From 0fc411ee00c81b8a18b1417d31f2736fad155d89 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Aug 2013 17:58:15 -0400
Subject: [PATCH 01/14] Add secure_modules() call
Provide a single call to allow kernel code to determine whether the system
has been configured to either disable module loading entirely or to load
only modules signed with a trusted key.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
 include/linux/module.h |  7 +++++++
 kernel/module.c        | 10 ++++++++++
 2 files changed, 17 insertions(+)
diff --git a/include/linux/module.h b/include/linux/module.h
index 05f2447..de97e77 100644
--- a/include/linux/module.h
+++ b/include/linux/module.h
@@ -515,6 +515,8 @@ int unregister_module_notifier(struct notifier_block * nb);
 
 extern void print_modules(void);
 
+extern bool secure_modules(void);
+
 #else /* !CONFIG_MODULES... */
 
 /* Given an address, look for it in the exception tables. */
@@ -625,6 +627,11 @@ static inline int unregister_module_notifier(struct notifier_block * nb)
 static inline void print_modules(void)
 {
 }
+
+static inline bool secure_modules(void)
+{
+	return false;
+}
 #endif /* CONFIG_MODULES */
 
 #ifdef CONFIG_SYSFS
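Review bot: The `!CONFIG_MODULES` stub returns `false`, so on a kernel built without module support every privilege gate the rest of this series hangs on `secure_modules()` (PCI config writes, ioperm/iopl, /dev/mem, MSRs, kexec) stays open, even though such a kernel matches the "module loading disabled entirely" case the commit message describes. If that is intended, say so at the stub, e.g. `/* No module loader at all: the lockdowns keyed on this stay off. */`; if not, the stub should return `true`. Either way the decision is policy rather than plumbing and deserves one line of explanation.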
diff --git a/kernel/module.c b/kernel/module.c
index dc58274..81206c1 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -3860,3 +3860,13 @@ void module_layout(struct module *mod,
 }
 EXPORT_SYMBOL(module_layout);
 #endif
+
+bool secure_modules(void)
+{
+#ifdef CONFIG_MODULE_SIG
+	return (sig_enforce || modules_disabled);
+#else
+	return modules_disabled;
+#endif
+}
+EXPORT_SYMBOL(secure_modules);
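Review bot: `secure_modules()` becomes an exported symbol that every later patch in this series uses as its security predicate, yet it has no kerneldoc at the definition. Propose a block above it describing the contract: it returns true when module loading has been disabled (`modules_disabled`) or, with CONFIG_MODULE_SIG, when only signed modules are accepted (`sig_enforce`), and callers use it to deny userspace paths that could otherwise modify kernel memory. It would also help to state when `sig_enforce` may change after boot, since the reads here are unsynchronised; presumably it is set once early, but that is not visible in this hunk.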
-- 
1.8.3.1
From b94942e55b519e70366e970cea3665c464d1b7da Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Thu, 8 Mar 2012 10:10:38 -0500
Subject: [PATCH 02/14] PCI: Lock down BAR access when module security is
 enabled
Any hardware that can potentially generate DMA has to be locked down from
userspace in order to avoid it being possible for an attacker to modify
kernel code, allowing them to circumvent disabled module loading or module
signing. Default to paranoid - in future we can potentially relax this for
sufficiently IOMMU-isolated devices.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
 drivers/pci/pci-sysfs.c | 10 ++++++++++
 drivers/pci/proc.c      |  8 +++++++-
 drivers/pci/syscall.c   |  3 ++-
 3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
index d8eb880..a851ad6 100644
--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -29,6 +29,7 @@
 #include <linux/slab.h>
 #include <linux/vgaarb.h>
 #include <linux/pm_runtime.h>
+#include <linux/module.h>
 #include "pci.h"
 
 static int sysfs_initialized;	/* = 0 */
@@ -644,6 +645,9 @@ pci_write_config(struct file* filp, struct kobject *kobj,
 	loff_t init_off = off;
 	u8 *data = (u8*) buf;
 
+	if (secure_modules())
+		return -EPERM;
+
 	if (off > dev->cfg_size)
 		return 0;
 	if (off + count > dev->cfg_size) {
@@ -950,6 +954,9 @@ pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
 	resource_size_t start, end;
 	int i;
 
+	if (secure_modules())
+		return -EPERM;
+
 	for (i = 0; i < PCI_ROM_RESOURCE; i++)
 		if (res == &pdev->resource[i])
 			break;
@@ -1057,6 +1064,9 @@ pci_write_resource_io(struct file *filp, struct kobject *kobj,
 		      struct bin_attribute *attr, char *buf,
 		      loff_t off, size_t count)
 {
+	if (secure_modules())
+		return -EPERM;
+
 	return pci_resource_io(filp, kobj, attr, buf, off, count, true);
 }
 
diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
index cdc7836..e3d498b 100644
--- a/drivers/pci/proc.c
+++ b/drivers/pci/proc.c
@@ -117,6 +117,9 @@ proc_bus_pci_write(struct file *file, const char __user *buf, size_t nbytes, lof
 	int size = dev->cfg_size;
 	int cnt;
 
+	if (secure_modules())
+		return -EPERM;
+
 	if (pos >= size)
 		return 0;
 	if (nbytes >= size)
@@ -196,6 +199,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
 #endif /* HAVE_PCI_MMAP */
 	int ret = 0;
 
+	if (secure_modules())
+		return -EPERM;
+
 	switch (cmd) {
 	case PCIIOC_CONTROLLER:
 		ret = pci_domain_nr(dev->bus);
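Review bot: The gate at the top of `proc_bus_pci_ioctl` rejects every command, including `PCIIOC_CONTROLLER`, which as the visible context shows only returns `pci_domain_nr(dev->bus)` and alters no device state. Since the aim is to stop userspace driving DMA-capable hardware, the check fits better inside the mmap-mode cases under `HAVE_PCI_MMAP` (further down, outside this hunk) than ahead of the `switch`, so a locked-down system still answers the informational query. `proc_bus_pci_ioctl` continues past the end of the hunk.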
@@ -234,7 +240,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
 	struct pci_filp_private *fpriv = file->private_data;
 	int i, ret;
 
-	if (!capable(CAP_SYS_RAWIO))
+	if (!capable(CAP_SYS_RAWIO) || secure_modules())
 		return -EPERM;
 
 	/* Make sure the caller is mapping a real resource for this device */
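Review bot: The predicate `!capable(CAP_SYS_RAWIO) || secure_modules()` is now spelled out by hand here, in `pciconfig_write` (drivers/pci/syscall.c) and in `sys_ioperm`/`iopl` (arch/x86/kernel/ioport.c, patch 03), while the pci-sysfs.c hunks use a separate `if (secure_modules()) return -EPERM;` ahead of any capability test. Both shapes work, but mixing them makes later audits of the lockdown surface harder; one helper in module.h, or at least one consistent shape across the series, would keep the policy in a single place. `proc_bus_pci_mmap` continues past the end of the hunk.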
diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
index e1c1ec5..bffbf71 100644
--- a/drivers/pci/syscall.c
+++ b/drivers/pci/syscall.c
@@ -10,6 +10,7 @@
 #include <linux/errno.h>
 #include <linux/pci.h>
 #include <linux/syscalls.h>
+#include <linux/module.h>
 #include <asm/uaccess.h>
 #include "pci.h"
 
@@ -92,7 +93,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
 	u32 dword;
 	int err = 0;
 
-	if (!capable(CAP_SYS_ADMIN))
+	if (!capable(CAP_SYS_ADMIN) || secure_modules())
 		return -EPERM;
 
 	dev = pci_get_bus_and_slot(bus, dfn);
-- 
1.8.3.1
From 36f34509fe52cc49e1b1f6815a3f235040f64a03 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Thu, 8 Mar 2012 10:35:59 -0500
Subject: [PATCH 03/14] x86: Lock down IO port access when module security is
 enabled
IO port access would permit users to gain access to PCI configuration
registers, which in turn (on a lot of hardware) give access to MMIO register
space. This would potentially permit root to trigger arbitrary DMA, so lock
it down by default.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
 arch/x86/kernel/ioport.c | 5 +++--
 drivers/char/mem.c       | 4 ++++
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
index 4ddaf66..00b4403 100644
--- a/arch/x86/kernel/ioport.c
+++ b/arch/x86/kernel/ioport.c
@@ -15,6 +15,7 @@
 #include <linux/thread_info.h>
 #include <linux/syscalls.h>
 #include <linux/bitmap.h>
+#include <linux/module.h>
 #include <asm/syscalls.h>
 
 /*
@@ -28,7 +29,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
 
 	if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
 		return -EINVAL;
-	if (turn_on && !capable(CAP_SYS_RAWIO))
+	if (turn_on && (!capable(CAP_SYS_RAWIO) || secure_modules()))
 		return -EPERM;
 
 	/*
@@ -103,7 +104,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
 		return -EINVAL;
 	/* Trying to gain more privileges? */
 	if (level > old) {
-		if (!capable(CAP_SYS_RAWIO))
+		if (!capable(CAP_SYS_RAWIO) || secure_modules())
 			return -EPERM;
 	}
 	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index f895a8c..1af8664 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -28,6 +28,7 @@
 #include <linux/export.h>
 #include <linux/io.h>
 #include <linux/aio.h>
+#include <linux/module.h>
 
 #include <asm/uaccess.h>
 
@@ -563,6 +564,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
 	unsigned long i = *ppos;
 	const char __user *tmp = buf;
 
+	if (secure_modules())
+		return -EPERM;
+
 	if (!access_ok(VERIFY_READ, buf, count))
 		return -EFAULT;
 	while (count-- > 0 && i < 65536) {
-- 
1.8.3.1
From 67d9800dcf60467e076587b0aac67bcdc516cfe2 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Mar 2012 08:39:37 -0500
Subject: [PATCH 04/14] ACPI: Limit access to custom_method
custom_method effectively allows arbitrary access to system memory, making
it possible for an attacker to circumvent restrictions on module loading.
Disable it if any such restrictions have been enabled.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
 drivers/acpi/custom_method.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
index 12b62f2..50647b3 100644
--- a/drivers/acpi/custom_method.c
+++ b/drivers/acpi/custom_method.c
@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
 	struct acpi_table_header table;
 	acpi_status status;
 
+	if (secure_modules())
+		return -EPERM;
+
 	if (!(*ppos)) {
 		/* parse the table header to get the table length */
 		if (count <= sizeof(struct acpi_table_header))
-- 
1.8.3.1
From bdf3761573167c20c72b151c1088b24fd24869ac Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Mar 2012 08:46:50 -0500
Subject: [PATCH 05/14] asus-wmi: Restrict debugfs interface when module
 loading is restricted
We have no way of validating what all of the Asus WMI methods do on a
given machine, and there's a risk that some will allow hardware state to
be manipulated in such a way that arbitrary code can be executed in the
kernel, circumventing module loading restrictions. Prevent that if any of
these features are enabled.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
 drivers/platform/x86/asus-wmi.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
index 19c313b..db18ef66 100644
--- a/drivers/platform/x86/asus-wmi.c
+++ b/drivers/platform/x86/asus-wmi.c
@@ -1618,6 +1618,9 @@ static int show_dsts(struct seq_file *m, void *data)
 	int err;
 	u32 retval = -1;
 
+	if (secure_modules())
+		return -EPERM;
+
 	err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
 
 	if (err < 0)
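Review bot: `show_dsts` only queries device state through `asus_wmi_get_devstate`, yet it is denied exactly like the two paths that write (`show_devs`) or evaluate an arbitrary method (`show_call`), and nothing in the code says why a read is treated as dangerous. The commit message's reasoning, that these WMI methods cannot be validated and so even a query with a caller-supplied `dev_id` (presumably set through the sibling debugfs files) may have side effects, belongs next to the check, e.g. `/* DSTS with an arbitrary dev_id still hands input to firmware; treat it like a write. */`; otherwise a later cleanup is likely to "relax" the read path. `show_dsts` continues past the end of the hunk.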
@@ -1634,6 +1637,9 @@ static int show_devs(struct seq_file *m, void *data)
 	int err;
 	u32 retval = -1;
 
+	if (secure_modules())
+		return -EPERM;
+
 	err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
 				    &retval);
 
@@ -1658,6 +1664,9 @@ static int show_call(struct seq_file *m, void *data)
 	union acpi_object *obj;
 	acpi_status status;
 
+	if (secure_modules())
+		return -EPERM;
+
 	status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
 				     1, asus->debug.method_id,
 				     &input, &output);
-- 
1.8.3.1
From 65d88af5a2c6bb6d01da17819d8ba782bd208837 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Mar 2012 09:28:15 -0500
Subject: [PATCH 06/14] Restrict /dev/mem and /dev/kmem when module loading is
 restricted
Allowing users to write to address space makes it possible for the kernel
to be subverted, avoiding module loading restrictions. Prevent this when
any restrictions have been imposed on loading modules.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
 drivers/char/mem.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index 1af8664..61406c8 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -159,6 +159,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
 	unsigned long copied;
 	void *ptr;
 
+	if (secure_modules())
+		return -EPERM;
+
 	if (!valid_phys_addr_range(p, count))
 		return -EFAULT;
 
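Review bot: Only `write_mem` and `write_kmem` are gated, but `/dev/mem` can also be mapped with `mmap()`, and a writable mapping reaches physical memory without ever entering `write_mem`; that file operation (`mmap_mem`, not in this hunk) is left untouched, so the commit message's aim of preventing writes to address space is only partly met. Putting the `secure_modules()` check in the device's `open` handler, which read, write and mmap all pass through, would close every path at once and is easier to audit than per-operation checks. The same consideration applies to `write_kmem` in the next hunk. `write_mem` continues past the end of the hunk.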
@@ -497,6 +500,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
 	char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
 	int err = 0;
 
+	if (secure_modules())
+		return -EPERM;
+
 	if (p < (unsigned long) high_memory) {
 		unsigned long to_write = min_t(unsigned long, count,
 					       (unsigned long)high_memory - p);
-- 
1.8.3.1
From 4aa42b7fa5d7f79eb1d179e728ffa561fd9cf354 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Mon, 25 Jun 2012 19:57:30 -0400
Subject: [PATCH 07/14] acpi: Ignore acpi_rsdp kernel parameter when module
 loading is restricted
This option allows userspace to pass the RSDP address to the kernel, which
makes it possible for a user to circumvent any restrictions imposed on
loading modules. Disable it in that case.
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
---
 drivers/acpi/osl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
index e5f416c..9311c00 100644
--- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.c
@@ -45,6 +45,7 @@
 #include <linux/list.h>
 #include <linux/jiffies.h>
 #include <linux/semaphore.h>
+#include <linux/module.h>
 
 #include <asm/io.h>
 #include <asm/uaccess.h>
@@ -249,7 +250,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
 acpi_physical_address __init acpi_os_get_root_pointer(void)
 {
 #ifdef CONFIG_KEXEC
-	if (acpi_rsdp)
+	if (acpi_rsdp && !secure_modules())
 		return acpi_rsdp;
 #endif
 
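Review bot: When `acpi_rsdp` is discarded because `secure_modules()` is set, nothing is logged, so an administrator who passed the parameter only sees ACPI quietly use the firmware-provided pointer instead. A one-line `pr_info("acpi_rsdp= ignored: module loading is restricted\n");` on the rejected branch would make that decision visible in dmesg. Note also that `acpi_os_get_root_pointer` is `__init`, so this relies on the restriction already being in force when the ACPI tables are parsed; patch 11 arranges that ordering in `setup_arch()`, and a comment here saying so would keep the two in step. `acpi_os_get_root_pointer` continues past the end of the hunk.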
-- 
1.8.3.1
From c9e62c2ce588d98a774a3853e56d95e48b9df98c Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Aug 2013 03:33:56 -0400
Subject: [PATCH 08/14] kexec: Disable at runtime if the kernel enforces module
 loading restrictions
kexec permits the loading and execution of arbitrary code in ring 0, which
is something that module signing enforcement is meant to prevent. It makes
sense to disable kexec in this situation.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
 kernel/kexec.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/kernel/kexec.c b/kernel/kexec.c
index 2a74f30..13601e3 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -32,6 +32,7 @@
 #include <linux/vmalloc.h>
 #include <linux/swap.h>
 #include <linux/syscore_ops.h>
+#include <linux/module.h>
 
 #include <asm/page.h>
 #include <asm/uaccess.h>
@@ -943,6 +944,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
 		return -EPERM;
 
 	/*
+	 * kexec can be used to circumvent module loading restrictions, so
+	 * prevent loading in that case
+	 */
+	if (secure_modules())
+		return -EPERM;
+
+	/*
 	 * Verify we have a legal set of flags
 	 * This leaves us room for future extensions.
 	 */
-- 
1.8.3.1
From d0e3cb2c13dc9634849ddacf75b6f0d94147516a Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Tue, 3 Sep 2013 11:23:29 -0400
Subject: [PATCH 09/14] uswsusp: Disable when module loading is restricted
uswsusp allows a user process to dump and then restore kernel state, which
makes it possible to avoid module loading restrictions. Prevent this when
any restrictions have been imposed on loading modules.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
 kernel/power/user.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/kernel/power/user.c b/kernel/power/user.c
index 957f061..e570609d 100644
--- a/kernel/power/user.c
+++ b/kernel/power/user.c
@@ -24,6 +24,7 @@
 #include <linux/console.h>
 #include <linux/cpu.h>
 #include <linux/freezer.h>
+#include <linux/module.h>
 
 #include <asm/uaccess.h>
 
@@ -49,6 +50,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
 	struct snapshot_data *data;
 	int error;
 
+	if (secure_modules())
+		return -EPERM;
+
 	lock_system_sleep();
 
 	if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
-- 
1.8.3.1
From b238417ed3c5a0b21bbfcac84f6c70011b8977c0 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 8 Feb 2013 11:12:13 -0800
Subject: [PATCH 10/14] x86: Restrict MSR access when module loading is
 restricted
Writing to MSRs should not be allowed if module loading is restricted,
since it could lead to execution of arbitrary code in kernel mode. Based
on a patch by Kees Cook.
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
 arch/x86/kernel/msr.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
index 05266b5..e2bd647 100644
--- a/arch/x86/kernel/msr.c
+++ b/arch/x86/kernel/msr.c
@@ -103,6 +103,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
 	int err = 0;
 	ssize_t bytes = 0;
 
+	if (secure_modules())
+		return -EPERM;
+
 	if (count % 8)
 		return -EINVAL;	/* Invalid chunk size */
 
@@ -150,6 +153,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
 			err = -EBADF;
 			break;
 		}
+		if (secure_modules()) {
+			err = -EPERM;
+			break;
+		}
 		if (copy_from_user(&regs, uregs, sizeof regs)) {
 			err = -EFAULT;
 			break;
-- 
1.8.3.1
From c3a9afb3b580b4f721d245fc5d13e378b99b9cd8 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Aug 2013 18:36:30 -0400
Subject: [PATCH 11/14] Add option to automatically enforce module signatures
 when in Secure Boot mode
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
only load signed bootloaders and kernels. Certain use cases may also
require that all kernel modules also be signed. Add a configuration option
that enforces this automatically when enabled.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
 Documentation/x86/zero-page.txt       |  2 ++
 arch/x86/Kconfig                      | 10 ++++++++++
 arch/x86/boot/compressed/eboot.c      | 36 +++++++++++++++++++++++++++++++++++
 arch/x86/include/uapi/asm/bootparam.h |  3 ++-
 arch/x86/kernel/setup.c               |  6 ++++++
 include/linux/module.h                |  6 ++++++
 kernel/module.c                       |  7 +++++++
 7 files changed, 69 insertions(+), 1 deletion(-)
diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
index 199f453..ec38acf 100644
--- a/Documentation/x86/zero-page.txt
+++ b/Documentation/x86/zero-page.txt
@@ -30,6 +30,8 @@ Offset	Proto	Name		Meaning
 1E9/001	ALL	eddbuf_entries	Number of entries in eddbuf (below)
 1EA/001	ALL	edd_mbr_sig_buf_entries	Number of entries in edd_mbr_sig_buffer
 				(below)
+1EB/001	ALL     kbd_status      Numlock is enabled
+1EC/001	ALL     secure_boot	Secure boot is enabled in the firmware
 1EF/001	ALL	sentinel	Used to detect broken bootloaders
 290/040	ALL	edd_mbr_sig_buffer EDD MBR signatures
 2D0/A00	ALL	e820_map	E820 memory map table
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 725e157..fe212ef 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1604,6 +1604,16 @@ config EFI_STUB
 
 	  See Documentation/efi-stub.txt for more information.
 
+config EFI_SECURE_BOOT_SIG_ENFORCE
+        def_bool n
+	prompt "Force module signing when UEFI Secure Boot is enabled"
+	---help---
+	  UEFI Secure Boot provides a mechanism for ensuring that the
+	  firmware will only load signed bootloaders and kernels. Certain
+	  use cases may also require that all kernel modules also be signed.
+	  Say Y here to automatically enable module signature enforcement
+	  when a system boots with UEFI Secure Boot enabled.
+
 config SECCOMP
 	def_bool y
 	prompt "Enable seccomp to safely compute untrusted bytecode"
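Review bot: `def_bool n` is indented with spaces while the `prompt` and help lines below it use tabs, which is inconsistent with the rest of this Kconfig. More importantly the option carries no `depends on MODULE_SIG`: with CONFIG_MODULE_SIG off, `enforce_signed_modules()` resolves to the empty inline stub this same patch adds to include/linux/module.h, so the option could be selected and silently do nothing; `EFI_STUB` is likewise a real prerequisite, since only the stub's `efi_main()` (eboot.c hunk) fills in `boot_params->secure_boot`. Propose `depends on MODULE_SIG && EFI_STUB` under `def_bool n`, and say in the help text that enforcement is only triggered when the kernel is booted through the EFI stub.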
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
index a7677ba..4e172e9 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -12,6 +12,7 @@
 #include <asm/efi.h>
 #include <asm/setup.h>
 #include <asm/desc.h>
+#include <asm/bootparam_utils.h>
 
 #undef memcpy			/* Use memcpy from misc.c */
 
@@ -741,6 +742,37 @@ free_mem_map:
 }
 
 
+static int get_secure_boot(void)
+{
+	u8 sb, setup;
+	unsigned long datasize = sizeof(sb);
+	efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
+	efi_status_t status;
+
+	status = efi_call_phys5(sys_table->runtime->get_variable,
+				L"SecureBoot", &var_guid, NULL, &datasize, &sb);
+
+	if (status != EFI_SUCCESS)
+		return 0;
+
+	if (sb == 0)
+		return 0;
+
+
+	status = efi_call_phys5(sys_table->runtime->get_variable,
+				L"SetupMode", &var_guid, NULL, &datasize,
+				&setup);
+
+	if (status != EFI_SUCCESS)
+		return 0;
+
+	if (setup == 1)
+		return 0;
+
+	return 1;
+}
+
+
 /*
  * On success we return a pointer to a boot_params structure, and NULL
  * on failure.
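Review bot: Every `GetVariable` failure in `get_secure_boot()` is folded into "Secure Boot off", so a firmware that fails the `SecureBoot` read for any reason silently disables the signature enforcement the new option promises — fail-open on a security decision. Only `EFI_NOT_FOUND` really means the platform has no Secure Boot; other statuses deserve at least a distinct return value so `setup_arch()` can log that the state was unknown. Separately, `datasize` is an in/out parameter that the first call overwrites with the size actually returned, so re-initialise it (`datasize = sizeof(setup);`) before the `SetupMode` call rather than relying on the first variable having been exactly one byte. The doubled blank lines before the second call and after the closing brace could also go.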
@@ -760,6 +792,10 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table,
 	if (sys_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE)
 		goto fail;
 
+	sanitize_boot_params(boot_params);
+
+	boot_params->secure_boot = get_secure_boot();
+
 	setup_graphics(boot_params);
 
 	setup_efi_pci(boot_params);
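Review bot: `sanitize_boot_params(boot_params)` is introduced here with no explanation of why the stub now needs it; presumably it is to clear the former `_pad5` bytes a loader may have left non-zero now that `secure_boot` lives there and the kernel trusts that byte, but that wants confirming, since the assignment on the next line overwrites `secure_boot` regardless. A one-line comment above the call stating the actual reason would stop someone later moving or dropping it. `efi_main` starts before and continues past this hunk.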
diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
index 9c3733c..a7ba210 100644
--- a/arch/x86/include/uapi/asm/bootparam.h
+++ b/arch/x86/include/uapi/asm/bootparam.h
@@ -131,7 +131,8 @@ struct boot_params {
 	__u8  eddbuf_entries;				/* 0x1e9 */
 	__u8  edd_mbr_sig_buf_entries;			/* 0x1ea */
 	__u8  kbd_status;				/* 0x1eb */
-	__u8  _pad5[3];					/* 0x1ec */
+	__u8  secure_boot;				/* 0x1ec */
+	__u8  _pad5[2];					/* 0x1ed */
 	/*
 	 * The sentinel is set to a nonzero value (0xff) in header.S.
 	 *
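Review bot: `__u8 secure_boot;` enters a UAPI header with no comment on its meaning, although bootloaders and userspace tools parse this struct and every neighbouring field carries at least its offset. Suggest `__u8  secure_boot;  /* 0x1ec: 1 if the EFI stub found UEFI Secure Boot enabled, 0 otherwise */`, keeping the offset column, plus a matching entry in Documentation/x86/boot.txt. Because the byte is carved out of `_pad5`, a loader that predates this change may leave non-zero garbage there; the sentinel/sanitize mechanism described just below is presumably what guarantees it reads as 0 in that case, and that assumption is worth stating next to the field.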
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index 918d489..fe429c1 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1127,6 +1127,12 @@ void __init setup_arch(char **cmdline_p)
 
 	io_delay_init();
 
+#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
+	if (boot_params.secure_boot) {
+		enforce_signed_modules();
+	}
+#endif
+
 	/*
 	 * Parse the ACPI tables for possible boot-time SMP configuration.
 	 */
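Review bot: The decision to call `enforce_signed_modules()` rests entirely on `boot_params.secure_boot`, a byte supplied by whatever loaded the kernel; a loader that bypasses the EFI stub, or a kernel booted through the legacy boot protocol, leaves it 0 and module signature enforcement is silently skipped even on a Secure Boot machine. That is inherent to the design (the firmware-verified loader is the trust anchor), but it should be said at the call site, e.g. `/* Filled in by the EFI stub from the firmware's SecureBoot/SetupMode variables; trusted only because the loader itself was verified by firmware. */`. Kernel style also drops the braces around a single-statement body: `if (boot_params.secure_boot)` followed by `enforce_signed_modules();`. setup_arch() begins and ends outside this hunk.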
diff --git a/include/linux/module.h b/include/linux/module.h
index de97e77..d69fe19 100644
--- a/include/linux/module.h
+++ b/include/linux/module.h
@@ -190,6 +190,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add);
 
 struct notifier_block;
 
+#ifdef CONFIG_MODULE_SIG
+extern void enforce_signed_modules(void);
+#else
+static inline void enforce_signed_modules(void) {};
+#endif
+
 #ifdef CONFIG_MODULES
 
 extern int modules_disabled; /* for sysctl */
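Review bot: `static inline void enforce_signed_modules(void) {};` has a stray semicolon after the function body; at file scope that is an empty declaration which -Wpedantic reports and kernel style avoids, so write `static inline void enforce_signed_modules(void) { }`. The declarations are also placed before the `#ifdef CONFIG_MODULES` section that follows, making the stub visible in non-modular builds; that is presumably deliberate so setup.c can call it unconditionally, and a one-line comment such as `/* Latches module signature enforcement on; no-op without CONFIG_MODULE_SIG. */` would spare the next reader the question.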
diff --git a/kernel/module.c b/kernel/module.c
index 81206c1..e1428f0 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -3861,6 +3861,13 @@ void module_layout(struct module *mod,
 EXPORT_SYMBOL(module_layout);
 #endif
 
+#ifdef CONFIG_MODULE_SIG
+void enforce_signed_modules(void)
+{
+	sig_enforce = true;
+}
+#endif
+
 bool secure_modules(void)
 {
 #ifdef CONFIG_MODULE_SIG
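Review bot: `enforce_signed_modules()` is not marked `__init` although its only visible caller is `setup_arch()`, which is `__init` in the setup.c hunk of this series, so the function stays resident after boot for no reason; unless a non-init caller is planned, make it `void __init enforce_signed_modules(void)`. It is also a one-way latch with no inverse and no log message, which is the right shape for a security switch but deserves a comment, e.g. `/* One-way: once set here, sig_enforce is never cleared again. */`. Since `sig_enforce` is defined outside this hunk, confirm that its module parameter is not writable from userspace at runtime, otherwise the latch could be undone after boot. secure_modules() and the surrounding file continue outside this hunk.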
-- 
1.8.3.1
From 27a1aa77c7fbaaae8c6a776190a38dcbf3c3d6d2 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Tue, 5 Feb 2013 19:25:05 -0500
Subject: [PATCH 12/14] efi: Disable secure boot if shim is in insecure mode
A user can manually tell the shim boot loader to disable validation of
images it loads.  When a user does this, shim creates a UEFI variable called
MokSBState that does not have the runtime attribute set.  Given that the
user explicitly disabled validation, we can honor that and not enable
secure boot mode if that variable is set.
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
---
 arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
index 4e172e9..4905f4d 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -744,8 +744,9 @@ free_mem_map:
 
 static int get_secure_boot(void)
 {
-	u8 sb, setup;
+	u8 sb, setup, moksbstate;
 	unsigned long datasize = sizeof(sb);
+	u32 attr;
 	efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
 	efi_status_t status;
 
@@ -769,6 +770,23 @@ static int get_secure_boot(void)
 	if (setup == 1)
 		return 0;
 
+	/* See if a user has put shim into insecure_mode.  If so, and the variable
+	 * doesn't have the runtime attribute set, we might as well honor that.
+	 */
+	var_guid = EFI_SHIM_LOCK_GUID;
+	status = efi_call_phys5(sys_table->runtime->get_variable,
+				L"MokSBState", &var_guid, &attr, &datasize,
+				&moksbstate);
+
+	/* If it fails, we don't care why.  Default to secure */
+	if (status != EFI_SUCCESS)
+		return 1;
+
+	if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
+		if (moksbstate == 1)
+			return 0;
+	}
+
 	return 1;
 }
 
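Review bot: The `attr & EFI_VARIABLE_RUNTIME_ACCESS` test is the entire security argument of this hunk and the comment above it only half explains it: a runtime-accessible variable could have been written by root from the running OS through efivars, so honouring it would let anyone with root turn module enforcement off for the next boot, whereas a boot-services-only variable can (per the UEFI SetVariable rules) only have been created before ExitBootServices, i.e. by shim. Suggest replacing the comment with `/* Only honour MokSBState if it is NOT runtime-accessible: a boot-services-only variable can only have been set by shim before the OS ran, whereas a runtime-writable one could be planted by root from Linux. */`. Separately, `datasize` is carried over from the SecureBoot/SetupMode reads, which works only because all three variables are one byte; reset it with `datasize = sizeof(moksbstate);` before the call so a later change cannot silently break it. Only the exact value 1 disables enforcement and any other content is treated as secure, which is the safe direction and could be stated too. get_secure_boot() begins outside this hunk.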
-- 
1.8.3.1
From 2a445ca2c187da4497ef5f68f111574fd2b0d419 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 27 Aug 2013 13:28:43 -0400
Subject: [PATCH 13/14] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
The functionality of the config option is dependent upon the platform being
UEFI based.  Reflect this in the config deps.
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
---
 arch/x86/Kconfig | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index fe212ef..bf83fd3 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1605,7 +1605,8 @@ config EFI_STUB
 	  See Documentation/efi-stub.txt for more information.
 
 config EFI_SECURE_BOOT_SIG_ENFORCE
-        def_bool n
+	def_bool n
+	depends on EFI
 	prompt "Force module signing when UEFI Secure Boot is enabled"
 	---help---
 	  UEFI Secure Boot provides a mechanism for ensuring that the
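Review bot: `depends on EFI` still allows this option without CONFIG_MODULE_SIG, in which case `enforce_signed_modules()` resolves to the empty inline stub in include/linux/module.h and the "Force module signing" prompt silently does nothing; make it `depends on EFI && MODULE_SIG` (or `select MODULE_SIG`) so the option cannot be enabled in a configuration where it has no effect. The indentation fix on the `def_bool n` line is fine but unrelated to the dependency change and would normally travel in its own patch.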
-- 
1.8.3.1
From b1c533cc1d1ca7a03497cc4f2e1b029bde95633c Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 27 Aug 2013 13:33:03 -0400
Subject: [PATCH 14/14] efi: Add EFI_SECURE_BOOT bit
UEFI machines can be booted in Secure Boot mode.  Add a EFI_SECURE_BOOT bit
for use with efi_enabled.
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
---
 arch/x86/kernel/setup.c | 2 ++
 include/linux/efi.h     | 1 +
 2 files changed, 3 insertions(+)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index fe429c1..469fbf0 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1129,7 +1129,9 @@ void __init setup_arch(char **cmdline_p)
 
 #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
 	if (boot_params.secure_boot) {
+		set_bit(EFI_SECURE_BOOT, &x86_efi_facility);
 		enforce_signed_modules();
+		pr_info("Secure boot enabled\n");
 	}
 #endif
 
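Review bot: `set_bit(EFI_SECURE_BOOT, &x86_efi_facility);` sits inside `#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE`, so the new facility bit — which the commit message presents as a general flag for efi_enabled() — is never set on kernels built without the signature-enforcement option, and any other consumer of efi_enabled(EFI_SECURE_BOOT) will see "not secure boot" on such a kernel even when the firmware says otherwise. Record the firmware state whenever EFI support is built in (x86_efi_facility presumably lives in the EFI platform code, so it needs CONFIG_EFI) and let only the enforcement action depend on the Kconfig option, as below. setup_arch() begins and ends outside this hunk.
```c
#ifdef CONFIG_EFI
	if (boot_params.secure_boot) {
		set_bit(EFI_SECURE_BOOT, &x86_efi_facility);
		pr_info("Secure boot enabled\n");
	}
#endif
#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
	if (boot_params.secure_boot)
		enforce_signed_modules();
#endif
```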
diff --git a/include/linux/efi.h b/include/linux/efi.h
index bc5687d..b010a2e 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -653,6 +653,7 @@ extern int __init efi_setup_pcdp_console(char *);
 #define EFI_RUNTIME_SERVICES	3	/* Can we use runtime services? */
 #define EFI_MEMMAP		4	/* Can we use EFI memory map? */
 #define EFI_64BIT		5	/* Is the firmware 64-bit? */
+#define EFI_SECURE_BOOT		6 /* Are we in Secure Boot mode? */
 
 #ifdef CONFIG_EFI
 # ifdef CONFIG_X86
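Review bot: The new `#define EFI_SECURE_BOOT 6 /* Are we in Secure Boot mode? */` breaks the tab-aligned comment column used by the five entries above it; pad the value and comment with tabs like the neighbours so the table stays readable. The comment also promises more than the setup.c hunk of this series delivers, since the bit is only set under CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE there; either qualify it, e.g. `/* Firmware reported Secure Boot on (set in setup_arch) */`, or set the bit unconditionally so the wording is true.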
-- 
1.8.3.1