lock down the kernel when UEFI Secure Boot is enabled"
b915c3f
+	---help---
b915c3f
+	  UEFI Secure Boot provides a mechanism for ensuring that the firmware
b915c3f
+	  will only load signed bootloaders and kernels.  Certain use cases may
b915c3f
+	  also require that all kernel modules also be signed and that
b915c3f
+	  userspace is prevented from directly changing the running kernel
b915c3f
+	  image.  Say Y here to automatically lock down the kernel when a
b915c3f
+	  system boots with UEFI Secure Boot enabled.
b915c3f
+
b915c3f
 config SECCOMP
b915c3f
 	def_bool y
b915c3f
 	prompt "Enable seccomp to safely compute untrusted bytecode"
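Review bot: `EFI_SECURE_BOOT_LOCK_DOWN` depends only on `EFI` and neither selects nor depends on `LOCK_DOWN_KERNEL`, so when the latter is off `lock_kernel_down()` resolves to the empty inline stub in include/linux/security.h and the setup.c hunk of this commit still prints `Secure boot enabled and kernel locked down` while nothing has been locked down — a misleading log line on exactly the systems that believe they are protected. Add `select LOCK_DOWN_KERNEL` (or `depends on LOCK_DOWN_KERNEL`) to this option. The same gap affects `EFI_ALLOW_SECURE_BOOT_EXIT` in the sysrq commit: it selects `ALLOW_LOCKDOWN_LIFT`, but with `LOCK_DOWN_KERNEL` off its `lift_kernel_lockdown()` caller has no declaration at all, since the security.h `#else` branch provides only the `lock_kernel_down()` stub.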
b915c3f
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
1929e3c
index 396285b..85dfa74 100644
b915c3f
--- a/arch/x86/kernel/setup.c
b915c3f
+++ b/arch/x86/kernel/setup.c
b915c3f
@@ -69,6 +69,7 @@
b915c3f
 #include <linux/crash_dump.h>
b915c3f
 #include <linux/tboot.h>
b915c3f
 #include <linux/jiffies.h>
b915c3f
+#include <linux/security.h>
1929e3c
 
b915c3f
 #include <video/edid.h>
1929e3c
 
1929e3c
@@ -1185,7 +1186,12 @@ void __init setup_arch(char **cmdline_p)
b915c3f
 			break;
b915c3f
 		case efi_secureboot_mode_enabled:
b915c3f
 			set_bit(EFI_SECURE_BOOT, &efi.flags);
b915c3f
-			pr_info("Secure boot enabled\n");
b915c3f
+			if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT_LOCK_DOWN)) {
b915c3f
+				lock_kernel_down();
b915c3f
+				pr_info("Secure boot enabled and kernel locked down\n");
b915c3f
+			} else {
b915c3f
+				pr_info("Secure boot enabled\n");
b915c3f
+			}
b915c3f
 			break;
b915c3f
 		default:
b915c3f
 			pr_info("Secure boot could not be determined\n");
b915c3f
-- 
1929e3c
2.7.5
b915c3f
1929e3c
From 0329e34894da0599619b03fa6cb16d575bfc68d4 Mon Sep 17 00:00:00 2001
b915c3f
From: David Howells <dhowells@redhat.com>
b915c3f
Date: Wed, 23 Nov 2016 13:22:22 +0000
b915c3f
Subject: [PATCH 11/32] Enforce module signatures if the kernel is locked down
b915c3f
b915c3f
If the kernel is locked down, require that all modules have valid
b915c3f
signatures that we can verify.
b915c3f
b915c3f
Signed-off-by: David Howells <dhowells@redhat.com>
b915c3f
---
b915c3f
 kernel/module.c | 2 +-
b915c3f
 1 file changed, 1 insertion(+), 1 deletion(-)
b915c3f
b915c3f
diff --git a/kernel/module.c b/kernel/module.c
1929e3c
index 7eba6de..3331f2e 100644
b915c3f
--- a/kernel/module.c
b915c3f
+++ b/kernel/module.c
1929e3c
@@ -2756,7 +2756,7 @@ static int module_sig_check(struct load_info *info, int flags)
b915c3f
 	}
1929e3c
 
b915c3f
 	/* Not having a signature is only an error if we're strict. */
b915c3f
-	if (err == -ENOKEY && !sig_enforce)
b915c3f
+	if (err == -ENOKEY && !sig_enforce && !kernel_is_locked_down())
b915c3f
 		err = 0;
1929e3c
 
b915c3f
 	return err;
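Review bot: Under lockdown an unsigned module now fails with `-ENOKEY` exactly as it would with `sig_enforce`, but nothing records that lockdown rather than the `module.sig_enforce` parameter was the reason, which makes the failure hard to triage and invisible to log-based detection. Before `return err;` add `if (err == -ENOKEY && kernel_is_locked_down()) pr_notice("Unsigned module rejected: kernel is locked down\n");` (the module name may not be resolved yet at this point in loading, so I have left it out — confirm). module_sig_check() begins outside the hunk.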
b915c3f
-- 
1929e3c
2.7.5
b915c3f
1929e3c
From 236e7dcbf5eb7b27416a819d6cb69d3006481cef Mon Sep 17 00:00:00 2001
b915c3f
From: Matthew Garrett <matthew.garrett@nebula.com>
b915c3f
Date: Tue, 22 Nov 2016 08:46:16 +0000
1929e3c
Subject: [PATCH 12/32] Restrict /dev/mem and /dev/kmem when the kernel is locked
1929e3c
 down
b915c3f
b915c3f
Allowing users to write to address space makes it possible for the kernel to
b915c3f
be subverted, avoiding module loading restrictions.  Prevent this when the
b915c3f
kernel has been locked down.
b915c3f
b915c3f
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
b915c3f
Signed-off-by: David Howells <dhowells@redhat.com>
b915c3f
---
b915c3f
 drivers/char/mem.c | 6 ++++++
b915c3f
 1 file changed, 6 insertions(+)
b915c3f
b915c3f
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
1929e3c
index 6e0cbe0..a97b22f 100644
b915c3f
--- a/drivers/char/mem.c
b915c3f
+++ b/drivers/char/mem.c
1929e3c
@@ -179,6 +179,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
b915c3f
 	if (p != *ppos)
b915c3f
 		return -EFBIG;
1929e3c
 
b915c3f
+	if (kernel_is_locked_down())
b915c3f
+		return -EPERM;
b915c3f
+
b915c3f
 	if (!valid_phys_addr_range(p, count))
b915c3f
 		return -EFAULT;
1929e3c
 
1929e3c
@@ -540,6 +543,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
b915c3f
 	char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
b915c3f
 	int err = 0;
1929e3c
 
b915c3f
+	if (kernel_is_locked_down())
b915c3f
+		return -EPERM;
b915c3f
+
b915c3f
 	if (p < (unsigned long) high_memory) {
b915c3f
 		unsigned long to_write = min_t(unsigned long, count,
b915c3f
 					       (unsigned long)high_memory - p);
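Review bot: Both `write_mem()` and `write_kmem()` now return a bare `-EPERM` under lockdown, with no log line distinguishing it from any other permission failure; a `pr_notice_once("/dev/mem and /dev/kmem writes are refused: kernel is locked down\n")` next to the first check would give operators and detection rules something to key on, and the same applies to the write_kmem hunk. The commit gates only the write() entry points of this file; whether the file's other entry points that hand memory to userspace need the same gate is not addressed here and should be confirmed before treating the restriction as complete. Both enclosing functions begin and end outside their hunks.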
b915c3f
-- 
1929e3c
2.7.5
b915c3f
1929e3c
From 58a5ca7a67b9091800f61c1c411b3f411fcd857b Mon Sep 17 00:00:00 2001
b915c3f
From: Kyle McMartin <kyle@redhat.com>
b915c3f
Date: Mon, 21 Nov 2016 23:55:56 +0000
b915c3f
Subject: [PATCH 13/32] Add a sysrq option to exit secure boot mode
b915c3f
b915c3f
Make sysrq+x exit secure boot mode on x86_64, thereby allowing the running
b915c3f
kernel image to be modified.  This lifts the lockdown.
b915c3f
b915c3f
Signed-off-by: David Howells <dhowells@redhat.com>
b915c3f
---
b915c3f
 arch/x86/Kconfig            | 10 ++++++++++
b915c3f
 arch/x86/kernel/setup.c     | 31 +++++++++++++++++++++++++++++++
b915c3f
 drivers/input/misc/uinput.c |  1 +
b915c3f
 drivers/tty/sysrq.c         | 19 +++++++++++++------
b915c3f
 include/linux/input.h       |  5 +++++
b915c3f
 include/linux/sysrq.h       |  8 +++++++-
b915c3f
 kernel/debug/kdb/kdb_main.c |  2 +-
b915c3f
 7 files changed, 68 insertions(+), 8 deletions(-)
b915c3f
b915c3f
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
1929e3c
index 21f3985..457c049 100644
b915c3f
--- a/arch/x86/Kconfig
b915c3f
+++ b/arch/x86/Kconfig
1929e3c
@@ -1829,6 +1829,16 @@ config EFI_SECURE_BOOT_LOCK_DOWN
b915c3f
 	  image.  Say Y here to automatically lock down the kernel when a
b915c3f
 	  system boots with UEFI Secure Boot enabled.
1929e3c
 
b915c3f
+config EFI_ALLOW_SECURE_BOOT_EXIT
b915c3f
+	def_bool n
b915c3f
+	depends on EFI_SECURE_BOOT_LOCK_DOWN && MAGIC_SYSRQ
b915c3f
+	select ALLOW_LOCKDOWN_LIFT
b915c3f
+	prompt "Allow secure boot mode to be exited with SysRq+x on a keyboard"
b915c3f
+	---help---
b915c3f
+	  Allow secure boot mode to be exited and the kernel lockdown lifted by
b915c3f
+	  typing SysRq+x on a keyboard attached to the system (not permitted
b915c3f
+	  through procfs).
b915c3f
+
b915c3f
 config SECCOMP
b915c3f
 	def_bool y
b915c3f
 	prompt "Enable seccomp to safely compute untrusted bytecode"
b915c3f
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
1929e3c
index 85dfa74..a415a48 100644
b915c3f
--- a/arch/x86/kernel/setup.c
b915c3f
+++ b/arch/x86/kernel/setup.c
b915c3f
@@ -71,6 +71,11 @@
b915c3f
 #include <linux/jiffies.h>
b915c3f
 #include <linux/security.h>
1929e3c
 
b915c3f
+#include <linux/fips.h>
b915c3f
+#include <linux/cred.h>
b915c3f
+#include <linux/sysrq.h>
b915c3f
+#include <linux/init_task.h>
b915c3f
+
b915c3f
 #include <video/edid.h>
1929e3c
 
b915c3f
 #include <asm/mtrr.h>
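Review bot: `<linux/fips.h>`, `<linux/cred.h>` and `<linux/init_task.h>` are added here, but nothing in this commit's visible setup.c hunk uses a symbol from them — the sysrq handler needs only `<linux/sysrq.h>` plus the already-included `<linux/security.h>`. Drop the three unused includes unless they serve code outside the hunks, in which case a short comment on why they are needed would stop the next cleanup from removing them.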
1929e3c
@@ -1330,6 +1335,32 @@ void __init i386_reserve_resources(void)
1929e3c
 
b915c3f
 #endif /* CONFIG_X86_32 */
1929e3c
 
b915c3f
+#ifdef CONFIG_EFI_ALLOW_SECURE_BOOT_EXIT
b915c3f
+
b915c3f
+static void sysrq_handle_secure_boot(int key)
b915c3f
+{
b915c3f
+	if (!efi_enabled(EFI_SECURE_BOOT))
b915c3f
+		return;
b915c3f
+
b915c3f
+	pr_info("Secure boot disabled\n");
b915c3f
+	lift_kernel_lockdown();
b915c3f
+}
b915c3f
+static struct sysrq_key_op secure_boot_sysrq_op = {
b915c3f
+	.handler	=	sysrq_handle_secure_boot,
b915c3f
+	.help_msg	=	"unSB(x)",
b915c3f
+	.action_msg	=	"Disabling Secure Boot restrictions",
b915c3f
+	.enable_mask	=	SYSRQ_DISABLE_USERSPACE,
b915c3f
+};
b915c3f
+static int __init secure_boot_sysrq(void)
b915c3f
+{
b915c3f
+	if (efi_enabled(EFI_SECURE_BOOT))
b915c3f
+		register_sysrq_key('x', &secure_boot_sysrq_op);
b915c3f
+	return 0;
b915c3f
+}
b915c3f
+late_initcall(secure_boot_sysrq);
b915c3f
+#endif /*CONFIG_EFI_ALLOW_SECURE_BOOT_EXIT*/
b915c3f
+
b915c3f
+
b915c3f
 static struct notifier_block kernel_offset_notifier = {
b915c3f
 	.notifier_call = dump_kernel_offset
b915c3f
 };
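Review bot: `sysrq_handle_secure_boot()` lifts the lockdown and prints `Secure boot disabled`, but leaves `EFI_SECURE_BOOT` set in `efi.flags`, so `efi_enabled(EFI_SECURE_BOOT)` keeps reporting secure-boot mode to every other consumer and the guard at the top of the handler can never fire; the message overstates what changed. Either clear the bit (`clear_bit(EFI_SECURE_BOOT, &efi.flags);` before the pr_info, after checking no other reader depends on it staying set) or reword the line to `Kernel lockdown lifted`, and consider `pr_warn` rather than `pr_info`, since lifting lockdown is a security-relevant state change worth surfacing. Style: the three definitions run together with no blank line between `}` and the next `static`, and the closing comment would read better as `/* CONFIG_EFI_ALLOW_SECURE_BOOT_EXIT */`.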
b915c3f
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
1929e3c
index 022be0e..4a054a5 100644
b915c3f
--- a/drivers/input/misc/uinput.c
b915c3f
+++ b/drivers/input/misc/uinput.c
1929e3c
@@ -387,6 +387,7 @@ static int uinput_allocate_device(struct uinput_device *udev)
b915c3f
 	if (!udev->dev)
b915c3f
 		return -ENOMEM;
1929e3c
 
b915c3f
+	udev->dev->flags |= INPUTDEV_FLAGS_SYNTHETIC;
b915c3f
 	udev->dev->event = uinput_dev_event;
b915c3f
 	input_set_drvdata(udev->dev, udev);
1929e3c
 
b915c3f
diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
1929e3c
index c6fc714..0c96cf6 100644
b915c3f
--- a/drivers/tty/sysrq.c
b915c3f
+++ b/drivers/tty/sysrq.c
1929e3c
@@ -481,6 +481,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
b915c3f
 	/* x: May be registered on mips for TLB dump */
b915c3f
 	/* x: May be registered on ppc/powerpc for xmon */
b915c3f
 	/* x: May be registered on sparc64 for global PMU dump */
b915c3f
+	/* x: May be registered on x86_64 for disabling secure boot */
b915c3f
 	NULL,				/* x */
b915c3f
 	/* y: May be registered on sparc64 for global register dump */
b915c3f
 	NULL,				/* y */
1929e3c
@@ -524,7 +525,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
b915c3f
                 sysrq_key_table[i] = op_p;
b915c3f
 }
1929e3c
 
b915c3f
-void __handle_sysrq(int key, bool check_mask)
b915c3f
+void __handle_sysrq(int key, unsigned int from)
b915c3f
 {
b915c3f
 	struct sysrq_key_op *op_p;
b915c3f
 	int orig_log_level;
1929e3c
@@ -544,11 +545,15 @@ void __handle_sysrq(int key, bool check_mask)
1929e3c
 
b915c3f
         op_p = __sysrq_get_key_op(key);
b915c3f
         if (op_p) {
b915c3f
+		/* Ban synthetic events from some sysrq functionality */
b915c3f
+		if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) &&
b915c3f
+		    op_p->enable_mask & SYSRQ_DISABLE_USERSPACE)
b915c3f
+			printk("This sysrq operation is disabled from userspace.\n");
b915c3f
 		/*
b915c3f
 		 * Should we check for enabled operations (/proc/sysrq-trigger
b915c3f
 		 * should not) and is the invoked operation enabled?
b915c3f
 		 */
b915c3f
-		if (!check_mask || sysrq_on_mask(op_p->enable_mask)) {
b915c3f
+		if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {
b915c3f
 			pr_cont("%s\n", op_p->action_msg);
b915c3f
 			console_loglevel = orig_log_level;
b915c3f
 			op_p->handler(key);
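Review bot: The `SYSRQ_DISABLE_USERSPACE` check added at the top of the `if (op_p)` body only prints `This sysrq operation is disabled from userspace.` and then falls through, so an operation marked disabled-from-userspace is still dispatched by the following `if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(...))` whenever the enable mask allows it; wrap the printk in braces and make the dispatch `} else if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {` so the ban actually skips the handler. The new condition also inverts the old `check_mask` semantics: `true` used to mean "honour the per-op enable mask", but `handle_sysrq()` now passes `SYSRQ_FROM_KERNEL`, which bypasses the mask, and `kdb_sr()` maps `check_mask ? SYSRQ_FROM_KERNEL : 0`, so the mask is skipped precisely when the caller asked for it to be checked, while `write_sysrq_trigger()` now passes `SYSRQ_FROM_PROC` and becomes subject to the mask contrary to the comment kept in this hunk. Separate the origin of the request from whether the mask is checked (or rename `SYSRQ_FROM_KERNEL` to say what it does) and re-audit the call sites in the handle_sysrq, sysrq_handle_reset_request, sysrq_handle_keypress (which passes a bare `0`, not a named value), write_sysrq_trigger and kdb_main.c hunks. __handle_sysrq() continues outside the hunk.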
1929e3c
@@ -580,7 +585,7 @@ void __handle_sysrq(int key, bool check_mask)
b915c3f
 void handle_sysrq(int key)
b915c3f
 {
b915c3f
 	if (sysrq_on())
b915c3f
-		__handle_sysrq(key, true);
b915c3f
+		__handle_sysrq(key, SYSRQ_FROM_KERNEL);
b915c3f
 }
b915c3f
 EXPORT_SYMBOL(handle_sysrq);
1929e3c
 
1929e3c
@@ -661,7 +666,7 @@ static void sysrq_do_reset(unsigned long _state)
b915c3f
 static void sysrq_handle_reset_request(struct sysrq_state *state)
b915c3f
 {
b915c3f
 	if (state->reset_requested)
b915c3f
-		__handle_sysrq(sysrq_xlate[KEY_B], false);
b915c3f
+		__handle_sysrq(sysrq_xlate[KEY_B], SYSRQ_FROM_KERNEL);
1929e3c
 
b915c3f
 	if (sysrq_reset_downtime_ms)
b915c3f
 		mod_timer(&state->keyreset_timer,
1929e3c
@@ -812,8 +817,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
1929e3c
 
b915c3f
 	default:
b915c3f
 		if (sysrq->active && value && value != 2) {
b915c3f
+			int from = sysrq->handle.dev->flags & INPUTDEV_FLAGS_SYNTHETIC ?
b915c3f
+					SYSRQ_FROM_SYNTHETIC : 0;
b915c3f
 			sysrq->need_reinject = false;
b915c3f
-			__handle_sysrq(sysrq_xlate[code], true);
b915c3f
+			__handle_sysrq(sysrq_xlate[code], from);
b915c3f
 		}
b915c3f
 		break;
b915c3f
 	}
1929e3c
@@ -1097,7 +1104,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
1929e3c
 
b915c3f
 		if (get_user(c, buf))
b915c3f
 			return -EFAULT;
b915c3f
-		__handle_sysrq(c, false);
b915c3f
+		__handle_sysrq(c, SYSRQ_FROM_PROC);
b915c3f
 	}
1929e3c
 
b915c3f
 	return count;
b915c3f
diff --git a/include/linux/input.h b/include/linux/input.h
b915c3f
index a65e3b2..8b03571 100644
b915c3f
--- a/include/linux/input.h
b915c3f
+++ b/include/linux/input.h
b915c3f
@@ -42,6 +42,7 @@ struct input_value {
b915c3f
  * @phys: physical path to the device in the system hierarchy
b915c3f
  * @uniq: unique identification code for the device (if device has it)
b915c3f
  * @id: id of the device (struct input_id)
b915c3f
+ * @flags: input device flags (SYNTHETIC, etc.)
b915c3f
  * @propbit: bitmap of device properties and quirks
b915c3f
  * @evbit: bitmap of types of events supported by the device (EV_KEY,
b915c3f
  *	EV_REL, etc.)
b915c3f
@@ -124,6 +125,8 @@ struct input_dev {
b915c3f
 	const char *uniq;
b915c3f
 	struct input_id id;
1929e3c
 
b915c3f
+	unsigned int flags;
b915c3f
+
b915c3f
 	unsigned long propbit[BITS_TO_LONGS(INPUT_PROP_CNT)];
1929e3c
 
b915c3f
 	unsigned long evbit[BITS_TO_LONGS(EV_CNT)];
b915c3f
@@ -190,6 +193,8 @@ struct input_dev {
b915c3f
 };
b915c3f
 #define to_input_dev(d) container_of(d, struct input_dev, dev)
1929e3c
 
b915c3f
+#define	INPUTDEV_FLAGS_SYNTHETIC	0x000000001
b915c3f
+
b915c3f
 /*
b915c3f
  * Verify that we are in sync with input_device_id mod_devicetable.h #defines
b915c3f
  */
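Review bot: `INPUTDEV_FLAGS_SYNTHETIC` is written as `0x000000001`, a nine-digit hex literal that reads as if a digit were dropped or added; use `0x00000001` (or `BIT(0)` if the bitops header is in scope here) and a space rather than a tab after `#define`, matching the neighbouring `#define to_input_dev(d)`. A one-line comment saying who sets it — uinput, per this commit — and that sysrq consults it would help readers of `struct input_dev`.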
b915c3f
diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h
b915c3f
index 387fa7d..f7c52a9 100644
b915c3f
--- a/include/linux/sysrq.h
b915c3f
+++ b/include/linux/sysrq.h
b915c3f
@@ -28,6 +28,8 @@
b915c3f
 #define SYSRQ_ENABLE_BOOT	0x0080
b915c3f
 #define SYSRQ_ENABLE_RTNICE	0x0100
1929e3c
 
b915c3f
+#define SYSRQ_DISABLE_USERSPACE	0x00010000
b915c3f
+
b915c3f
 struct sysrq_key_op {
b915c3f
 	void (*handler)(int);
b915c3f
 	char *help_msg;
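Review bot: `SYSRQ_DISABLE_USERSPACE` is stored in `sysrq_key_op.enable_mask`, the same field that `sysrq_on_mask()` tests against the `kernel.sysrq` sysctl value, so if that helper still ANDs the mask against the sysctl, bit 16 now doubles as an enable bit: a sysctl value with that bit set enables every op that is merely marked disabled-from-userspace. Either mask it out in `sysrq_on_mask()` or give restrictions their own field, and document the split above the defines, e.g. `/* bits 0-15: SYSRQ_ENABLE_* matched against kernel.sysrq; bits 16+: per-op restrictions, never matched */`. The `SYSRQ_FROM_*` values in the second hunk of this file also need a comment stating that they are compared for equality rather than used as flags and which caller passes which.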
b915c3f
@@ -42,8 +44,12 @@ struct sysrq_key_op {
b915c3f
  * are available -- else NULL's).
b915c3f
  */
1929e3c
 
b915c3f
+#define SYSRQ_FROM_KERNEL	0x0001
b915c3f
+#define SYSRQ_FROM_PROC		0x0002
b915c3f
+#define SYSRQ_FROM_SYNTHETIC	0x0004
b915c3f
+
b915c3f
 void handle_sysrq(int key);
b915c3f
-void __handle_sysrq(int key, bool check_mask);
b915c3f
+void __handle_sysrq(int key, unsigned int from);
b915c3f
 int register_sysrq_key(int key, struct sysrq_key_op *op);
b915c3f
 int unregister_sysrq_key(int key, struct sysrq_key_op *op);
b915c3f
 struct sysrq_key_op *__sysrq_get_key_op(int key);
b915c3f
diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
1929e3c
index c8146d5..b480cad 100644
b915c3f
--- a/kernel/debug/kdb/kdb_main.c
b915c3f
+++ b/kernel/debug/kdb/kdb_main.c
1929e3c
@@ -1970,7 +1970,7 @@ static int kdb_sr(int argc, const char **argv)
b915c3f
 		return KDB_ARGCOUNT;
1929e3c
 
b915c3f
 	kdb_trap_printk++;
b915c3f
-	__handle_sysrq(*argv[1], check_mask);
b915c3f
+	__handle_sysrq(*argv[1], check_mask ? SYSRQ_FROM_KERNEL : 0);
b915c3f
 	kdb_trap_printk--;
1929e3c
 
b915c3f
 	return 0;
b915c3f
-- 
1929e3c
2.7.5
b915c3f
1929e3c
From 1b5f90719268c27616172f00cde6e1078eb413c5 Mon Sep 17 00:00:00 2001
b915c3f
From: Matthew Garrett <matthew.garrett@nebula.com>
b915c3f
Date: Tue, 22 Nov 2016 08:46:15 +0000
b915c3f
Subject: [PATCH 14/32] kexec: Disable at runtime if the kernel is locked down
b915c3f
b915c3f
kexec permits the loading and execution of arbitrary code in ring 0, which
b915c3f
is something that lock-down is meant to prevent. It makes sense to disable
b915c3f
kexec in this situation.
b915c3f
b915c3f
This does not affect kexec_file_load() which can check for a signature on the
b915c3f
image to be booted.
b915c3f
b915c3f
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
b915c3f
Signed-off-by: David Howells <dhowells@redhat.com>
b915c3f
---
b915c3f
 kernel/kexec.c | 7 +++++++
b915c3f
 1 file changed, 7 insertions(+)
b915c3f
b915c3f
diff --git a/kernel/kexec.c b/kernel/kexec.c
b915c3f
index 980936a..46de8e6 100644
b915c3f
--- a/kernel/kexec.c
b915c3f
+++ b/kernel/kexec.c
b915c3f
@@ -194,6 +194,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
b915c3f
 		return -EPERM;
1929e3c
 
b915c3f
 	/*
b915c3f
+	 * kexec can be used to circumvent module loading restrictions, so
b915c3f
+	 * prevent loading in that case
b915c3f
+	 */
b915c3f
+	if (kernel_is_locked_down())
b915c3f
+		return -EPERM;
b915c3f
+
b915c3f
+	/*
b915c3f
 	 * Verify we have a legal set of flags
b915c3f
 	 * This leaves us room for future extensions.
b915c3f
 	 */
b915c3f
-- 
1929e3c
2.7.5
b915c3f
1929e3c
From 85eaf32ad6cb1ce6ab88601daac8e601386929bb Mon Sep 17 00:00:00 2001
b915c3f
From: Dave Young <dyoung@redhat.com>
b915c3f
Date: Tue, 22 Nov 2016 08:46:15 +0000
1929e3c
Subject: [PATCH] Copy secure_boot flag in boot params across kexec reboot
b915c3f
b915c3f
Kexec reboot in case secure boot being enabled does not keep the secure
b915c3f
boot mode in new kernel, so later one can load unsigned kernel via legacy
b915c3f
kexec_load.  In this state, the system is missing the protections provided
b915c3f
by secure boot.
b915c3f
b915c3f
Fix this by retaining the secure_boot flag from the original
b915c3f
kernel.
b915c3f
b915c3f
secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the
b915c3f
stub.  Fixing this issue by copying secure_boot flag across kexec reboot.
b915c3f
b915c3f
Signed-off-by: Dave Young <dyoung@redhat.com>
b915c3f
Signed-off-by: David Howells <dhowells@redhat.com>
b915c3f
---
b915c3f
 arch/x86/kernel/kexec-bzimage64.c | 1 +
b915c3f
 1 file changed, 1 insertion(+)
b915c3f
b915c3f
diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
1929e3c
index d0a814a..3551bca 100644
b915c3f
--- a/arch/x86/kernel/kexec-bzimage64.c
b915c3f
+++ b/arch/x86/kernel/kexec-bzimage64.c
b915c3f
@@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
b915c3f
 	if (efi_enabled(EFI_OLD_MEMMAP))
b915c3f
 		return 0;
1929e3c
 
b915c3f
+	params->secure_boot = boot_params.secure_boot;
b915c3f
 	ei->efi_loader_signature = current_ei->efi_loader_signature;
b915c3f
 	ei->efi_systab = current_ei->efi_systab;
b915c3f
 	ei->efi_systab_hi = current_ei->efi_systab_hi;
b915c3f
-- 
1929e3c
2.7.5
b915c3f
1929e3c
From 421f4933387c7663b99d63624bdc23d4037e9c26 Mon Sep 17 00:00:00 2001
b915c3f
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
b915c3f
Date: Wed, 23 Nov 2016 13:49:19 +0000
1929e3c
Subject: [PATCH 16/32] kexec_file: Disable at runtime if securelevel has been set
b915c3f
b915c3f
When KEXEC_VERIFY_SIG is not enabled, the kernel should not load an image
b915c3f
through kexec_file systemcall if securelevel has been set.
b915c3f
b915c3f
This code was showed in Matthew's patch but not in git:
b915c3f
https://lkml.org/lkml/2015/3/13/778
b915c3f
b915c3f
Cc: Matthew Garrett <mjg59@srcf.ucam.org>
b915c3f
Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
b915c3f
Signed-off-by: David Howells <dhowells@redhat.com>
b915c3f
---
b915c3f
 kernel/kexec_file.c | 6 ++++++
b915c3f
 1 file changed, 6 insertions(+)
b915c3f
b915c3f
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
1929e3c
index b118735..f6937ee 100644
b915c3f
--- a/kernel/kexec_file.c
b915c3f
+++ b/kernel/kexec_file.c
1929e3c
@@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
b915c3f
 	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
b915c3f
 		return -EPERM;
1929e3c
 
b915c3f
+	/* Don't permit images to be loaded into trusted kernels if we're not
b915c3f
+	 * going to verify the signature on them
b915c3f
+	 */
b915c3f
+	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
b915c3f
+		return -EPERM;
b915c3f
+
b915c3f
 	/* Make sure we have a legal set of flags */
b915c3f
 	if (flags != (flags & KEXEC_FILE_FLAGS))
b915c3f
 		return -EINVAL;
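Review bot: The new check refuses only when `CONFIG_KEXEC_VERIFY_SIG` is off; when it is on, lockdown's protection rests on the verification path further down actually failing the load for a missing or bad signature rather than merely warning, which is worth confirming and stating in the comment, e.g. `/* Under lockdown an image may be loaded only if its signature will be verified (CONFIG_KEXEC_VERIFY_SIG); otherwise refuse. */`. "trusted kernels" in the added comment is vaguer than "locked-down kernel", which is what the condition tests. The syscall body continues outside the hunk.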
b915c3f
-- 
1929e3c
2.7.5
b915c3f
1929e3c
From 0376070dd24c4226e047cf5ab8d68c8341b8d521 Mon Sep 17 00:00:00 2001
b915c3f
From: Josh Boyer <jwboyer@fedoraproject.org>
b915c3f
Date: Tue, 22 Nov 2016 08:46:15 +0000
b915c3f
Subject: [PATCH 17/32] hibernate: Disable when the kernel is locked down
b915c3f
b915c3f
There is currently no way to verify the resume image when returning
b915c3f
from hibernate.  This might compromise the signed modules trust model,
b915c3f
so until we can work with signed hibernate images we disable it when the
b915c3f
kernel is locked down.
b915c3f
b915c3f
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
b915c3f
Signed-off-by: David Howells <dhowells@redhat.com>
b915c3f
---
b915c3f
 kernel/power/hibernate.c | 2 +-
b915c3f
 1 file changed, 1 insertion(+), 1 deletion(-)
b915c3f
b915c3f
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
1929e3c
index a8b978c..50cca5d 100644
b915c3f
--- a/kernel/power/hibernate.c
b915c3f
+++ b/kernel/power/hibernate.c
1929e3c
@@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
1929e3c
 
b915c3f
 bool hibernation_available(void)
b915c3f
 {
b915c3f
-	return (nohibernate == 0);
b915c3f
+	return nohibernate == 0 && !kernel_is_locked_down();
b915c3f
 }
1929e3c
 
b915c3f
 /**
b915c3f
-- 
1929e3c
2.7.5
b915c3f
1929e3c
From fff7953fd653f695d0a43872726086637cad224b Mon Sep 17 00:00:00 2001
b915c3f
From: Matthew Garrett <mjg59@srcf.ucam.org>
b915c3f
Date: Wed, 23 Nov 2016 13:28:17 +0000
1929e3c
Subject: [PATCH] uswsusp: Disable when the kernel is locked down
b915c3f
b915c3f
uswsusp allows a user process to dump and then restore kernel state, which
b915c3f
makes it possible to modify the running kernel.  Disable this if the kernel
b915c3f
is locked down.
b915c3f
b915c3f
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
b915c3f
Signed-off-by: David Howells <dhowells@redhat.com>
b915c3f
---
b915c3f
 kernel/power/user.c | 3 +++
b915c3f
 1 file changed, 3 insertions(+)
b915c3f
b915c3f
diff --git a/kernel/power/user.c b/kernel/power/user.c
1929e3c
index 22df9f7..e4b926d 100644
b915c3f
--- a/kernel/power/user.c
b915c3f
+++ b/kernel/power/user.c
b915c3f
@@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
b915c3f
 	if (!hibernation_available())
b915c3f
 		return -EPERM;
1929e3c
 
b915c3f
+	if (kernel_is_locked_down())
b915c3f
+		return -EPERM;
b915c3f
+
b915c3f
 	lock_system_sleep();
1929e3c
 
b915c3f
 	if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
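Review bot: The added `kernel_is_locked_down()` test in `snapshot_open()` is never the deciding check: three lines above, `if (!hibernation_available()) return -EPERM;` already fails under lockdown, because the hibernate commit in this series changed `hibernation_available()` to return `nohibernate == 0 && !kernel_is_locked_down()`. Either drop the duplicate or keep it with a comment such as `/* Redundant with hibernation_available(); kept so uswsusp stays closed even if that dependency changes. */` so a later edit does not remove the protection unknowingly. snapshot_open() continues outside the hunk.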
b915c3f
-- 
1929e3c
2.7.5
b915c3f
1929e3c
From a4cb6a7d28d27aa8166b7e0d5f75fe16f2f18ac8 Mon Sep 17 00:00:00 2001
b915c3f
From: Matthew Garrett <matthew.garrett@nebula.com>
b915c3f
Date: Tue, 22 Nov 2016 08:46:15 +0000
1929e3c
Subject: [PATCH 19/32] PCI: Lock down BAR access when the kernel is locked down
b915c3f
b915c3f
Any hardware that can potentially generate DMA has to be locked down in
b915c3f
order to avoid it being possible for an attacker to modify kernel code,
b915c3f
allowing them to circumvent disabled module loading or module signing.
b915c3f
Default to paranoid - in future we can potentially relax this for
b915c3f
sufficiently IOMMU-isolated devices.
b915c3f
b915c3f
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
b915c3f
Signed-off-by: David Howells <dhowells@redhat.com>
b915c3f
---
b915c3f
 drivers/pci/pci-sysfs.c | 9 +++++++++
b915c3f
 drivers/pci/proc.c      | 8 +++++++-
b915c3f
 drivers/pci/syscall.c   | 2 +-
b915c3f
 3 files changed, 17 insertions(+), 2 deletions(-)
b915c3f
b915c3f
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
1929e3c
index 7ac258f..7d29b03 100644
b915c3f
--- a/drivers/pci/pci-sysfs.c
b915c3f
+++ b/drivers/pci/pci-sysfs.c
1929e3c
@@ -727,6 +727,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
b915c3f
 	loff_t init_off = off;
b915c3f
 	u8 *data = (u8 *) buf;
1929e3c
 
b915c3f
+	if (kernel_is_locked_down())
b915c3f
+		return -EPERM;
b915c3f
+
b915c3f
 	if (off > dev->cfg_size)
b915c3f
 		return 0;
b915c3f
 	if (off + count > dev->cfg_size) {
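Review bot: The three guards added in this file (pci_write_config here, pci_mmap_resource and pci_write_resource_io in the following hunks) carry no comment explaining why a locked-down kernel must refuse them, and the rationale lives only in the commit message. A one-line why-comment on each, e.g. `/* Lockdown: config-space and BAR writes can point a device's DMA at kernel memory */`, would tell the next maintainer why the corresponding read paths are left alone while writes and mmap are refused. Stating explicitly that the read-only attributes remain open by design, next to the comment, avoids someone later "completing" the lockdown by blocking reads that do not carry this risk.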
1929e3c
@@ -1022,6 +1025,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
b915c3f
 	resource_size_t start, end;
b915c3f
 	int i;
1929e3c
 
b915c3f
+	if (kernel_is_locked_down())
b915c3f
+		return -EPERM;
b915c3f
+
b915c3f
 	for (i = 0; i < PCI_ROM_RESOURCE; i++)
b915c3f
 		if (res == &pdev->resource[i])
b915c3f
 			break;
1929e3c
@@ -1121,6 +1127,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
b915c3f
 				     struct bin_attribute *attr, char *buf,
b915c3f
 				     loff_t off, size_t count)
b915c3f
 {
b915c3f
+	if (kernel_is_locked_down())
b915c3f
+		return -EPERM;
b915c3f
+
b915c3f
 	return pci_resource_io(filp, kobj, attr, buf, off, count, true);
b915c3f
 }
1929e3c
 
b915c3f
diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
1929e3c
index dc8912e..e2c5eff 100644
b915c3f
--- a/drivers/pci/proc.c
b915c3f
+++ b/drivers/pci/proc.c
b915c3f
@@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
b915c3f
 	int size = dev->cfg_size;
b915c3f
 	int cnt;
1929e3c
 
b915c3f
+	if (kernel_is_locked_down())
b915c3f
+		return -EPERM;
b915c3f
+
b915c3f
 	if (pos >= size)
b915c3f
 		return 0;
b915c3f
 	if (nbytes >= size)
b915c3f
@@ -195,6 +198,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
b915c3f
 #endif /* HAVE_PCI_MMAP */
b915c3f
 	int ret = 0;
1929e3c
 
b915c3f
+	if (kernel_is_locked_down())
b915c3f
+		return -EPERM;
b915c3f
+
b915c3f
 	switch (cmd) {
b915c3f
 	case PCIIOC_CONTROLLER:
b915c3f
 		ret = pci_domain_nr(dev->bus);
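Review bot: The lockdown check added at the top of proc_bus_pci_ioctl rejects every command, including PCIIOC_CONTROLLER on the lines just below it, which only returns `pci_domain_nr(dev->bus)` and neither writes to the device nor maps anything; under lockdown, tools that query the domain number through /proc/bus/pci will start failing with EPERM for no security benefit. The mmap-related commands are already covered because proc_bus_pci_mmap itself is denied in the next hunk, so the guard could be narrowed to `if (cmd != PCIIOC_CONTROLLER && kernel_is_locked_down()) return -EPERM;` or moved into the mmap-state cases, whose bodies are outside this hunk. If blanket denial is intended, a comment saying so would stop a later reader from treating it as an oversight.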
b915c3f
@@ -233,7 +239,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
b915c3f
 	struct pci_filp_private *fpriv = file->private_data;
1929e3c
 	int i, ret, write_combine = 0, res_bit;
1929e3c
 
b915c3f
-	if (!capable(CAP_SYS_RAWIO))
b915c3f
+	if (!capable(CAP_SYS_RAWIO) || kernel_is_locked_down())
b915c3f
 		return -EPERM;
1929e3c
 
1929e3c
 	if (fpriv->mmap_state == pci_mmap_io)
b915c3f
diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
1929e3c
index 9bf993e..c095247 100644
b915c3f
--- a/drivers/pci/syscall.c
b915c3f
+++ b/drivers/pci/syscall.c
b915c3f
@@ -92,7 +92,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
b915c3f
 	u32 dword;
b915c3f
 	int err = 0;
1929e3c
 
b915c3f
-	if (!capable(CAP_SYS_ADMIN))
b915c3f
+	if (!capable(CAP_SYS_ADMIN) || kernel_is_locked_down())
b915c3f
 		return -EPERM;
1929e3c
 
b915c3f
 	dev = pci_get_bus_and_slot(bus, dfn);
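Review bot: In pciconfig_write the lockdown test is placed after `capable(CAP_SYS_ADMIN)`, so on a locked-down kernel the capability check, which is audited and marks the task as having used privilege (PF_SUPERPRIV), still runs even though the request is about to be refused regardless; the same ordering appears in proc_bus_pci_mmap (drivers/pci/proc.c) and in sys_ioperm and iopl (arch/x86/kernel/ioport.c) in the next commit. Writing `if (kernel_is_locked_down() || !capable(CAP_SYS_ADMIN))` evaluates what is presumably a plain flag read first and avoids a misleading audit record, which is how the open_port hunk in drivers/char/mem.c already orders its two tests. The result is the same -EPERM either way, so this is a consistency and audit-noise point rather than a functional one.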
b915c3f
-- 
1929e3c
2.7.5
b915c3f
1929e3c
From 4f9b39483a30ae4bd6e9c90caaf3a0466161d024 Mon Sep 17 00:00:00 2001
b915c3f
From: Matthew Garrett <matthew.garrett@nebula.com>
b915c3f
Date: Tue, 22 Nov 2016 08:46:16 +0000
1929e3c
Subject: [PATCH 20/32] x86: Lock down IO port access when the kernel is locked down
b915c3f
b915c3f
IO port access would permit users to gain access to PCI configuration
b915c3f
registers, which in turn (on a lot of hardware) give access to MMIO
b915c3f
register space. This would potentially permit root to trigger arbitrary
b915c3f
DMA, so lock it down by default.
b915c3f
b915c3f
This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and
b915c3f
KDDISABIO console ioctls.
b915c3f
b915c3f
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
b915c3f
Signed-off-by: David Howells <dhowells@redhat.com>
b915c3f
---
b915c3f
 arch/x86/kernel/ioport.c | 4 ++--
b915c3f
 drivers/char/mem.c       | 2 ++
b915c3f
 2 files changed, 4 insertions(+), 2 deletions(-)
b915c3f
b915c3f
diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
1929e3c
index 9c3cf09..4a613fe 100644
b915c3f
--- a/arch/x86/kernel/ioport.c
b915c3f
+++ b/arch/x86/kernel/ioport.c
1929e3c
@@ -30,7 +30,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
1929e3c
 
b915c3f
 	if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
b915c3f
 		return -EINVAL;
b915c3f
-	if (turn_on && !capable(CAP_SYS_RAWIO))
b915c3f
+	if (turn_on && (!capable(CAP_SYS_RAWIO) || kernel_is_locked_down()))
b915c3f
 		return -EPERM;
1929e3c
 
b915c3f
 	/*
1929e3c
@@ -120,7 +120,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
b915c3f
 		return -EINVAL;
b915c3f
 	/* Trying to gain more privileges? */
b915c3f
 	if (level > old) {
b915c3f
-		if (!capable(CAP_SYS_RAWIO))
b915c3f
+		if (!capable(CAP_SYS_RAWIO) || kernel_is_locked_down())
b915c3f
 			return -EPERM;
b915c3f
 	}
b915c3f
 	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
b915c3f
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
1929e3c
index a97b22f..8705f8f 100644
b915c3f
--- a/drivers/char/mem.c
b915c3f
+++ b/drivers/char/mem.c
1929e3c
@@ -768,6 +768,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)
1929e3c
 
b915c3f
 static int open_port(struct inode *inode, struct file *filp)
b915c3f
 {
b915c3f
+	if (kernel_is_locked_down())
b915c3f
+		return -EPERM;
b915c3f
 	return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
b915c3f
 }
1929e3c
 
b915c3f
-- 
1929e3c
2.7.5
b915c3f
1929e3c
From b746ba587c937240794cd7006c15a0fb3b2f8128 Mon Sep 17 00:00:00 2001
b915c3f
From: Matthew Garrett <matthew.garrett@nebula.com>
b915c3f
Date: Tue, 22 Nov 2016 08:46:17 +0000
b915c3f
Subject: [PATCH 21/32] x86: Restrict MSR access when the kernel is locked down
b915c3f
b915c3f
Writing to MSRs should not be allowed if the kernel is locked down, since
b915c3f
it could lead to execution of arbitrary code in kernel mode.  Based on a
b915c3f
patch by Kees Cook.
b915c3f
b915c3f
Cc: Kees Cook <keescook@chromium.org>
b915c3f
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
b915c3f
Signed-off-by: David Howells <dhowells@redhat.com>
b915c3f
---
b915c3f
 arch/x86/kernel/msr.c | 7 +++++++
b915c3f
 1 file changed, 7 insertions(+)
b915c3f
b915c3f
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
1929e3c
index ef68880..fbcce02 100644
b915c3f
--- a/arch/x86/kernel/msr.c
b915c3f
+++ b/arch/x86/kernel/msr.c
1929e3c
@@ -84,6 +84,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
b915c3f
 	int err = 0;
b915c3f
 	ssize_t bytes = 0;
1929e3c
 
b915c3f
+	if (kernel_is_locked_down())
b915c3f
+		return -EPERM;
b915c3f
+
b915c3f
 	if (count % 8)
b915c3f
 		return -EINVAL;	/* Invalid chunk size */
1929e3c
 
1929e3c
@@ -131,6 +134,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
b915c3f
 			err = -EBADF;
b915c3f
 			break;
b915c3f
 		}
b915c3f
+		if (kernel_is_locked_down()) {
b915c3f
+			err = -EPERM;
b915c3f
+			break;
b915c3f
+		}
b915c3f
 		if (copy_from_user(&regs, uregs, sizeof regs)) {
b915c3f
 			err = -EFAULT;
b915c3f
 			break;
b915c3f
-- 
1929e3c
2.7.5
b915c3f
1929e3c
From 5aff4c16ee0a6441b1abbf6e80a5da9cf2007469 Mon Sep 17 00:00:00 2001
b915c3f
From: Matthew Garrett <matthew.garrett@nebula.com>
b915c3f
Date: Tue, 22 Nov 2016 08:46:16 +0000
b915c3f
Subject: [PATCH 22/32] asus-wmi: Restrict debugfs interface when the kernel is
b915c3f
 locked down
b915c3f
b915c3f
We have no way of validating what all of the Asus WMI methods do on a given
b915c3f
machine - and there's a risk that some will allow hardware state to be
b915c3f
manipulated in such a way that arbitrary code can be executed in the
b915c3f
kernel, circumventing module loading restrictions.  Prevent that if the
b915c3f
kernel is locked down.
b915c3f
b915c3f
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
b915c3f
Signed-off-by: David Howells <dhowells@redhat.com>
b915c3f
---
b915c3f
 drivers/platform/x86/asus-wmi.c | 9 +++++++++
b915c3f
 1 file changed, 9 insertions(+)
b915c3f
b915c3f
diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
1929e3c
index 8fe5890..feef250 100644
b915c3f
--- a/drivers/platform/x86/asus-wmi.c
b915c3f
+++ b/drivers/platform/x86/asus-wmi.c
1929e3c
@@ -1900,6 +1900,9 @@ static int show_dsts(struct seq_file *m, void *data)
b915c3f
 	int err;
b915c3f
 	u32 retval = -1;
1929e3c
 
b915c3f
+	if (kernel_is_locked_down())
b915c3f
+		return -EPERM;
b915c3f
+
b915c3f
 	err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
1929e3c
 
b915c3f
 	if (err < 0)
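Review bot: show_dsts only queries device state via `asus_wmi_get_devstate` on the line after the new guard, while show_devs and show_call in the following hunks invoke WMI methods with caller-supplied parameters; if refusing the query path too is intentional, as the commit message's "no way of validating what all of the Asus WMI methods do" suggests, a comment such as `/* Lockdown: even the "get" method is opaque firmware code, refuse it too */` would keep a later maintainer from relaxing it as a harmless read. Returning -EPERM from a seq_file show callback works because seq_read propagates the error, but the three identical guards could share one small helper with the rationale documented once. Leaving the debugfs files unregistered under lockdown would be an alternative, but that only holds if lockdown state cannot change after boot, which is not established here, so the per-access check is the safer shape.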
1929e3c
@@ -1916,6 +1919,9 @@ static int show_devs(struct seq_file *m, void *data)
b915c3f
 	int err;
b915c3f
 	u32 retval = -1;
1929e3c
 
b915c3f
+	if (kernel_is_locked_down())
b915c3f
+		return -EPERM;
b915c3f
+
b915c3f
 	err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
b915c3f
 				    &retval);
1929e3c
 
1929e3c
@@ -1940,6 +1946,9 @@ static int show_call(struct seq_file *m, void *data)
b915c3f
 	union acpi_object *obj;
b915c3f
 	acpi_status status;
1929e3c
 
b915c3f
+	if (kernel_is_locked_down())
b915c3f
+		return -EPERM;
b915c3f
+
b915c3f
 	status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
b915c3f
 				     1, asus->debug.method_id,
b915c3f
 				     &input, &output);
b915c3f
-- 
1929e3c
2.7.5
b915c3f
1929e3c
From f0b27fdb42b57c2044ea3cf49371f786acc7b58e Mon Sep 17 00:00:00 2001
b915c3f
From: Matthew Garrett <matthew.garrett@nebula.com>
b915c3f
Date: Tue, 22 Nov 2016 08:46:16 +0000
1929e3c
Subject: [PATCH 23/32] ACPI: Limit access to custom_method when the kernel is locked
1929e3c
 down
b915c3f
b915c3f
custom_method effectively allows arbitrary access to system memory, making
b915c3f
it possible for an attacker to circumvent restrictions on module loading.
b915c3f
Disable it if the kernel is locked down.
b915c3f
b915c3f
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
b915c3f
Signed-off-by: David Howells <dhowells@redhat.com>
b915c3f
---
b915c3f
 drivers/acpi/custom_method.c | 3 +++
b915c3f
 1 file changed, 3 insertions(+)
b915c3f
b915c3f
diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
b915c3f
index c68e724..e4d721c 100644
b915c3f
--- a/drivers/acpi/custom_method.c
b915c3f
+++ b/drivers/acpi/custom_method.c
b915c3f
@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
b915c3f
 	struct acpi_table_header table;
b915c3f
 	acpi_status status;
1929e3c
 
b915c3f
+	if (kernel_is_locked_down())
b915c3f
+		return -EPERM;
b915c3f
+
b915c3f
 	if (!(*ppos)) {
b915c3f
 		/* parse the table header to get the table length */
b915c3f
 		if (count <= sizeof(struct acpi_table_header))
b915c3f
-- 
1929e3c
2.7.5
b915c3f
1929e3c
From d67f882220ae3d969b496ad93fcbbcd3b09288cd Mon Sep 17 00:00:00 2001
b915c3f
From: Josh Boyer <jwboyer@redhat.com>
b915c3f
Date: Tue, 22 Nov 2016 08:46:16 +0000
1929e3c
Subject: [PATCH 24/32] acpi: Ignore acpi_rsdp kernel param when the kernel has been
1929e3c
 locked down
b915c3f
b915c3f
This option allows userspace to pass the RSDP address to the kernel, which
b915c3f
makes it possible for a user to circumvent any restrictions imposed on
b915c3f
loading modules.  Ignore the option when the kernel is locked down.
b915c3f
b915c3f
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
b915c3f
Signed-off-by: David Howells <dhowells@redhat.com>
b915c3f
---
b915c3f
 drivers/acpi/osl.c | 2 +-
b915c3f
 1 file changed, 1 insertion(+), 1 deletion(-)
b915c3f
b915c3f
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
1929e3c
index db78d35..d4d4ba3 100644
b915c3f
--- a/drivers/acpi/osl.c
b915c3f
+++ b/drivers/acpi/osl.c
1929e3c
@@ -192,7 +192,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void)
b915c3f
 	acpi_physical_address pa = 0;
b915c3f
 
b915c3f
 #ifdef CONFIG_KEXEC
b915c3f
-	if (acpi_rsdp)
b915c3f
+	if (acpi_rsdp && !kernel_is_locked_down())
b915c3f
 		return acpi_rsdp;
b915c3f
 #endif
1929e3c
 
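Review bot: When the kernel is locked down the `acpi_rsdp` override is now ignored without any message, so an operator who passed `acpi_rsdp=` sees the firmware's RSDP used instead and finds nothing in dmesg to explain it; the ACPI table-override commit that follows logs `pr_notice("kernel is locked down, ignoring table override\n")` in the equivalent situation. An `else if (acpi_rsdp) pr_notice_once("kernel is locked down, ignoring acpi_rsdp\n");` branch would make the two ACPI denials consistent (`_once` in case acpi_os_get_root_pointer can run more than once, which is not visible here). A short comment noting that both the override and its lockdown check only exist under CONFIG_KEXEC would also help a reader who wonders why the parameter is accepted on other configurations.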
b915c3f
-- 
1929e3c
2.7.5
b915c3f
1929e3c
From 15b10045321ac2af988918726a461178237d2d24 Mon Sep 17 00:00:00 2001
b915c3f
From: Linn Crosetto <linn@hpe.com>
b915c3f
Date: Wed, 23 Nov 2016 13:32:27 +0000
1929e3c
Subject: [PATCH 25/32] acpi: Disable ACPI table override if the kernel is locked
1929e3c
 down
b915c3f
b915c3f
From the kernel documentation (initrd_table_override.txt):
b915c3f
b915c3f
  If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
b915c3f
  to override nearly any ACPI table provided by the BIOS with an
b915c3f
  instrumented, modified one.
b915c3f
b915c3f
When securelevel is set, the kernel should disallow any unauthenticated
b915c3f
changes to kernel space.  ACPI tables contain code invoked by the kernel,
b915c3f
so do not allow ACPI tables to be overridden if the kernel is locked down.
b915c3f
b915c3f
Signed-off-by: Linn Crosetto <linn@hpe.com>
b915c3f
Signed-off-by: David Howells <dhowells@redhat.com>
b915c3f
---
b915c3f
 drivers/acpi/tables.c | 5 +++++
b915c3f
 1 file changed, 5 insertions(+)
b915c3f
b915c3f
diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
1929e3c
index 2604189..601096d 100644
b915c3f
--- a/drivers/acpi/tables.c
b915c3f
+++ b/drivers/acpi/tables.c
1929e3c
@@ -542,6 +542,11 @@ void __init acpi_table_upgrade(void)
b915c3f
 	if (table_nr == 0)
b915c3f
 		return;
1929e3c
 
b915c3f
+	if (kernel_is_locked_down()) {
b915c3f
+		pr_notice("kernel is locked down, ignoring table override\n");
b915c3f
+		return;
b915c3f
+	}
b915c3f
+
b915c3f
 	acpi_tables_addr =
b915c3f
 		memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
b915c3f
 				       all_tables_size, PAGE_SIZE);
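Review bot: The new early return in acpi_table_upgrade leaves `acpi_tables_addr` at whatever it held before and the tables counted by `table_nr` unused, which appears to be the same state as when the `memblock_find_in_range` call on the following line finds no room; the later stage that installs the override (outside this hunk) must therefore already treat that state as "no override", and a comment saying the lockdown path deliberately reuses it, e.g. `/* Leave acpi_tables_addr unset so the install stage sees no override */`, would make that dependency explicit. The `pr_notice` is a good choice and matches the eata, cistpl and serial_core denials in this series. Including `table_nr` in the message would additionally tell an operator that the initrd did carry tables that were dropped rather than that none were found.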
b915c3f
-- 
1929e3c
2.7.5
b915c3f
1929e3c
From dec3a108f63021d82b132847a02e8496f613ac6f Mon Sep 17 00:00:00 2001
b915c3f
From: Linn Crosetto <linn@hpe.com>
b915c3f
Date: Wed, 23 Nov 2016 13:39:41 +0000
1929e3c
Subject: [PATCH 26/32] acpi: Disable APEI error injection if the kernel is locked
1929e3c
 down
b915c3f
b915c3f
ACPI provides an error injection mechanism, EINJ, for debugging and testing
b915c3f
the ACPI Platform Error Interface (APEI) and other RAS features.  If
b915c3f
supported by the firmware, ACPI specification 5.0 and later provide for a
b915c3f
way to specify a physical memory address to which to inject the error.
b915c3f
b915c3f
Injecting errors through EINJ can produce errors which to the platform are
b915c3f
indistinguishable from real hardware errors.  This can have undesirable
b915c3f
side-effects, such as causing the platform to mark hardware as needing
b915c3f
replacement.
b915c3f
b915c3f
While it does not provide a method to load unauthenticated privileged code,
b915c3f
the effect of these errors may persist across reboots and affect trust in
b915c3f
the underlying hardware, so disable error injection through EINJ if
b915c3f
the kernel is locked down.
b915c3f
b915c3f
Signed-off-by: Linn Crosetto <linn@hpe.com>
b915c3f
Signed-off-by: David Howells <dhowells@redhat.com>
b915c3f
---
b915c3f
 drivers/acpi/apei/einj.c | 3 +++
b915c3f
 1 file changed, 3 insertions(+)
b915c3f
b915c3f
diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c
1929e3c
index ec50c32..e082718 100644
b915c3f
--- a/drivers/acpi/apei/einj.c
b915c3f
+++ b/drivers/acpi/apei/einj.c
b915c3f
@@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2,
b915c3f
 	int rc;
b915c3f
 	u64 base_addr, size;
1929e3c
 
b915c3f
+	if (kernel_is_locked_down())
b915c3f
+		return -EPERM;
b915c3f
+
b915c3f
 	/* If user manually set "flags", make sure it is legal */
b915c3f
 	if (flags && (flags &
b915c3f
 		~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF)))
b915c3f
-- 
1929e3c
2.7.5
b915c3f
1929e3c
From dcc51d5b69c23c3f955b332d959f13cb61b4500c Mon Sep 17 00:00:00 2001
b915c3f
From: Matthew Garrett <mjg59@coreos.com>
b915c3f
Date: Wed, 23 Nov 2016 13:41:23 +0000
b915c3f
Subject: [PATCH 27/32] Enable cold boot attack mitigation
b915c3f
b915c3f
---
b915c3f
 arch/x86/boot/compressed/eboot.c | 28 ++++++++++++++++++++++++++++
b915c3f
 1 file changed, 28 insertions(+)
b915c3f
b915c3f
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
1929e3c
index 801c7a1..ef9409b 100644
b915c3f
--- a/arch/x86/boot/compressed/eboot.c
b915c3f
+++ b/arch/x86/boot/compressed/eboot.c
1929e3c
@@ -604,6 +604,31 @@ void setup_graphics(struct boot_params *boot_params)
b915c3f
 	}
b915c3f
 }
1929e3c
 
b915c3f
+#define MEMORY_ONLY_RESET_CONTROL_GUID \
b915c3f
+	EFI_GUID (0xe20939be, 0x32d4, 0x41be, 0xa1, 0x50, 0x89, 0x7f, 0x85, 0xd4, 0x98, 0x29)
b915c3f
+
b915c3f
+static void enable_reset_attack_mitigation(void)
b915c3f
+{
b915c3f
+	static const efi_guid_t var_guid = MEMORY_ONLY_RESET_CONTROL_GUID;
b915c3f
+	static const efi_char16_t MemoryOverwriteRequestControl_name[] = {
b915c3f
+		'M', 'e', 'm', 'o', 'r', 'y',
b915c3f
+		'O', 'v', 'e', 'r', 'w', 'r', 'i', 't', 'e',
b915c3f
+		'R', 'e', 'q', 'u', 'e', 's', 't',
b915c3f
+		'C', 'o', 'n', 't', 'r', 'o', 'l',
b915c3f
+		0
b915c3f
+	};
b915c3f
+	u8 val = 1;
b915c3f
+
b915c3f
+	/* Ignore the return value here - there's not really a lot we can do */
b915c3f
+	efi_call_runtime(set_variable,
b915c3f
+			(efi_char16_t *)MemoryOverwriteRequestControl_name,
b915c3f
+			(efi_guid_t *)&var_guid,
b915c3f
+			EFI_VARIABLE_NON_VOLATILE |
b915c3f
+			EFI_VARIABLE_BOOTSERVICE_ACCESS |
b915c3f
+			EFI_VARIABLE_RUNTIME_ACCESS,
b915c3f
+			sizeof(val), val);
b915c3f
+}
b915c3f
+
b915c3f
 /*
b915c3f
  * Because the x86 boot code expects to be passed a boot_params we
b915c3f
  * need to create one ourselves (usually the bootloader would create
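Review bot: The set_variable call passes `val` by value where the EFI SetVariable data argument is a pointer, so the firmware is handed the integer 1 as an address rather than the byte to store; the last argument should read `sizeof(val), &val);`. Because efi_call_runtime is a variadic wrapper no type check catches this, and since the comment above it says the return value is deliberately ignored, the mitigation would fail silently on every boot while appearing to be enabled. Consider also reading the variable first and skipping the write when it already holds 1, because an unconditional EFI_VARIABLE_NON_VOLATILE write on every boot wears the firmware's variable store; that is inferred from the attribute flags here, not from visible code. Separately, this commit has no description body and no Signed-off-by trailer; a sentence on what MemoryOverwriteRequestControl asks the firmware to do (the "clear memory if we don't have a clean shutdown" comment in the efi_main hunk is a good start) belongs in the commit message.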
1929e3c
@@ -988,6 +1013,9 @@ struct boot_params *efi_main(struct efi_config *c,
b915c3f
 	else
b915c3f
 		setup_boot_services32(efi_early);
1929e3c
 
b915c3f
+	/* Ask the firmware to clear memory if we don't have a clean shutdown */
b915c3f
+	enable_reset_attack_mitigation();
b915c3f
+
1929e3c
 	/*
1929e3c
 	 * If the boot loader gave us a value for secure_boot then we use that,
1929e3c
 	 * otherwise we ask the BIOS.
b915c3f
-- 
1929e3c
2.7.5
b915c3f
1929e3c
From 6cff44c809671affbf65ac2e0d0c2b0a0f705756 Mon Sep 17 00:00:00 2001
b915c3f
From: "Lee, Chun-Yi" <jlee@suse.com>
b915c3f
Date: Wed, 23 Nov 2016 13:52:16 +0000
1929e3c
Subject: [PATCH 28/32] bpf: Restrict kernel image access functions when the kernel
1929e3c
 is locked down
b915c3f
b915c3f
There are some bpf functions that can be used to read kernel memory:
b915c3f
bpf_probe_read, bpf_probe_write_user and bpf_trace_printk.  These allow
b915c3f
private keys in kernel memory (e.g. the hibernation image signing key) to
b915c3f
be read by an eBPF program.  Prohibit those functions when the kernel is
b915c3f
locked down.
b915c3f
b915c3f
Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
b915c3f
Signed-off-by: David Howells <dhowells@redhat.com>
b915c3f
---
b915c3f
 kernel/trace/bpf_trace.c | 11 +++++++++++
b915c3f
 1 file changed, 11 insertions(+)
b915c3f
b915c3f
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
1929e3c
index cee9802..7fde851 100644
b915c3f
--- a/kernel/trace/bpf_trace.c
b915c3f
+++ b/kernel/trace/bpf_trace.c
b915c3f
@@ -65,6 +65,11 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr)
b915c3f
 {
b915c3f
 	int ret;
1929e3c
 
b915c3f
+	if (kernel_is_locked_down()) {
b915c3f
+		memset(dst, 0, size);
b915c3f
+		return -EPERM;
b915c3f
+	}
b915c3f
+
b915c3f
 	ret = probe_kernel_read(dst, unsafe_ptr, size);
b915c3f
 	if (unlikely(ret < 0))
b915c3f
 		memset(dst, 0, size);
b915c3f
@@ -84,6 +89,9 @@ static const struct bpf_func_proto bpf_probe_read_proto = {
b915c3f
 BPF_CALL_3(bpf_probe_write_user, void *, unsafe_ptr, const void *, src,
b915c3f
 	   u32, size)
b915c3f
 {
b915c3f
+	if (kernel_is_locked_down())
b915c3f
+		return -EPERM;
b915c3f
+
b915c3f
 	/*
b915c3f
 	 * Ensure we're in user context which is safe for the helper to
b915c3f
 	 * run. This helper has no business in a kthread.
b915c3f
@@ -143,6 +151,9 @@ BPF_CALL_5(bpf_trace_printk, char *, fmt, u32, fmt_size, u64, arg1,
b915c3f
 	if (fmt[--fmt_size] != 0)
b915c3f
 		return -EINVAL;
1929e3c
 
b915c3f
+	if (kernel_is_locked_down())
b915c3f
+		return __trace_printk(1, fmt, 0, 0, 0);
b915c3f
+
b915c3f
 	/* check format string for allowed specifiers */
b915c3f
 	for (i = 0; i < fmt_size; i++) {
b915c3f
 		if ((!isprint(fmt[i]) && !isspace(fmt[i])) || !isascii(fmt[i]))
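Review bot: In bpf_trace_printk the lockdown early-out hands `fmt` to `__trace_printk(1, fmt, 0, 0, 0)` before the loop that vets the format string for allowed specifiers has run, so under lockdown the one input the BPF verifier cannot check is the one that skips validation; the other two helpers in this commit simply fail with -EPERM. Returning `-EPERM` here as well, or if a trace record is wanted placing the check after the specifier loop, keeps the validated-format invariant intact and makes the three helpers behave alike. The literal `1` passed as the ip argument also deserves a comment or a real value, since it is not a meaningful instruction pointer. bpf_trace_printk's body continues outside the hunk on both sides.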
b915c3f
-- 
1929e3c
2.7.5
b915c3f
1929e3c
From 9c7dd48309e4d8e18a9979f6c0cbf9c7b8bf4ea1 Mon Sep 17 00:00:00 2001
b915c3f
From: David Howells <dhowells@redhat.com>
b915c3f
Date: Tue, 22 Nov 2016 10:10:34 +0000
b915c3f
Subject: [PATCH 29/32] scsi: Lock down the eata driver
b915c3f
b915c3f
When the kernel is running in secure boot mode, we lock down the kernel to
b915c3f
prevent userspace from modifying the running kernel image.  Whilst this
b915c3f
includes prohibiting access to things like /dev/mem, it must also prevent
b915c3f
access by means of configuring driver modules in such a way as to cause a
b915c3f
device to access or modify the kernel image.
b915c3f
b915c3f
The eata driver takes a single string parameter that contains a slew of
b915c3f
settings, including hardware resource configuration.  Prohibit use of the
b915c3f
parameter if the kernel is locked down.
b915c3f
b915c3f
Suggested-by: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
b915c3f
Signed-off-by: David Howells <dhowells@redhat.com>
b915c3f
cc: Dario Ballabio <ballabio_dario@emc.com>
b915c3f
cc: "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>
b915c3f
cc: "Martin K. Petersen" <martin.petersen@oracle.com>
b915c3f
cc: linux-scsi@vger.kernel.org
b915c3f
---
b915c3f
 drivers/scsi/eata.c | 7 ++++++-
b915c3f
 1 file changed, 6 insertions(+), 1 deletion(-)
b915c3f
b915c3f
diff --git a/drivers/scsi/eata.c b/drivers/scsi/eata.c
b915c3f
index 227dd2c..5c036d1 100644
b915c3f
--- a/drivers/scsi/eata.c
b915c3f
+++ b/drivers/scsi/eata.c
b915c3f
@@ -1552,8 +1552,13 @@ static int eata2x_detect(struct scsi_host_template *tpnt)
1929e3c
 
b915c3f
 	tpnt->proc_name = "eata2x";
1929e3c
 
b915c3f
-	if (strlen(boot_options))
b915c3f
+	if (strlen(boot_options)) {
b915c3f
+		if (kernel_is_locked_down()) {
b915c3f
+			pr_err("Command line-specified device addresses, irqs and dma channels are not permitted when the kernel is locked down\n");
b915c3f
+			return -EPERM;
b915c3f
+		}
b915c3f
 		option_setup(boot_options);
b915c3f
+	}
1929e3c
 
b915c3f
 #if defined(MODULE)
b915c3f
 	/* io_port could have been modified when loading as a module */
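Review bot: eata2x_detect returns -EPERM, but legacy SCSI detect routines of this shape historically return the number of host adapters found rather than an errno; if the caller (outside this hunk) treats any non-zero result as success, a locked-down boot would register the driver with no hosts while the error code is lost. Confirm the caller's contract and, if it counts hosts, `return 0;` after the pr_err so the driver simply finds nothing. The pr_err text is clear, though "Command line-specified" also covers the module parameter path that the `#if defined(MODULE)` block below this hunk suggests exists.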
b915c3f
-- 
1929e3c
2.7.5
b915c3f
1929e3c
From 5e2b99e099ba52131c7a87695b294961a0bf54f1 Mon Sep 17 00:00:00 2001
b915c3f
From: David Howells <dhowells@redhat.com>
b915c3f
Date: Fri, 25 Nov 2016 14:37:45 +0000
1929e3c
Subject: [PATCH 30/32] Prohibit PCMCIA CIS storage when the kernel is locked down
b915c3f
b915c3f
Prohibit replacement of the PCMCIA Card Information Structure when the
b915c3f
kernel is locked down.
b915c3f
b915c3f
Signed-off-by: David Howells <dhowells@redhat.com>
b915c3f
---
b915c3f
 drivers/pcmcia/cistpl.c | 5 +++++
b915c3f
 1 file changed, 5 insertions(+)
b915c3f
b915c3f
diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c
b915c3f
index 55ef7d1..193e4f7 100644
b915c3f
--- a/drivers/pcmcia/cistpl.c
b915c3f
+++ b/drivers/pcmcia/cistpl.c
b915c3f
@@ -1578,6 +1578,11 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj,
b915c3f
 	struct pcmcia_socket *s;
b915c3f
 	int error;
1929e3c
 
b915c3f
+	if (kernel_is_locked_down()) {
b915c3f
+		pr_err("Direct CIS storage isn't permitted when the kernel is locked down\n");
b915c3f
+		return -EPERM;
b915c3f
+	}
b915c3f
+
b915c3f
 	s = to_socket(container_of(kobj, struct device, kobj));
1929e3c
 
b915c3f
 	if (off)
b915c3f
-- 
1929e3c
2.7.5
b915c3f
1929e3c
From 6d6e052a6c2df0a7a492439efe1ac6d62498e0d4 Mon Sep 17 00:00:00 2001
b915c3f
From: David Howells <dhowells@redhat.com>
b915c3f
Date: Wed, 7 Dec 2016 10:28:39 +0000
b915c3f
Subject: [PATCH 31/32] Lock down TIOCSSERIAL
b915c3f
b915c3f
Lock down TIOCSSERIAL as that can be used to change the ioport and irq
b915c3f
settings on a serial port.  This only appears to be an issue for the serial
b915c3f
drivers that use the core serial code.  All other drivers seem to either
b915c3f
ignore attempts to change port/irq or give an error.
b915c3f
b915c3f
Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
b915c3f
Signed-off-by: David Howells <dhowells@redhat.com>
b915c3f
---
b915c3f
 drivers/tty/serial/serial_core.c | 6 ++++++
b915c3f
 1 file changed, 6 insertions(+)
b915c3f
b915c3f
diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
1929e3c
index 3fe5689..4181b00 100644
b915c3f
--- a/drivers/tty/serial/serial_core.c
b915c3f
+++ b/drivers/tty/serial/serial_core.c
1929e3c
@@ -821,6 +821,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port,
b915c3f
 	new_flags = new_info->flags;
b915c3f
 	old_custom_divisor = uport->custom_divisor;
1929e3c
 
b915c3f
+	if ((change_port || change_irq) && kernel_is_locked_down()) {
b915c3f
+		pr_err("Using TIOCSSERIAL to change device addresses, irqs and dma channels is not permitted when the kernel is locked down\n");
b915c3f
+		retval = -EPERM;
b915c3f
+		goto exit;
b915c3f
+	}
b915c3f
+
b915c3f
 	if (!capable(CAP_SYS_ADMIN)) {
b915c3f
 		retval = -EPERM;
b915c3f
 		if (change_irq || change_port ||
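Review bot: The new pr_err sits before the existing CAP_SYS_ADMIN test, so if, as that test implies, an unprivileged process holding the tty can reach uart_set_info, every TIOCSSERIAL attempt that touches port or irq now writes an unratelimited error line, which gives an unprivileged user a way to flood the log; `pr_err_ratelimited` would keep the visibility without that side effect. The message also says "device addresses, irqs and dma channels" while the condition only guards `change_port || change_irq`, so either trim it to `... to change device addresses or irqs is not permitted ...` or extend the condition if serial_struct carries a DMA field that should be covered. Using the function's `goto exit` unwind rather than a bare return is the right shape here, since uart_set_info's locking and the `exit:` label are outside the hunk.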
b915c3f
-- 
1929e3c
2.7.5
1929e3c