Bugzilla: N/A
Upstream-status: Fedora mustard.  Replaced by securelevels, but that was nak'd
From 0f81a4461431941c17ff26fd3d5e284ede4a368a Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Aug 2013 17:58:15 -0400
Subject: [PATCH 01/14] Add secure_modules() call
Provide a single call to allow kernel code to determine whether the system
has been configured to either disable module loading entirely or to load
only modules signed with a trusted key.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
 include/linux/module.h |  7 +++++++
 kernel/module.c        | 10 ++++++++++
 2 files changed, 17 insertions(+)
diff --git a/include/linux/module.h b/include/linux/module.h
index f520a767c86c..fc9b54eb779e 100644
--- a/include/linux/module.h
+++ b/include/linux/module.h
@@ -509,6 +509,8 @@ int unregister_module_notifier(struct notifier_block *nb);
 
 extern void print_modules(void);
 
+extern bool secure_modules(void);
+
 #else /* !CONFIG_MODULES... */
 
 /* Given an address, look for it in the exception tables. */
@@ -619,6 +621,11 @@ static inline int unregister_module_notifier(struct notifier_block *nb)
 static inline void print_modules(void)
 {
 }
+
+static inline bool secure_modules(void)
+{
+	return false;
+}
 #endif /* CONFIG_MODULES */
 
 #ifdef CONFIG_SYSFS
diff --git a/kernel/module.c b/kernel/module.c
index 11869408f79b..2b9204fe055f 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -3835,3 +3835,13 @@ void module_layout(struct module *mod,
 }
 EXPORT_SYMBOL(module_layout);
 #endif
+
+bool secure_modules(void)
+{
+#ifdef CONFIG_MODULE_SIG
+	return (sig_enforce || modules_disabled);
+#else
+	return modules_disabled;
+#endif
+}
+EXPORT_SYMBOL(secure_modules);
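Review bot: secure_modules() is exported as a new cross-tree API without a kerneldoc comment, and the rest of this series gates hardware access on it, so its contract should be written down above the definition. The comment should state that it returns true when module loading is disabled outright (`modules_disabled`) or, with CONFIG_MODULE_SIG, when only signed modules may be loaded (`sig_enforce`), and that it reflects current runtime state, which can flip from false to true after boot (for instance via the kernel.modules_disabled sysctl) without revoking access that callers have already granted. Consider also whether EXPORT_SYMBOL_GPL is the intended export for a policy hook of this kind.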
-- 
1.8.5.3
From 806c4ee0e6484b529b88b3d0ceb49f6edf96ae11 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Thu, 8 Mar 2012 10:10:38 -0500
Subject: [PATCH 02/14] PCI: Lock down BAR access when module security is
 enabled
Any hardware that can potentially generate DMA has to be locked down from
userspace in order to avoid it being possible for an attacker to modify
kernel code, allowing them to circumvent disabled module loading or module
signing. Default to paranoid - in future we can potentially relax this for
sufficiently IOMMU-isolated devices.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
 drivers/pci/pci-sysfs.c | 10 ++++++++++
 drivers/pci/proc.c      |  8 +++++++-
 drivers/pci/syscall.c   |  3 ++-
 3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
index 4e0acefb7565..01b56d13d021 100644
--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -29,6 +29,7 @@
 #include <linux/slab.h>
 #include <linux/vgaarb.h>
 #include <linux/pm_runtime.h>
+#include <linux/module.h>
 #include "pci.h"
 
 static int sysfs_initialized;	/* = 0 */
@@ -652,6 +653,9 @@ pci_write_config(struct file* filp, struct kobject *kobj,
 	loff_t init_off = off;
 	u8 *data = (u8*) buf;
 
+	if (secure_modules())
+		return -EPERM;
+
 	if (off > dev->cfg_size)
 		return 0;
 	if (off + count > dev->cfg_size) {
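Review bot: The new `secure_modules()` gate in pci_write_config carries no comment saying why a caller that already passed the sysfs permission model is refused with -EPERM, and the identical three lines are repeated in the pci_mmap_resource and pci_write_resource_io hunks below and again in drivers/pci/proc.c. A one-line comment at each site, or a small static helper shared by the three sysfs callers, e.g. `/* Config/BAR writes can program DMA engines and so bypass module signing; refuse them while module loading is restricted */`, keeps the intent visible to the next reader. pci_write_config's body continues outside the hunk.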
@@ -958,6 +962,9 @@ pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
 	resource_size_t start, end;
 	int i;
 
+	if (secure_modules())
+		return -EPERM;
+
 	for (i = 0; i < PCI_ROM_RESOURCE; i++)
 		if (res == &pdev->resource[i])
 			break;
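Review bot: The gate in pci_mmap_resource refuses every mapping of a BAR, including read-only ones, because it runs before the resource lookup and never consults `vma->vm_flags & VM_WRITE`. That may well be intended, since MMIO reads can have side effects and the commit message says the default is paranoid, but it also stops userspace drivers that only read registers, so the decision deserves a comment such as `/* Read-only BAR mappings are refused too: MMIO reads can have side effects */`, or a `VM_WRITE` test if read-only mappings are acceptable. pci_mmap_resource's body continues outside the hunk.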
@@ -1065,6 +1072,9 @@ pci_write_resource_io(struct file *filp, struct kobject *kobj,
 		      struct bin_attribute *attr, char *buf,
 		      loff_t off, size_t count)
 {
+	if (secure_modules())
+		return -EPERM;
+
 	return pci_resource_io(filp, kobj, attr, buf, off, count, true);
 }
 
diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
index 46d1378f2e9e..294fe7b34af0 100644
--- a/drivers/pci/proc.c
+++ b/drivers/pci/proc.c
@@ -117,6 +117,9 @@ proc_bus_pci_write(struct file *file, const char __user *buf, size_t nbytes, lof
 	int size = dev->cfg_size;
 	int cnt;
 
+	if (secure_modules())
+		return -EPERM;
+
 	if (pos >= size)
 		return 0;
 	if (nbytes >= size)
@@ -196,6 +199,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
 #endif /* HAVE_PCI_MMAP */
 	int ret = 0;
 
+	if (secure_modules())
+		return -EPERM;
+
 	switch (cmd) {
 	case PCIIOC_CONTROLLER:
 		ret = pci_domain_nr(dev->bus);
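Review bot: Placing the `secure_modules()` check ahead of `switch (cmd)` in proc_bus_pci_ioctl also refuses PCIIOC_CONTROLLER, which only reports `pci_domain_nr(dev->bus)` and grants no hardware access; only the mmap-mode-setting commands later in the switch are relevant to the threat the commit message describes. Moving the check into those cases, or placing it after the PCIIOC_CONTROLLER case, would keep the informational query working under lockdown. The switch continues outside the hunk.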
@@ -234,7 +240,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
 	struct pci_filp_private *fpriv = file->private_data;
 	int i, ret;
 
-	if (!capable(CAP_SYS_RAWIO))
+	if (!capable(CAP_SYS_RAWIO) || secure_modules())
 		return -EPERM;
 
 	/* Make sure the caller is mapping a real resource for this device */
diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
index 24750a1b39b6..fa57896b97dd 100644
--- a/drivers/pci/syscall.c
+++ b/drivers/pci/syscall.c
@@ -10,6 +10,7 @@
 #include <linux/errno.h>
 #include <linux/pci.h>
 #include <linux/syscalls.h>
+#include <linux/module.h>
 #include <asm/uaccess.h>
 #include "pci.h"
 
@@ -92,7 +93,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
 	u32 dword;
 	int err = 0;
 
-	if (!capable(CAP_SYS_ADMIN))
+	if (!capable(CAP_SYS_ADMIN) || secure_modules())
 		return -EPERM;
 
 	dev = pci_get_bus_and_slot(bus, dfn);
-- 
1.8.5.3
From 16ee82e2add8684e374451e6ba34be3ee41e4ef1 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Thu, 8 Mar 2012 10:35:59 -0500
Subject: [PATCH 03/14] x86: Lock down IO port access when module security is
 enabled
IO port access would permit users to gain access to PCI configuration
registers, which in turn (on a lot of hardware) give access to MMIO register
space. This would potentially permit root to trigger arbitrary DMA, so lock
it down by default.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
 arch/x86/kernel/ioport.c | 5 +++--
 drivers/char/mem.c       | 4 ++++
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
index 4ddaf66ea35f..00b440307419 100644
--- a/arch/x86/kernel/ioport.c
+++ b/arch/x86/kernel/ioport.c
@@ -15,6 +15,7 @@
 #include <linux/thread_info.h>
 #include <linux/syscalls.h>
 #include <linux/bitmap.h>
+#include <linux/module.h>
 #include <asm/syscalls.h>
 
 /*
@@ -28,7 +29,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
 
 	if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
 		return -EINVAL;
-	if (turn_on && !capable(CAP_SYS_RAWIO))
+	if (turn_on && (!capable(CAP_SYS_RAWIO) || secure_modules()))
 		return -EPERM;
 
 	/*
@@ -103,7 +104,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
 		return -EINVAL;
 	/* Trying to gain more privileges? */
 	if (level > old) {
-		if (!capable(CAP_SYS_RAWIO))
+		if (!capable(CAP_SYS_RAWIO) || secure_modules())
 			return -EPERM;
 	}
 	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index 917403fe10da..cdf839f9defe 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -27,6 +27,7 @@
 #include <linux/export.h>
 #include <linux/io.h>
 #include <linux/aio.h>
+#include <linux/module.h>
 
 #include <asm/uaccess.h>
 
@@ -568,6 +569,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
 	unsigned long i = *ppos;
 	const char __user *tmp = buf;
 
+	if (secure_modules())
+		return -EPERM;
+
 	if (!access_ok(VERIFY_READ, buf, count))
 		return -EFAULT;
 	while (count-- > 0 && i < 65536) {
-- 
1.8.5.3
From 2fd4b35393b19cde87e4770d3b85d12760e72f6a Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Mar 2012 08:39:37 -0500
Subject: [PATCH 04/14] ACPI: Limit access to custom_method
custom_method effectively allows arbitrary access to system memory, making
it possible for an attacker to circumvent restrictions on module loading.
Disable it if any such restrictions have been enabled.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
 drivers/acpi/custom_method.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
index c68e72414a67..4277938af700 100644
--- a/drivers/acpi/custom_method.c
+++ b/drivers/acpi/custom_method.c
@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
 	struct acpi_table_header table;
 	acpi_status status;
 
+	if (secure_modules())
+		return -EPERM;
+
 	if (!(*ppos)) {
 		/* parse the table header to get the table length */
 		if (count <= sizeof(struct acpi_table_header))
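Review bot: Unlike the other files touched by this series, no `#include <linux/module.h>` is added here, so the hunk relies on drivers/acpi/custom_method.c already including the header that declares secure_modules(); that is probably true (the file likely carries MODULE_LICENSE), but it is worth confirming, since an implicit declaration would break the build. The check is evaluated on every write() chunk, which is right because the restriction can be enabled at runtime, but cm_write's multi-chunk upload state lives outside the hunk and should be left consistent when -EPERM is returned midway through an upload. cm_write's body continues outside the hunk.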
-- 
1.8.5.3
From 543d64276237adb782ec30a5dab67d0b21afc1d4 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Mar 2012 08:46:50 -0500
Subject: [PATCH 05/14] asus-wmi: Restrict debugfs interface when module
 loading is restricted
We have no way of validating what all of the Asus WMI methods do on a
given machine, and there's a risk that some will allow hardware state to
be manipulated in such a way that arbitrary code can be executed in the
kernel, circumventing module loading restrictions. Prevent that if any of
these features are enabled.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
 drivers/platform/x86/asus-wmi.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
index c5e082fb82fa..03c57fc8de8a 100644
--- a/drivers/platform/x86/asus-wmi.c
+++ b/drivers/platform/x86/asus-wmi.c
@@ -1595,6 +1595,9 @@ static int show_dsts(struct seq_file *m, void *data)
 	int err;
 	u32 retval = -1;
 
+	if (secure_modules())
+		return -EPERM;
+
 	err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
 
 	if (err < 0)
@@ -1611,6 +1614,9 @@ static int show_devs(struct seq_file *m, void *data)
 	int err;
 	u32 retval = -1;
 
+	if (secure_modules())
+		return -EPERM;
+
 	err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
 				    &retval);
 
@@ -1635,6 +1641,9 @@ static int show_call(struct seq_file *m, void *data)
 	union acpi_object *obj;
 	acpi_status status;
 
+	if (secure_modules())
+		return -EPERM;
+
 	status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
 				     1, asus->debug.method_id,
 				     &input, &output);
-- 
1.8.5.3
From 6e2fec5547b597c43ca72e34729b8a402660a7c1 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Mar 2012 09:28:15 -0500
Subject: [PATCH 06/14] Restrict /dev/mem and /dev/kmem when module loading is
 restricted
Allowing users to write to address space makes it possible for the kernel
to be subverted, avoiding module loading restrictions. Prevent this when
any restrictions have been imposed on loading modules.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
 drivers/char/mem.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index cdf839f9defe..c63cf93b00eb 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -164,6 +164,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
 	if (p != *ppos)
 		return -EFBIG;
 
+	if (secure_modules())
+		return -EPERM;
+
 	if (!valid_phys_addr_range(p, count))
 		return -EFAULT;
 
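Review bot: The `secure_modules()` gate is added to write_mem (and, in the next hunk, write_kmem), but the mmap path of the same device, mmap_mem, is not in this diffstat, and a writable mapping of /dev/mem reaches the same physical memory that a write() would. Unless a later patch in the series covers it, the same check belongs in mmap_mem (and mmap_kmem), at least for mappings with `VM_WRITE` set; otherwise the restriction described in the commit message applies only to the write() path. write_mem's body continues outside the hunk.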
@@ -502,6 +505,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
 	char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
 	int err = 0;
 
+	if (secure_modules())
+		return -EPERM;
+
 	if (p < (unsigned long) high_memory) {
 		unsigned long to_write = min_t(unsigned long, count,
 					       (unsigned long)high_memory - p);
-- 
1.8.5.3
From 358cea0a54f726fa61839b411f3f54284d4588bf Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Mon, 25 Jun 2012 19:57:30 -0400
Subject: [PATCH 07/14] acpi: Ignore acpi_rsdp kernel parameter when module
 loading is restricted
This option allows userspace to pass the RSDP address to the kernel, which
makes it possible for a user to circumvent any restrictions imposed on
loading modules. Disable it in that case.
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
---
 drivers/acpi/osl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
index f7fd72ac69cf..ccdae1c8c386 100644
--- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.c
@@ -44,6 +44,7 @@
 #include <linux/list.h>
 #include <linux/jiffies.h>
 #include <linux/semaphore.h>
+#include <linux/module.h>
 
 #include <asm/io.h>
 #include <asm/uaccess.h>
@@ -244,7 +245,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
 acpi_physical_address __init acpi_os_get_root_pointer(void)
 {
 #ifdef CONFIG_KEXEC
-	if (acpi_rsdp)
+	if (acpi_rsdp && !secure_modules())
 		return acpi_rsdp;
 #endif
 
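Review bot: `!secure_modules()` here reads runtime state, yet acpi_os_get_root_pointer() is first called from setup_arch() during ACPI table discovery, before regular module parameters such as a command-line `module.sig_enforce=1` have been applied, so for that configuration the acpi_rsdp override would presumably still be honoured. The Secure Boot path added later in this series calls enforce_signed_modules() inside setup_arch() just before ACPI table parsing, which is what makes this check effective there; a comment stating that ordering dependency, e.g. `/* Only effective once enforce_signed_modules() has run; see setup_arch() */`, would keep a future reorder from silently breaking it. The function body continues outside the hunk.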
-- 
1.8.5.3
From 89751b3ad4dea7cf5b806cd14126dd70657a9148 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Aug 2013 03:33:56 -0400
Subject: [PATCH 08/14] kexec: Disable at runtime if the kernel enforces module
 loading restrictions
kexec permits the loading and execution of arbitrary code in ring 0, which
is something that module signing enforcement is meant to prevent. It makes
sense to disable kexec in this situation.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
 kernel/kexec.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/kernel/kexec.c b/kernel/kexec.c
index c8380ad203bc..e6eb239f567a 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -33,6 +33,7 @@
 #include <linux/swap.h>
 #include <linux/syscore_ops.h>
 #include <linux/compiler.h>
+#include <linux/module.h>
 
 #include <asm/page.h>
 #include <asm/uaccess.h>
@@ -948,6 +949,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
 		return -EPERM;
 
 	/*
+	 * kexec can be used to circumvent module loading restrictions, so
+	 * prevent loading in that case
+	 */
+	if (secure_modules())
+		return -EPERM;
+
+	/*
 	 * Verify we have a legal set of flags
 	 * This leaves us room for future extensions.
 	 */
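Review bot: The new `secure_modules()` check sits before the flags validation, so it also refuses an unload request (`nr_segments == 0`), which removes rather than loads code; allowing that case, e.g. `if (secure_modules() && nr_segments)`, would let an administrator drop an already-loaded image under lockdown. Since the restriction can be enabled at runtime, an image loaded before that moment also stays executable through the reboot path, which the commit message does not mention and a comment here could. kexec_load's body continues outside the hunk.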
-- 
1.8.5.3
From 31174421a7103571a1c3faf7ba27d4045e5fbc18 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Tue, 3 Sep 2013 11:23:29 -0400
Subject: [PATCH 09/14] uswsusp: Disable when module loading is restricted
uswsusp allows a user process to dump and then restore kernel state, which
makes it possible to avoid module loading restrictions. Prevent this when
any restrictions have been imposed on loading modules.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
 kernel/power/user.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/kernel/power/user.c b/kernel/power/user.c
index 98d357584cd6..efe99dee9510 100644
--- a/kernel/power/user.c
+++ b/kernel/power/user.c
@@ -24,6 +24,7 @@
 #include <linux/console.h>
 #include <linux/cpu.h>
 #include <linux/freezer.h>
+#include <linux/module.h>
 
 #include <asm/uaccess.h>
 
@@ -49,6 +50,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
 	struct snapshot_data *data;
 	int error;
 
+	if (secure_modules())
+		return -EPERM;
+
 	lock_system_sleep();
 
 	if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
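Review bot: The gate in snapshot_open refuses the device for both access modes, so dumping a hibernation image (O_RDONLY) is blocked along with restoring one, which is the write path the commit message identifies as the risk. If only restore is the concern, the check could be narrowed to `if (secure_modules() && (filp->f_flags & O_ACCMODE) != O_RDONLY)`; if exposing kernel memory to a snapshot reader is also meant to be prevented, a one-line comment saying so would be enough. snapshot_open's body continues outside the hunk.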
-- 
1.8.5.3
From ea5cf8801db979fa7d5f90ab3faf72eb22490f9b Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 8 Feb 2013 11:12:13 -0800
Subject: [PATCH 10/14] x86: Restrict MSR access when module loading is
 restricted
Writing to MSRs should not be allowed if module loading is restricted,
since it could lead to execution of arbitrary code in kernel mode. Based
on a patch by Kees Cook.
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
 arch/x86/kernel/msr.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
index c9603ac80de5..8bef43fc3f40 100644
--- a/arch/x86/kernel/msr.c
+++ b/arch/x86/kernel/msr.c
@@ -103,6 +103,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
 	int err = 0;
 	ssize_t bytes = 0;
 
+	if (secure_modules())
+		return -EPERM;
+
 	if (count % 8)
 		return -EINVAL;	/* Invalid chunk size */
 
@@ -150,6 +153,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
 			err = -EBADF;
 			break;
 		}
+		if (secure_modules()) {
+			err = -EPERM;
+			break;
+		}
 		if (copy_from_user(&regs, uregs, sizeof regs)) {
 			err = -EFAULT;
 			break;
-- 
1.8.5.3
From 2985684ff78972bde7ebf1e295b52afd9bea29e0 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Aug 2013 18:36:30 -0400
Subject: [PATCH 11/14] Add option to automatically enforce module signatures
 when in Secure Boot mode
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
only load signed bootloaders and kernels. Certain use cases may also
require that all kernel modules also be signed. Add a configuration option
that enforces this automatically when enabled.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
 Documentation/x86/zero-page.txt       |  2 ++
 arch/x86/Kconfig                      | 10 ++++++++++
 arch/x86/boot/compressed/eboot.c      | 36 +++++++++++++++++++++++++++++++++++
 arch/x86/include/uapi/asm/bootparam.h |  3 ++-
 arch/x86/kernel/setup.c               |  6 ++++++
 include/linux/module.h                |  6 ++++++
 kernel/module.c                       |  7 +++++++
 7 files changed, 69 insertions(+), 1 deletion(-)
diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
index 199f453cb4de..ec38acf00b40 100644
--- a/Documentation/x86/zero-page.txt
+++ b/Documentation/x86/zero-page.txt
@@ -30,6 +30,8 @@ Offset	Proto	Name		Meaning
 1E9/001	ALL	eddbuf_entries	Number of entries in eddbuf (below)
 1EA/001	ALL	edd_mbr_sig_buf_entries	Number of entries in edd_mbr_sig_buffer
 				(below)
+1EB/001	ALL     kbd_status      Numlock is enabled
+1EC/001	ALL     secure_boot	Secure boot is enabled in the firmware
 1EF/001	ALL	sentinel	Used to detect broken bootloaders
 290/040	ALL	edd_mbr_sig_buffer EDD MBR signatures
 2D0/A00	ALL	e820_map	E820 memory map table
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 5b8ec0f53b57..085d5eb36361 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1534,6 +1534,16 @@ config EFI_MIXED
 
 	   If unsure, say N.
 
+config EFI_SECURE_BOOT_SIG_ENFORCE
+        def_bool n
+	prompt "Force module signing when UEFI Secure Boot is enabled"
+	---help---
+	  UEFI Secure Boot provides a mechanism for ensuring that the
+	  firmware will only load signed bootloaders and kernels. Certain
+	  use cases may also require that all kernel modules also be signed.
+	  Say Y here to automatically enable module signature enforcement
+	  when a system boots with UEFI Secure Boot enabled.
+
 config SECCOMP
 	def_bool y
 	prompt "Enable seccomp to safely compute untrusted bytecode"
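Review bot: The `def_bool n` line of the new EFI_SECURE_BOOT_SIG_ENFORCE entry is indented with spaces while the neighbouring `prompt` and `---help---` lines use a tab, which is inconsistent with the surrounding Kconfig style; it should be a single leading tab. The option also has no `depends on MODULE_SIG`, although enforce_signed_modules() is presumably only meaningful when module signature checking is built in, so the symbol can currently be enabled to no effect. The help text should also say that the secure_boot flag is only filled in by the EFI stub (efi_main), so boot paths that bypass it leave the flag 0 and no enforcement happens.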
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
index 1e6146137f8e..b00745ff398a 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -12,6 +12,7 @@
 #include <asm/efi.h>
 #include <asm/setup.h>
 #include <asm/desc.h>
+#include <asm/bootparam_utils.h>
 
 #undef memcpy			/* Use memcpy from misc.c */
 
@@ -809,6 +810,37 @@ out:
 	return status;
 }
 
+static int get_secure_boot(void)
+{
+	u8 sb, setup;
+	unsigned long datasize = sizeof(sb);
+	efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
+	efi_status_t status;
+
+	status = efi_call_phys5(sys_table->runtime->get_variable,
+				L"SecureBoot", &var_guid, NULL, &datasize, &sb);
+
+	if (status != EFI_SUCCESS)
+		return 0;
+
+	if (sb == 0)
+		return 0;
+
+
+	status = efi_call_phys5(sys_table->runtime->get_variable,
+				L"SetupMode", &var_guid, NULL, &datasize,
+				&setup);
+
+	if (status != EFI_SUCCESS)
+		return 0;
+
+	if (setup == 1)
+		return 0;
+
+	return 1;
+}
+
+
 /*
  * See if we have Graphics Output Protocol
  */
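Review bot: `datasize` is handed to the second get_variable call in get_secure_boot without being reset: the first call overwrites it with the number of bytes the firmware actually returned, so the SetupMode read only works because both variables happen to be one byte. Add `datasize = sizeof(setup);` before the second call, and treat a returned size other than 1 as a failure rather than trusting a partially written `sb`/`setup`. Note also that every failure path returns 0,so a GetVariable error is indistinguishable from "Secure Boot off" (fail-open), which may be acceptable but deserves a comment stating it; the double blank lines after the `sb == 0` test and after the closing brace should be collapsed to one.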
@@ -1372,6 +1404,10 @@ struct boot_params *efi_main(struct efi_config *c,
Josh Boyer fbff9ed
 	else
Josh Boyer fbff9ed
 		setup_boot_services32(efi_early);
Josh Boyer c9d9c5a
 
Josh Boyer d7ee6f3
+	sanitize_boot_params(boot_params);
Josh Boyer d7ee6f3
+
Josh Boyer d7ee6f3
+	boot_params->secure_boot = get_secure_boot();
Josh Boyer c9d9c5a
+
Josh Boyer c9d9c5a
 	setup_graphics(boot_params);
Josh Boyer c9d9c5a
 
Josh Boyer c9d9c5a
 	setup_efi_pci(boot_params);
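Review bot: The new sanitize_boot_params(boot_params) call at the top of the hunk carries no comment saying why it must run before the secure_boot assignment; given the sentinel comment in the bootparam.h hunk, it is presumably there to clear padding that older boot loaders leave uninitialised, including the byte that is now secure_boot, so a stale value never survives. I would add `/* Clear stale padding first: secure_boot lives in what used to be _pad5 */` above it, after confirming sanitize_boot_params covers that region. efi_main() starts and ends outside the hunk.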
Josh Boyer c9d9c5a
diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
Josh Boyer fbff9ed
index 225b0988043a..90dbfb73e11f 100644
Josh Boyer c9d9c5a
--- a/arch/x86/include/uapi/asm/bootparam.h
Josh Boyer c9d9c5a
+++ b/arch/x86/include/uapi/asm/bootparam.h
05892a5
@@ -133,7 +133,8 @@ struct boot_params {
Josh Boyer c9d9c5a
 	__u8  eddbuf_entries;				/* 0x1e9 */
Josh Boyer c9d9c5a
 	__u8  edd_mbr_sig_buf_entries;			/* 0x1ea */
Josh Boyer c9d9c5a
 	__u8  kbd_status;				/* 0x1eb */
Josh Boyer c9d9c5a
-	__u8  _pad5[3];					/* 0x1ec */
Josh Boyer c9d9c5a
+	__u8  secure_boot;				/* 0x1ec */
Josh Boyer d7ee6f3
+	__u8  _pad5[2];					/* 0x1ed */
Josh Boyer c9d9c5a
 	/*
Josh Boyer c9d9c5a
 	 * The sentinel is set to a nonzero value (0xff) in header.S.
Josh Boyer c9d9c5a
 	 *
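Review bot: The new uapi field secure_boot has no comment on its values, and this header is the ABI contract boot loaders program against, so `/* 0x1ec */` alone is not enough. I would write `__u8  secure_boot;	/* 0x1ec: 1 if the EFI stub found UEFI Secure Boot enabled (and not setup mode), else 0 */`, which is what get_secure_boot(), the only producer visible here, computes. The byte was previously _pad5, which older boot loaders do not necessarily zero, so consumers depend on the sentinel-marked region being sanitized before the field is read.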
Josh Boyer c9d9c5a
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
Josh Boyer 700baa3
index 09c76d265550..5a61d732fd5c 100644
Josh Boyer c9d9c5a
--- a/arch/x86/kernel/setup.c
Josh Boyer c9d9c5a
+++ b/arch/x86/kernel/setup.c
Josh Boyer 700baa3
@@ -1142,6 +1142,12 @@ void __init setup_arch(char **cmdline_p)
Josh Boyer c9d9c5a
 
Josh Boyer c9d9c5a
 	io_delay_init();
Josh Boyer c9d9c5a
 
Josh Boyer c9d9c5a
+#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
Josh Boyer c9d9c5a
+	if (boot_params.secure_boot) {
Josh Boyer c9d9c5a
+		enforce_signed_modules();
Josh Boyer c9d9c5a
+	}
Josh Boyer c9d9c5a
+#endif
Josh Boyer c9d9c5a
+
Josh Boyer c9d9c5a
 	/*
Josh Boyer c9d9c5a
 	 * Parse the ACPI tables for possible boot-time SMP configuration.
Josh Boyer c9d9c5a
 	 */
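Review bot: The enforcement decision in this hunk trusts boot_params.secure_boot as delivered by whatever boot loader ran, with no check that the kernel was actually entered through the EFI stub that sets it; the field reuses a former padding byte, so without sanitization a legacy loader could hand the kernel either value. This is fail-closed (a stray non-zero enables enforcement rather than disables it), but the assumption should be stated, e.g. `/* secure_boot is set by the EFI stub (get_secure_boot) and is only meaningful for EFI boots */` above the #ifdef. Kernel style also omits the braces around the single `enforce_signed_modules();` statement. setup_arch() starts and ends outside the hunk.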
Josh Boyer c9d9c5a
diff --git a/include/linux/module.h b/include/linux/module.h
Josh Boyer 700baa3
index fc9b54eb779e..7377bc851461 100644
Josh Boyer c9d9c5a
--- a/include/linux/module.h
Josh Boyer c9d9c5a
+++ b/include/linux/module.h
Josh Boyer 700baa3
@@ -188,6 +188,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add);
Josh Boyer c9d9c5a
 
Josh Boyer c9d9c5a
 struct notifier_block;
Josh Boyer c9d9c5a
 
Josh Boyer c9d9c5a
+#ifdef CONFIG_MODULE_SIG
Josh Boyer c9d9c5a
+extern void enforce_signed_modules(void);
Josh Boyer c9d9c5a
+#else
Josh Boyer c9d9c5a
+static inline void enforce_signed_modules(void) {};
Josh Boyer c9d9c5a
+#endif
Josh Boyer c9d9c5a
+
Josh Boyer c9d9c5a
 #ifdef CONFIG_MODULES
Josh Boyer c9d9c5a
 
Josh Boyer c9d9c5a
 extern int modules_disabled; /* for sysctl */
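Review bot: The !CONFIG_MODULE_SIG stub `static inline void enforce_signed_modules(void) {};` has a stray semicolon after the function body, which is an empty declaration at file scope that pedantic builds warn about; it should read `static inline void enforce_signed_modules(void) {}`. The prototype would also benefit from a one-line comment saying who calls it and what it does, e.g. `/* Make module signature verification mandatory for the rest of this boot (no-op without CONFIG_MODULE_SIG). */`.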
Josh Boyer c9d9c5a
diff --git a/kernel/module.c b/kernel/module.c
Josh Boyer 700baa3
index 2b9204fe055f..2b8cc2d57c16 100644
Josh Boyer c9d9c5a
--- a/kernel/module.c
Josh Boyer c9d9c5a
+++ b/kernel/module.c
Josh Boyer 700baa3
@@ -3836,6 +3836,13 @@ void module_layout(struct module *mod,
Josh Boyer c9d9c5a
 EXPORT_SYMBOL(module_layout);
Josh Boyer c9d9c5a
 #endif
Josh Boyer c9d9c5a
 
Josh Boyer c9d9c5a
+#ifdef CONFIG_MODULE_SIG
Josh Boyer c9d9c5a
+void enforce_signed_modules(void)
Josh Boyer c9d9c5a
+{
Josh Boyer c9d9c5a
+	sig_enforce = true;
Josh Boyer c9d9c5a
+}
Josh Boyer c9d9c5a
+#endif
Josh Boyer c9d9c5a
+
Josh Boyer c9d9c5a
 bool secure_modules(void)
Josh Boyer c9d9c5a
 {
Josh Boyer c9d9c5a
 #ifdef CONFIG_MODULE_SIG
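Review bot: enforce_signed_modules() sets sig_enforce unconditionally with no comment, and nothing in the hunk says what guarantees the value cannot be cleared again later in the boot; sig_enforce is declared outside the hunk, so I cannot tell from here whether it is also exposed as a writable parameter. If it is, its parameter ops should be enable-only so that this early decision is sticky. I would add `/* Called from setup_arch() when firmware reports Secure Boot; makes module signature verification mandatory from here on. */` above the function.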
Josh Boyer c9d9c5a
-- 
Josh Boyer fbff9ed
1.8.5.3
Josh Boyer c9d9c5a
Josh Boyer c9d9c5a
Josh Boyer 700baa3
From b2e4ea728ccab2befbd5fe1bd834881a7dd8f34b Mon Sep 17 00:00:00 2001
Josh Boyer c9d9c5a
From: Josh Boyer <jwboyer@redhat.com>
Josh Boyer c9d9c5a
Date: Tue, 5 Feb 2013 19:25:05 -0500
Josh Boyer d7ee6f3
Subject: [PATCH 12/14] efi: Disable secure boot if shim is in insecure mode
Josh Boyer c9d9c5a
Josh Boyer c9d9c5a
A user can manually tell the shim boot loader to disable validation of
Josh Boyer c9d9c5a
images it loads.  When a user does this, it creates a UEFI variable called
Josh Boyer c9d9c5a
MokSBState that does not have the runtime attribute set.  Given that the
Josh Boyer c9d9c5a
user explicitly disabled validation, we can honor that and not enable
Josh Boyer c9d9c5a
secure boot mode if that variable is set.
Josh Boyer c9d9c5a
Josh Boyer c9d9c5a
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
Josh Boyer c9d9c5a
---
Josh Boyer c9d9c5a
 arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++-
Josh Boyer c9d9c5a
 1 file changed, 19 insertions(+), 1 deletion(-)
Josh Boyer c9d9c5a
Josh Boyer c9d9c5a
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
Josh Boyer fbff9ed
index b00745ff398a..bf42cc5f083d 100644
Josh Boyer c9d9c5a
--- a/arch/x86/boot/compressed/eboot.c
Josh Boyer c9d9c5a
+++ b/arch/x86/boot/compressed/eboot.c
Josh Boyer fbff9ed
@@ -812,8 +812,9 @@ out:
Josh Boyer c9d9c5a
 
Josh Boyer d7ee6f3
 static int get_secure_boot(void)
Josh Boyer c9d9c5a
 {
Josh Boyer c9d9c5a
-	u8 sb, setup;
Josh Boyer c9d9c5a
+	u8 sb, setup, moksbstate;
Josh Boyer c9d9c5a
 	unsigned long datasize = sizeof(sb);
Josh Boyer c9d9c5a
+	u32 attr;
Josh Boyer c9d9c5a
 	efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
Josh Boyer c9d9c5a
 	efi_status_t status;
Josh Boyer c9d9c5a
 
Josh Boyer fbff9ed
@@ -837,6 +838,23 @@ static int get_secure_boot(void)
Josh Boyer c9d9c5a
 	if (setup == 1)
Josh Boyer c9d9c5a
 		return 0;
Josh Boyer c9d9c5a
 
Josh Boyer c9d9c5a
+	/* See if a user has put shim into insecure_mode.  If so, and the variable
Josh Boyer c9d9c5a
+	 * doesn't have the runtime attribute set, we might as well honor that.
Josh Boyer c9d9c5a
+	 */
Josh Boyer c9d9c5a
+	var_guid = EFI_SHIM_LOCK_GUID;
Josh Boyer c9d9c5a
+	status = efi_call_phys5(sys_table->runtime->get_variable,
Josh Boyer c9d9c5a
+				L"MokSBState", &var_guid, &attr, &datasize,
Josh Boyer c9d9c5a
+				&moksbstate);
Josh Boyer c9d9c5a
+
Josh Boyer c9d9c5a
+	/* If it fails, we don't care why.  Default to secure */
Josh Boyer c9d9c5a
+	if (status != EFI_SUCCESS)
Josh Boyer c9d9c5a
+		return 1;
Josh Boyer c9d9c5a
+
Josh Boyer c9d9c5a
+	if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
Josh Boyer c9d9c5a
+		if (moksbstate == 1)
Josh Boyer c9d9c5a
+			return 0;
Josh Boyer c9d9c5a
+	}
Josh Boyer c9d9c5a
+
Josh Boyer c9d9c5a
 	return 1;
Josh Boyer c9d9c5a
 }
Josh Boyer c9d9c5a
 
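Review bot: The new comment explains what is read but not why the EFI_VARIABLE_RUNTIME_ACCESS test is the security-relevant part: a MokSBState variable carrying the runtime attribute could have been created from the running OS rather than by shim, so only a boot-services-only variable is accepted as the user's decision. I would extend the comment with `A copy that has the runtime attribute could have been written from the OS rather than by shim, so it is not trusted.` datasize is again reused from the previous reads without reset (see the get_secure_boot hunk in the earlier patch), while `attr` is only read after a successful call, which the early `return 1` guarantees. Defaulting to secure on read failure is the right fail-closed choice.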
Josh Boyer c9d9c5a
-- 
Josh Boyer fbff9ed
1.8.5.3
Josh Boyer c9d9c5a
Josh Boyer c9d9c5a
Josh Boyer 700baa3
From fb418c682d01c447d30b5591a591fdbf33b1334e Mon Sep 17 00:00:00 2001
Josh Boyer c9d9c5a
From: Josh Boyer <jwboyer@fedoraproject.org>
Josh Boyer c9d9c5a
Date: Tue, 27 Aug 2013 13:28:43 -0400
Josh Boyer d7ee6f3
Subject: [PATCH 13/14] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
Josh Boyer c9d9c5a
Josh Boyer c9d9c5a
The functionality of the config option is dependent upon the platform being
Josh Boyer c9d9c5a
UEFI based.  Reflect this in the config deps.
Josh Boyer c9d9c5a
Josh Boyer c9d9c5a
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Josh Boyer c9d9c5a
---
Josh Boyer c9d9c5a
 arch/x86/Kconfig | 3 ++-
Josh Boyer c9d9c5a
 1 file changed, 2 insertions(+), 1 deletion(-)
Josh Boyer c9d9c5a
Josh Boyer c9d9c5a
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
Josh Boyer 700baa3
index 085d5eb36361..3e8d398a976d 100644
Josh Boyer c9d9c5a
--- a/arch/x86/Kconfig
Josh Boyer c9d9c5a
+++ b/arch/x86/Kconfig
Josh Boyer 700baa3
@@ -1535,7 +1535,8 @@ config EFI_MIXED
Josh Boyer fbff9ed
 	   If unsure, say N.
Josh Boyer c9d9c5a
 
Josh Boyer c9d9c5a
 config EFI_SECURE_BOOT_SIG_ENFORCE
Josh Boyer c9d9c5a
-        def_bool n
Josh Boyer c9d9c5a
+	def_bool n
Josh Boyer c9d9c5a
+	depends on EFI
Josh Boyer c9d9c5a
 	prompt "Force module signing when UEFI Secure Boot is enabled"
Josh Boyer c9d9c5a
 	---help---
Josh Boyer c9d9c5a
 	  UEFI Secure Boot provides a mechanism for ensuring that the
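Review bot: `depends on EFI` still lets the option be enabled without CONFIG_MODULE_SIG, in which case enforce_signed_modules() is the empty inline stub from the module.h hunk of the earlier patch and the prompt "Force module signing when UEFI Secure Boot is enabled" promises enforcement that cannot happen. I would make that explicit, `depends on EFI && MODULE_SIG`, or state in the help text that the option is a no-op without module signing support.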
Josh Boyer c9d9c5a
-- 
Josh Boyer fbff9ed
1.8.5.3
Josh Boyer c9d9c5a
Josh Boyer c9d9c5a
Josh Boyer 700baa3
From 87bf357dd4589cfca043ec4b641b912a088b1234 Mon Sep 17 00:00:00 2001
Josh Boyer c9d9c5a
From: Josh Boyer <jwboyer@fedoraproject.org>
Josh Boyer c9d9c5a
Date: Tue, 27 Aug 2013 13:33:03 -0400
Josh Boyer d7ee6f3
Subject: [PATCH 14/14] efi: Add EFI_SECURE_BOOT bit
Josh Boyer c9d9c5a
Josh Boyer c9d9c5a
UEFI machines can be booted in Secure Boot mode.  Add an EFI_SECURE_BOOT bit
Josh Boyer c9d9c5a
for use with efi_enabled.
Josh Boyer c9d9c5a
Josh Boyer c9d9c5a
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Josh Boyer c9d9c5a
---
Josh Boyer c9d9c5a
 arch/x86/kernel/setup.c | 2 ++
Josh Boyer c9d9c5a
 include/linux/efi.h     | 1 +
Josh Boyer c9d9c5a
 2 files changed, 3 insertions(+)
Josh Boyer c9d9c5a
Josh Boyer c9d9c5a
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
Josh Boyer 700baa3
index 5a61d732fd5c..23fe9bf3c401 100644
Josh Boyer c9d9c5a
--- a/arch/x86/kernel/setup.c
Josh Boyer c9d9c5a
+++ b/arch/x86/kernel/setup.c
Josh Boyer 700baa3
@@ -1144,7 +1144,9 @@ void __init setup_arch(char **cmdline_p)
Josh Boyer c9d9c5a
 
Josh Boyer c9d9c5a
 #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
Josh Boyer c9d9c5a
 	if (boot_params.secure_boot) {
Josh Boyer fbff9ed
+		set_bit(EFI_SECURE_BOOT, &efi.flags);
Josh Boyer c9d9c5a
 		enforce_signed_modules();
Josh Boyer c9d9c5a
+		pr_info("Secure boot enabled\n");
Josh Boyer c9d9c5a
 	}
Josh Boyer c9d9c5a
 #endif
Josh Boyer c9d9c5a
 
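Review bot: `set_bit(EFI_SECURE_BOOT, &efi.flags)` sits inside `#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE`, so the flag the commit introduces "for use with efi_enabled" is only ever set on kernels built with that option; any other consumer of efi_enabled(EFI_SECURE_BOOT) would see it clear on a Secure Boot system. Recording the firmware state and enforcing module signing are separate decisions, so I would set the bit (and print the message) whenever secure_boot is reported and keep only the enforcement call under the config. The `efi` object is presumably only available under CONFIG_EFI, so the outer guard below should be confirmed against the rest of setup.c, which is outside the hunk.
```c
#ifdef CONFIG_EFI
	if (boot_params.secure_boot) {
		set_bit(EFI_SECURE_BOOT, &efi.flags);
		pr_info("Secure boot enabled\n");
#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
		enforce_signed_modules();
#endif
	}
#endif
```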
Josh Boyer c9d9c5a
diff --git a/include/linux/efi.h b/include/linux/efi.h
Josh Boyer fbff9ed
index 6c100ff0cae4..3a77a70fff27 100644
Josh Boyer c9d9c5a
--- a/include/linux/efi.h
Josh Boyer c9d9c5a
+++ b/include/linux/efi.h
Josh Boyer fbff9ed
@@ -899,6 +899,7 @@ extern int __init efi_setup_pcdp_console(char *);
Josh Boyer c9d9c5a
 #define EFI_MEMMAP		4	/* Can we use EFI memory map? */
Josh Boyer c9d9c5a
 #define EFI_64BIT		5	/* Is the firmware 64-bit? */
05892a5
 #define EFI_ARCH_1		6	/* First arch-specific bit */
05892a5
+#define EFI_SECURE_BOOT		7 /* Are we in Secure Boot mode? */
Josh Boyer c9d9c5a
 
Josh Boyer c9d9c5a
 #ifdef CONFIG_EFI
Josh Boyer fbff9ed
 /*
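Review bot: The new define's trailing comment is separated by a single space where the neighbouring lines use a tab, so the comment column no longer lines up; `#define EFI_SECURE_BOOT		7	/* Are we in Secure Boot mode? */` matches the surrounding style. Since the bit is meant to be read through efi_enabled(), the comment could also name the setter, e.g. `/* Firmware reported Secure Boot (set in setup_arch) */`.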
Josh Boyer c9d9c5a
-- 
Josh Boyer fbff9ed
1.8.5.3
Josh Boyer c9d9c5a