b03622d
From 1235d72fe1d34f9961051d159af3b48a1617ff0a Mon Sep 17 00:00:00 2001
962ea4f
From: David Howells <dhowells@redhat.com>
b03622d
Date: Tue, 27 Feb 2018 10:04:50 +0000
b03622d
Subject: [PATCH 01/31] Add the ability to lock down access to the running
3ff7c26
 kernel image
962ea4f
962ea4f
Provide a single call to allow kernel code to determine whether the system
962ea4f
should be locked down, thereby disallowing various accesses that might
962ea4f
allow the running kernel image to be changed including the loading of
962ea4f
modules that aren't validly signed with a key we recognise, fiddling with
962ea4f
MSR registers and disallowing hibernation,
962ea4f
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
c75cb4d
Acked-by: James Morris <james.l.morris@oracle.com>
962ea4f
---
c75cb4d
 include/linux/kernel.h   | 17 ++++++++++++++
c75cb4d
 include/linux/security.h |  8 +++++++
c75cb4d
 security/Kconfig         |  8 +++++++
962ea4f
 security/Makefile        |  3 +++
c75cb4d
 security/lock_down.c     | 60 ++++++++++++++++++++++++++++++++++++++++++++++++
c75cb4d
 5 files changed, 96 insertions(+)
962ea4f
 create mode 100644 security/lock_down.c
962ea4f
962ea4f
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
b03622d
index 3fd291503576..dcc8916098e7 100644
962ea4f
--- a/include/linux/kernel.h
962ea4f
+++ b/include/linux/kernel.h
b03622d
@@ -306,6 +306,23 @@ static inline void refcount_error_report(struct pt_regs *regs, const char *err)
c75cb4d
 { }
c75cb4d
 #endif
c75cb4d
962ea4f
+#ifdef CONFIG_LOCK_DOWN_KERNEL
c75cb4d
+extern bool __kernel_is_locked_down(const char *what, bool first);
962ea4f
+#else
c75cb4d
+static inline bool __kernel_is_locked_down(const char *what, bool first)
962ea4f
+{
962ea4f
+	return false;
962ea4f
+}
962ea4f
+#endif
962ea4f
+
c75cb4d
+#define kernel_is_locked_down(what)					\
c75cb4d
+	({								\
c75cb4d
+		static bool message_given;				\
c75cb4d
+		bool locked_down = __kernel_is_locked_down(what, !message_given); \
c75cb4d
+		message_given = true;					\
c75cb4d
+		locked_down;						\
c75cb4d
+	})
c75cb4d
+
962ea4f
 /* Internal, do not use. */
962ea4f
 int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res);
962ea4f
 int __must_check _kstrtol(const char *s, unsigned int base, long *res);
962ea4f
diff --git a/include/linux/security.h b/include/linux/security.h
b03622d
index 73f1ef625d40..2e9690f3d1ce 100644
962ea4f
--- a/include/linux/security.h
962ea4f
+++ b/include/linux/security.h
b03622d
@@ -1801,5 +1801,13 @@ static inline void free_secdata(void *secdata)
962ea4f
 { }
962ea4f
 #endif /* CONFIG_SECURITY */
c75cb4d
962ea4f
+#ifdef CONFIG_LOCK_DOWN_KERNEL
c75cb4d
+extern void __init init_lockdown(void);
962ea4f
+#else
c75cb4d
+static inline void __init init_lockdown(void)
962ea4f
+{
962ea4f
+}
962ea4f
+#endif
962ea4f
+
962ea4f
 #endif /* ! __LINUX_SECURITY_H */
c75cb4d
962ea4f
diff --git a/security/Kconfig b/security/Kconfig
b03622d
index c4302067a3ad..a9e6207d287e 100644
962ea4f
--- a/security/Kconfig
962ea4f
+++ b/security/Kconfig
b03622d
@@ -231,6 +231,14 @@ config STATIC_USERMODEHELPER_PATH
c796f87
 	  If you wish for all usermode helper programs to be disabled,
c796f87
 	  specify an empty string here (i.e. "").
c75cb4d
962ea4f
+config LOCK_DOWN_KERNEL
962ea4f
+	bool "Allow the kernel to be 'locked down'"
962ea4f
+	help
962ea4f
+	  Allow the kernel to be locked down under certain circumstances, for
962ea4f
+	  instance if UEFI secure boot is enabled.  Locking down the kernel
962ea4f
+	  turns off various features that might otherwise allow access to the
962ea4f
+	  kernel image (eg. setting MSR registers).
962ea4f
+
962ea4f
 source security/selinux/Kconfig
962ea4f
 source security/smack/Kconfig
962ea4f
 source security/tomoyo/Kconfig
962ea4f
diff --git a/security/Makefile b/security/Makefile
b03622d
index 4d2d3782ddef..507ac8c520ce 100644
962ea4f
--- a/security/Makefile
962ea4f
+++ b/security/Makefile
b03622d
@@ -30,3 +30,6 @@ obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o
962ea4f
 # Object integrity file lists
962ea4f
 subdir-$(CONFIG_INTEGRITY)		+= integrity
962ea4f
 obj-$(CONFIG_INTEGRITY)			+= integrity/
962ea4f
+
962ea4f
+# Allow the kernel to be locked down
962ea4f
+obj-$(CONFIG_LOCK_DOWN_KERNEL)		+= lock_down.o
962ea4f
diff --git a/security/lock_down.c b/security/lock_down.c
962ea4f
new file mode 100644
c75cb4d
index 000000000000..d8595c0e6673
962ea4f
--- /dev/null
962ea4f
+++ b/security/lock_down.c
c75cb4d
@@ -0,0 +1,60 @@
962ea4f
+/* Lock down the kernel
962ea4f
+ *
962ea4f
+ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
962ea4f
+ * Written by David Howells (dhowells@redhat.com)
962ea4f
+ *
962ea4f
+ * This program is free software; you can redistribute it and/or
962ea4f
+ * modify it under the terms of the GNU General Public Licence
962ea4f
+ * as published by the Free Software Foundation; either version
962ea4f
+ * 2 of the Licence, or (at your option) any later version.
962ea4f
+ */
962ea4f
+
962ea4f
+#include <linux/security.h>
962ea4f
+#include <linux/export.h>
962ea4f
+
c75cb4d
+static __ro_after_init bool kernel_locked_down;
962ea4f
+
962ea4f
+/*
962ea4f
+ * Put the kernel into lock-down mode.
962ea4f
+ */
c75cb4d
+static void __init lock_kernel_down(const char *where)
962ea4f
+{
c75cb4d
+	if (!kernel_locked_down) {
c75cb4d
+		kernel_locked_down = true;
c75cb4d
+		pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n",
c75cb4d
+			  where);
c75cb4d
+	}
962ea4f
+}
962ea4f
+
c75cb4d
+static int __init lockdown_param(char *ignored)
c75cb4d
+{
c75cb4d
+	lock_kernel_down("command line");
c75cb4d
+	return 0;
c75cb4d
+}
c75cb4d
+
c75cb4d
+early_param("lockdown", lockdown_param);
c75cb4d
+
962ea4f
+/*
c75cb4d
+ * Lock the kernel down from very early in the arch setup.  This must happen
c75cb4d
+ * prior to things like ACPI being initialised.
962ea4f
+ */
c75cb4d
+void __init init_lockdown(void)
962ea4f
+{
c75cb4d
+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
c75cb4d
+	if (efi_enabled(EFI_SECURE_BOOT))
c75cb4d
+		lock_kernel_down("EFI secure boot");
c75cb4d
+#endif
962ea4f
+}
962ea4f
+
962ea4f
+/**
962ea4f
+ * kernel_is_locked_down - Find out if the kernel is locked down
c75cb4d
+ * @what: Tag to use in notice generated if lockdown is in effect
962ea4f
+ */
c75cb4d
+bool __kernel_is_locked_down(const char *what, bool first)
962ea4f
+{
c75cb4d
+	if (what && first && kernel_locked_down)
c75cb4d
+		pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n",
c75cb4d
+			  what);
962ea4f
+	return kernel_locked_down;
962ea4f
+}
c75cb4d
+EXPORT_SYMBOL(__kernel_is_locked_down);
962ea4f
-- 
b03622d
2.14.3
962ea4f
b03622d
From 2c6e78b766569c7a966639346cc2b5a023998adc Mon Sep 17 00:00:00 2001
c75cb4d
From: Kyle McMartin <kyle@redhat.com>
b03622d
Date: Tue, 27 Feb 2018 10:04:50 +0000
b03622d
Subject: [PATCH 02/31] Add a SysRq option to lift kernel lockdown
962ea4f
c75cb4d
Make an option to provide a sysrq key that will lift the kernel lockdown,
c75cb4d
thereby allowing the running kernel image to be accessed and modified.
962ea4f
b03622d
On x86 this is triggered with SysRq+x, but this key may not be available on
b03622d
all arches, so it is set by setting LOCKDOWN_LIFT_KEY in asm/setup.h.
b03622d
Since this macro must be defined in an arch to be able to use this facility
b03622d
for that arch, the Kconfig option is restricted to arches that support it.
962ea4f
c75cb4d
Signed-off-by: Kyle McMartin <kyle@redhat.com>
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
c75cb4d
cc: x86@kernel.org
962ea4f
---
c75cb4d
 arch/x86/include/asm/setup.h |  2 ++
c75cb4d
 drivers/input/misc/uinput.c  |  1 +
c75cb4d
 drivers/tty/sysrq.c          | 19 ++++++++++++------
c75cb4d
 include/linux/input.h        |  5 +++++
c75cb4d
 include/linux/sysrq.h        |  8 +++++++-
c75cb4d
 kernel/debug/kdb/kdb_main.c  |  2 +-
b03622d
 security/Kconfig             | 10 ++++++++++
c75cb4d
 security/lock_down.c         | 47 ++++++++++++++++++++++++++++++++++++++++++++
b03622d
 8 files changed, 86 insertions(+), 8 deletions(-)
c75cb4d
c75cb4d
diff --git a/arch/x86/include/asm/setup.h b/arch/x86/include/asm/setup.h
b03622d
index ae13bc974416..3108e297d87d 100644
c75cb4d
--- a/arch/x86/include/asm/setup.h
c75cb4d
+++ b/arch/x86/include/asm/setup.h
b03622d
@@ -9,6 +9,8 @@
c75cb4d
 #include <linux/linkage.h>
c75cb4d
 #include <asm/page_types.h>
c75cb4d
c75cb4d
+#define LOCKDOWN_LIFT_KEY 'x'
962ea4f
+
c75cb4d
 #ifdef __i386__
962ea4f
c75cb4d
 #include <linux/pfn.h>
962ea4f
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
b03622d
index 96a887f33698..027c730631cc 100644
962ea4f
--- a/drivers/input/misc/uinput.c
962ea4f
+++ b/drivers/input/misc/uinput.c
b03622d
@@ -365,6 +365,7 @@ static int uinput_create_device(struct uinput_device *udev)
99240ed
 		dev->flush = uinput_dev_flush;
99240ed
 	}
b03622d
99240ed
+	dev->flags |= INPUTDEV_FLAGS_SYNTHETIC;
99240ed
 	dev->event = uinput_dev_event;
b03622d
962ea4f
 	input_set_drvdata(udev->dev, udev);
962ea4f
diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
b03622d
index b674793be478..7c06541b422e 100644
962ea4f
--- a/drivers/tty/sysrq.c
962ea4f
+++ b/drivers/tty/sysrq.c
b03622d
@@ -487,6 +487,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
962ea4f
 	/* x: May be registered on mips for TLB dump */
962ea4f
 	/* x: May be registered on ppc/powerpc for xmon */
962ea4f
 	/* x: May be registered on sparc64 for global PMU dump */
962ea4f
+	/* x: May be registered on x86_64 for disabling secure boot */
962ea4f
 	NULL,				/* x */
962ea4f
 	/* y: May be registered on sparc64 for global register dump */
962ea4f
 	NULL,				/* y */
b03622d
@@ -530,7 +531,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
962ea4f
                 sysrq_key_table[i] = op_p;
962ea4f
 }
c75cb4d
962ea4f
-void __handle_sysrq(int key, bool check_mask)
962ea4f
+void __handle_sysrq(int key, unsigned int from)
962ea4f
 {
962ea4f
 	struct sysrq_key_op *op_p;
962ea4f
 	int orig_log_level;
b03622d
@@ -550,11 +551,15 @@ void __handle_sysrq(int key, bool check_mask)
c75cb4d
962ea4f
         op_p = __sysrq_get_key_op(key);
962ea4f
         if (op_p) {
962ea4f
+		/* Ban synthetic events from some sysrq functionality */
962ea4f
+		if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) &&
962ea4f
+		    op_p->enable_mask & SYSRQ_DISABLE_USERSPACE)
962ea4f
+			printk("This sysrq operation is disabled from userspace.\n");
962ea4f
 		/*
962ea4f
 		 * Should we check for enabled operations (/proc/sysrq-trigger
962ea4f
 		 * should not) and is the invoked operation enabled?
962ea4f
 		 */
962ea4f
-		if (!check_mask || sysrq_on_mask(op_p->enable_mask)) {
962ea4f
+		if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {
962ea4f
 			pr_cont("%s\n", op_p->action_msg);
962ea4f
 			console_loglevel = orig_log_level;
962ea4f
 			op_p->handler(key);
b03622d
@@ -586,7 +591,7 @@ void __handle_sysrq(int key, bool check_mask)
962ea4f
 void handle_sysrq(int key)
962ea4f
 {
962ea4f
 	if (sysrq_on())
962ea4f
-		__handle_sysrq(key, true);
962ea4f
+		__handle_sysrq(key, SYSRQ_FROM_KERNEL);
962ea4f
 }
962ea4f
 EXPORT_SYMBOL(handle_sysrq);
c75cb4d
b03622d
@@ -667,7 +672,7 @@ static void sysrq_do_reset(struct timer_list *t)
962ea4f
 static void sysrq_handle_reset_request(struct sysrq_state *state)
962ea4f
 {
962ea4f
 	if (state->reset_requested)
962ea4f
-		__handle_sysrq(sysrq_xlate[KEY_B], false);
962ea4f
+		__handle_sysrq(sysrq_xlate[KEY_B], SYSRQ_FROM_KERNEL);
c75cb4d
962ea4f
 	if (sysrq_reset_downtime_ms)
962ea4f
 		mod_timer(&state->keyreset_timer,
b03622d
@@ -818,8 +823,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
c75cb4d
962ea4f
 	default:
962ea4f
 		if (sysrq->active && value && value != 2) {
962ea4f
+			int from = sysrq->handle.dev->flags & INPUTDEV_FLAGS_SYNTHETIC ?
962ea4f
+					SYSRQ_FROM_SYNTHETIC : 0;
962ea4f
 			sysrq->need_reinject = false;
962ea4f
-			__handle_sysrq(sysrq_xlate[code], true);
962ea4f
+			__handle_sysrq(sysrq_xlate[code], from);
962ea4f
 		}
962ea4f
 		break;
962ea4f
 	}
b03622d
@@ -1102,7 +1109,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
c75cb4d
962ea4f
 		if (get_user(c, buf))
962ea4f
 			return -EFAULT;
962ea4f
-		__handle_sysrq(c, false);
962ea4f
+		__handle_sysrq(c, SYSRQ_FROM_PROC);
962ea4f
 	}
c75cb4d
962ea4f
 	return count;
962ea4f
diff --git a/include/linux/input.h b/include/linux/input.h
b03622d
index 7c7516eb7d76..38cd0ea72c37 100644
962ea4f
--- a/include/linux/input.h
962ea4f
+++ b/include/linux/input.h
962ea4f
@@ -42,6 +42,7 @@ struct input_value {
962ea4f
  * @phys: physical path to the device in the system hierarchy
962ea4f
  * @uniq: unique identification code for the device (if device has it)
962ea4f
  * @id: id of the device (struct input_id)
962ea4f
+ * @flags: input device flags (SYNTHETIC, etc.)
962ea4f
  * @propbit: bitmap of device properties and quirks
962ea4f
  * @evbit: bitmap of types of events supported by the device (EV_KEY,
962ea4f
  *	EV_REL, etc.)
962ea4f
@@ -124,6 +125,8 @@ struct input_dev {
962ea4f
 	const char *uniq;
962ea4f
 	struct input_id id;
c75cb4d
962ea4f
+	unsigned int flags;
962ea4f
+
962ea4f
 	unsigned long propbit[BITS_TO_LONGS(INPUT_PROP_CNT)];
c75cb4d
962ea4f
 	unsigned long evbit[BITS_TO_LONGS(EV_CNT)];
962ea4f
@@ -190,6 +193,8 @@ struct input_dev {
962ea4f
 };
962ea4f
 #define to_input_dev(d) container_of(d, struct input_dev, dev)
c75cb4d
962ea4f
+#define	INPUTDEV_FLAGS_SYNTHETIC	0x000000001
962ea4f
+
962ea4f
 /*
962ea4f
  * Verify that we are in sync with input_device_id mod_devicetable.h #defines
962ea4f
  */
962ea4f
diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h
b03622d
index 8c71874e8485..7de1f08b60a9 100644
962ea4f
--- a/include/linux/sysrq.h
962ea4f
+++ b/include/linux/sysrq.h
b03622d
@@ -29,6 +29,8 @@
962ea4f
 #define SYSRQ_ENABLE_BOOT	0x0080
962ea4f
 #define SYSRQ_ENABLE_RTNICE	0x0100
c75cb4d
962ea4f
+#define SYSRQ_DISABLE_USERSPACE	0x00010000
962ea4f
+
962ea4f
 struct sysrq_key_op {
962ea4f
 	void (*handler)(int);
962ea4f
 	char *help_msg;
b03622d
@@ -43,8 +45,12 @@ struct sysrq_key_op {
962ea4f
  * are available -- else NULL's).
962ea4f
  */
c75cb4d
962ea4f
+#define SYSRQ_FROM_KERNEL	0x0001
962ea4f
+#define SYSRQ_FROM_PROC		0x0002
962ea4f
+#define SYSRQ_FROM_SYNTHETIC	0x0004
962ea4f
+
962ea4f
 void handle_sysrq(int key);
962ea4f
-void __handle_sysrq(int key, bool check_mask);
962ea4f
+void __handle_sysrq(int key, unsigned int from);
962ea4f
 int register_sysrq_key(int key, struct sysrq_key_op *op);
962ea4f
 int unregister_sysrq_key(int key, struct sysrq_key_op *op);
962ea4f
 struct sysrq_key_op *__sysrq_get_key_op(int key);
962ea4f
diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
b03622d
index dbb0781a0533..aae9a0f44058 100644
962ea4f
--- a/kernel/debug/kdb/kdb_main.c
962ea4f
+++ b/kernel/debug/kdb/kdb_main.c
c75cb4d
@@ -1970,7 +1970,7 @@ static int kdb_sr(int argc, const char **argv)
962ea4f
 		return KDB_ARGCOUNT;
c75cb4d
962ea4f
 	kdb_trap_printk++;
962ea4f
-	__handle_sysrq(*argv[1], check_mask);
962ea4f
+	__handle_sysrq(*argv[1], check_mask ? SYSRQ_FROM_KERNEL : 0);
962ea4f
 	kdb_trap_printk--;
c75cb4d
962ea4f
 	return 0;
c75cb4d
diff --git a/security/Kconfig b/security/Kconfig
b03622d
index a9e6207d287e..461d5acc3616 100644
c75cb4d
--- a/security/Kconfig
c75cb4d
+++ b/security/Kconfig
b03622d
@@ -239,6 +239,16 @@ config LOCK_DOWN_KERNEL
c75cb4d
 	  turns off various features that might otherwise allow access to the
c75cb4d
 	  kernel image (eg. setting MSR registers).
c75cb4d
c75cb4d
+config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
c75cb4d
+	bool "Allow the kernel lockdown to be lifted by SysRq"
b03622d
+	depends on LOCK_DOWN_KERNEL
b03622d
+	depends on MAGIC_SYSRQ
b03622d
+	depends on X86
c75cb4d
+	help
c75cb4d
+	  Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
c75cb4d
+	  combination on a wired keyboard.
c75cb4d
+
c75cb4d
+
c75cb4d
 source security/selinux/Kconfig
c75cb4d
 source security/smack/Kconfig
c75cb4d
 source security/tomoyo/Kconfig
c75cb4d
diff --git a/security/lock_down.c b/security/lock_down.c
c75cb4d
index d8595c0e6673..2c6b00f0c229 100644
c75cb4d
--- a/security/lock_down.c
c75cb4d
+++ b/security/lock_down.c
c75cb4d
@@ -11,8 +11,14 @@
c75cb4d
c75cb4d
 #include <linux/security.h>
c75cb4d
 #include <linux/export.h>
c75cb4d
+#include <linux/sysrq.h>
c75cb4d
+#include <asm/setup.h>
c75cb4d
c75cb4d
+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
c75cb4d
+static __read_mostly bool kernel_locked_down;
c75cb4d
+#else
c75cb4d
 static __ro_after_init bool kernel_locked_down;
c75cb4d
+#endif
c75cb4d
c75cb4d
 /*
c75cb4d
  * Put the kernel into lock-down mode.
c75cb4d
@@ -58,3 +64,44 @@ bool __kernel_is_locked_down(const char *what, bool first)
c75cb4d
 	return kernel_locked_down;
c75cb4d
 }
c75cb4d
 EXPORT_SYMBOL(__kernel_is_locked_down);
c75cb4d
+
c75cb4d
+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
c75cb4d
+
c75cb4d
+/*
c75cb4d
+ * Take the kernel out of lockdown mode.
c75cb4d
+ */
c75cb4d
+static void lift_kernel_lockdown(void)
c75cb4d
+{
c75cb4d
+	pr_notice("Lifting lockdown\n");
c75cb4d
+	kernel_locked_down = false;
c75cb4d
+}
c75cb4d
+
c75cb4d
+/*
c75cb4d
+ * Allow lockdown to be lifted by pressing something like SysRq+x (and not by
c75cb4d
+ * echoing the appropriate letter into the sysrq-trigger file).
c75cb4d
+ */
c75cb4d
+static void sysrq_handle_lockdown_lift(int key)
c75cb4d
+{
c75cb4d
+	if (kernel_locked_down)
c75cb4d
+		lift_kernel_lockdown();
c75cb4d
+}
c75cb4d
+
c75cb4d
+static struct sysrq_key_op lockdown_lift_sysrq_op = {
c75cb4d
+	.handler	= sysrq_handle_lockdown_lift,
c75cb4d
+	.help_msg	= "unSB(x)",
c75cb4d
+	.action_msg	= "Disabling Secure Boot restrictions",
c75cb4d
+	.enable_mask	= SYSRQ_DISABLE_USERSPACE,
c75cb4d
+};
c75cb4d
+
c75cb4d
+static int __init lockdown_lift_sysrq(void)
c75cb4d
+{
c75cb4d
+	if (kernel_locked_down) {
c75cb4d
+		lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY;
c75cb4d
+		register_sysrq_key(LOCKDOWN_LIFT_KEY, &lockdown_lift_sysrq_op);
c75cb4d
+	}
c75cb4d
+	return 0;
c75cb4d
+}
c75cb4d
+
c75cb4d
+late_initcall(lockdown_lift_sysrq);
c75cb4d
+
c75cb4d
+#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */
c75cb4d
-- 
b03622d
2.14.3
b03622d
b03622d
From 16376a9b88db8d79637fbda7576ced261050eb2a Mon Sep 17 00:00:00 2001
b03622d
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
b03622d
Date: Tue, 27 Feb 2018 10:04:50 +0000
b03622d
Subject: [PATCH 03/31] ima: require secure_boot rules in lockdown mode
b03622d
b03622d
Require the "secure_boot" rules, whether or not it is specified
b03622d
on the boot command line, for both the builtin and custom policies
b03622d
in secure boot lockdown mode.
b03622d
b03622d
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
b03622d
Signed-off-by: David Howells <dhowells@redhat.com>
b03622d
---
b03622d
 security/integrity/ima/ima_policy.c | 39 +++++++++++++++++++++++++++----------
b03622d
 1 file changed, 29 insertions(+), 10 deletions(-)
b03622d
b03622d
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
b03622d
index 915f5572c6ff..830ce0de5386 100644
b03622d
--- a/security/integrity/ima/ima_policy.c
b03622d
+++ b/security/integrity/ima/ima_policy.c
b03622d
@@ -431,14 +431,21 @@ void ima_update_policy_flag(void)
b03622d
  */
b03622d
 void __init ima_init_policy(void)
b03622d
 {
b03622d
-	int i, measure_entries, appraise_entries, secure_boot_entries;
b03622d
+	int i;
b03622d
+	int measure_entries = 0;
b03622d
+	int appraise_entries = 0;
b03622d
+	int secure_boot_entries = 0;
b03622d
+	bool kernel_locked_down = __kernel_is_locked_down(NULL, false);
b03622d
b03622d
 	/* if !ima_policy set entries = 0 so we load NO default rules */
b03622d
-	measure_entries = ima_policy ? ARRAY_SIZE(dont_measure_rules) : 0;
b03622d
-	appraise_entries = ima_use_appraise_tcb ?
b03622d
-			 ARRAY_SIZE(default_appraise_rules) : 0;
b03622d
-	secure_boot_entries = ima_use_secure_boot ?
b03622d
-			ARRAY_SIZE(secure_boot_rules) : 0;
b03622d
+	if (ima_policy)
b03622d
+		measure_entries = ARRAY_SIZE(dont_measure_rules);
b03622d
+
b03622d
+	if (ima_use_appraise_tcb)
b03622d
+		appraise_entries = ARRAY_SIZE(default_appraise_rules);
b03622d
+
b03622d
+	if (ima_use_secure_boot || kernel_locked_down)
b03622d
+		secure_boot_entries = ARRAY_SIZE(secure_boot_rules);
b03622d
b03622d
 	for (i = 0; i < measure_entries; i++)
b03622d
 		list_add_tail(&dont_measure_rules[i].list, &ima_default_rules);
b03622d
@@ -459,11 +466,23 @@ void __init ima_init_policy(void)
b03622d
b03622d
 	/*
b03622d
 	 * Insert the appraise rules requiring file signatures, prior to
b03622d
-	 * any other appraise rules.
b03622d
+	 * any other appraise rules.  In secure boot lock-down mode, also
b03622d
+	 * require these appraise rules for custom policies.
b03622d
 	 */
b03622d
-	for (i = 0; i < secure_boot_entries; i++)
b03622d
-		list_add_tail(&secure_boot_rules[i].list,
b03622d
-			      &ima_default_rules);
b03622d
+	for (i = 0; i < secure_boot_entries; i++) {
b03622d
+		struct ima_rule_entry *entry;
b03622d
+
b03622d
+		/* Include for builtin policies */
b03622d
+		list_add_tail(&secure_boot_rules[i].list, &ima_default_rules);
b03622d
+
b03622d
+		/* Include for custom policies */
b03622d
+		if (kernel_locked_down) {
b03622d
+			entry = kmemdup(&secure_boot_rules[i], sizeof(*entry),
b03622d
+					GFP_KERNEL);
b03622d
+			if (entry)
b03622d
+				list_add_tail(&entry->list, &ima_policy_rules);
b03622d
+		}
b03622d
+	}
c75cb4d
b03622d
 	for (i = 0; i < appraise_entries; i++) {
b03622d
 		list_add_tail(&default_appraise_rules[i].list,
b03622d
-- 
b03622d
2.14.3
b03622d
b03622d
From 7c0d4949d8343a3b6ceca21f3d7710b20f283de0 Mon Sep 17 00:00:00 2001
c75cb4d
From: David Howells <dhowells@redhat.com>
b03622d
Date: Tue, 27 Feb 2018 10:04:50 +0000
b03622d
Subject: [PATCH 04/31] Enforce module signatures if the kernel is locked down
c75cb4d
c75cb4d
If the kernel is locked down, require that all modules have valid
b03622d
signatures that we can verify or that IMA can validate the file.
b03622d
b03622d
I have adjusted the errors generated:
b03622d
b03622d
 (1) If there's no signature (ENODATA) or we can't check it (ENOPKG,
b03622d
     ENOKEY), then:
b03622d
b03622d
     (a) If signatures are enforced then EKEYREJECTED is returned.
b03622d
b03622d
     (b) If IMA will have validated the image, return 0 (okay).
b03622d
b03622d
     (c) If there's no signature or we can't check it, but the kernel is
b03622d
	 locked down then EPERM is returned (this is then consistent with
b03622d
	 other lockdown cases).
b03622d
b03622d
 (2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails
b03622d
     the check (EKEYREJECTED) or a system error occurs (eg. ENOMEM), we
b03622d
     return the error we got.
b03622d
b03622d
Note that the X.509 code doesn't check for key expiry as the RTC might not
b03622d
be valid or might not have been transferred to the kernel's clock yet.
c75cb4d
c75cb4d
Signed-off-by: David Howells <dhowells@redhat.com>
b03622d
Reviewed-by: Jiri Bohac <jbohac@suse.cz>
b03622d
cc: "Lee, Chun-Yi" <jlee@suse.com>
b03622d
cc: James Morris <james.l.morris@oracle.com>
c75cb4d
---
b03622d
 kernel/module.c | 56 +++++++++++++++++++++++++++++++++++++++++++-------------
b03622d
 1 file changed, 43 insertions(+), 13 deletions(-)
c75cb4d
c75cb4d
diff --git a/kernel/module.c b/kernel/module.c
b03622d
index ad2d420024f6..62419cf48ef6 100644
c75cb4d
--- a/kernel/module.c
c75cb4d
+++ b/kernel/module.c
b03622d
@@ -64,6 +64,7 @@
b03622d
 #include <linux/bsearch.h>
b03622d
 #include <linux/dynamic_debug.h>
b03622d
 #include <linux/audit.h>
b03622d
+#include <linux/ima.h>
b03622d
 #include <uapi/linux/module.h>
b03622d
 #include "module-internal.h"
b03622d
b03622d
@@ -2765,10 +2766,12 @@ static inline void kmemleak_load_module(const struct module *mod,
b03622d
 #endif
b03622d
b03622d
 #ifdef CONFIG_MODULE_SIG
b03622d
-static int module_sig_check(struct load_info *info, int flags)
b03622d
+static int module_sig_check(struct load_info *info, int flags,
b03622d
+			    bool can_do_ima_check)
b03622d
 {
b03622d
-	int err = -ENOKEY;
b03622d
+	int err = -ENODATA;
b03622d
 	const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
b03622d
+	const char *reason;
b03622d
 	const void *mod = info->hdr;
b03622d
b03622d
 	/*
b03622d
@@ -2783,19 +2786,46 @@ static int module_sig_check(struct load_info *info, int flags)
b03622d
 		err = mod_verify_sig(mod, &info->len);
c75cb4d
 	}
c75cb4d
b03622d
-	if (!err) {
b03622d
+	switch (err) {
b03622d
+	case 0:
b03622d
 		info->sig_ok = true;
b03622d
 		return 0;
b03622d
-	}
b03622d
b03622d
-	/* Not having a signature is only an error if we're strict. */
c75cb4d
-	if (err == -ENOKEY && !sig_enforce)
b03622d
-		err = 0;
b03622d
+		/* We don't permit modules to be loaded into trusted kernels
b03622d
+		 * without a valid signature on them, but if we're not
b03622d
+		 * enforcing, certain errors are non-fatal.
b03622d
+		 */
b03622d
+	case -ENODATA:
b03622d
+		reason = "Loading of unsigned module";
b03622d
+		goto decide;
b03622d
+	case -ENOPKG:
b03622d
+		reason = "Loading of module with unsupported crypto";
b03622d
+		goto decide;
b03622d
+	case -ENOKEY:
b03622d
+		reason = "Loading of module with unavailable key";
b03622d
+	decide:
b03622d
+		if (sig_enforce) {
b03622d
+			pr_notice("%s is rejected\n", reason);
b03622d
+			return -EKEYREJECTED;
b03622d
+		}
b03622d
b03622d
-	return err;
b03622d
+		if (can_do_ima_check && is_ima_appraise_enabled())
b03622d
+			return 0;
b03622d
+		if (kernel_is_locked_down(reason))
b03622d
+			return -EPERM;
b03622d
+		return 0;
b03622d
+
b03622d
+		/* All other errors are fatal, including nomem, unparseable
b03622d
+		 * signatures and signature check failures - even if signatures
b03622d
+		 * aren't required.
b03622d
+		 */
b03622d
+	default:
b03622d
+		return err;
b03622d
+	}
b03622d
 }
b03622d
 #else /* !CONFIG_MODULE_SIG */
b03622d
-static int module_sig_check(struct load_info *info, int flags)
b03622d
+static int module_sig_check(struct load_info *info, int flags,
b03622d
+			    bool can_do_ima_check)
b03622d
 {
b03622d
 	return 0;
b03622d
 }
b03622d
@@ -3655,13 +3685,13 @@ static int unknown_module_param_cb(char *param, char *val, const char *modname,
b03622d
 /* Allocate and load the module: note that size of section 0 is always
b03622d
    zero, and we rely on this for optional sections. */
b03622d
 static int load_module(struct load_info *info, const char __user *uargs,
b03622d
-		       int flags)
b03622d
+		       int flags, bool can_do_ima_check)
b03622d
 {
b03622d
 	struct module *mod;
b03622d
 	long err;
b03622d
 	char *after_dashes;
b03622d
b03622d
-	err = module_sig_check(info, flags);
b03622d
+	err = module_sig_check(info, flags, can_do_ima_check);
b03622d
 	if (err)
b03622d
 		goto free_copy;
b03622d
b03622d
@@ -3850,7 +3880,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
b03622d
 	if (err)
b03622d
 		return err;
b03622d
b03622d
-	return load_module(&info, uargs, 0);
b03622d
+	return load_module(&info, uargs, 0, false);
b03622d
 }
b03622d
b03622d
 SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags)
b03622d
@@ -3877,7 +3907,7 @@ SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags)
b03622d
 	info.hdr = hdr;
b03622d
 	info.len = size;
b03622d
b03622d
-	return load_module(&info, uargs, flags);
b03622d
+	return load_module(&info, uargs, flags, true);
b03622d
 }
c75cb4d
b03622d
 static inline int within(unsigned long addr, void *start, unsigned long size)
962ea4f
-- 
b03622d
2.14.3
962ea4f
b03622d
From 11b23b45b895133b0c4660622fe2cd8cea373324 Mon Sep 17 00:00:00 2001
b03622d
From: Matthew Garrett <mjg59@srcf.ucam.org>
b03622d
Date: Tue, 27 Feb 2018 10:04:51 +0000
b03622d
Subject: [PATCH 05/31] Restrict /dev/{mem,kmem,port} when the kernel is locked
c75cb4d
 down
c75cb4d
c75cb4d
Allowing users to read and write to core kernel memory makes it possible
c75cb4d
for the kernel to be subverted, avoiding module loading restrictions, and
c75cb4d
also to steal cryptographic information.
c75cb4d
c75cb4d
Disallow /dev/mem and /dev/kmem from being opened this when the kernel has
c75cb4d
been locked down to prevent this.
c75cb4d
c75cb4d
Also disallow /dev/port from being opened to prevent raw ioport access and
c75cb4d
thus DMA from being used to accomplish the same thing.
c75cb4d
b03622d
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
c75cb4d
Signed-off-by: David Howells <dhowells@redhat.com>
c75cb4d
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
c75cb4d
---
c75cb4d
 drivers/char/mem.c | 2 ++
c75cb4d
 1 file changed, 2 insertions(+)
c75cb4d
c75cb4d
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
b03622d
index 052011bcf100..c024e7b2bbcb 100644
c75cb4d
--- a/drivers/char/mem.c
c75cb4d
+++ b/drivers/char/mem.c
b03622d
@@ -784,6 +784,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)
c75cb4d
c75cb4d
 static int open_port(struct inode *inode, struct file *filp)
c75cb4d
 {
c75cb4d
+	if (kernel_is_locked_down("/dev/mem,kmem,port"))
c75cb4d
+		return -EPERM;
c75cb4d
 	return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
c75cb4d
 }
c75cb4d
c75cb4d
-- 
b03622d
2.14.3
c75cb4d
b03622d
From ccaf57b0a1afb62c1278e3fee69634a710b60a44 Mon Sep 17 00:00:00 2001
b03622d
From: Matthew Garrett <mjg59@srcf.ucam.org>
b03622d
Date: Tue, 27 Feb 2018 10:04:51 +0000
b03622d
Subject: [PATCH 06/31] kexec_load: Disable at runtime if the kernel is locked
b03622d
 down
962ea4f
b03622d
The kexec_load() syscall permits the loading and execution of arbitrary
b03622d
code in ring 0, which is something that lock-down is meant to prevent. It
b03622d
makes sense to disable kexec_load() in this situation.
962ea4f
b03622d
This does not affect kexec_file_load() syscall which can check for a
b03622d
signature on the image to be booted.
962ea4f
b03622d
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
c75cb4d
Acked-by: Dave Young <dyoung@redhat.com>
c75cb4d
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
c75cb4d
Reviewed-by: James Morris <james.l.morris@oracle.com>
c75cb4d
cc: kexec@lists.infradead.org
962ea4f
---
962ea4f
 kernel/kexec.c | 7 +++++++
962ea4f
 1 file changed, 7 insertions(+)
962ea4f
962ea4f
diff --git a/kernel/kexec.c b/kernel/kexec.c
c75cb4d
index e62ec4dc6620..7dadfed9b676 100644
962ea4f
--- a/kernel/kexec.c
962ea4f
+++ b/kernel/kexec.c
b03622d
@@ -201,6 +201,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
b03622d
 	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
962ea4f
 		return -EPERM;
c75cb4d
b03622d
+	/*
962ea4f
+	 * kexec can be used to circumvent module loading restrictions, so
962ea4f
+	 * prevent loading in that case
962ea4f
+	 */
c75cb4d
+	if (kernel_is_locked_down("kexec of unsigned images"))
962ea4f
+		return -EPERM;
962ea4f
+
b03622d
 	/*
962ea4f
 	 * Verify we have a legal set of flags
962ea4f
 	 * This leaves us room for future extensions.
962ea4f
-- 
b03622d
2.14.3
962ea4f
b03622d
From b96ff1fd9e94772fde7b58fd69969d1a1c87eb6d Mon Sep 17 00:00:00 2001
962ea4f
From: Dave Young <dyoung@redhat.com>
b03622d
Date: Tue, 27 Feb 2018 10:04:51 +0000
b03622d
Subject: [PATCH 07/31] Copy secure_boot flag in boot params across kexec
3ff7c26
 reboot
962ea4f
962ea4f
Kexec reboot in case secure boot being enabled does not keep the secure
962ea4f
boot mode in new kernel, so later one can load unsigned kernel via legacy
962ea4f
kexec_load.  In this state, the system is missing the protections provided
962ea4f
by secure boot.
962ea4f
962ea4f
Adding a patch to fix this by retain the secure_boot flag in original
962ea4f
kernel.
962ea4f
962ea4f
secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the
962ea4f
stub.  Fixing this issue by copying secure_boot flag across kexec reboot.
962ea4f
962ea4f
Signed-off-by: Dave Young <dyoung@redhat.com>
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
c75cb4d
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
c75cb4d
cc: kexec@lists.infradead.org
962ea4f
---
962ea4f
 arch/x86/kernel/kexec-bzimage64.c | 1 +
962ea4f
 1 file changed, 1 insertion(+)
962ea4f
962ea4f
diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
c75cb4d
index fb095ba0c02f..7d0fac5bcbbe 100644
962ea4f
--- a/arch/x86/kernel/kexec-bzimage64.c
962ea4f
+++ b/arch/x86/kernel/kexec-bzimage64.c
962ea4f
@@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
962ea4f
 	if (efi_enabled(EFI_OLD_MEMMAP))
962ea4f
 		return 0;
c75cb4d
962ea4f
+	params->secure_boot = boot_params.secure_boot;
962ea4f
 	ei->efi_loader_signature = current_ei->efi_loader_signature;
962ea4f
 	ei->efi_systab = current_ei->efi_systab;
962ea4f
 	ei->efi_systab_hi = current_ei->efi_systab_hi;
962ea4f
-- 
b03622d
2.14.3
b03622d
b03622d
From 092494dea28896108dfb654cebf9f7e3666fc514 Mon Sep 17 00:00:00 2001
b03622d
From: Jiri Bohac <jbohac@suse.cz>
b03622d
Date: Tue, 27 Feb 2018 10:04:51 +0000
b03622d
Subject: [PATCH 08/31] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and
b03622d
 KEXEC_SIG_FORCE
b03622d
b03622d
This is a preparatory patch for kexec_file_load() lockdown.  A locked down
b03622d
kernel needs to prevent unsigned kernel images from being loaded with
b03622d
kexec_file_load().  Currently, the only way to force the signature
b03622d
verification is compiling with KEXEC_VERIFY_SIG.  This prevents loading
b03622d
usigned images even when the kernel is not locked down at runtime.
b03622d
b03622d
This patch splits KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE.
b03622d
Analogous to the MODULE_SIG and MODULE_SIG_FORCE for modules, KEXEC_SIG
b03622d
turns on the signature verification but allows unsigned images to be
b03622d
loaded.  KEXEC_SIG_FORCE disallows images without a valid signature.
b03622d
b03622d
[Modified by David Howells such that:
b03622d
b03622d
 (1) verify_pefile_signature() differentiates between no-signature and
b03622d
     sig-didn't-match in its returned errors.
b03622d
b03622d
 (2) kexec fails with EKEYREJECTED and logs an appropriate message if
b03622d
     signature checking is enforced and an signature is not found, uses
b03622d
     unsupported crypto or has no matching key.
962ea4f
b03622d
 (3) kexec fails with EKEYREJECTED if there is a signature for which we
b03622d
     have a key, but signature doesn't match - even if in non-forcing mode.
b03622d
b03622d
 (4) kexec fails with EBADMSG or some other error if there is a signature
b03622d
     which cannot be parsed - even if in non-forcing mode.
b03622d
b03622d
 (5) kexec fails with ELIBBAD if the PE file cannot be parsed to extract
b03622d
     the signature - even if in non-forcing mode.
b03622d
b03622d
]
b03622d
b03622d
Signed-off-by: Jiri Bohac <jbohac@suse.cz>
b03622d
Signed-off-by: David Howells <dhowells@redhat.com>
b03622d
Reviewed-by: Jiri Bohac <jbohac@suse.cz>
b03622d
cc: Matthew Garrett <mjg59@srcf.ucam.org>
b03622d
cc: Chun-Yi Lee <jlee@suse.com>
b03622d
cc: kexec@lists.infradead.org
b03622d
---
b03622d
 arch/x86/Kconfig                       | 20 ++++++++++----
b03622d
 arch/x86/kernel/machine_kexec_64.c     |  2 +-
b03622d
 crypto/asymmetric_keys/verify_pefile.c |  4 ++-
b03622d
 include/linux/kexec.h                  |  4 +--
b03622d
 kernel/kexec_file.c                    | 48 +++++++++++++++++++++++++++++-----
b03622d
 5 files changed, 62 insertions(+), 16 deletions(-)
b03622d
b03622d
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
b03622d
index eb7f43f23521..b2c5eb5a8333 100644
b03622d
--- a/arch/x86/Kconfig
b03622d
+++ b/arch/x86/Kconfig
b03622d
@@ -2020,20 +2020,30 @@ config KEXEC_FILE
b03622d
 	  for kernel and initramfs as opposed to list of segments as
b03622d
 	  accepted by previous system call.
b03622d
b03622d
-config KEXEC_VERIFY_SIG
b03622d
+config KEXEC_SIG
b03622d
 	bool "Verify kernel signature during kexec_file_load() syscall"
b03622d
 	depends on KEXEC_FILE
b03622d
 	---help---
b03622d
-	  This option makes kernel signature verification mandatory for
b03622d
-	  the kexec_file_load() syscall.
b03622d
b03622d
-	  In addition to that option, you need to enable signature
b03622d
+	  This option makes the kexec_file_load() syscall check for a valid
b03622d
+	  signature of the kernel image.  The image can still be loaded without
b03622d
+	  a valid signature unless you also enable KEXEC_SIG_FORCE, though if
b03622d
+	  there's a signature that we can check, then it must be valid.
b03622d
+
b03622d
+	  In addition to this option, you need to enable signature
b03622d
 	  verification for the corresponding kernel image type being
b03622d
 	  loaded in order for this to work.
b03622d
b03622d
+config KEXEC_SIG_FORCE
b03622d
+	bool "Require a valid signature in kexec_file_load() syscall"
b03622d
+	depends on KEXEC_SIG
b03622d
+	---help---
b03622d
+	  This option makes kernel signature verification mandatory for
b03622d
+	  the kexec_file_load() syscall.
b03622d
+
b03622d
 config KEXEC_BZIMAGE_VERIFY_SIG
b03622d
 	bool "Enable bzImage signature verification support"
b03622d
-	depends on KEXEC_VERIFY_SIG
b03622d
+	depends on KEXEC_SIG
b03622d
 	depends on SIGNED_PE_FILE_VERIFICATION
b03622d
 	select SYSTEM_TRUSTED_KEYRING
b03622d
 	---help---
b03622d
diff --git a/arch/x86/kernel/machine_kexec_64.c b/arch/x86/kernel/machine_kexec_64.c
b03622d
index 3b7427aa7d85..b0870d47d520 100644
b03622d
--- a/arch/x86/kernel/machine_kexec_64.c
b03622d
+++ b/arch/x86/kernel/machine_kexec_64.c
b03622d
@@ -406,7 +406,7 @@ int arch_kimage_file_post_load_cleanup(struct kimage *image)
b03622d
 	return image->fops->cleanup(image->image_loader_data);
b03622d
 }
b03622d
b03622d
-#ifdef CONFIG_KEXEC_VERIFY_SIG
b03622d
+#ifdef CONFIG_KEXEC_SIG
b03622d
 int arch_kexec_kernel_verify_sig(struct kimage *image, void *kernel,
b03622d
 				 unsigned long kernel_len)
b03622d
 {
b03622d
diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c
b03622d
index d178650fd524..4473cea1e877 100644
b03622d
--- a/crypto/asymmetric_keys/verify_pefile.c
b03622d
+++ b/crypto/asymmetric_keys/verify_pefile.c
b03622d
@@ -100,7 +100,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen,
b03622d
b03622d
 	if (!ddir->certs.virtual_address || !ddir->certs.size) {
b03622d
 		pr_debug("Unsigned PE binary\n");
b03622d
-		return -EKEYREJECTED;
b03622d
+		return -ENODATA;
b03622d
 	}
b03622d
b03622d
 	chkaddr(ctx->header_size, ddir->certs.virtual_address,
b03622d
@@ -408,6 +408,8 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen,
b03622d
  *  (*) 0 if at least one signature chain intersects with the keys in the trust
b03622d
  *	keyring, or:
b03622d
  *
b03622d
+ *  (*) -ENODATA if there is no signature present.
b03622d
+ *
b03622d
  *  (*) -ENOPKG if a suitable crypto module couldn't be found for a check on a
b03622d
  *	chain.
b03622d
  *
b03622d
diff --git a/include/linux/kexec.h b/include/linux/kexec.h
b03622d
index f16f6ceb3875..19652372f3ee 100644
b03622d
--- a/include/linux/kexec.h
b03622d
+++ b/include/linux/kexec.h
b03622d
@@ -121,7 +121,7 @@ typedef void *(kexec_load_t)(struct kimage *image, char *kernel_buf,
b03622d
 			     unsigned long cmdline_len);
b03622d
 typedef int (kexec_cleanup_t)(void *loader_data);
b03622d
b03622d
-#ifdef CONFIG_KEXEC_VERIFY_SIG
b03622d
+#ifdef CONFIG_KEXEC_SIG
b03622d
 typedef int (kexec_verify_sig_t)(const char *kernel_buf,
b03622d
 				 unsigned long kernel_len);
b03622d
 #endif
b03622d
@@ -130,7 +130,7 @@ struct kexec_file_ops {
b03622d
 	kexec_probe_t *probe;
b03622d
 	kexec_load_t *load;
b03622d
 	kexec_cleanup_t *cleanup;
b03622d
-#ifdef CONFIG_KEXEC_VERIFY_SIG
b03622d
+#ifdef CONFIG_KEXEC_SIG
b03622d
 	kexec_verify_sig_t *verify_sig;
b03622d
 #endif
b03622d
 };
b03622d
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
b03622d
index e5bcd94c1efb..d5931e392050 100644
b03622d
--- a/kernel/kexec_file.c
b03622d
+++ b/kernel/kexec_file.c
b03622d
@@ -45,7 +45,7 @@ int __weak arch_kimage_file_post_load_cleanup(struct kimage *image)
b03622d
 	return -EINVAL;
b03622d
 }
b03622d
b03622d
-#ifdef CONFIG_KEXEC_VERIFY_SIG
b03622d
+#ifdef CONFIG_KEXEC_SIG
b03622d
 int __weak arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
b03622d
 					unsigned long buf_len)
b03622d
 {
b03622d
@@ -116,7 +116,8 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
b03622d
 			     const char __user *cmdline_ptr,
b03622d
 			     unsigned long cmdline_len, unsigned flags)
b03622d
 {
b03622d
-	int ret = 0;
b03622d
+	const char *reason;
b03622d
+	int ret;
b03622d
 	void *ldata;
b03622d
 	loff_t size;
b03622d
b03622d
@@ -135,15 +136,48 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
b03622d
 	if (ret)
b03622d
 		goto out;
b03622d
b03622d
-#ifdef CONFIG_KEXEC_VERIFY_SIG
b03622d
+#ifdef CONFIG_KEXEC_SIG
b03622d
 	ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf,
b03622d
 					   image->kernel_buf_len);
b03622d
-	if (ret) {
b03622d
-		pr_debug("kernel signature verification failed.\n");
b03622d
+#else
b03622d
+	ret = -ENODATA;
b03622d
+#endif
b03622d
+
b03622d
+	switch (ret) {
b03622d
+	case 0:
b03622d
+		break;
b03622d
+
b03622d
+		/* Certain verification errors are non-fatal if we're not
b03622d
+		 * checking errors, provided we aren't mandating that there
b03622d
+		 * must be a valid signature.
b03622d
+		 */
b03622d
+	case -ENODATA:
b03622d
+		reason = "kexec of unsigned image";
b03622d
+		goto decide;
b03622d
+	case -ENOPKG:
b03622d
+		reason = "kexec of image with unsupported crypto";
b03622d
+		goto decide;
b03622d
+	case -ENOKEY:
b03622d
+		reason = "kexec of image with unavailable key";
b03622d
+	decide:
b03622d
+		if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) {
b03622d
+			pr_notice("%s rejected\n", reason);
b03622d
+			ret = -EKEYREJECTED;
b03622d
+			goto out;
b03622d
+		}
b03622d
+
b03622d
+		ret = 0;
b03622d
+		break;
b03622d
+
b03622d
+		/* All other errors are fatal, including nomem, unparseable
b03622d
+		 * signatures and signature check failures - even if signatures
b03622d
+		 * aren't required.
b03622d
+		 */
b03622d
+	default:
b03622d
+		pr_notice("kernel signature verification failed (%d).\n", ret);
b03622d
 		goto out;
b03622d
 	}
b03622d
-	pr_debug("kernel signature verification successful.\n");
b03622d
-#endif
b03622d
+
b03622d
 	/* It is possible that there no initramfs is being loaded */
b03622d
 	if (!(flags & KEXEC_FILE_NO_INITRAMFS)) {
b03622d
 		ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf,
b03622d
-- 
b03622d
2.14.3
b03622d
b03622d
From 7124221c5cdb956365ed731b55e663db4075a131 Mon Sep 17 00:00:00 2001
b03622d
From: Jiri Bohac <jbohac@suse.cz>
b03622d
Date: Tue, 27 Feb 2018 10:04:52 +0000
b03622d
Subject: [PATCH 09/31] kexec_file: Restrict at runtime if the kernel is locked
c75cb4d
 down
962ea4f
b03622d
When KEXEC_SIG is not enabled, kernel should not load images through
b03622d
kexec_file systemcall if the kernel is locked down unless IMA can be used
b03622d
to validate the image.
962ea4f
b03622d
[Modified by David Howells to fit with modifications to the previous patch
b03622d
 and to return -EPERM if the kernel is locked down for consistency with
b03622d
 other lockdowns]
962ea4f
b03622d
Signed-off-by: Jiri Bohac <jbohac@suse.cz>
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
b03622d
Reviewed-by: Jiri Bohac <jbohac@suse.cz>
b03622d
Cc: Matthew Garrett <mjg59@srcf.ucam.org>
b03622d
cc: Chun-Yi Lee <jlee@suse.com>
c75cb4d
cc: kexec@lists.infradead.org
962ea4f
---
b03622d
 kernel/kexec_file.c | 8 ++++++++
b03622d
 1 file changed, 8 insertions(+)
962ea4f
962ea4f
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
b03622d
index d5931e392050..c47c4de604cd 100644
962ea4f
--- a/kernel/kexec_file.c
962ea4f
+++ b/kernel/kexec_file.c
b03622d
@@ -167,6 +167,14 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
b03622d
 		}
c75cb4d
b03622d
 		ret = 0;
b03622d
+		if (is_ima_appraise_enabled())
b03622d
+			break;
962ea4f
+
b03622d
+		if (kernel_is_locked_down(reason)) {
b03622d
+			ret = -EPERM;
b03622d
+			goto out;
b03622d
+		}
b03622d
+
b03622d
 		break;
b03622d
b03622d
 		/* All other errors are fatal, including nomem, unparseable
962ea4f
-- 
b03622d
2.14.3
962ea4f
b03622d
From 70911b9a15ee62c6222e09099d23d94bdd132972 Mon Sep 17 00:00:00 2001
962ea4f
From: Josh Boyer <jwboyer@fedoraproject.org>
b03622d
Date: Tue, 27 Feb 2018 10:04:52 +0000
b03622d
Subject: [PATCH 10/31] hibernate: Disable when the kernel is locked down
962ea4f
962ea4f
There is currently no way to verify the resume image when returning
962ea4f
from hibernate.  This might compromise the signed modules trust model,
962ea4f
so until we can work with signed hibernate images we disable it when the
962ea4f
kernel is locked down.
962ea4f
962ea4f
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
c75cb4d
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
c75cb4d
cc: linux-pm@vger.kernel.org
962ea4f
---
962ea4f
 kernel/power/hibernate.c | 2 +-
962ea4f
 1 file changed, 1 insertion(+), 1 deletion(-)
962ea4f
962ea4f
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
c75cb4d
index a5c36e9c56a6..f2eafefeec50 100644
962ea4f
--- a/kernel/power/hibernate.c
962ea4f
+++ b/kernel/power/hibernate.c
c75cb4d
@@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
c75cb4d
962ea4f
 bool hibernation_available(void)
962ea4f
 {
962ea4f
-	return (nohibernate == 0);
c75cb4d
+	return nohibernate == 0 && !kernel_is_locked_down("Hibernation");
962ea4f
 }
c75cb4d
962ea4f
 /**
962ea4f
-- 
b03622d
2.14.3
962ea4f
b03622d
From b85febc7ab5ceede3c53b438b899dfba7741f366 Mon Sep 17 00:00:00 2001
962ea4f
From: Matthew Garrett <mjg59@srcf.ucam.org>
b03622d
Date: Tue, 27 Feb 2018 10:04:52 +0000
b03622d
Subject: [PATCH 11/31] uswsusp: Disable when the kernel is locked down
962ea4f
962ea4f
uswsusp allows a user process to dump and then restore kernel state, which
962ea4f
makes it possible to modify the running kernel.  Disable this if the kernel
962ea4f
is locked down.
962ea4f
962ea4f
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
c75cb4d
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
c75cb4d
Reviewed-by: James Morris <james.l.morris@oracle.com>
c75cb4d
cc: linux-pm@vger.kernel.org
962ea4f
---
962ea4f
 kernel/power/user.c | 3 +++
962ea4f
 1 file changed, 3 insertions(+)
962ea4f
962ea4f
diff --git a/kernel/power/user.c b/kernel/power/user.c
c75cb4d
index 22df9f7ff672..678ade9decfe 100644
962ea4f
--- a/kernel/power/user.c
962ea4f
+++ b/kernel/power/user.c
962ea4f
@@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
962ea4f
 	if (!hibernation_available())
962ea4f
 		return -EPERM;
c75cb4d
c75cb4d
+	if (kernel_is_locked_down("/dev/snapshot"))
962ea4f
+		return -EPERM;
962ea4f
+
962ea4f
 	lock_system_sleep();
c75cb4d
962ea4f
 	if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
962ea4f
-- 
b03622d
2.14.3
962ea4f
b03622d
From 9e2700d1746e53da4de4d0fbee7ca4f8f06d6ff2 Mon Sep 17 00:00:00 2001
b03622d
From: Matthew Garrett <mjg59@srcf.ucam.org>
b03622d
Date: Tue, 27 Feb 2018 10:04:52 +0000
b03622d
Subject: [PATCH 12/31] PCI: Lock down BAR access when the kernel is locked
3ff7c26
 down
962ea4f
962ea4f
Any hardware that can potentially generate DMA has to be locked down in
962ea4f
order to avoid it being possible for an attacker to modify kernel code,
962ea4f
allowing them to circumvent disabled module loading or module signing.
962ea4f
Default to paranoid - in future we can potentially relax this for
962ea4f
sufficiently IOMMU-isolated devices.
962ea4f
b03622d
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
c75cb4d
Acked-by: Bjorn Helgaas <bhelgaas@google.com>
c75cb4d
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
c75cb4d
cc: linux-pci@vger.kernel.org
962ea4f
---
962ea4f
 drivers/pci/pci-sysfs.c | 9 +++++++++
c75cb4d
 drivers/pci/proc.c      | 9 ++++++++-
c75cb4d
 drivers/pci/syscall.c   | 3 ++-
c75cb4d
 3 files changed, 19 insertions(+), 2 deletions(-)
962ea4f
962ea4f
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
b03622d
index eb6bee8724cc..6d2afc730ab7 100644
962ea4f
--- a/drivers/pci/pci-sysfs.c
962ea4f
+++ b/drivers/pci/pci-sysfs.c
b03622d
@@ -930,6 +930,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
962ea4f
 	loff_t init_off = off;
962ea4f
 	u8 *data = (u8 *) buf;
c75cb4d
c75cb4d
+	if (kernel_is_locked_down("Direct PCI access"))
962ea4f
+		return -EPERM;
962ea4f
+
962ea4f
 	if (off > dev->cfg_size)
962ea4f
 		return 0;
962ea4f
 	if (off + count > dev->cfg_size) {
b03622d
@@ -1224,6 +1227,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
3ff7c26
 	enum pci_mmap_state mmap_type;
3ff7c26
 	struct resource *res = &pdev->resource[bar];
c75cb4d
c75cb4d
+	if (kernel_is_locked_down("Direct PCI access"))
962ea4f
+		return -EPERM;
962ea4f
+
3ff7c26
 	if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start))
3ff7c26
 		return -EINVAL;
c75cb4d
b03622d
@@ -1299,6 +1305,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
962ea4f
 				     struct bin_attribute *attr, char *buf,
962ea4f
 				     loff_t off, size_t count)
962ea4f
 {
c75cb4d
+	if (kernel_is_locked_down("Direct PCI access"))
962ea4f
+		return -EPERM;
962ea4f
+
962ea4f
 	return pci_resource_io(filp, kobj, attr, buf, off, count, true);
962ea4f
 }
c75cb4d
962ea4f
diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
b03622d
index 58a662e3c4a6..b30e53eb41df 100644
962ea4f
--- a/drivers/pci/proc.c
962ea4f
+++ b/drivers/pci/proc.c
b03622d
@@ -117,6 +117,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
962ea4f
 	int size = dev->cfg_size;
962ea4f
 	int cnt;
c75cb4d
c75cb4d
+	if (kernel_is_locked_down("Direct PCI access"))
962ea4f
+		return -EPERM;
962ea4f
+
962ea4f
 	if (pos >= size)
962ea4f
 		return 0;
962ea4f
 	if (nbytes >= size)
b03622d
@@ -196,6 +199,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
962ea4f
 #endif /* HAVE_PCI_MMAP */
962ea4f
 	int ret = 0;
c75cb4d
c75cb4d
+	if (kernel_is_locked_down("Direct PCI access"))
962ea4f
+		return -EPERM;
962ea4f
+
962ea4f
 	switch (cmd) {
962ea4f
 	case PCIIOC_CONTROLLER:
962ea4f
 		ret = pci_domain_nr(dev->bus);
b03622d
@@ -237,7 +243,8 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
962ea4f
 	struct pci_filp_private *fpriv = file->private_data;
3ff7c26
 	int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM;
c75cb4d
962ea4f
-	if (!capable(CAP_SYS_RAWIO))
c75cb4d
+	if (!capable(CAP_SYS_RAWIO) ||
c75cb4d
+	    kernel_is_locked_down("Direct PCI access"))
962ea4f
 		return -EPERM;
c75cb4d
3ff7c26
 	if (fpriv->mmap_state == pci_mmap_io) {
962ea4f
diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
b03622d
index e725f99b5479..6cb3b22a3b94 100644
962ea4f
--- a/drivers/pci/syscall.c
962ea4f
+++ b/drivers/pci/syscall.c
b03622d
@@ -93,7 +93,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
962ea4f
 	u32 dword;
962ea4f
 	int err = 0;
c75cb4d
962ea4f
-	if (!capable(CAP_SYS_ADMIN))
c75cb4d
+	if (!capable(CAP_SYS_ADMIN) ||
c75cb4d
+	    kernel_is_locked_down("Direct PCI access"))
962ea4f
 		return -EPERM;
c75cb4d
b03622d
 	dev = pci_get_domain_bus_and_slot(0, bus, dfn);
962ea4f
-- 
b03622d
2.14.3
962ea4f
b03622d
From d7a876a8a1616730c0bc44c47823483ec3b99c12 Mon Sep 17 00:00:00 2001
b03622d
From: Matthew Garrett <mjg59@srcf.ucam.org>
b03622d
Date: Tue, 27 Feb 2018 10:04:52 +0000
b03622d
Subject: [PATCH 13/31] x86: Lock down IO port access when the kernel is locked
3ff7c26
 down
962ea4f
962ea4f
IO port access would permit users to gain access to PCI configuration
962ea4f
registers, which in turn (on a lot of hardware) give access to MMIO
962ea4f
register space. This would potentially permit root to trigger arbitrary
962ea4f
DMA, so lock it down by default.
962ea4f
962ea4f
This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and
962ea4f
KDDISABIO console ioctls.
962ea4f
b03622d
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
c75cb4d
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
c75cb4d
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
c75cb4d
cc: x86@kernel.org
962ea4f
---
c75cb4d
 arch/x86/kernel/ioport.c | 6 ++++--
c75cb4d
 1 file changed, 4 insertions(+), 2 deletions(-)
962ea4f
962ea4f
diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
b03622d
index 2f723301eb58..b3758cc23262 100644
962ea4f
--- a/arch/x86/kernel/ioport.c
962ea4f
+++ b/arch/x86/kernel/ioport.c
b03622d
@@ -31,7 +31,8 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
c75cb4d
962ea4f
 	if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
962ea4f
 		return -EINVAL;
962ea4f
-	if (turn_on && !capable(CAP_SYS_RAWIO))
c75cb4d
+	if (turn_on && (!capable(CAP_SYS_RAWIO) ||
c75cb4d
+			kernel_is_locked_down("ioperm")))
962ea4f
 		return -EPERM;
c75cb4d
962ea4f
 	/*
b03622d
@@ -121,7 +122,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
962ea4f
 		return -EINVAL;
962ea4f
 	/* Trying to gain more privileges? */
962ea4f
 	if (level > old) {
962ea4f
-		if (!capable(CAP_SYS_RAWIO))
c75cb4d
+		if (!capable(CAP_SYS_RAWIO) ||
c75cb4d
+		    kernel_is_locked_down("iopl"))
962ea4f
 			return -EPERM;
962ea4f
 	}
962ea4f
 	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
962ea4f
-- 
b03622d
2.14.3
962ea4f
b03622d
From 43e89781371daf295925ffa1f9074eb31b815491 Mon Sep 17 00:00:00 2001
b03622d
From: Matthew Garrett <mjg59@srcf.ucam.org>
b03622d
Date: Tue, 27 Feb 2018 10:04:53 +0000
b03622d
Subject: [PATCH 14/31] x86/msr: Restrict MSR access when the kernel is locked
c75cb4d
 down
962ea4f
962ea4f
Writing to MSRs should not be allowed if the kernel is locked down, since
962ea4f
it could lead to execution of arbitrary code in kernel mode.  Based on a
962ea4f
patch by Kees Cook.
962ea4f
c75cb4d
MSR accesses are logged for the purposes of building up a whitelist as per
c75cb4d
Alan Cox's suggestion.
c75cb4d
b03622d
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
c75cb4d
Acked-by: Kees Cook <keescook@chromium.org>
c75cb4d
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
c75cb4d
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
c75cb4d
cc: x86@kernel.org
962ea4f
---
c75cb4d
 arch/x86/kernel/msr.c | 10 ++++++++++
c75cb4d
 1 file changed, 10 insertions(+)
962ea4f
962ea4f
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
c75cb4d
index ef688804f80d..dfb61d358196 100644
962ea4f
--- a/arch/x86/kernel/msr.c
962ea4f
+++ b/arch/x86/kernel/msr.c
c75cb4d
@@ -84,6 +84,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
962ea4f
 	int err = 0;
962ea4f
 	ssize_t bytes = 0;
c75cb4d
c75cb4d
+	if (kernel_is_locked_down("Direct MSR access")) {
c75cb4d
+		pr_info("Direct access to MSR %x\n", reg);
962ea4f
+		return -EPERM;
c75cb4d
+	}
962ea4f
+
962ea4f
 	if (count % 8)
962ea4f
 		return -EINVAL;	/* Invalid chunk size */
c75cb4d
c75cb4d
@@ -135,6 +140,11 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
c75cb4d
 			err = -EFAULT;
962ea4f
 			break;
962ea4f
 		}
c75cb4d
+		if (kernel_is_locked_down("Direct MSR access")) {
c75cb4d
+			pr_info("Direct access to MSR %x\n", regs[1]); /* Display %ecx */
962ea4f
+			err = -EPERM;
962ea4f
+			break;
962ea4f
+		}
c75cb4d
 		err = wrmsr_safe_regs_on_cpu(cpu, regs);
c75cb4d
 		if (err)
962ea4f
 			break;
962ea4f
-- 
b03622d
2.14.3
c75cb4d
b03622d
From 13b28d5eb338531f53ac27bce86c663c88ac4aca Mon Sep 17 00:00:00 2001
b03622d
From: Matthew Garrett <mjg59@srcf.ucam.org>
b03622d
Date: Tue, 27 Feb 2018 10:04:53 +0000
b03622d
Subject: [PATCH 15/31] ACPI: Limit access to custom_method when the kernel is
3ff7c26
 locked down
962ea4f
962ea4f
custom_method effectively allows arbitrary access to system memory, making
962ea4f
it possible for an attacker to circumvent restrictions on module loading.
962ea4f
Disable it if the kernel is locked down.
962ea4f
b03622d
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
c75cb4d
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
c75cb4d
cc: linux-acpi@vger.kernel.org
962ea4f
---
962ea4f
 drivers/acpi/custom_method.c | 3 +++
962ea4f
 1 file changed, 3 insertions(+)
962ea4f
962ea4f
diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
c75cb4d
index c68e72414a67..b33fba70ec51 100644
962ea4f
--- a/drivers/acpi/custom_method.c
962ea4f
+++ b/drivers/acpi/custom_method.c
962ea4f
@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
962ea4f
 	struct acpi_table_header table;
962ea4f
 	acpi_status status;
c75cb4d
c75cb4d
+	if (kernel_is_locked_down("ACPI custom methods"))
962ea4f
+		return -EPERM;
962ea4f
+
962ea4f
 	if (!(*ppos)) {
962ea4f
 		/* parse the table header to get the table length */
962ea4f
 		if (count <= sizeof(struct acpi_table_header))
962ea4f
-- 
b03622d
2.14.3
962ea4f
b03622d
From dadc30f71155a6f2df81d791cf1314ecdb36cb84 Mon Sep 17 00:00:00 2001
962ea4f
From: Josh Boyer <jwboyer@redhat.com>
b03622d
Date: Tue, 27 Feb 2018 10:04:53 +0000
b03622d
Subject: [PATCH 16/31] acpi: Ignore acpi_rsdp kernel param when the kernel has
3ff7c26
 been locked down
962ea4f
962ea4f
This option allows userspace to pass the RSDP address to the kernel, which
c75cb4d
makes it possible for a user to modify the workings of hardware .  Reject
c75cb4d
the option when the kernel is locked down.
962ea4f
962ea4f
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
c75cb4d
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
c75cb4d
cc: Dave Young <dyoung@redhat.com>
c75cb4d
cc: linux-acpi@vger.kernel.org
962ea4f
---
962ea4f
 drivers/acpi/osl.c | 2 +-
962ea4f
 1 file changed, 1 insertion(+), 1 deletion(-)
962ea4f
962ea4f
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
b03622d
index 3bb46cb24a99..3d3b59b97f31 100644
962ea4f
--- a/drivers/acpi/osl.c
962ea4f
+++ b/drivers/acpi/osl.c
c796f87
@@ -192,7 +192,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void)
962ea4f
 	acpi_physical_address pa = 0;
c75cb4d
962ea4f
 #ifdef CONFIG_KEXEC
962ea4f
-	if (acpi_rsdp)
c75cb4d
+	if (acpi_rsdp && !kernel_is_locked_down("ACPI RSDP specification"))
962ea4f
 		return acpi_rsdp;
962ea4f
 #endif
c75cb4d
962ea4f
-- 
b03622d
2.14.3
962ea4f
b03622d
From 9185a89b926a57d52ac9edf588ad533d53af4985 Mon Sep 17 00:00:00 2001
962ea4f
From: Linn Crosetto <linn@hpe.com>
b03622d
Date: Tue, 27 Feb 2018 10:04:53 +0000
b03622d
Subject: [PATCH 17/31] acpi: Disable ACPI table override if the kernel is
3ff7c26
 locked down
962ea4f
962ea4f
From the kernel documentation (initrd_table_override.txt):
962ea4f
962ea4f
  If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
962ea4f
  to override nearly any ACPI table provided by the BIOS with an
962ea4f
  instrumented, modified one.
962ea4f
962ea4f
When securelevel is set, the kernel should disallow any unauthenticated
962ea4f
changes to kernel space.  ACPI tables contain code invoked by the kernel,
962ea4f
so do not allow ACPI tables to be overridden if the kernel is locked down.
962ea4f
962ea4f
Signed-off-by: Linn Crosetto <linn@hpe.com>
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
c75cb4d
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
c75cb4d
cc: linux-acpi@vger.kernel.org
962ea4f
---
962ea4f
 drivers/acpi/tables.c | 5 +++++
962ea4f
 1 file changed, 5 insertions(+)
962ea4f
962ea4f
diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
b03622d
index 7bcb66ccccf3..5ea02c9ca47f 100644
962ea4f
--- a/drivers/acpi/tables.c
962ea4f
+++ b/drivers/acpi/tables.c
b03622d
@@ -527,6 +527,11 @@ void __init acpi_table_upgrade(void)
962ea4f
 	if (table_nr == 0)
962ea4f
 		return;
c75cb4d
c75cb4d
+	if (kernel_is_locked_down("ACPI table override")) {
962ea4f
+		pr_notice("kernel is locked down, ignoring table override\n");
962ea4f
+		return;
962ea4f
+	}
962ea4f
+
962ea4f
 	acpi_tables_addr =
962ea4f
 		memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
962ea4f
 				       all_tables_size, PAGE_SIZE);
962ea4f
-- 
b03622d
2.14.3
962ea4f
b03622d
From aa434c790a2581df5dc7973f2dc3a6a3234bd6b7 Mon Sep 17 00:00:00 2001
962ea4f
From: Linn Crosetto <linn@hpe.com>
b03622d
Date: Tue, 27 Feb 2018 10:04:53 +0000
b03622d
Subject: [PATCH 18/31] acpi: Disable APEI error injection if the kernel is
3ff7c26
 locked down
962ea4f
962ea4f
ACPI provides an error injection mechanism, EINJ, for debugging and testing
962ea4f
the ACPI Platform Error Interface (APEI) and other RAS features.  If
962ea4f
supported by the firmware, ACPI specification 5.0 and later provide for a
962ea4f
way to specify a physical memory address to which to inject the error.
962ea4f
962ea4f
Injecting errors through EINJ can produce errors which to the platform are
962ea4f
indistinguishable from real hardware errors.  This can have undesirable
962ea4f
side-effects, such as causing the platform to mark hardware as needing
962ea4f
replacement.
962ea4f
962ea4f
While it does not provide a method to load unauthenticated privileged code,
962ea4f
the effect of these errors may persist across reboots and affect trust in
962ea4f
the underlying hardware, so disable error injection through EINJ if
962ea4f
the kernel is locked down.
962ea4f
962ea4f
Signed-off-by: Linn Crosetto <linn@hpe.com>
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
c75cb4d
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
c75cb4d
cc: linux-acpi@vger.kernel.org
962ea4f
---
962ea4f
 drivers/acpi/apei/einj.c | 3 +++
962ea4f
 1 file changed, 3 insertions(+)
962ea4f
962ea4f
diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c
c75cb4d
index b38737c83a24..6d71e1e97b20 100644
962ea4f
--- a/drivers/acpi/apei/einj.c
962ea4f
+++ b/drivers/acpi/apei/einj.c
962ea4f
@@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2,
962ea4f
 	int rc;
962ea4f
 	u64 base_addr, size;
c75cb4d
c75cb4d
+	if (kernel_is_locked_down("ACPI error injection"))
962ea4f
+		return -EPERM;
962ea4f
+
962ea4f
 	/* If user manually set "flags", make sure it is legal */
962ea4f
 	if (flags && (flags &
962ea4f
 		~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF)))
962ea4f
-- 
b03622d
2.14.3
962ea4f
b03622d
From 5b76b160badb6e53f68a65f0374df700894559bb Mon Sep 17 00:00:00 2001
962ea4f
From: David Howells <dhowells@redhat.com>
b03622d
Date: Tue, 27 Feb 2018 10:04:53 +0000
b03622d
Subject: [PATCH 19/31] scsi: Lock down the eata driver
962ea4f
962ea4f
When the kernel is running in secure boot mode, we lock down the kernel to
962ea4f
prevent userspace from modifying the running kernel image.  Whilst this
962ea4f
includes prohibiting access to things like /dev/mem, it must also prevent
962ea4f
access by means of configuring driver modules in such a way as to cause a
962ea4f
device to access or modify the kernel image.
962ea4f
962ea4f
The eata driver takes a single string parameter that contains a slew of
962ea4f
settings, including hardware resource configuration.  Prohibit use of the
962ea4f
parameter if the kernel is locked down.
962ea4f
c75cb4d
Suggested-by: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
962ea4f
cc: Dario Ballabio <ballabio_dario@emc.com>
962ea4f
cc: "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>
962ea4f
cc: "Martin K. Petersen" <martin.petersen@oracle.com>
962ea4f
cc: linux-scsi@vger.kernel.org
962ea4f
---
c75cb4d
 drivers/scsi/eata.c | 5 ++++-
c75cb4d
 1 file changed, 4 insertions(+), 1 deletion(-)
962ea4f
962ea4f
diff --git a/drivers/scsi/eata.c b/drivers/scsi/eata.c
c75cb4d
index 6501c330d8c8..72fceaa8f3da 100644
962ea4f
--- a/drivers/scsi/eata.c
962ea4f
+++ b/drivers/scsi/eata.c
c75cb4d
@@ -1552,8 +1552,11 @@ static int eata2x_detect(struct scsi_host_template *tpnt)
c75cb4d
962ea4f
 	tpnt->proc_name = "eata2x";
c75cb4d
962ea4f
-	if (strlen(boot_options))
962ea4f
+	if (strlen(boot_options)) {
c75cb4d
+		if (kernel_is_locked_down("Command line-specified device addresses, irqs and dma channels"))
962ea4f
+			return -EPERM;
962ea4f
 		option_setup(boot_options);
962ea4f
+	}
c75cb4d
962ea4f
 #if defined(MODULE)
962ea4f
 	/* io_port could have been modified when loading as a module */
962ea4f
-- 
b03622d
2.14.3
962ea4f
b03622d
From ebdc673699d9732a1cccfc2f80e84402aa7ec0c9 Mon Sep 17 00:00:00 2001
962ea4f
From: David Howells <dhowells@redhat.com>
b03622d
Date: Tue, 27 Feb 2018 10:04:54 +0000
b03622d
Subject: [PATCH 20/31] Prohibit PCMCIA CIS storage when the kernel is locked
3ff7c26
 down
962ea4f
962ea4f
Prohibit replacement of the PCMCIA Card Information Structure when the
962ea4f
kernel is locked down.
962ea4f
c75cb4d
Suggested-by: Dominik Brodowski <linux@dominikbrodowski.net>
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
c75cb4d
cc: linux-pcmcia@lists.infradead.org
962ea4f
---
c75cb4d
 drivers/pcmcia/cistpl.c | 3 +++
c75cb4d
 1 file changed, 3 insertions(+)
962ea4f
962ea4f
diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c
b03622d
index 102646fedb56..e46c948d7246 100644
962ea4f
--- a/drivers/pcmcia/cistpl.c
962ea4f
+++ b/drivers/pcmcia/cistpl.c
c75cb4d
@@ -1578,6 +1578,9 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj,
962ea4f
 	struct pcmcia_socket *s;
962ea4f
 	int error;
c75cb4d
c75cb4d
+	if (kernel_is_locked_down("Direct PCMCIA CIS storage"))
962ea4f
+		return -EPERM;
962ea4f
+
962ea4f
 	s = to_socket(container_of(kobj, struct device, kobj));
c75cb4d
962ea4f
 	if (off)
962ea4f
-- 
b03622d
2.14.3
962ea4f
b03622d
From 0f058a0aecf0aea70fc42905250bb2a0f195157a Mon Sep 17 00:00:00 2001
962ea4f
From: David Howells <dhowells@redhat.com>
b03622d
Date: Tue, 27 Feb 2018 10:04:54 +0000
b03622d
Subject: [PATCH 21/31] Lock down TIOCSSERIAL
962ea4f
962ea4f
Lock down TIOCSSERIAL as that can be used to change the ioport and irq
962ea4f
settings on a serial port.  This only appears to be an issue for the serial
962ea4f
drivers that use the core serial code.  All other drivers seem to either
962ea4f
ignore attempts to change port/irq or give an error.
962ea4f
962ea4f
Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
962ea4f
Signed-off-by: David Howells <dhowells@redhat.com>
c75cb4d
cc: Jiri Slaby <jslaby@suse.com>
962ea4f
---
962ea4f
 drivers/tty/serial/serial_core.c | 6 ++++++
962ea4f
 1 file changed, 6 insertions(+)
962ea4f
962ea4f
diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
b03622d
index c8dde56b532b..7370f3d169fe 100644
962ea4f
--- a/drivers/tty/serial/serial_core.c
962ea4f
+++ b/drivers/tty/serial/serial_core.c
b03622d
@@ -829,6 +829,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port,
c75cb4d
 	new_flags = (__force upf_t)new_info->flags;
962ea4f
 	old_custom_divisor = uport->custom_divisor;
c75cb4d
c75cb4d
+	if ((change_port || change_irq) &&
c75cb4d
+	    kernel_is_locked_down("Using TIOCSSERIAL to change device addresses, irqs and dma channels")) {
962ea4f
+		retval = -EPERM;
962ea4f
+		goto exit;
962ea4f
+	}
962ea4f
+
962ea4f
 	if (!capable(CAP_SYS_ADMIN)) {
962ea4f
 		retval = -EPERM;
962ea4f
 		if (change_irq || change_port ||
962ea4f
-- 
b03622d
2.14.3
c75cb4d
b03622d
From e5a9ff56a0c1762ba2b3d3ea46b03cf2ba9d2c60 Mon Sep 17 00:00:00 2001
c75cb4d
From: David Howells <dhowells@redhat.com>
b03622d
Date: Tue, 27 Feb 2018 10:04:54 +0000
b03622d
Subject: [PATCH 22/31] Lock down module params that specify hardware
c75cb4d
 parameters (eg. ioport)
c75cb4d
c75cb4d
Provided an annotation for module parameters that specify hardware
c75cb4d
parameters (such as io ports, iomem addresses, irqs, dma channels, fixed
c75cb4d
dma buffers and other types).
c75cb4d
c75cb4d
Suggested-by: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
c75cb4d
Signed-off-by: David Howells <dhowells@redhat.com>
c75cb4d
---
c75cb4d
 kernel/params.c | 26 +++++++++++++++++++++-----
c75cb4d
 1 file changed, 21 insertions(+), 5 deletions(-)
c75cb4d
c75cb4d
diff --git a/kernel/params.c b/kernel/params.c
b03622d
index cc9108c2a1fd..2c08c4aa376b 100644
c75cb4d
--- a/kernel/params.c
c75cb4d
+++ b/kernel/params.c
c75cb4d
@@ -108,13 +108,19 @@ bool parameq(const char *a, const char *b)
c75cb4d
 	return parameqn(a, b, strlen(a)+1);
c75cb4d
 }
c75cb4d
c75cb4d
-static void param_check_unsafe(const struct kernel_param *kp)
c75cb4d
+static bool param_check_unsafe(const struct kernel_param *kp,
c75cb4d
+			       const char *doing)
c75cb4d
 {
c75cb4d
 	if (kp->flags & KERNEL_PARAM_FL_UNSAFE) {
c75cb4d
 		pr_warn("Setting dangerous option %s - tainting kernel\n",
c75cb4d
 			kp->name);
c75cb4d
 		add_taint(TAINT_USER, LOCKDEP_STILL_OK);
c75cb4d
 	}
c75cb4d
+
c75cb4d
+	if (kp->flags & KERNEL_PARAM_FL_HWPARAM &&
c75cb4d
+	    kernel_is_locked_down("Command line-specified device addresses, irqs and dma channels"))
c75cb4d
+		return false;
c75cb4d
+	return true;
c75cb4d
 }
c75cb4d
c75cb4d
 static int parse_one(char *param,
c75cb4d
@@ -144,8 +150,10 @@ static int parse_one(char *param,
c75cb4d
 			pr_debug("handling %s with %p\n", param,
c75cb4d
 				params[i].ops->set);
c75cb4d
 			kernel_param_lock(params[i].mod);
c75cb4d
-			param_check_unsafe(&params[i]);
c75cb4d
-			err = params[i].ops->set(val, &params[i]);
c75cb4d
+			if (param_check_unsafe(&params[i], doing))
c75cb4d
+				err = params[i].ops->set(val, &params[i]);
c75cb4d
+			else
c75cb4d
+				err = -EPERM;
c75cb4d
 			kernel_param_unlock(params[i].mod);
c75cb4d
 			return err;
c75cb4d
 		}
b03622d
@@ -553,6 +561,12 @@ static ssize_t param_attr_show(struct module_attribute *mattr,
c75cb4d
 	return count;
c75cb4d
 }
c75cb4d
c75cb4d
+#ifdef CONFIG_MODULES
c75cb4d
+#define mod_name(mod) (mod)->name
c75cb4d
+#else
c75cb4d
+#define mod_name(mod) "unknown"
c75cb4d
+#endif
c75cb4d
+
c75cb4d
 /* sysfs always hands a nul-terminated string in buf.  We rely on that. */
c75cb4d
 static ssize_t param_attr_store(struct module_attribute *mattr,
c75cb4d
 				struct module_kobject *mk,
b03622d
@@ -565,8 +579,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr,
c75cb4d
 		return -EPERM;
c75cb4d
c75cb4d
 	kernel_param_lock(mk->mod);
c75cb4d
-	param_check_unsafe(attribute->param);
c75cb4d
-	err = attribute->param->ops->set(buf, attribute->param);
c75cb4d
+	if (param_check_unsafe(attribute->param, mod_name(mk->mod)))
c75cb4d
+		err = attribute->param->ops->set(buf, attribute->param);
c75cb4d
+	else
c75cb4d
+		err = -EPERM;
c75cb4d
 	kernel_param_unlock(mk->mod);
c75cb4d
 	if (!err)
c75cb4d
 		return len;
c75cb4d
-- 
b03622d
2.14.3
c75cb4d
b03622d
From 6733115594290091a00d19060893f2396e51832c Mon Sep 17 00:00:00 2001
c75cb4d
From: David Howells <dhowells@redhat.com>
b03622d
Date: Tue, 27 Feb 2018 10:04:54 +0000
b03622d
Subject: [PATCH 23/31] x86/mmiotrace: Lock down the testmmiotrace module
c75cb4d
c75cb4d
The testmmiotrace module shouldn't be permitted when the kernel is locked
c75cb4d
down as it can be used to arbitrarily read and write MMIO space.
c75cb4d
c75cb4d
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
c75cb4d
Signed-off-by: David Howells 
c75cb4d
cc: Thomas Gleixner <tglx@linutronix.de>
c75cb4d
cc: Steven Rostedt <rostedt@goodmis.org>
c75cb4d
cc: Ingo Molnar <mingo@kernel.org>
c75cb4d
cc: "H. Peter Anvin" <hpa@zytor.com>
c75cb4d
cc: x86@kernel.org
c75cb4d
---
c75cb4d
 arch/x86/mm/testmmiotrace.c | 3 +++
c75cb4d
 1 file changed, 3 insertions(+)
c75cb4d
c75cb4d
diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c
c75cb4d
index f6ae6830b341..bbaad357f5d7 100644
c75cb4d
--- a/arch/x86/mm/testmmiotrace.c
c75cb4d
+++ b/arch/x86/mm/testmmiotrace.c
c75cb4d
@@ -115,6 +115,9 @@ static int __init init(void)
c75cb4d
 {
c75cb4d
 	unsigned long size = (read_far) ? (8 << 20) : (16 << 10);
c75cb4d
c75cb4d
+	if (kernel_is_locked_down("MMIO trace testing"))
c75cb4d
+		return -EPERM;
c75cb4d
+
c75cb4d
 	if (mmio_address == 0) {
c75cb4d
 		pr_err("you have to use the module argument mmio_address.\n");
c75cb4d
 		pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n");
c75cb4d
-- 
b03622d
2.14.3
b03622d
b03622d
From 69a17e04714182d314a7a7425f584ed3a54e065e Mon Sep 17 00:00:00 2001
b03622d
From: David Howells <dhowells@redhat.com>
b03622d
Date: Tue, 27 Feb 2018 10:04:54 +0000
b03622d
Subject: [PATCH 24/31] Lock down /proc/kcore
b03622d
b03622d
Disallow access to /proc/kcore when the kernel is locked down to prevent
b03622d
access to cryptographic data.
b03622d
b03622d
Signed-off-by: David Howells <dhowells@redhat.com>
b03622d
Reviewed-by: James Morris <james.l.morris@oracle.com>
b03622d
---
b03622d
 fs/proc/kcore.c | 2 ++
b03622d
 1 file changed, 2 insertions(+)
b03622d
b03622d
diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
b03622d
index d1e82761de81..cdebdee81719 100644
b03622d
--- a/fs/proc/kcore.c
b03622d
+++ b/fs/proc/kcore.c
b03622d
@@ -546,6 +546,8 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
b03622d
b03622d
 static int open_kcore(struct inode *inode, struct file *filp)
b03622d
 {
b03622d
+	if (kernel_is_locked_down("/proc/kcore"))
b03622d
+		return -EPERM;
b03622d
 	if (!capable(CAP_SYS_RAWIO))
b03622d
 		return -EPERM;
b03622d
b03622d
-- 
b03622d
2.14.3
b03622d
b03622d
From aa4a17515ea163cf0020d4a8c41302fb159b56ce Mon Sep 17 00:00:00 2001
b03622d
From: David Howells <dhowells@redhat.com>
b03622d
Date: Tue, 27 Feb 2018 10:04:54 +0000
b03622d
Subject: [PATCH 25/31] Lock down kprobes
b03622d
b03622d
Disallow the creation of kprobes when the kernel is locked down by
b03622d
preventing their registration.  This prevents kprobes from being used to
b03622d
access kernel memory, either to make modifications or to steal crypto data.
b03622d
b03622d
Reported-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
b03622d
Signed-off-by: David Howells <dhowells@redhat.com>
b03622d
---
b03622d
 kernel/kprobes.c | 3 +++
b03622d
 1 file changed, 3 insertions(+)
b03622d
b03622d
diff --git a/kernel/kprobes.c b/kernel/kprobes.c
b03622d
index 102160ff5c66..4f5757732553 100644
b03622d
--- a/kernel/kprobes.c
b03622d
+++ b/kernel/kprobes.c
b03622d
@@ -1561,6 +1561,9 @@ int register_kprobe(struct kprobe *p)
b03622d
 	struct module *probed_mod;
b03622d
 	kprobe_opcode_t *addr;
b03622d
b03622d
+	if (kernel_is_locked_down("Use of kprobes"))
b03622d
+		return -EPERM;
b03622d
+
b03622d
 	/* Adjust probe address from symbol */
b03622d
 	addr = kprobe_addr(p);
b03622d
 	if (IS_ERR(addr))
b03622d
-- 
b03622d
2.14.3
b03622d
b03622d
From 78bb0059c3b8304a8d124b55feebc780fb3e0500 Mon Sep 17 00:00:00 2001
b03622d
From: David Howells <dhowells@redhat.com>
b03622d
Date: Tue, 27 Feb 2018 10:04:55 +0000
b03622d
Subject: [PATCH 26/31] bpf: Restrict kernel image access functions when the
b03622d
 kernel is locked down
b03622d
b03622d
There are some bpf functions can be used to read kernel memory:
b03622d
bpf_probe_read, bpf_probe_write_user and bpf_trace_printk.  These allow
b03622d
private keys in kernel memory (e.g. the hibernation image signing key) to
b03622d
be read by an eBPF program and kernel memory to be altered without
b03622d
restriction.
b03622d
b03622d
Completely prohibit the use of BPF when the kernel is locked down.
b03622d
b03622d
Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
b03622d
Signed-off-by: David Howells <dhowells@redhat.com>
b03622d
cc: netdev@vger.kernel.org
b03622d
cc: Chun-Yi Lee <jlee@suse.com>
b03622d
cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>
b03622d
---
b03622d
 kernel/bpf/syscall.c | 3 +++
b03622d
 1 file changed, 3 insertions(+)
b03622d
b03622d
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
b03622d
index e24aa3241387..3ea87a004771 100644
b03622d
--- a/kernel/bpf/syscall.c
b03622d
+++ b/kernel/bpf/syscall.c
b03622d
@@ -1848,6 +1848,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz
b03622d
 	if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN))
b03622d
 		return -EPERM;
b03622d
b03622d
+	if (kernel_is_locked_down("BPF"))
b03622d
+		return -EPERM;
b03622d
+
b03622d
 	err = check_uarg_tail_zero(uattr, sizeof(attr), size);
b03622d
 	if (err)
b03622d
 		return err;
b03622d
-- 
b03622d
2.14.3
b03622d
b03622d
From 9d6d6000dffb44cb2269b26eafeb371345bd2297 Mon Sep 17 00:00:00 2001
b03622d
From: David Howells <dhowells@redhat.com>
b03622d
Date: Tue, 27 Feb 2018 10:04:55 +0000
b03622d
Subject: [PATCH 27/31] Lock down perf
b03622d
b03622d
Disallow the use of certain perf facilities that might allow userspace to
b03622d
access kernel data.
b03622d
b03622d
Signed-off-by: David Howells <dhowells@redhat.com>
b03622d
---
b03622d
 kernel/events/core.c | 5 +++++
b03622d
 1 file changed, 5 insertions(+)
b03622d
b03622d
diff --git a/kernel/events/core.c b/kernel/events/core.c
b03622d
index 96db9ae5d5af..1fba021d61d4 100644
b03622d
--- a/kernel/events/core.c
b03622d
+++ b/kernel/events/core.c
b03622d
@@ -9924,6 +9924,11 @@ SYSCALL_DEFINE5(perf_event_open,
b03622d
 			return -EINVAL;
b03622d
 	}
b03622d
b03622d
+	if ((attr.sample_type & PERF_SAMPLE_REGS_INTR) &&
b03622d
+	    kernel_is_locked_down("PERF_SAMPLE_REGS_INTR"))
b03622d
+		/* REGS_INTR can leak data, lockdown must prevent this */
b03622d
+		return -EPERM;
b03622d
+
b03622d
 	/* Only privileged users can get physical addresses */
b03622d
 	if ((attr.sample_type & PERF_SAMPLE_PHYS_ADDR) &&
b03622d
 	    perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN))
b03622d
-- 
b03622d
2.14.3
c75cb4d
b03622d
From 3fc32260515837f4c87cb923513973f1e77ccef9 Mon Sep 17 00:00:00 2001
c75cb4d
From: David Howells <dhowells@redhat.com>
b03622d
Date: Tue, 27 Feb 2018 10:04:55 +0000
b03622d
Subject: [PATCH 28/31] debugfs: Restrict debugfs when the kernel is locked
b03622d
 down
b03622d
b03622d
Disallow opening of debugfs files that might be used to muck around when
b03622d
the kernel is locked down as various drivers give raw access to hardware
b03622d
through debugfs.  Given the effort of auditing all 2000 or so files and
b03622d
manually fixing each one as necessary, I've chosen to apply a heuristic
b03622d
instead.  The following changes are made:
b03622d
b03622d
 (1) chmod and chown are disallowed on debugfs objects (though the root dir
b03622d
     can be modified by mount and remount, but I'm not worried about that).
c75cb4d
b03622d
 (2) When the kernel is locked down, only files with the following criteria
b03622d
     are permitted to be opened:
c75cb4d
b03622d
	- The file must have mode 00444
b03622d
	- The file must not have ioctl methods
b03622d
	- The file must not have mmap
c75cb4d
b03622d
 (3) When the kernel is locked down, files may only be opened for reading.
b03622d
b03622d
Normal device interaction should be done through configfs, sysfs or a
b03622d
miscdev, not debugfs.
c75cb4d
c75cb4d
Note that this makes it unnecessary to specifically lock down show_dsts(),
c75cb4d
show_devs() and show_call() in the asus-wmi driver.
c75cb4d
b03622d
I would actually prefer to lock down all files by default and have the
b03622d
the files unlocked by the creator.  This is tricky to manage correctly,
b03622d
though, as there are 19 creation functions and ~1600 call sites (some of
b03622d
them in loops scanning tables).
b03622d
c75cb4d
Signed-off-by: David Howells <dhowells@redhat.com>
c75cb4d
cc: Andy Shevchenko <andy.shevchenko@gmail.com>
c75cb4d
cc: acpi4asus-user@lists.sourceforge.net
c75cb4d
cc: platform-driver-x86@vger.kernel.org
b03622d
cc: Matthew Garrett <mjg59@srcf.ucam.org>
c75cb4d
cc: Thomas Gleixner <tglx@linutronix.de>
c75cb4d
---
b03622d
 fs/debugfs/file.c  | 28 ++++++++++++++++++++++++++++
b03622d
 fs/debugfs/inode.c | 30 ++++++++++++++++++++++++++++--
b03622d
 2 files changed, 56 insertions(+), 2 deletions(-)
c75cb4d
c75cb4d
diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
b03622d
index 1f99678ff5d3..51cb894c21f2 100644
c75cb4d
--- a/fs/debugfs/file.c
c75cb4d
+++ b/fs/debugfs/file.c
b03622d
@@ -136,6 +136,25 @@ void debugfs_file_put(struct dentry *dentry)
b03622d
 }
b03622d
 EXPORT_SYMBOL_GPL(debugfs_file_put);
b03622d
b03622d
+/*
b03622d
+ * Only permit access to world-readable files when the kernel is locked down.
b03622d
+ * We also need to exclude any file that has ways to write or alter it as root
b03622d
+ * can bypass the permissions check.
b03622d
+ */
b03622d
+static bool debugfs_is_locked_down(struct inode *inode,
b03622d
+				   struct file *filp,
b03622d
+				   const struct file_operations *real_fops)
b03622d
+{
b03622d
+	if ((inode->i_mode & 07777) == 0444 &&
b03622d
+	    !(filp->f_mode & FMODE_WRITE) &&
b03622d
+	    !real_fops->unlocked_ioctl &&
b03622d
+	    !real_fops->compat_ioctl &&
b03622d
+	    !real_fops->mmap)
b03622d
+		return false;
c75cb4d
+
b03622d
+	return kernel_is_locked_down("debugfs");
b03622d
+}
99240ed
+
b03622d
 static int open_proxy_open(struct inode *inode, struct file *filp)
b03622d
 {
b03622d
 	struct dentry *dentry = F_DENTRY(filp);
b03622d
@@ -147,6 +166,11 @@ static int open_proxy_open(struct inode *inode, struct file *filp)
99240ed
 		return r == -EIO ? -ENOENT : r;
b03622d
b03622d
 	real_fops = debugfs_real_fops(filp);
b03622d
+
b03622d
+	r = -EPERM;
b03622d
+	if (debugfs_is_locked_down(inode, filp, real_fops))
b03622d
+		goto out;
c75cb4d
+
b03622d
 	real_fops = fops_get(real_fops);
b03622d
 	if (!real_fops) {
b03622d
 		/* Huh? Module did not clean up after itself at exit? */
b03622d
@@ -272,6 +296,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp)
99240ed
 		return r == -EIO ? -ENOENT : r;
c75cb4d
b03622d
 	real_fops = debugfs_real_fops(filp);
b03622d
+	r = -EPERM;
b03622d
+	if (debugfs_is_locked_down(inode, filp, real_fops))
b03622d
+		goto out;
b03622d
+
b03622d
 	real_fops = fops_get(real_fops);
b03622d
 	if (!real_fops) {
b03622d
 		/* Huh? Module did not cleanup after itself at exit? */
b03622d
diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
b03622d
index 63a998c3f252..ce261e1765ff 100644
b03622d
--- a/fs/debugfs/inode.c
b03622d
+++ b/fs/debugfs/inode.c
b03622d
@@ -32,6 +32,31 @@ static struct vfsmount *debugfs_mount;
b03622d
 static int debugfs_mount_count;
b03622d
 static bool debugfs_registered;
c75cb4d
b03622d
+/*
b03622d
+ * Don't allow access attributes to be changed whilst the kernel is locked down
b03622d
+ * so that we can use the file mode as part of a heuristic to determine whether
b03622d
+ * to lock down individual files.
b03622d
+ */
b03622d
+static int debugfs_setattr(struct dentry *dentry, struct iattr *ia)
b03622d
+{
b03622d
+	if ((ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) &&
b03622d
+	    kernel_is_locked_down("debugfs"))
c75cb4d
+		return -EPERM;
b03622d
+	return simple_setattr(dentry, ia);
b03622d
+}
b03622d
+
b03622d
+static const struct inode_operations debugfs_file_inode_operations = {
b03622d
+	.setattr	= debugfs_setattr,
b03622d
+};
b03622d
+static const struct inode_operations debugfs_dir_inode_operations = {
b03622d
+	.lookup		= simple_lookup,
b03622d
+	.setattr	= debugfs_setattr,
b03622d
+};
b03622d
+static const struct inode_operations debugfs_symlink_inode_operations = {
b03622d
+	.get_link	= simple_get_link,
b03622d
+	.setattr	= debugfs_setattr,
b03622d
+};
b03622d
+