diff options
Diffstat (limited to 'freed-ora/tags/f27/4.15.9-300.fc27.gnu/efi-lockdown.patch')
| -rw-r--r-- | freed-ora/tags/f27/4.15.9-300.fc27.gnu/efi-lockdown.patch | 1713 |
1 files changed, 1713 insertions, 0 deletions
diff --git a/freed-ora/tags/f27/4.15.9-300.fc27.gnu/efi-lockdown.patch b/freed-ora/tags/f27/4.15.9-300.fc27.gnu/efi-lockdown.patch new file mode 100644 index 000000000..c99d85c12 --- /dev/null +++ b/freed-ora/tags/f27/4.15.9-300.fc27.gnu/efi-lockdown.patch @@ -0,0 +1,1713 @@ +From 646ac5c07196bc3680e34188e55c8cc3565f65e7 Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Wed, 24 May 2017 14:56:00 +0100 +Subject: [PATCH 01/26] Add the ability to lock down access to the running + kernel image + +Provide a single call to allow kernel code to determine whether the system +should be locked down, thereby disallowing various accesses that might +allow the running kernel image to be changed including the loading of +modules that aren't validly signed with a key we recognise, fiddling with +MSR registers and disallowing hibernation, + +Signed-off-by: David Howells <dhowells@redhat.com> +Acked-by: James Morris <james.l.morris@oracle.com> +--- + include/linux/kernel.h | 17 ++++++++++++++ + include/linux/security.h | 8 +++++++ + security/Kconfig | 8 +++++++ + security/Makefile | 3 +++ + security/lock_down.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++ + 5 files changed, 96 insertions(+) + create mode 100644 security/lock_down.c + +diff --git a/include/linux/kernel.h b/include/linux/kernel.h +index 0ad4c3044cf9..362da2e4bf53 100644 +--- a/include/linux/kernel.h ++++ b/include/linux/kernel.h +@@ -287,6 +287,23 @@ static inline void refcount_error_report(struct pt_regs *regs, const char *err) + { } + #endif + ++#ifdef CONFIG_LOCK_DOWN_KERNEL ++extern bool __kernel_is_locked_down(const char *what, bool first); ++#else ++static inline bool __kernel_is_locked_down(const char *what, bool first) ++{ ++ return false; ++} ++#endif ++ ++#define kernel_is_locked_down(what) \ ++ ({ \ ++ static bool message_given; \ ++ bool locked_down = __kernel_is_locked_down(what, !message_given); \ ++ message_given = true; \ ++ locked_down; \ ++ }) ++ + /* Internal, do not use. */ + int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res); + int __must_check _kstrtol(const char *s, unsigned int base, long *res); +diff --git a/include/linux/security.h b/include/linux/security.h +index ce6265960d6c..310775476b68 100644 +--- a/include/linux/security.h ++++ b/include/linux/security.h +@@ -1753,5 +1753,13 @@ static inline void free_secdata(void *secdata) + { } + #endif /* CONFIG_SECURITY */ + ++#ifdef CONFIG_LOCK_DOWN_KERNEL ++extern void __init init_lockdown(void); ++#else ++static inline void __init init_lockdown(void) ++{ ++} ++#endif ++ + #endif /* ! __LINUX_SECURITY_H */ + +diff --git a/security/Kconfig b/security/Kconfig +index e8e449444e65..8e01fd59ae7e 100644 +--- a/security/Kconfig ++++ b/security/Kconfig +@@ -205,6 +205,14 @@ config STATIC_USERMODEHELPER_PATH + If you wish for all usermode helper programs to be disabled, + specify an empty string here (i.e. ""). + ++config LOCK_DOWN_KERNEL ++ bool "Allow the kernel to be 'locked down'" ++ help ++ Allow the kernel to be locked down under certain circumstances, for ++ instance if UEFI secure boot is enabled. Locking down the kernel ++ turns off various features that might otherwise allow access to the ++ kernel image (eg. setting MSR registers). ++ + source security/selinux/Kconfig + source security/smack/Kconfig + source security/tomoyo/Kconfig +diff --git a/security/Makefile b/security/Makefile +index f2d71cdb8e19..8c4a43e3d4e0 100644 +--- a/security/Makefile ++++ b/security/Makefile +@@ -29,3 +29,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o + # Object integrity file lists + subdir-$(CONFIG_INTEGRITY) += integrity + obj-$(CONFIG_INTEGRITY) += integrity/ ++ ++# Allow the kernel to be locked down ++obj-$(CONFIG_LOCK_DOWN_KERNEL) += lock_down.o +diff --git a/security/lock_down.c b/security/lock_down.c +new file mode 100644 +index 000000000000..d8595c0e6673 +--- /dev/null ++++ b/security/lock_down.c +@@ -0,0 +1,60 @@ ++/* Lock down the kernel ++ * ++ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved. ++ * Written by David Howells (dhowells@redhat.com) ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public Licence ++ * as published by the Free Software Foundation; either version ++ * 2 of the Licence, or (at your option) any later version. ++ */ ++ ++#include <linux/security.h> ++#include <linux/export.h> ++ ++static __ro_after_init bool kernel_locked_down; ++ ++/* ++ * Put the kernel into lock-down mode. ++ */ ++static void __init lock_kernel_down(const char *where) ++{ ++ if (!kernel_locked_down) { ++ kernel_locked_down = true; ++ pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n", ++ where); ++ } ++} ++ ++static int __init lockdown_param(char *ignored) ++{ ++ lock_kernel_down("command line"); ++ return 0; ++} ++ ++early_param("lockdown", lockdown_param); ++ ++/* ++ * Lock the kernel down from very early in the arch setup. This must happen ++ * prior to things like ACPI being initialised. ++ */ ++void __init init_lockdown(void) ++{ ++#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT ++ if (efi_enabled(EFI_SECURE_BOOT)) ++ lock_kernel_down("EFI secure boot"); ++#endif ++} ++ ++/** ++ * kernel_is_locked_down - Find out if the kernel is locked down ++ * @what: Tag to use in notice generated if lockdown is in effect ++ */ ++bool __kernel_is_locked_down(const char *what, bool first) ++{ ++ if (what && first && kernel_locked_down) ++ pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", ++ what); ++ return kernel_locked_down; ++} ++EXPORT_SYMBOL(__kernel_is_locked_down); +-- +2.13.6 + +From 2c46467f43bc54324de5474a8355f98c692309e4 Mon Sep 17 00:00:00 2001 +From: Kyle McMartin <kyle@redhat.com> +Date: Wed, 18 Oct 2017 14:02:25 +0100 +Subject: [PATCH 02/26] Add a SysRq option to lift kernel lockdown + +Make an option to provide a sysrq key that will lift the kernel lockdown, +thereby allowing the running kernel image to be accessed and modified. + +On x86_64 this is triggered with SysRq+x, but this key may not be available +on all arches, so it is set by setting LOCKDOWN_LIFT_KEY in asm/setup.h. + +Signed-off-by: Kyle McMartin <kyle@redhat.com> +Signed-off-by: David Howells <dhowells@redhat.com> +cc: x86@kernel.org +--- + arch/x86/include/asm/setup.h | 2 ++ + drivers/input/misc/uinput.c | 1 + + drivers/tty/sysrq.c | 19 ++++++++++++------ + include/linux/input.h | 5 +++++ + include/linux/sysrq.h | 8 +++++++- + kernel/debug/kdb/kdb_main.c | 2 +- + security/Kconfig | 8 ++++++++ + security/lock_down.c | 47 ++++++++++++++++++++++++++++++++++++++++++++ + 8 files changed, 84 insertions(+), 8 deletions(-) + +diff --git a/arch/x86/include/asm/setup.h b/arch/x86/include/asm/setup.h +index a65cf544686a..863f77582c09 100644 +--- a/arch/x86/include/asm/setup.h ++++ b/arch/x86/include/asm/setup.h +@@ -8,6 +8,8 @@ + #include <linux/linkage.h> + #include <asm/page_types.h> + ++#define LOCKDOWN_LIFT_KEY 'x' ++ + #ifdef __i386__ + + #include <linux/pfn.h> +diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c +index 39ddd9a73feb..0afeef1672bc 100644 +--- a/drivers/input/misc/uinput.c ++++ b/drivers/input/misc/uinput.c +@@ -362,6 +362,7 @@ static int uinput_create_device(struct uinput_device *udev) + dev->flush = uinput_dev_flush; + } + ++ dev->flags |= INPUTDEV_FLAGS_SYNTHETIC; + dev->event = uinput_dev_event; + + input_set_drvdata(udev->dev, udev); +diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c +index 3ffc1ce29023..8b766dbad6dd 100644 +--- a/drivers/tty/sysrq.c ++++ b/drivers/tty/sysrq.c +@@ -481,6 +481,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = { + /* x: May be registered on mips for TLB dump */ + /* x: May be registered on ppc/powerpc for xmon */ + /* x: May be registered on sparc64 for global PMU dump */ ++ /* x: May be registered on x86_64 for disabling secure boot */ + NULL, /* x */ + /* y: May be registered on sparc64 for global register dump */ + NULL, /* y */ +@@ -524,7 +525,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p) + sysrq_key_table[i] = op_p; + } + +-void __handle_sysrq(int key, bool check_mask) ++void __handle_sysrq(int key, unsigned int from) + { + struct sysrq_key_op *op_p; + int orig_log_level; +@@ -544,11 +545,15 @@ void __handle_sysrq(int key, bool check_mask) + + op_p = __sysrq_get_key_op(key); + if (op_p) { ++ /* Ban synthetic events from some sysrq functionality */ ++ if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) && ++ op_p->enable_mask & SYSRQ_DISABLE_USERSPACE) ++ printk("This sysrq operation is disabled from userspace.\n"); + /* + * Should we check for enabled operations (/proc/sysrq-trigger + * should not) and is the invoked operation enabled? + */ +- if (!check_mask || sysrq_on_mask(op_p->enable_mask)) { ++ if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) { + pr_cont("%s\n", op_p->action_msg); + console_loglevel = orig_log_level; + op_p->handler(key); +@@ -580,7 +585,7 @@ void __handle_sysrq(int key, bool check_mask) + void handle_sysrq(int key) + { + if (sysrq_on()) +- __handle_sysrq(key, true); ++ __handle_sysrq(key, SYSRQ_FROM_KERNEL); + } + EXPORT_SYMBOL(handle_sysrq); + +@@ -661,7 +666,7 @@ static void sysrq_do_reset(unsigned long _state) + static void sysrq_handle_reset_request(struct sysrq_state *state) + { + if (state->reset_requested) +- __handle_sysrq(sysrq_xlate[KEY_B], false); ++ __handle_sysrq(sysrq_xlate[KEY_B], SYSRQ_FROM_KERNEL); + + if (sysrq_reset_downtime_ms) + mod_timer(&state->keyreset_timer, +@@ -812,8 +817,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq, + + default: + if (sysrq->active && value && value != 2) { ++ int from = sysrq->handle.dev->flags & INPUTDEV_FLAGS_SYNTHETIC ? ++ SYSRQ_FROM_SYNTHETIC : 0; + sysrq->need_reinject = false; +- __handle_sysrq(sysrq_xlate[code], true); ++ __handle_sysrq(sysrq_xlate[code], from); + } + break; + } +@@ -1097,7 +1104,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf, + + if (get_user(c, buf)) + return -EFAULT; +- __handle_sysrq(c, false); ++ __handle_sysrq(c, SYSRQ_FROM_PROC); + } + + return count; +diff --git a/include/linux/input.h b/include/linux/input.h +index fb5e23c7ed98..9d2b45a21ade 100644 +--- a/include/linux/input.h ++++ b/include/linux/input.h +@@ -42,6 +42,7 @@ struct input_value { + * @phys: physical path to the device in the system hierarchy + * @uniq: unique identification code for the device (if device has it) + * @id: id of the device (struct input_id) ++ * @flags: input device flags (SYNTHETIC, etc.) + * @propbit: bitmap of device properties and quirks + * @evbit: bitmap of types of events supported by the device (EV_KEY, + * EV_REL, etc.) +@@ -124,6 +125,8 @@ struct input_dev { + const char *uniq; + struct input_id id; + ++ unsigned int flags; ++ + unsigned long propbit[BITS_TO_LONGS(INPUT_PROP_CNT)]; + + unsigned long evbit[BITS_TO_LONGS(EV_CNT)]; +@@ -190,6 +193,8 @@ struct input_dev { + }; + #define to_input_dev(d) container_of(d, struct input_dev, dev) + ++#define INPUTDEV_FLAGS_SYNTHETIC 0x000000001 ++ + /* + * Verify that we are in sync with input_device_id mod_devicetable.h #defines + */ +diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h +index 387fa7d05c98..f7c52a9ea394 100644 +--- a/include/linux/sysrq.h ++++ b/include/linux/sysrq.h +@@ -28,6 +28,8 @@ + #define SYSRQ_ENABLE_BOOT 0x0080 + #define SYSRQ_ENABLE_RTNICE 0x0100 + ++#define SYSRQ_DISABLE_USERSPACE 0x00010000 ++ + struct sysrq_key_op { + void (*handler)(int); + char *help_msg; +@@ -42,8 +44,12 @@ struct sysrq_key_op { + * are available -- else NULL's). + */ + ++#define SYSRQ_FROM_KERNEL 0x0001 ++#define SYSRQ_FROM_PROC 0x0002 ++#define SYSRQ_FROM_SYNTHETIC 0x0004 ++ + void handle_sysrq(int key); +-void __handle_sysrq(int key, bool check_mask); ++void __handle_sysrq(int key, unsigned int from); + int register_sysrq_key(int key, struct sysrq_key_op *op); + int unregister_sysrq_key(int key, struct sysrq_key_op *op); + struct sysrq_key_op *__sysrq_get_key_op(int key); +diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c +index c8146d53ca67..b480cadf9272 100644 +--- a/kernel/debug/kdb/kdb_main.c ++++ b/kernel/debug/kdb/kdb_main.c +@@ -1970,7 +1970,7 @@ static int kdb_sr(int argc, const char **argv) + return KDB_ARGCOUNT; + + kdb_trap_printk++; +- __handle_sysrq(*argv[1], check_mask); ++ __handle_sysrq(*argv[1], check_mask ? SYSRQ_FROM_KERNEL : 0); + kdb_trap_printk--; + + return 0; +diff --git a/security/Kconfig b/security/Kconfig +index 8e01fd59ae7e..453cc89c198a 100644 +--- a/security/Kconfig ++++ b/security/Kconfig +@@ -213,6 +213,14 @@ config LOCK_DOWN_KERNEL + turns off various features that might otherwise allow access to the + kernel image (eg. setting MSR registers). + ++config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ ++ bool "Allow the kernel lockdown to be lifted by SysRq" ++ depends on LOCK_DOWN_KERNEL && MAGIC_SYSRQ ++ help ++ Allow the lockdown on a kernel to be lifted, by pressing a SysRq key ++ combination on a wired keyboard. ++ ++ + source security/selinux/Kconfig + source security/smack/Kconfig + source security/tomoyo/Kconfig +diff --git a/security/lock_down.c b/security/lock_down.c +index d8595c0e6673..2c6b00f0c229 100644 +--- a/security/lock_down.c ++++ b/security/lock_down.c +@@ -11,8 +11,14 @@ + + #include <linux/security.h> + #include <linux/export.h> ++#include <linux/sysrq.h> ++#include <asm/setup.h> + ++#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ ++static __read_mostly bool kernel_locked_down; ++#else + static __ro_after_init bool kernel_locked_down; ++#endif + + /* + * Put the kernel into lock-down mode. +@@ -58,3 +64,44 @@ bool __kernel_is_locked_down(const char *what, bool first) + return kernel_locked_down; + } + EXPORT_SYMBOL(__kernel_is_locked_down); ++ ++#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ ++ ++/* ++ * Take the kernel out of lockdown mode. ++ */ ++static void lift_kernel_lockdown(void) ++{ ++ pr_notice("Lifting lockdown\n"); ++ kernel_locked_down = false; ++} ++ ++/* ++ * Allow lockdown to be lifted by pressing something like SysRq+x (and not by ++ * echoing the appropriate letter into the sysrq-trigger file). ++ */ ++static void sysrq_handle_lockdown_lift(int key) ++{ ++ if (kernel_locked_down) ++ lift_kernel_lockdown(); ++} ++ ++static struct sysrq_key_op lockdown_lift_sysrq_op = { ++ .handler = sysrq_handle_lockdown_lift, ++ .help_msg = "unSB(x)", ++ .action_msg = "Disabling Secure Boot restrictions", ++ .enable_mask = SYSRQ_DISABLE_USERSPACE, ++}; ++ ++static int __init lockdown_lift_sysrq(void) ++{ ++ if (kernel_locked_down) { ++ lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY; ++ register_sysrq_key(LOCKDOWN_LIFT_KEY, &lockdown_lift_sysrq_op); ++ } ++ return 0; ++} ++ ++late_initcall(lockdown_lift_sysrq); ++ ++#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */ +-- +2.13.6 + +From 4c389db9daee3a3a444339a7d789de1d9366f736 Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Wed, 24 May 2017 14:56:01 +0100 +Subject: [PATCH 03/26] Enforce module signatures if the kernel is locked down + +If the kernel is locked down, require that all modules have valid +signatures that we can verify. + +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +Reviewed-by: James Morris <james.l.morris@oracle.com> +--- + kernel/module.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/module.c b/kernel/module.c +index de66ec825992..3d9a3270c179 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -2781,7 +2781,8 @@ static int module_sig_check(struct load_info *info, int flags) + } + + /* Not having a signature is only an error if we're strict. */ +- if (err == -ENOKEY && !sig_enforce) ++ if (err == -ENOKEY && !sig_enforce && ++ !kernel_is_locked_down("Loading of unsigned modules")) + err = 0; + + return err; +-- +2.13.6 + +From 59312c44aa46939a14b3fbfeb510f94b4a73c8a1 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett <matthew.garrett@nebula.com> +Date: Wed, 24 May 2017 14:56:02 +0100 +Subject: [PATCH 04/26] Restrict /dev/{mem,kmem,port} when the kernel is locked + down + +Allowing users to read and write to core kernel memory makes it possible +for the kernel to be subverted, avoiding module loading restrictions, and +also to steal cryptographic information. + +Disallow /dev/mem and /dev/kmem from being opened this when the kernel has +been locked down to prevent this. + +Also disallow /dev/port from being opened to prevent raw ioport access and +thus DMA from being used to accomplish the same thing. + +Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +--- + drivers/char/mem.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/char/mem.c b/drivers/char/mem.c +index 593a8818aca9..0ce5ac0a5c6b 100644 +--- a/drivers/char/mem.c ++++ b/drivers/char/mem.c +@@ -762,6 +762,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) + + static int open_port(struct inode *inode, struct file *filp) + { ++ if (kernel_is_locked_down("/dev/mem,kmem,port")) ++ return -EPERM; + return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; + } + +-- +2.13.6 + +From 6304f16efd61e66701f4b331e95da3cafb5f5f76 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett <matthew.garrett@nebula.com> +Date: Wed, 24 May 2017 14:56:02 +0100 +Subject: [PATCH 05/26] kexec: Disable at runtime if the kernel is locked down + +kexec permits the loading and execution of arbitrary code in ring 0, which +is something that lock-down is meant to prevent. It makes sense to disable +kexec in this situation. + +This does not affect kexec_file_load() which can check for a signature on the +image to be booted. + +Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Acked-by: Dave Young <dyoung@redhat.com> +Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +Reviewed-by: James Morris <james.l.morris@oracle.com> +cc: kexec@lists.infradead.org +--- + kernel/kexec.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/kernel/kexec.c b/kernel/kexec.c +index e62ec4dc6620..7dadfed9b676 100644 +--- a/kernel/kexec.c ++++ b/kernel/kexec.c +@@ -202,6 +202,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, + return -EPERM; + + /* ++ * kexec can be used to circumvent module loading restrictions, so ++ * prevent loading in that case ++ */ ++ if (kernel_is_locked_down("kexec of unsigned images")) ++ return -EPERM; ++ ++ /* + * Verify we have a legal set of flags + * This leaves us room for future extensions. + */ +-- +2.13.6 + +From cd00079900870855cea3573253a95c331ccab523 Mon Sep 17 00:00:00 2001 +From: Dave Young <dyoung@redhat.com> +Date: Wed, 24 May 2017 14:56:02 +0100 +Subject: [PATCH 06/26] Copy secure_boot flag in boot params across kexec + reboot + +Kexec reboot in case secure boot being enabled does not keep the secure +boot mode in new kernel, so later one can load unsigned kernel via legacy +kexec_load. In this state, the system is missing the protections provided +by secure boot. + +Adding a patch to fix this by retain the secure_boot flag in original +kernel. + +secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the +stub. Fixing this issue by copying secure_boot flag across kexec reboot. + +Signed-off-by: Dave Young <dyoung@redhat.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +cc: kexec@lists.infradead.org +--- + arch/x86/kernel/kexec-bzimage64.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c +index fb095ba0c02f..7d0fac5bcbbe 100644 +--- a/arch/x86/kernel/kexec-bzimage64.c ++++ b/arch/x86/kernel/kexec-bzimage64.c +@@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr, + if (efi_enabled(EFI_OLD_MEMMAP)) + return 0; + ++ params->secure_boot = boot_params.secure_boot; + ei->efi_loader_signature = current_ei->efi_loader_signature; + ei->efi_systab = current_ei->efi_systab; + ei->efi_systab_hi = current_ei->efi_systab_hi; +-- +2.13.6 + +From de2ac5da82fc55156134820ba32095710b935ad5 Mon Sep 17 00:00:00 2001 +From: Chun-Yi Lee <joeyli.kernel@gmail.com> +Date: Wed, 24 May 2017 14:56:03 +0100 +Subject: [PATCH 07/26] kexec_file: Disable at runtime if the kernel is locked + down + +When KEXEC_VERIFY_SIG is not enabled, kernel should not load images +through kexec_file systemcall if the kernel is locked down. + +This code was showed in Matthew's patch but not in git: +https://lkml.org/lkml/2015/3/13/778 + +Cc: Matthew Garrett <mjg59@srcf.ucam.org> +Signed-off-by: Chun-Yi Lee <jlee@suse.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: James Morris <james.l.morris@oracle.com> +cc: kexec@lists.infradead.org +--- + kernel/kexec_file.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c +index 9f48f4412297..ff6523f2dcc2 100644 +--- a/kernel/kexec_file.c ++++ b/kernel/kexec_file.c +@@ -255,6 +255,13 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd, + if (!capable(CAP_SYS_BOOT) || kexec_load_disabled) + return -EPERM; + ++ /* Don't permit images to be loaded into trusted kernels if we're not ++ * going to verify the signature on them ++ */ ++ if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && ++ kernel_is_locked_down("kexec of unsigned images")) ++ return -EPERM; ++ + /* Make sure we have a legal set of flags */ + if (flags != (flags & KEXEC_FILE_FLAGS)) + return -EINVAL; +-- +2.13.6 + +From ba823f2b5125605fcbac150fe27e622fd224ea61 Mon Sep 17 00:00:00 2001 +From: Josh Boyer <jwboyer@fedoraproject.org> +Date: Wed, 24 May 2017 14:56:03 +0100 +Subject: [PATCH 08/26] hibernate: Disable when the kernel is locked down + +There is currently no way to verify the resume image when returning +from hibernate. This might compromise the signed modules trust model, +so until we can work with signed hibernate images we disable it when the +kernel is locked down. + +Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +cc: linux-pm@vger.kernel.org +--- + kernel/power/hibernate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c +index a5c36e9c56a6..f2eafefeec50 100644 +--- a/kernel/power/hibernate.c ++++ b/kernel/power/hibernate.c +@@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops; + + bool hibernation_available(void) + { +- return (nohibernate == 0); ++ return nohibernate == 0 && !kernel_is_locked_down("Hibernation"); + } + + /** +-- +2.13.6 + +From 9e78666a6153d72c3e50160a30ead699ba508d8f Mon Sep 17 00:00:00 2001 +From: Matthew Garrett <mjg59@srcf.ucam.org> +Date: Wed, 24 May 2017 14:56:03 +0100 +Subject: [PATCH 09/26] uswsusp: Disable when the kernel is locked down + +uswsusp allows a user process to dump and then restore kernel state, which +makes it possible to modify the running kernel. Disable this if the kernel +is locked down. + +Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org> +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +Reviewed-by: James Morris <james.l.morris@oracle.com> +cc: linux-pm@vger.kernel.org +--- + kernel/power/user.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/power/user.c b/kernel/power/user.c +index 22df9f7ff672..678ade9decfe 100644 +--- a/kernel/power/user.c ++++ b/kernel/power/user.c +@@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp) + if (!hibernation_available()) + return -EPERM; + ++ if (kernel_is_locked_down("/dev/snapshot")) ++ return -EPERM; ++ + lock_system_sleep(); + + if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { +-- +2.13.6 + +From 334fa071b01ced7f48b2920208addfb1eab5d0fe Mon Sep 17 00:00:00 2001 +From: Matthew Garrett <matthew.garrett@nebula.com> +Date: Wed, 24 May 2017 14:56:03 +0100 +Subject: [PATCH 10/26] PCI: Lock down BAR access when the kernel is locked + down + +Any hardware that can potentially generate DMA has to be locked down in +order to avoid it being possible for an attacker to modify kernel code, +allowing them to circumvent disabled module loading or module signing. +Default to paranoid - in future we can potentially relax this for +sufficiently IOMMU-isolated devices. + +Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Acked-by: Bjorn Helgaas <bhelgaas@google.com> +Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +cc: linux-pci@vger.kernel.org +--- + drivers/pci/pci-sysfs.c | 9 +++++++++ + drivers/pci/proc.c | 9 ++++++++- + drivers/pci/syscall.c | 3 ++- + 3 files changed, 19 insertions(+), 2 deletions(-) + +diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c +index 1eecfa301f7f..e1a3b0e765c2 100644 +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -881,6 +881,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, + loff_t init_off = off; + u8 *data = (u8 *) buf; + ++ if (kernel_is_locked_down("Direct PCI access")) ++ return -EPERM; ++ + if (off > dev->cfg_size) + return 0; + if (off + count > dev->cfg_size) { +@@ -1175,6 +1178,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, + enum pci_mmap_state mmap_type; + struct resource *res = &pdev->resource[bar]; + ++ if (kernel_is_locked_down("Direct PCI access")) ++ return -EPERM; ++ + if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start)) + return -EINVAL; + +@@ -1255,6 +1261,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, + struct bin_attribute *attr, char *buf, + loff_t off, size_t count) + { ++ if (kernel_is_locked_down("Direct PCI access")) ++ return -EPERM; ++ + return pci_resource_io(filp, kobj, attr, buf, off, count, true); + } + +diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c +index 098360d7ff81..a6c53d855daa 100644 +--- a/drivers/pci/proc.c ++++ b/drivers/pci/proc.c +@@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, + int size = dev->cfg_size; + int cnt; + ++ if (kernel_is_locked_down("Direct PCI access")) ++ return -EPERM; ++ + if (pos >= size) + return 0; + if (nbytes >= size) +@@ -195,6 +198,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd, + #endif /* HAVE_PCI_MMAP */ + int ret = 0; + ++ if (kernel_is_locked_down("Direct PCI access")) ++ return -EPERM; ++ + switch (cmd) { + case PCIIOC_CONTROLLER: + ret = pci_domain_nr(dev->bus); +@@ -236,7 +242,8 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma) + struct pci_filp_private *fpriv = file->private_data; + int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM; + +- if (!capable(CAP_SYS_RAWIO)) ++ if (!capable(CAP_SYS_RAWIO) || ++ kernel_is_locked_down("Direct PCI access")) + return -EPERM; + + if (fpriv->mmap_state == pci_mmap_io) { +diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c +index 9bf993e1f71e..afa01cc3ceec 100644 +--- a/drivers/pci/syscall.c ++++ b/drivers/pci/syscall.c +@@ -92,7 +92,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, + u32 dword; + int err = 0; + +- if (!capable(CAP_SYS_ADMIN)) ++ if (!capable(CAP_SYS_ADMIN) || ++ kernel_is_locked_down("Direct PCI access")) + return -EPERM; + + dev = pci_get_bus_and_slot(bus, dfn); +-- +2.13.6 + +From 7e608c45ac2ab6c8e125aaf3993b8257352ac631 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett <matthew.garrett@nebula.com> +Date: Wed, 24 May 2017 14:56:04 +0100 +Subject: [PATCH 11/26] x86: Lock down IO port access when the kernel is locked + down + +IO port access would permit users to gain access to PCI configuration +registers, which in turn (on a lot of hardware) give access to MMIO +register space. This would potentially permit root to trigger arbitrary +DMA, so lock it down by default. + +This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and +KDDISABIO console ioctls. + +Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: Thomas Gleixner <tglx@linutronix.de> +Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +cc: x86@kernel.org +--- + arch/x86/kernel/ioport.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c +index 9c3cf0944bce..2c0f058651c5 100644 +--- a/arch/x86/kernel/ioport.c ++++ b/arch/x86/kernel/ioport.c +@@ -30,7 +30,8 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on) + + if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) + return -EINVAL; +- if (turn_on && !capable(CAP_SYS_RAWIO)) ++ if (turn_on && (!capable(CAP_SYS_RAWIO) || ++ kernel_is_locked_down("ioperm"))) + return -EPERM; + + /* +@@ -120,7 +121,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) + return -EINVAL; + /* Trying to gain more privileges? */ + if (level > old) { +- if (!capable(CAP_SYS_RAWIO)) ++ if (!capable(CAP_SYS_RAWIO) || ++ kernel_is_locked_down("iopl")) + return -EPERM; + } + regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | +-- +2.13.6 + +From 2644bf492568e3733bc841112c6e8628a6e01b8e Mon Sep 17 00:00:00 2001 +From: Matthew Garrett <matthew.garrett@nebula.com> +Date: Wed, 24 May 2017 14:56:04 +0100 +Subject: [PATCH 12/26] x86/msr: Restrict MSR access when the kernel is locked + down + +Writing to MSRs should not be allowed if the kernel is locked down, since +it could lead to execution of arbitrary code in kernel mode. Based on a +patch by Kees Cook. + +MSR accesses are logged for the purposes of building up a whitelist as per +Alan Cox's suggestion. + +Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Acked-by: Kees Cook <keescook@chromium.org> +Reviewed-by: Thomas Gleixner <tglx@linutronix.de> +Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +cc: x86@kernel.org +--- + arch/x86/kernel/msr.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c +index ef688804f80d..dfb61d358196 100644 +--- a/arch/x86/kernel/msr.c ++++ b/arch/x86/kernel/msr.c +@@ -84,6 +84,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf, + int err = 0; + ssize_t bytes = 0; + ++ if (kernel_is_locked_down("Direct MSR access")) { ++ pr_info("Direct access to MSR %x\n", reg); ++ return -EPERM; ++ } ++ + if (count % 8) + return -EINVAL; /* Invalid chunk size */ + +@@ -135,6 +140,11 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg) + err = -EFAULT; + break; + } ++ if (kernel_is_locked_down("Direct MSR access")) { ++ pr_info("Direct access to MSR %x\n", regs[1]); /* Display %ecx */ ++ err = -EPERM; ++ break; ++ } + err = wrmsr_safe_regs_on_cpu(cpu, regs); + if (err) + break; +-- +2.13.6 + +From e6850fffe186e252cc94e8747e589076e215ca1a Mon Sep 17 00:00:00 2001 +From: Matthew Garrett <matthew.garrett@nebula.com> +Date: Wed, 24 May 2017 14:56:04 +0100 +Subject: [PATCH 13/26] asus-wmi: Restrict debugfs interface when the kernel is + locked down + +We have no way of validating what all of the Asus WMI methods do on a given +machine - and there's a risk that some will allow hardware state to be +manipulated in such a way that arbitrary code can be executed in the +kernel, circumventing module loading restrictions. Prevent that if the +kernel is locked down. + +Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +cc: acpi4asus-user@lists.sourceforge.net +cc: platform-driver-x86@vger.kernel.org +--- + drivers/platform/x86/asus-wmi.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c +index 48e1541dc8d4..ef5587469337 100644 +--- a/drivers/platform/x86/asus-wmi.c ++++ b/drivers/platform/x86/asus-wmi.c +@@ -1905,6 +1905,9 @@ static int show_dsts(struct seq_file *m, void *data) + int err; + u32 retval = -1; + ++ if (kernel_is_locked_down("Asus WMI")) ++ return -EPERM; ++ + err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval); + + if (err < 0) +@@ -1921,6 +1924,9 @@ static int show_devs(struct seq_file *m, void *data) + int err; + u32 retval = -1; + ++ if (kernel_is_locked_down("Asus WMI")) ++ return -EPERM; ++ + err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param, + &retval); + +@@ -1945,6 +1951,9 @@ static int show_call(struct seq_file *m, void *data) + union acpi_object *obj; + acpi_status status; + ++ if (kernel_is_locked_down("Asus WMI")) ++ return -EPERM; ++ + status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID, + 0, asus->debug.method_id, + &input, &output); +-- +2.13.6 + +From 6dda2a4dbc8bb80efaa55aba6d54382e986305c5 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett <matthew.garrett@nebula.com> +Date: Wed, 24 May 2017 14:56:04 +0100 +Subject: [PATCH 14/26] ACPI: Limit access to custom_method when the kernel is + locked down + +custom_method effectively allows arbitrary access to system memory, making +it possible for an attacker to circumvent restrictions on module loading. +Disable it if the kernel is locked down. + +Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +cc: linux-acpi@vger.kernel.org +--- + drivers/acpi/custom_method.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c +index c68e72414a67..b33fba70ec51 100644 +--- a/drivers/acpi/custom_method.c ++++ b/drivers/acpi/custom_method.c +@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, + struct acpi_table_header table; + acpi_status status; + ++ if (kernel_is_locked_down("ACPI custom methods")) ++ return -EPERM; ++ + if (!(*ppos)) { + /* parse the table header to get the table length */ + if (count <= sizeof(struct acpi_table_header)) +-- +2.13.6 + +From 64caa33410f85663cf0a65e4c09b8b8d28a219ad Mon Sep 17 00:00:00 2001 +From: Josh Boyer <jwboyer@redhat.com> +Date: Wed, 24 May 2017 14:56:05 +0100 +Subject: [PATCH 15/26] acpi: Ignore acpi_rsdp kernel param when the kernel has + been locked down + +This option allows userspace to pass the RSDP address to the kernel, which +makes it possible for a user to modify the workings of hardware . Reject +the option when the kernel is locked down. + +Signed-off-by: Josh Boyer <jwboyer@redhat.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +cc: Dave Young <dyoung@redhat.com> +cc: linux-acpi@vger.kernel.org +--- + drivers/acpi/osl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c +index db78d353bab1..36c6527c1b0a 100644 +--- a/drivers/acpi/osl.c ++++ b/drivers/acpi/osl.c +@@ -192,7 +192,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void) + acpi_physical_address pa = 0; + + #ifdef CONFIG_KEXEC +- if (acpi_rsdp) ++ if (acpi_rsdp && !kernel_is_locked_down("ACPI RSDP specification")) + return acpi_rsdp; + #endif + +-- +2.13.6 + +From d87ce06969f2d4da0c864e8a4cf6c820d950cd1f Mon Sep 17 00:00:00 2001 +From: Linn Crosetto <linn@hpe.com> +Date: Wed, 24 May 2017 14:56:05 +0100 +Subject: [PATCH 16/26] acpi: Disable ACPI table override if the kernel is + locked down + +From the kernel documentation (initrd_table_override.txt): + + If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible + to override nearly any ACPI table provided by the BIOS with an + instrumented, modified one. + +When securelevel is set, the kernel should disallow any unauthenticated +changes to kernel space. ACPI tables contain code invoked by the kernel, +so do not allow ACPI tables to be overridden if the kernel is locked down. + +Signed-off-by: Linn Crosetto <linn@hpe.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +cc: linux-acpi@vger.kernel.org +--- + drivers/acpi/tables.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c +index 80ce2a7d224b..5cc13c42daf9 100644 +--- a/drivers/acpi/tables.c ++++ b/drivers/acpi/tables.c +@@ -526,6 +526,11 @@ void __init acpi_table_upgrade(void) + if (table_nr == 0) + return; + ++ if (kernel_is_locked_down("ACPI table override")) { ++ pr_notice("kernel is locked down, ignoring table override\n"); ++ return; ++ } ++ + acpi_tables_addr = + memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, + all_tables_size, PAGE_SIZE); +-- +2.13.6 + +From 547e2ca9cbfd420a15dd70e1c1c24b7040f88058 Mon Sep 17 00:00:00 2001 +From: Linn Crosetto <linn@hpe.com> +Date: Wed, 24 May 2017 14:56:05 +0100 +Subject: [PATCH 17/26] acpi: Disable APEI error injection if the kernel is + locked down + +ACPI provides an error injection mechanism, EINJ, for debugging and testing +the ACPI Platform Error Interface (APEI) and other RAS features. If +supported by the firmware, ACPI specification 5.0 and later provide for a +way to specify a physical memory address to which to inject the error. + +Injecting errors through EINJ can produce errors which to the platform are +indistinguishable from real hardware errors. This can have undesirable +side-effects, such as causing the platform to mark hardware as needing +replacement. + +While it does not provide a method to load unauthenticated privileged code, +the effect of these errors may persist across reboots and affect trust in +the underlying hardware, so disable error injection through EINJ if +the kernel is locked down. + +Signed-off-by: Linn Crosetto <linn@hpe.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +cc: linux-acpi@vger.kernel.org +--- + drivers/acpi/apei/einj.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c +index b38737c83a24..6d71e1e97b20 100644 +--- a/drivers/acpi/apei/einj.c ++++ b/drivers/acpi/apei/einj.c +@@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2, + int rc; + u64 base_addr, size; + ++ if (kernel_is_locked_down("ACPI error injection")) ++ return -EPERM; ++ + /* If user manually set "flags", make sure it is legal */ + if (flags && (flags & + ~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF))) +-- +2.13.6 + +From abbf8de44feab5f50b316d6491926d8d9029cb49 Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Wed, 24 May 2017 14:56:06 +0100 +Subject: [PATCH 18/26] scsi: Lock down the eata driver + +When the kernel is running in secure boot mode, we lock down the kernel to +prevent userspace from modifying the running kernel image. Whilst this +includes prohibiting access to things like /dev/mem, it must also prevent +access by means of configuring driver modules in such a way as to cause a +device to access or modify the kernel image. + +The eata driver takes a single string parameter that contains a slew of +settings, including hardware resource configuration. Prohibit use of the +parameter if the kernel is locked down. + +Suggested-by: Alan Cox <gnomes@lxorguk.ukuu.org.uk> +Signed-off-by: David Howells <dhowells@redhat.com> +cc: Dario Ballabio <ballabio_dario@emc.com> +cc: "James E.J. Bottomley" <jejb@linux.vnet.ibm.com> +cc: "Martin K. Petersen" <martin.petersen@oracle.com> +cc: linux-scsi@vger.kernel.org +--- + drivers/scsi/eata.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/eata.c b/drivers/scsi/eata.c +index 6501c330d8c8..72fceaa8f3da 100644 +--- a/drivers/scsi/eata.c ++++ b/drivers/scsi/eata.c +@@ -1552,8 +1552,11 @@ static int eata2x_detect(struct scsi_host_template *tpnt) + + tpnt->proc_name = "eata2x"; + +- if (strlen(boot_options)) ++ if (strlen(boot_options)) { ++ if (kernel_is_locked_down("Command line-specified device addresses, irqs and dma channels")) ++ return -EPERM; + option_setup(boot_options); ++ } + + #if defined(MODULE) + /* io_port could have been modified when loading as a module */ +-- +2.13.6 + +From 116b02dff661d497c10099862b8b86e6cd2262ae Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Wed, 24 May 2017 14:56:06 +0100 +Subject: [PATCH 19/26] Prohibit PCMCIA CIS storage when the kernel is locked + down + +Prohibit replacement of the PCMCIA Card Information Structure when the +kernel is locked down. + +Suggested-by: Dominik Brodowski <linux@dominikbrodowski.net> +Signed-off-by: David Howells <dhowells@redhat.com> +cc: linux-pcmcia@lists.infradead.org +--- + drivers/pcmcia/cistpl.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c +index 55ef7d1fd8da..b7a0e42eeb25 100644 +--- a/drivers/pcmcia/cistpl.c ++++ b/drivers/pcmcia/cistpl.c +@@ -1578,6 +1578,9 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj, + struct pcmcia_socket *s; + int error; + ++ if (kernel_is_locked_down("Direct PCMCIA CIS storage")) ++ return -EPERM; ++ + s = to_socket(container_of(kobj, struct device, kobj)); + + if (off) +-- +2.13.6 + +From f3dc03aa368cfde123bc1b60bda287091c9d43b4 Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Wed, 24 May 2017 14:56:06 +0100 +Subject: [PATCH 20/26] Lock down TIOCSSERIAL + +Lock down TIOCSSERIAL as that can be used to change the ioport and irq +settings on a serial port. This only appears to be an issue for the serial +drivers that use the core serial code. All other drivers seem to either +ignore attempts to change port/irq or give an error. + +Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: David Howells <dhowells@redhat.com> +cc: Jiri Slaby <jslaby@suse.com> +--- + drivers/tty/serial/serial_core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c +index 3a14cccbd7ff..41f0922ad842 100644 +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -842,6 +842,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port, + new_flags = (__force upf_t)new_info->flags; + old_custom_divisor = uport->custom_divisor; + ++ if ((change_port || change_irq) && ++ kernel_is_locked_down("Using TIOCSSERIAL to change device addresses, irqs and dma channels")) { ++ retval = -EPERM; ++ goto exit; ++ } ++ + if (!capable(CAP_SYS_ADMIN)) { + retval = -EPERM; + if (change_irq || change_port || +-- +2.13.6 + +From 9d266defc89a73c6dcca3b67ad70b95ac99b8e53 Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Wed, 24 May 2017 14:56:06 +0100 +Subject: [PATCH 21/26] Lock down module params that specify hardware + parameters (eg. ioport) + +Provided an annotation for module parameters that specify hardware +parameters (such as io ports, iomem addresses, irqs, dma channels, fixed +dma buffers and other types). + +Suggested-by: Alan Cox <gnomes@lxorguk.ukuu.org.uk> +Signed-off-by: David Howells <dhowells@redhat.com> +--- + kernel/params.c | 26 +++++++++++++++++++++----- + 1 file changed, 21 insertions(+), 5 deletions(-) + +diff --git a/kernel/params.c b/kernel/params.c +index 60b2d8101355..422979adb60a 100644 +--- a/kernel/params.c ++++ b/kernel/params.c +@@ -108,13 +108,19 @@ bool parameq(const char *a, const char *b) + return parameqn(a, b, strlen(a)+1); + } + +-static void param_check_unsafe(const struct kernel_param *kp) ++static bool param_check_unsafe(const struct kernel_param *kp, ++ const char *doing) + { + if (kp->flags & KERNEL_PARAM_FL_UNSAFE) { + pr_warn("Setting dangerous option %s - tainting kernel\n", + kp->name); + add_taint(TAINT_USER, LOCKDEP_STILL_OK); + } ++ ++ if (kp->flags & KERNEL_PARAM_FL_HWPARAM && ++ kernel_is_locked_down("Command line-specified device addresses, irqs and dma channels")) ++ return false; ++ return true; + } + + static int parse_one(char *param, +@@ -144,8 +150,10 @@ static int parse_one(char *param, + pr_debug("handling %s with %p\n", param, + params[i].ops->set); + kernel_param_lock(params[i].mod); +- param_check_unsafe(¶ms[i]); +- err = params[i].ops->set(val, ¶ms[i]); ++ if (param_check_unsafe(¶ms[i], doing)) ++ err = params[i].ops->set(val, ¶ms[i]); ++ else ++ err = -EPERM; + kernel_param_unlock(params[i].mod); + return err; + } +@@ -556,6 +564,12 @@ static ssize_t param_attr_show(struct module_attribute *mattr, + return count; + } + ++#ifdef CONFIG_MODULES ++#define mod_name(mod) (mod)->name ++#else ++#define mod_name(mod) "unknown" ++#endif ++ + /* sysfs always hands a nul-terminated string in buf. We rely on that. */ + static ssize_t param_attr_store(struct module_attribute *mattr, + struct module_kobject *mk, +@@ -568,8 +582,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr, + return -EPERM; + + kernel_param_lock(mk->mod); +- param_check_unsafe(attribute->param); +- err = attribute->param->ops->set(buf, attribute->param); ++ if (param_check_unsafe(attribute->param, mod_name(mk->mod))) ++ err = attribute->param->ops->set(buf, attribute->param); ++ else ++ err = -EPERM; + kernel_param_unlock(mk->mod); + if (!err) + return len; +-- +2.13.6 + +From 17a8caed6507846edd0a7016cdcd97fe46cca263 Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Wed, 24 May 2017 14:56:07 +0100 +Subject: [PATCH 22/26] x86/mmiotrace: Lock down the testmmiotrace module + +The testmmiotrace module shouldn't be permitted when the kernel is locked +down as it can be used to arbitrarily read and write MMIO space. + +Suggested-by: Thomas Gleixner <tglx@linutronix.de> +Signed-off-by: David Howells <dhowells@redhat.com +cc: Thomas Gleixner <tglx@linutronix.de> +cc: Steven Rostedt <rostedt@goodmis.org> +cc: Ingo Molnar <mingo@kernel.org> +cc: "H. Peter Anvin" <hpa@zytor.com> +cc: x86@kernel.org +--- + arch/x86/mm/testmmiotrace.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c +index f6ae6830b341..bbaad357f5d7 100644 +--- a/arch/x86/mm/testmmiotrace.c ++++ b/arch/x86/mm/testmmiotrace.c +@@ -115,6 +115,9 @@ static int __init init(void) + { + unsigned long size = (read_far) ? (8 << 20) : (16 << 10); + ++ if (kernel_is_locked_down("MMIO trace testing")) ++ return -EPERM; ++ + if (mmio_address == 0) { + pr_err("you have to use the module argument mmio_address.\n"); + pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n"); +-- +2.13.6 + +From 79ae67bf5f7eda526abaa80b01b19e08c1ed3558 Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Wed, 18 Oct 2017 17:28:02 +0100 +Subject: [PATCH 23/26] debugfs: Disallow use of debugfs files when the kernel + is locked down + +Disallow opening of debugfs files when the kernel is locked down as various +drivers give raw access to hardware through debugfs. + +Accesses to tracefs should use /sys/kernel/tracing/ rather than +/sys/kernel/debug/tracing/. Possibly a symlink should be emplaced. + +Normal device interaction should be done through configfs or a miscdev, not +debugfs. + +Note that this makes it unnecessary to specifically lock down show_dsts(), +show_devs() and show_call() in the asus-wmi driver. + +Signed-off-by: David Howells <dhowells@redhat.com> +cc: Andy Shevchenko <andy.shevchenko@gmail.com> +cc: acpi4asus-user@lists.sourceforge.net +cc: platform-driver-x86@vger.kernel.org +cc: Matthew Garrett <matthew.garrett@nebula.com> +cc: Thomas Gleixner <tglx@linutronix.de> +--- + fs/debugfs/file.c | 6 ++++++ + + 1 file changed, 6 insertions(+) +diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c +index cd12e6576b48..097be2a59c51 100644 +--- a/fs/debugfs/file.c ++++ b/fs/debugfs/file.c +@@ -142,6 +142,10 @@ static int open_proxy_open(struct inode *inode, struct file *filp) + const struct file_operations *real_fops = NULL; + int r; + ++ if (kernel_is_locked_down("debugfs")) ++ return -EPERM; ++ ++ + r = debugfs_file_get(dentry); + if (r) + return r == -EIO ? -ENOENT : r; +@@ -267,6 +271,9 @@ static int full_proxy_open(struct inode *inode, struct file *filp) + struct file_operations *proxy_fops = NULL; + int r; + ++ if (kernel_is_locked_down("debugfs")) ++ return -EPERM; ++ + r = debugfs_file_get(dentry); + if (r) + return r == -EIO ? -ENOENT : r; +-- +2.13.6 + +From 87ed5c02f0946c855730420cbf1daa6a2dfc54d7 Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Thu, 19 Oct 2017 13:58:19 +0100 +Subject: [PATCH 24/26] Lock down /proc/kcore + +Disallow access to /proc/kcore when the kernel is locked down to prevent +access to cryptographic data. + +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: James Morris <james.l.morris@oracle.com> +--- + fs/proc/kcore.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c +index 45629f4b5402..176cf749e650 100644 +--- a/fs/proc/kcore.c ++++ b/fs/proc/kcore.c +@@ -549,6 +549,8 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos) + + static int open_kcore(struct inode *inode, struct file *filp) + { ++ if (kernel_is_locked_down("/proc/kcore")) ++ return -EPERM; + if (!capable(CAP_SYS_RAWIO)) + return -EPERM; + +-- +2.13.6 + +From 2bce9ca3a24e0b35dcf665e6ba082f0a796c6aad Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Thu, 19 Oct 2017 14:18:53 +0100 +Subject: [PATCH 25/26] efi: Add an EFI_SECURE_BOOT flag to indicate secure + boot mode + +UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT +flag that can be passed to efi_enabled() to find out whether secure boot is +enabled. + +Move the switch-statement in x86's setup_arch() that inteprets the +secure_boot boot parameter to generic code and set the bit there. + +Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> +cc: linux-efi@vger.kernel.org +--- + arch/x86/kernel/setup.c | 14 +------------- + drivers/firmware/efi/Makefile | 1 + + drivers/firmware/efi/secureboot.c | 38 ++++++++++++++++++++++++++++++++++++++ + include/linux/efi.h | 16 ++++++++++------ + 4 files changed, 50 insertions(+), 19 deletions(-) + create mode 100644 drivers/firmware/efi/secureboot.c + +diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c +index 0957dd73d127..7c2162f9e769 100644 +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -1197,19 +1197,7 @@ void __init setup_arch(char **cmdline_p) + /* Allocate bigger log buffer */ + setup_log_buf(1); + +- if (efi_enabled(EFI_BOOT)) { +- switch (boot_params.secure_boot) { +- case efi_secureboot_mode_disabled: +- pr_info("Secure boot disabled\n"); +- break; +- case efi_secureboot_mode_enabled: +- pr_info("Secure boot enabled\n"); +- break; +- default: +- pr_info("Secure boot could not be determined\n"); +- break; +- } +- } ++ efi_set_secure_boot(boot_params.secure_boot); + + reserve_initrd(); + +diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile +index 0329d319d89a..883f9f7eefc6 100644 +--- a/drivers/firmware/efi/Makefile ++++ b/drivers/firmware/efi/Makefile +@@ -23,6 +23,7 @@ obj-$(CONFIG_EFI_FAKE_MEMMAP) += fake_mem.o + obj-$(CONFIG_EFI_BOOTLOADER_CONTROL) += efibc.o + obj-$(CONFIG_EFI_TEST) += test/ + obj-$(CONFIG_EFI_DEV_PATH_PARSER) += dev-path-parser.o ++obj-$(CONFIG_EFI) += secureboot.o + obj-$(CONFIG_APPLE_PROPERTIES) += apple-properties.o + + arm-obj-$(CONFIG_EFI) := arm-init.o arm-runtime.o +diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c +new file mode 100644 +index 000000000000..9070055de0a1 +--- /dev/null ++++ b/drivers/firmware/efi/secureboot.c +@@ -0,0 +1,38 @@ ++/* Core kernel secure boot support. ++ * ++ * Copyright (C) 2017 Red Hat, Inc. All Rights Reserved. ++ * Written by David Howells (dhowells@redhat.com) ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public Licence ++ * as published by the Free Software Foundation; either version ++ * 2 of the Licence, or (at your option) any later version. ++ */ ++ ++#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt ++ ++#include <linux/efi.h> ++#include <linux/kernel.h> ++#include <linux/printk.h> ++ ++/* ++ * Decide what to do when UEFI secure boot mode is enabled. ++ */ ++void __init efi_set_secure_boot(enum efi_secureboot_mode mode) ++{ ++ if (efi_enabled(EFI_BOOT)) { ++ switch (mode) { ++ case efi_secureboot_mode_disabled: ++ pr_info("Secure boot disabled\n"); ++ break; ++ case efi_secureboot_mode_enabled: ++ set_bit(EFI_SECURE_BOOT, &efi.flags); ++ pr_info("Secure boot enabled\n"); ++ break; ++ default: ++ pr_warning("Secure boot could not be determined (mode %u)\n", ++ mode); ++ break; ++ } ++ } ++} +diff --git a/include/linux/efi.h b/include/linux/efi.h +index 66f4a4e79f4b..7c7a7e33e4d1 100644 +--- a/include/linux/efi.h ++++ b/include/linux/efi.h +@@ -1103,6 +1103,14 @@ extern int __init efi_setup_pcdp_console(char *); + #define EFI_DBG 8 /* Print additional debug info at runtime */ + #define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */ + #define EFI_MEM_ATTR 10 /* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */ ++#define EFI_SECURE_BOOT 11 /* Are we in Secure Boot mode? */ ++ ++enum efi_secureboot_mode { ++ efi_secureboot_mode_unset, ++ efi_secureboot_mode_unknown, ++ efi_secureboot_mode_disabled, ++ efi_secureboot_mode_enabled, ++}; + + #ifdef CONFIG_EFI + /* +@@ -1115,6 +1123,7 @@ static inline bool efi_enabled(int feature) + extern void efi_reboot(enum reboot_mode reboot_mode, const char *__unused); + + extern bool efi_is_table_address(unsigned long phys_addr); ++extern void __init efi_set_secure_boot(enum efi_secureboot_mode mode); + #else + static inline bool efi_enabled(int feature) + { +@@ -1133,6 +1142,7 @@ static inline bool efi_is_table_address(unsigned long phys_addr) + { + return false; + } ++static inline void efi_set_secure_boot(enum efi_secureboot_mode mode) {} + #endif + + extern int efi_status_to_err(efi_status_t status); +@@ -1518,12 +1528,6 @@ efi_status_t efi_setup_gop(efi_system_table_t *sys_table_arg, + bool efi_runtime_disabled(void); + extern void efi_call_virt_check_flags(unsigned long flags, const char *call); + +-enum efi_secureboot_mode { +- efi_secureboot_mode_unset, +- efi_secureboot_mode_unknown, +- efi_secureboot_mode_disabled, +- efi_secureboot_mode_enabled, +-}; + enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table); + + #ifdef CONFIG_RESET_ATTACK_MITIGATION +-- +2.13.6 + +From 163d6a313399a4d50c5c7e42e3dd642ca8d495d7 Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Thu, 19 Oct 2017 14:05:02 +0100 +Subject: [PATCH 26/26] efi: Lock down the kernel if booted in secure boot mode + +UEFI Secure Boot provides a mechanism for ensuring that the firmware will +only load signed bootloaders and kernels. Certain use cases may also +require that all kernel modules also be signed. Add a configuration option +that to lock down the kernel - which includes requiring validly signed +modules - if the kernel is secure-booted. + +Signed-off-by: David Howells <dhowells@redhat.com> +Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> +cc: linux-efi@vger.kernel.org +--- + arch/x86/kernel/setup.c | 6 ++++-- + security/Kconfig | 14 ++++++++++++++ + security/lock_down.c | 1 + + 3 files changed, 19 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c +index 7c2162f9e769..4e38327efb2e 100644 +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -64,6 +64,7 @@ + #include <linux/dma-mapping.h> + #include <linux/ctype.h> + #include <linux/uaccess.h> ++#include <linux/security.h> + + #include <linux/percpu.h> + #include <linux/crash_dump.h> +@@ -1039,6 +1040,9 @@ void __init setup_arch(char **cmdline_p) + if (efi_enabled(EFI_BOOT)) + efi_init(); + ++ efi_set_secure_boot(boot_params.secure_boot); ++ init_lockdown(); ++ + dmi_scan_machine(); + dmi_memdev_walk(); + dmi_set_dump_stack_arch_desc(); +@@ -1197,8 +1201,6 @@ void __init setup_arch(char **cmdline_p) + /* Allocate bigger log buffer */ + setup_log_buf(1); + +- efi_set_secure_boot(boot_params.secure_boot); +- + reserve_initrd(); + + acpi_table_upgrade(); +diff --git a/security/Kconfig b/security/Kconfig +index 453cc89c198a..974731ac4f85 100644 +--- a/security/Kconfig ++++ b/security/Kconfig +@@ -220,6 +220,20 @@ config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ + Allow the lockdown on a kernel to be lifted, by pressing a SysRq key + combination on a wired keyboard. + ++config LOCK_DOWN_IN_EFI_SECURE_BOOT ++ bool "Lock down the kernel in EFI Secure Boot mode" ++ default n ++ select LOCK_DOWN_KERNEL ++ depends on EFI ++ help ++ UEFI Secure Boot provides a mechanism for ensuring that the firmware ++ will only load signed bootloaders and kernels. Secure boot mode may ++ be determined from EFI variables provided by the system firmware if ++ not indicated by the boot parameters. ++ ++ Enabling this option turns on results in kernel lockdown being ++ triggered if EFI Secure Boot is set. ++ + + source security/selinux/Kconfig + source security/smack/Kconfig +diff --git a/security/lock_down.c b/security/lock_down.c +index 2c6b00f0c229..527f7e51dc8d 100644 +--- a/security/lock_down.c ++++ b/security/lock_down.c +@@ -12,6 +12,7 @@ + #include <linux/security.h> + #include <linux/export.h> + #include <linux/sysrq.h> ++#include <linux/efi.h> + #include <asm/setup.h> + + #ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ +-- +2.13.6 + |
