mirror of
https://github.com/flatcar/scripts.git
synced 2025-08-22 15:01:00 +02:00
sys-kernel/coreos-*: bump to v4.11
Config changes: - The refreshed Secure Boot patches now use LOCK_DOWN_KERNEL and EFI_SECURE_BOOT_LOCK_DOWN instead of EFI_SECURE_BOOT_SIG_ENFORCE. - KPROBE_EVENT and UPROBE_EVENT were pluralized in 6b0b7551428e4caae1e2c023a529465a9a9ae2d4. - DEBUG_SET_MODULE_RONX was renamed in 0f5bf6d0afe4be6e1391908ff2d6dc9730e91550, but as of ad21fc4faa2a1f919bac1073b885df9310dbc581 it's mandatory on both supported arches. Dropped. - VMXNET3 conflicts with ARM64_64K_PAGES as of fbdf0e28d061708cf18ba0f8e0db5360dc9a15b9, and likely doesn't make sense on ARM. Moved to amd64. - TIMER_STATS was dropped in dfb4357da6ddbdf57d583ba64361c9d792b0e0b1. - CPU_FREQ_STAT_DETAILS was dropped in 801e0f378fe7d53f87246037bf40567277275418.
This commit is contained in:
Benjamin Gilbert
parent
61896d1e5a
commit
3c12f4762b
@ -21,7 +21,8 @@ CONFIG_MEMORY_FAILURE=y
|
||||
CONFIG_X86_CHECK_BIOS_CORRUPTION=y
|
||||
# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set
|
||||
CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=1
|
||||
CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y
|
||||
CONFIG_LOCK_DOWN_KERNEL=y
|
||||
CONFIG_EFI_SECURE_BOOT_LOCK_DOWN=y
|
||||
CONFIG_KEXEC=y
|
||||
CONFIG_KEXEC_FILE=y
|
||||
CONFIG_KEXEC_VERIFY_SIG=y
|
||||
@ -149,7 +150,7 @@ CONFIG_SCHED_TRACER=y
|
||||
CONFIG_FTRACE_SYSCALLS=y
|
||||
CONFIG_STACK_TRACER=y
|
||||
CONFIG_BLK_DEV_IO_TRACE=y
|
||||
CONFIG_UPROBE_EVENT=y
|
||||
CONFIG_UPROBE_EVENTS=y
|
||||
CONFIG_FUNCTION_PROFILER=y
|
||||
CONFIG_DEBUG_BOOT_PARAMS=y
|
||||
CONFIG_OPTIMIZE_INLINING=y
|
||||
@ -164,3 +165,4 @@ CONFIG_OPTPROBES=y
|
||||
CONFIG_KPROBES_ON_FTRACE=y
|
||||
CONFIG_FCOE_FNIC=m
|
||||
CONFIG_ISCSI_IBFT_FIND=y
|
||||
CONFIG_VMXNET3=m
|
||||
@ -74,7 +74,6 @@ CONFIG_EFIVAR_FS=y
|
||||
CONFIG_BINFMT_MISC=m
|
||||
CONFIG_CPU_FREQ=y
|
||||
CONFIG_CPU_FREQ_STAT=y
|
||||
CONFIG_CPU_FREQ_STAT_DETAILS=y
|
||||
CONFIG_CPU_FREQ_GOV_POWERSAVE=m
|
||||
CONFIG_CPU_FREQ_GOV_USERSPACE=m
|
||||
CONFIG_CPU_FREQ_GOV_ONDEMAND=m
|
||||
@ -612,7 +611,6 @@ CONFIG_USB_NET_AX8817X=m
|
||||
# CONFIG_WLAN is not set
|
||||
CONFIG_XEN_NETDEV_FRONTEND=m
|
||||
CONFIG_XEN_NETDEV_BACKEND=m
|
||||
CONFIG_VMXNET3=m
|
||||
CONFIG_INPUT_MOUSEDEV=m
|
||||
# CONFIG_INPUT_MOUSEDEV_PSAUX is not set
|
||||
CONFIG_MOUSE_PS2=m
|
||||
@ -811,15 +809,13 @@ CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y
|
||||
CONFIG_PANIC_ON_OOPS=y
|
||||
CONFIG_PANIC_TIMEOUT=60
|
||||
CONFIG_SCHED_STACK_END_CHECK=y
|
||||
CONFIG_TIMER_STATS=y
|
||||
CONFIG_DEBUG_CREDENTIALS=y
|
||||
CONFIG_RCU_CPU_STALL_TIMEOUT=60
|
||||
CONFIG_LATENCYTOP=y
|
||||
CONFIG_KPROBE_EVENT=y
|
||||
CONFIG_KPROBE_EVENTS=y
|
||||
CONFIG_BPF_EVENTS=y
|
||||
CONFIG_MEMTEST=y
|
||||
CONFIG_STRICT_DEVMEM=y
|
||||
CONFIG_DEBUG_SET_MODULE_RONX=y
|
||||
CONFIG_TRUSTED_KEYS=m
|
||||
CONFIG_ENCRYPTED_KEYS=m
|
||||
CONFIG_SECURITY=y
|
||||
@ -1,2 +1 @@
|
||||
DIST linux-4.10.tar.xz 94231404 SHA256 3c95d9f049bd085e5c346d2c77f063b8425f191460fcd3ae9fe7e94e0477dc4b SHA512 c3690125a8402df638095bd98a613fcf1a257b81de7611c84711d315cd11e2634ab4636302b3742aedf1e3ba9ce0fea53fe8c7d48e37865d8ee5db3565220d90 WHIRLPOOL 86d021bae2dbfc4ef80c22d9e886bed4fbd9476473a2851d7beaf8ed0c7f7fbc1fa0da230eb9e763eb231b7c164c17b2a73fd336ab233543f57be280d6173738
|
||||
DIST patch-4.10.12.xz 264376 SHA256 ed919b49178bbda14b341058a92362322cbb09e9028229e860e6927553c8d037 SHA512 39dacec6f9ed28a3bf3339d98c9f0cc86b977252c8d2cabf5d39572cc1dff078bf8f52afdd7e6bc3213d00f7b42474d9c6a4ba641497d091b122e748a48ff0f9 WHIRLPOOL e1f9b96761e60da761d78bb8a2ddd91d9659b2c254766ba61c4ea5c72b9088aa8953e4e0fe567fae3e225693218f7995e81c4b6f92b2ce879668849b0df80496
|
||||
DIST linux-4.11.tar.xz 95447768 SHA256 b67ecafd0a42b3383bf4d82f0850cbff92a7e72a215a6d02f42ddbafcf42a7d6 SHA512 6610eed97ffb7207c71771198c36179b8244ace7222bebb109507720e26c5f17d918079a56d5febdd8605844d67fb2df0ebe910fa2f2f53690daf6e2a8ad09c3 WHIRLPOOL f577b7c5c209cb8dfef2f1d56d77314fbd53323743a34b900e2559ab0049b7c2d6262bda136dd3d005bc0527788106e0484e46558448a8720dac389a969e5886
|
||||
|
||||
@ -1,39 +0,0 @@
|
||||
# Copyright 2014 CoreOS, Inc.
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI="5"
|
||||
ETYPE="sources"
|
||||
inherit kernel-2
|
||||
detect_version
|
||||
|
||||
DESCRIPTION="Full sources for the CoreOS Linux kernel"
|
||||
HOMEPAGE="http://www.kernel.org"
|
||||
SRC_URI="${KERNEL_URI}"
|
||||
|
||||
KEYWORDS="amd64 arm64"
|
||||
IUSE=""
|
||||
|
||||
PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
|
||||
|
||||
# XXX: Note we must prefix the patch filenames with "z" to ensure they are
|
||||
# applied _after_ a potential patch-${KV}.patch file, present when building a
|
||||
# patchlevel revision. We mustn't apply our patches first, it fails when the
|
||||
# local patches overlap with the upstream patch.
|
||||
UNIPATCH_LIST="
|
||||
${PATCH_DIR}/z0001-Add-secure_modules-call.patch \
|
||||
${PATCH_DIR}/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
|
||||
${PATCH_DIR}/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch \
|
||||
${PATCH_DIR}/z0004-ACPI-Limit-access-to-custom_method.patch \
|
||||
${PATCH_DIR}/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
|
||||
${PATCH_DIR}/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
|
||||
${PATCH_DIR}/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
|
||||
${PATCH_DIR}/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
|
||||
${PATCH_DIR}/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
|
||||
${PATCH_DIR}/z0010-Add-option-to-automatically-enforce-module-signature.patch \
|
||||
${PATCH_DIR}/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
|
||||
${PATCH_DIR}/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch \
|
||||
${PATCH_DIR}/z0013-hibernate-Disable-in-a-signed-modules-environment.patch \
|
||||
${PATCH_DIR}/z0014-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
|
||||
${PATCH_DIR}/z0015-Add-arm64-coreos-verity-hash.patch \
|
||||
${PATCH_DIR}/z0016-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-w.patch \
|
||||
"
|
||||
@ -0,0 +1,47 @@
|
||||
# Copyright 2014 CoreOS, Inc.
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI="5"
|
||||
ETYPE="sources"
|
||||
inherit kernel-2
|
||||
detect_version
|
||||
|
||||
DESCRIPTION="Full sources for the CoreOS Linux kernel"
|
||||
HOMEPAGE="http://www.kernel.org"
|
||||
SRC_URI="${KERNEL_URI}"
|
||||
|
||||
KEYWORDS="amd64 arm64"
|
||||
IUSE=""
|
||||
|
||||
PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
|
||||
|
||||
# XXX: Note we must prefix the patch filenames with "z" to ensure they are
|
||||
# applied _after_ a potential patch-${KV}.patch file, present when building a
|
||||
# patchlevel revision. We mustn't apply our patches first, it fails when the
|
||||
# local patches overlap with the upstream patch.
|
||||
UNIPATCH_LIST="
|
||||
${PATCH_DIR}/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch \
|
||||
${PATCH_DIR}/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch \
|
||||
${PATCH_DIR}/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch \
|
||||
${PATCH_DIR}/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch \
|
||||
${PATCH_DIR}/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch \
|
||||
${PATCH_DIR}/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch \
|
||||
${PATCH_DIR}/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch \
|
||||
${PATCH_DIR}/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch \
|
||||
${PATCH_DIR}/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch \
|
||||
${PATCH_DIR}/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch \
|
||||
${PATCH_DIR}/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch \
|
||||
${PATCH_DIR}/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch \
|
||||
${PATCH_DIR}/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch \
|
||||
${PATCH_DIR}/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch \
|
||||
${PATCH_DIR}/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch \
|
||||
${PATCH_DIR}/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch \
|
||||
${PATCH_DIR}/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch \
|
||||
${PATCH_DIR}/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch \
|
||||
${PATCH_DIR}/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch \
|
||||
${PATCH_DIR}/z0020-scsi-Lock-down-the-eata-driver.patch \
|
||||
${PATCH_DIR}/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch \
|
||||
${PATCH_DIR}/z0022-Lock-down-TIOCSSERIAL.patch \
|
||||
${PATCH_DIR}/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
|
||||
${PATCH_DIR}/z0024-Add-arm64-coreos-verity-hash.patch \
|
||||
"
|
||||
@ -1,63 +0,0 @@
|
||||
From 56ce70f57c13296973ef0a14b7a2695d804abae8 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Aug 2013 17:58:15 -0400
|
||||
Subject: [PATCH 01/16] Add secure_modules() call
|
||||
|
||||
Provide a single call to allow kernel code to determine whether the system
|
||||
has been configured to either disable module loading entirely or to load
|
||||
only modules signed with a trusted key.
|
||||
|
||||
Bugzilla: N/A
|
||||
Upstream-status: Fedora mustard. Replaced by securelevels, but that was nak'd
|
||||
|
||||
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
---
|
||||
include/linux/module.h | 6 ++++++
|
||||
kernel/module.c | 10 ++++++++++
|
||||
2 files changed, 16 insertions(+)
|
||||
|
||||
diff --git a/include/linux/module.h b/include/linux/module.h
|
||||
index cc7cba2..da4bd57 100644
|
||||
--- a/include/linux/module.h
|
||||
+++ b/include/linux/module.h
|
||||
@@ -629,6 +629,8 @@ static inline bool module_requested_async_probing(struct module *module)
|
||||
return module && module->async_probe_requested;
|
||||
}
|
||||
|
||||
+extern bool secure_modules(void);
|
||||
+
|
||||
#ifdef CONFIG_LIVEPATCH
|
||||
static inline bool is_livepatch_module(struct module *mod)
|
||||
{
|
||||
@@ -750,6 +752,10 @@ static inline bool module_requested_async_probing(struct module *module)
|
||||
return false;
|
||||
}
|
||||
|
||||
+static inline bool secure_modules(void)
|
||||
+{
|
||||
+ return false;
|
||||
+}
|
||||
#endif /* CONFIG_MODULES */
|
||||
|
||||
#ifdef CONFIG_SYSFS
|
||||
diff --git a/kernel/module.c b/kernel/module.c
|
||||
index 1cd2bf3..3161532 100644
|
||||
--- a/kernel/module.c
|
||||
+++ b/kernel/module.c
|
||||
@@ -4300,3 +4300,13 @@ void module_layout(struct module *mod,
|
||||
}
|
||||
EXPORT_SYMBOL(module_layout);
|
||||
#endif
|
||||
+
|
||||
+bool secure_modules(void)
|
||||
+{
|
||||
+#ifdef CONFIG_MODULE_SIG
|
||||
+ return (sig_enforce || modules_disabled);
|
||||
+#else
|
||||
+ return modules_disabled;
|
||||
+#endif
|
||||
+}
|
||||
+EXPORT_SYMBOL(secure_modules);
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -1,72 +0,0 @@
|
||||
From e86746ca84516a0f983fcb917d8c7f1e537c3898 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Thu, 8 Mar 2012 10:35:59 -0500
|
||||
Subject: [PATCH 03/16] x86: Lock down IO port access when module security is
|
||||
enabled
|
||||
|
||||
IO port access would permit users to gain access to PCI configuration
|
||||
registers, which in turn (on a lot of hardware) give access to MMIO register
|
||||
space. This would potentially permit root to trigger arbitrary DMA, so lock
|
||||
it down by default.
|
||||
|
||||
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
---
|
||||
arch/x86/kernel/ioport.c | 5 +++--
|
||||
drivers/char/mem.c | 4 ++++
|
||||
2 files changed, 7 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
|
||||
index 589b319..ab83724 100644
|
||||
--- a/arch/x86/kernel/ioport.c
|
||||
+++ b/arch/x86/kernel/ioport.c
|
||||
@@ -15,6 +15,7 @@
|
||||
#include <linux/thread_info.h>
|
||||
#include <linux/syscalls.h>
|
||||
#include <linux/bitmap.h>
|
||||
+#include <linux/module.h>
|
||||
#include <asm/syscalls.h>
|
||||
|
||||
/*
|
||||
@@ -28,7 +29,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
|
||||
|
||||
if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
|
||||
return -EINVAL;
|
||||
- if (turn_on && !capable(CAP_SYS_RAWIO))
|
||||
+ if (turn_on && (!capable(CAP_SYS_RAWIO) || secure_modules()))
|
||||
return -EPERM;
|
||||
|
||||
/*
|
||||
@@ -108,7 +109,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
|
||||
return -EINVAL;
|
||||
/* Trying to gain more privileges? */
|
||||
if (level > old) {
|
||||
- if (!capable(CAP_SYS_RAWIO))
|
||||
+ if (!capable(CAP_SYS_RAWIO) || secure_modules())
|
||||
return -EPERM;
|
||||
}
|
||||
regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
|
||||
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
|
||||
index 7e4a9d1..83cca9f 100644
|
||||
--- a/drivers/char/mem.c
|
||||
+++ b/drivers/char/mem.c
|
||||
@@ -28,6 +28,7 @@
|
||||
#include <linux/export.h>
|
||||
#include <linux/io.h>
|
||||
#include <linux/uio.h>
|
||||
+#include <linux/module.h>
|
||||
|
||||
#include <linux/uaccess.h>
|
||||
|
||||
@@ -600,6 +601,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
|
||||
unsigned long i = *ppos;
|
||||
const char __user *tmp = buf;
|
||||
|
||||
+ if (secure_modules())
|
||||
+ return -EPERM;
|
||||
+
|
||||
if (!access_ok(VERIFY_READ, buf, count))
|
||||
return -EFAULT;
|
||||
while (count-- > 0 && i < 65536) {
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -1,39 +0,0 @@
|
||||
From acabe733bc7120d1557bb283dd4e00d55e4282a4 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@redhat.com>
|
||||
Date: Mon, 25 Jun 2012 19:57:30 -0400
|
||||
Subject: [PATCH 07/16] acpi: Ignore acpi_rsdp kernel parameter when module
|
||||
loading is restricted
|
||||
|
||||
This option allows userspace to pass the RSDP address to the kernel, which
|
||||
makes it possible for a user to circumvent any restrictions imposed on
|
||||
loading modules. Disable it in that case.
|
||||
|
||||
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
|
||||
---
|
||||
drivers/acpi/osl.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
|
||||
index 57fb5f4..9174461 100644
|
||||
--- a/drivers/acpi/osl.c
|
||||
+++ b/drivers/acpi/osl.c
|
||||
@@ -40,6 +40,7 @@
|
||||
#include <linux/list.h>
|
||||
#include <linux/jiffies.h>
|
||||
#include <linux/semaphore.h>
|
||||
+#include <linux/module.h>
|
||||
|
||||
#include <asm/io.h>
|
||||
#include <linux/uaccess.h>
|
||||
@@ -192,7 +193,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void)
|
||||
acpi_physical_address pa = 0;
|
||||
|
||||
#ifdef CONFIG_KEXEC
|
||||
- if (acpi_rsdp)
|
||||
+ if (acpi_rsdp && !secure_modules())
|
||||
return acpi_rsdp;
|
||||
#endif
|
||||
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -1,39 +0,0 @@
|
||||
From a135df64b344fc57ddaef49fcb729e0111551ba3 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <mjg59@coreos.com>
|
||||
Date: Thu, 19 Nov 2015 18:55:53 -0800
|
||||
Subject: [PATCH 08/16] kexec: Disable at runtime if the kernel enforces module
|
||||
loading restrictions
|
||||
|
||||
kexec permits the loading and execution of arbitrary code in ring 0, which
|
||||
is something that module signing enforcement is meant to prevent. It makes
|
||||
sense to disable kexec in this situation.
|
||||
|
||||
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
---
|
||||
kernel/kexec.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/kernel/kexec.c b/kernel/kexec.c
|
||||
index 980936a..a0e4cb3 100644
|
||||
--- a/kernel/kexec.c
|
||||
+++ b/kernel/kexec.c
|
||||
@@ -17,6 +17,7 @@
|
||||
#include <linux/syscalls.h>
|
||||
#include <linux/vmalloc.h>
|
||||
#include <linux/slab.h>
|
||||
+#include <linux/module.h>
|
||||
|
||||
#include "kexec_internal.h"
|
||||
|
||||
@@ -190,7 +191,7 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
|
||||
int result;
|
||||
|
||||
/* We only trust the superuser with rebooting the system. */
|
||||
- if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
|
||||
+ if (!capable(CAP_SYS_BOOT) || kexec_load_disabled || secure_modules())
|
||||
return -EPERM;
|
||||
|
||||
/*
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -1,185 +0,0 @@
|
||||
From 3e73063b8cec1c30f9937f784de14e37606b1e9d Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Aug 2013 18:36:30 -0400
|
||||
Subject: [PATCH 10/16] Add option to automatically enforce module signatures
|
||||
when in Secure Boot mode
|
||||
|
||||
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
|
||||
only load signed bootloaders and kernels. Certain use cases may also
|
||||
require that all kernel modules also be signed. Add a configuration option
|
||||
that enforces this automatically when enabled.
|
||||
|
||||
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
---
|
||||
Documentation/x86/zero-page.txt | 2 ++
|
||||
arch/x86/Kconfig | 10 ++++++++++
|
||||
arch/x86/boot/compressed/eboot.c | 35 +++++++++++++++++++++++++++++++++++
|
||||
arch/x86/include/uapi/asm/bootparam.h | 3 ++-
|
||||
arch/x86/kernel/setup.c | 6 ++++++
|
||||
include/linux/module.h | 6 ++++++
|
||||
kernel/module.c | 7 +++++++
|
||||
7 files changed, 68 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
|
||||
index 95a4d34..b8527c6 100644
|
||||
--- a/Documentation/x86/zero-page.txt
|
||||
+++ b/Documentation/x86/zero-page.txt
|
||||
@@ -31,6 +31,8 @@ Offset Proto Name Meaning
|
||||
1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below)
|
||||
1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer
|
||||
(below)
|
||||
+1EB/001 ALL kbd_status Numlock is enabled
|
||||
+1EC/001 ALL secure_boot Secure boot is enabled in the firmware
|
||||
1EF/001 ALL sentinel Used to detect broken bootloaders
|
||||
290/040 ALL edd_mbr_sig_buffer EDD MBR signatures
|
||||
2D0/A00 ALL e820_map E820 memory map table
|
||||
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
|
||||
index e487493..5be38b4 100644
|
||||
--- a/arch/x86/Kconfig
|
||||
+++ b/arch/x86/Kconfig
|
||||
@@ -1815,6 +1815,16 @@ config EFI_MIXED
|
||||
|
||||
If unsure, say N.
|
||||
|
||||
+config EFI_SECURE_BOOT_SIG_ENFORCE
|
||||
+ def_bool n
|
||||
+ prompt "Force module signing when UEFI Secure Boot is enabled"
|
||||
+ ---help---
|
||||
+ UEFI Secure Boot provides a mechanism for ensuring that the
|
||||
+ firmware will only load signed bootloaders and kernels. Certain
|
||||
+ use cases may also require that all kernel modules also be signed.
|
||||
+ Say Y here to automatically enable module signature enforcement
|
||||
+ when a system boots with UEFI Secure Boot enabled.
|
||||
+
|
||||
config SECCOMP
|
||||
def_bool y
|
||||
prompt "Enable seccomp to safely compute untrusted bytecode"
|
||||
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
|
||||
index ff01c8f..3e9e29a 100644
|
||||
--- a/arch/x86/boot/compressed/eboot.c
|
||||
+++ b/arch/x86/boot/compressed/eboot.c
|
||||
@@ -12,6 +12,7 @@
|
||||
#include <asm/efi.h>
|
||||
#include <asm/setup.h>
|
||||
#include <asm/desc.h>
|
||||
+#include <asm/bootparam_utils.h>
|
||||
|
||||
#include "../string.h"
|
||||
#include "eboot.h"
|
||||
@@ -600,6 +601,36 @@ static void setup_quirks(struct boot_params *boot_params)
|
||||
}
|
||||
}
|
||||
|
||||
+static int get_secure_boot(void)
|
||||
+{
|
||||
+ u8 sb, setup;
|
||||
+ unsigned long datasize = sizeof(sb);
|
||||
+ efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
|
||||
+ efi_status_t status;
|
||||
+
|
||||
+ status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
|
||||
+ L"SecureBoot", &var_guid, NULL, &datasize, &sb);
|
||||
+
|
||||
+ if (status != EFI_SUCCESS)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (sb == 0)
|
||||
+ return 0;
|
||||
+
|
||||
+
|
||||
+ status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
|
||||
+ L"SetupMode", &var_guid, NULL, &datasize,
|
||||
+ &setup);
|
||||
+
|
||||
+ if (status != EFI_SUCCESS)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (setup == 1)
|
||||
+ return 0;
|
||||
+
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
static efi_status_t
|
||||
setup_uga32(void **uga_handle, unsigned long size, u32 *width, u32 *height)
|
||||
{
|
||||
@@ -1157,6 +1188,10 @@ struct boot_params *efi_main(struct efi_config *c,
|
||||
else
|
||||
setup_boot_services32(efi_early);
|
||||
|
||||
+ sanitize_boot_params(boot_params);
|
||||
+
|
||||
+ boot_params->secure_boot = get_secure_boot();
|
||||
+
|
||||
setup_graphics(boot_params);
|
||||
|
||||
setup_efi_pci(boot_params);
|
||||
diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
|
||||
index b10bf31..5138dac 100644
|
||||
--- a/arch/x86/include/uapi/asm/bootparam.h
|
||||
+++ b/arch/x86/include/uapi/asm/bootparam.h
|
||||
@@ -135,7 +135,8 @@ struct boot_params {
|
||||
__u8 eddbuf_entries; /* 0x1e9 */
|
||||
__u8 edd_mbr_sig_buf_entries; /* 0x1ea */
|
||||
__u8 kbd_status; /* 0x1eb */
|
||||
- __u8 _pad5[3]; /* 0x1ec */
|
||||
+ __u8 secure_boot; /* 0x1ec */
|
||||
+ __u8 _pad5[2]; /* 0x1ed */
|
||||
/*
|
||||
* The sentinel is set to a nonzero value (0xff) in header.S.
|
||||
*
|
||||
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
|
||||
index 4cfba94..7c4295c 100644
|
||||
--- a/arch/x86/kernel/setup.c
|
||||
+++ b/arch/x86/kernel/setup.c
|
||||
@@ -1184,6 +1184,12 @@ void __init setup_arch(char **cmdline_p)
|
||||
|
||||
io_delay_init();
|
||||
|
||||
+#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
|
||||
+ if (boot_params.secure_boot) {
|
||||
+ enforce_signed_modules();
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
/*
|
||||
* Parse the ACPI tables for possible boot-time SMP configuration.
|
||||
*/
|
||||
diff --git a/include/linux/module.h b/include/linux/module.h
|
||||
index da4bd57..25d88bb 100644
|
||||
--- a/include/linux/module.h
|
||||
+++ b/include/linux/module.h
|
||||
@@ -260,6 +260,12 @@ extern const typeof(name) __mod_##type##__##name##_device_table \
|
||||
|
||||
struct notifier_block;
|
||||
|
||||
+#ifdef CONFIG_MODULE_SIG
|
||||
+extern void enforce_signed_modules(void);
|
||||
+#else
|
||||
+static inline void enforce_signed_modules(void) {};
|
||||
+#endif
|
||||
+
|
||||
#ifdef CONFIG_MODULES
|
||||
|
||||
extern int modules_disabled; /* for sysctl */
|
||||
diff --git a/kernel/module.c b/kernel/module.c
|
||||
index 3161532..19fe883 100644
|
||||
--- a/kernel/module.c
|
||||
+++ b/kernel/module.c
|
||||
@@ -4301,6 +4301,13 @@ void module_layout(struct module *mod,
|
||||
EXPORT_SYMBOL(module_layout);
|
||||
#endif
|
||||
|
||||
+#ifdef CONFIG_MODULE_SIG
|
||||
+void enforce_signed_modules(void)
|
||||
+{
|
||||
+ sig_enforce = true;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
bool secure_modules(void)
|
||||
{
|
||||
#ifdef CONFIG_MODULE_SIG
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -1,30 +0,0 @@
|
||||
From 73f341d91ad94d23b610a87a1813004ce34a315b Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Tue, 27 Aug 2013 13:28:43 -0400
|
||||
Subject: [PATCH 11/16] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
|
||||
|
||||
The functionality of the config option is dependent upon the platform being
|
||||
UEFI based. Reflect this in the config deps.
|
||||
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
---
|
||||
arch/x86/Kconfig | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
|
||||
index 5be38b4..efe6b42 100644
|
||||
--- a/arch/x86/Kconfig
|
||||
+++ b/arch/x86/Kconfig
|
||||
@@ -1816,7 +1816,8 @@ config EFI_MIXED
|
||||
If unsure, say N.
|
||||
|
||||
config EFI_SECURE_BOOT_SIG_ENFORCE
|
||||
- def_bool n
|
||||
+ def_bool n
|
||||
+ depends on EFI
|
||||
prompt "Force module signing when UEFI Secure Boot is enabled"
|
||||
---help---
|
||||
UEFI Secure Boot provides a mechanism for ensuring that the
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -1,43 +0,0 @@
|
||||
From fef19ea533f24b316a9fbba0e41a654428556721 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Tue, 27 Aug 2013 13:33:03 -0400
|
||||
Subject: [PATCH 12/16] efi: Add EFI_SECURE_BOOT bit
|
||||
|
||||
UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit
|
||||
for use with efi_enabled.
|
||||
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
---
|
||||
arch/x86/kernel/setup.c | 2 ++
|
||||
include/linux/efi.h | 1 +
|
||||
2 files changed, 3 insertions(+)
|
||||
|
||||
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
|
||||
index 7c4295c..c5c88bc 100644
|
||||
--- a/arch/x86/kernel/setup.c
|
||||
+++ b/arch/x86/kernel/setup.c
|
||||
@@ -1186,7 +1186,9 @@ void __init setup_arch(char **cmdline_p)
|
||||
|
||||
#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
|
||||
if (boot_params.secure_boot) {
|
||||
+ set_bit(EFI_SECURE_BOOT, &efi.flags);
|
||||
enforce_signed_modules();
|
||||
+ pr_info("Secure boot enabled\n");
|
||||
}
|
||||
#endif
|
||||
|
||||
diff --git a/include/linux/efi.h b/include/linux/efi.h
|
||||
index 5b1af30..1b12c29 100644
|
||||
--- a/include/linux/efi.h
|
||||
+++ b/include/linux/efi.h
|
||||
@@ -1065,6 +1065,7 @@ extern int __init efi_setup_pcdp_console(char *);
|
||||
#define EFI_ARCH_1 7 /* First arch-specific bit */
|
||||
#define EFI_DBG 8 /* Print additional debug info at runtime */
|
||||
#define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */
|
||||
+#define EFI_SECURE_BOOT 10 /* Are we in Secure Boot mode? */
|
||||
|
||||
#ifdef CONFIG_EFI
|
||||
/*
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -1,39 +0,0 @@
|
||||
From f88379d39f564008627fb41ee4880eff9c410a58 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Fri, 20 Jun 2014 08:53:24 -0400
|
||||
Subject: [PATCH 13/16] hibernate: Disable in a signed modules environment
|
||||
|
||||
There is currently no way to verify the resume image when returning
|
||||
from hibernate. This might compromise the signed modules trust model,
|
||||
so until we can work with signed hibernate images we disable it in
|
||||
a secure modules environment.
|
||||
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
---
|
||||
kernel/power/hibernate.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
|
||||
index b26dbc4..ab187ad 100644
|
||||
--- a/kernel/power/hibernate.c
|
||||
+++ b/kernel/power/hibernate.c
|
||||
@@ -29,6 +29,7 @@
|
||||
#include <linux/ctype.h>
|
||||
#include <linux/genhd.h>
|
||||
#include <linux/ktime.h>
|
||||
+#include <linux/module.h>
|
||||
#include <trace/events/power.h>
|
||||
|
||||
#include "power.h"
|
||||
@@ -67,7 +68,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
|
||||
|
||||
bool hibernation_available(void)
|
||||
{
|
||||
- return (nohibernate == 0);
|
||||
+ return ((nohibernate == 0) && !secure_modules());
|
||||
}
|
||||
|
||||
/**
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -1,57 +0,0 @@
|
||||
From 85f70950f243ac7477d80053dd9ae8807cf36b08 Mon Sep 17 00:00:00 2001
|
||||
From: Stephen Smalley <sds@tycho.nsa.gov>
|
||||
Date: Mon, 9 Jan 2017 10:07:31 -0500
|
||||
Subject: [PATCH 16/16] selinux: allow context mounts on tmpfs, ramfs, devpts
|
||||
within user namespaces
|
||||
|
||||
commit aad82892af261b9903cc11c55be3ecf5f0b0b4f8 ("selinux: Add support for
|
||||
unprivileged mounts from user namespaces") prohibited any use of context
|
||||
mount options within non-init user namespaces. However, this breaks
|
||||
use of context mount options for tmpfs mounts within user namespaces,
|
||||
which are being used by Docker/runc. There is no reason to block such
|
||||
usage for tmpfs, ramfs or devpts. Exempt these filesystem types
|
||||
from this restriction.
|
||||
|
||||
Before:
|
||||
sh$ userns_child_exec -p -m -U -M '0 1000 1' -G '0 1000 1' bash
|
||||
sh# mount -t tmpfs -o context=system_u:object_r:user_tmp_t:s0:c13 none /tmp
|
||||
mount: tmpfs is write-protected, mounting read-only
|
||||
mount: cannot mount tmpfs read-only
|
||||
|
||||
After:
|
||||
sh$ userns_child_exec -p -m -U -M '0 1000 1' -G '0 1000 1' bash
|
||||
sh# mount -t tmpfs -o context=system_u:object_r:user_tmp_t:s0:c13 none /tmp
|
||||
sh# ls -Zd /tmp
|
||||
unconfined_u:object_r:user_tmp_t:s0:c13 /tmp
|
||||
|
||||
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
||||
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
||||
---
|
||||
security/selinux/hooks.c | 10 +++++++---
|
||||
1 file changed, 7 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
|
||||
index d98550a..fbf2d6d 100644
|
||||
--- a/security/selinux/hooks.c
|
||||
+++ b/security/selinux/hooks.c
|
||||
@@ -833,10 +833,14 @@ static int selinux_set_mnt_opts(struct super_block *sb,
|
||||
}
|
||||
|
||||
/*
|
||||
- * If this is a user namespace mount, no contexts are allowed
|
||||
- * on the command line and security labels must be ignored.
|
||||
+ * If this is a user namespace mount and the filesystem type is not
|
||||
+ * explicitly whitelisted, then no contexts are allowed on the command
|
||||
+ * line and security labels must be ignored.
|
||||
*/
|
||||
- if (sb->s_user_ns != &init_user_ns) {
|
||||
+ if (sb->s_user_ns != &init_user_ns &&
|
||||
+ strcmp(sb->s_type->name, "tmpfs") &&
|
||||
+ strcmp(sb->s_type->name, "ramfs") &&
|
||||
+ strcmp(sb->s_type->name, "devpts")) {
|
||||
if (context_sid || fscontext_sid || rootcontext_sid ||
|
||||
defcontext_sid) {
|
||||
rc = -EACCES;
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -0,0 +1,46 @@
|
||||
From 8d2a3c8d17cbc09d163fb636fd06684ed4c287d6 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Mon, 21 Nov 2016 23:55:55 +0000
|
||||
Subject: [PATCH 01/24] efi: Add EFI_SECURE_BOOT bit
|
||||
|
||||
UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit
|
||||
that can be passed to efi_enabled() to find out whether secure boot is
|
||||
enabled.
|
||||
|
||||
This will be used by the SysRq+x handler, registered by the x86 arch, to find
|
||||
out whether secure boot mode is enabled so that it can be disabled.
|
||||
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
arch/x86/kernel/setup.c | 1 +
|
||||
include/linux/efi.h | 1 +
|
||||
2 files changed, 2 insertions(+)
|
||||
|
||||
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
|
||||
index 4bf0c89..396285b 100644
|
||||
--- a/arch/x86/kernel/setup.c
|
||||
+++ b/arch/x86/kernel/setup.c
|
||||
@@ -1184,6 +1184,7 @@ void __init setup_arch(char **cmdline_p)
|
||||
pr_info("Secure boot disabled\n");
|
||||
break;
|
||||
case efi_secureboot_mode_enabled:
|
||||
+ set_bit(EFI_SECURE_BOOT, &efi.flags);
|
||||
pr_info("Secure boot enabled\n");
|
||||
break;
|
||||
default:
|
||||
diff --git a/include/linux/efi.h b/include/linux/efi.h
|
||||
index 94d34e0..6049600 100644
|
||||
--- a/include/linux/efi.h
|
||||
+++ b/include/linux/efi.h
|
||||
@@ -1069,6 +1069,7 @@ extern int __init efi_setup_pcdp_console(char *);
|
||||
#define EFI_DBG 8 /* Print additional debug info at runtime */
|
||||
#define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */
|
||||
#define EFI_MEM_ATTR 10 /* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */
|
||||
+#define EFI_SECURE_BOOT 11 /* Are we in Secure Boot mode? */
|
||||
|
||||
#ifdef CONFIG_EFI
|
||||
/*
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -0,0 +1,149 @@
|
||||
From d23f58628946d89a63b5c31c52ca3eb8569d9480 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Mon, 21 Nov 2016 23:36:17 +0000
|
||||
Subject: [PATCH 02/24] Add the ability to lock down access to the running
|
||||
kernel image
|
||||
|
||||
Provide a single call to allow kernel code to determine whether the system
|
||||
should be locked down, thereby disallowing various accesses that might
|
||||
allow the running kernel image to be changed including the loading of
|
||||
modules that aren't validly signed with a key we recognise, fiddling with
|
||||
MSR registers and disallowing hibernation,
|
||||
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
include/linux/kernel.h | 9 +++++++++
|
||||
include/linux/security.h | 11 +++++++++++
|
||||
security/Kconfig | 15 +++++++++++++++
|
||||
security/Makefile | 3 +++
|
||||
security/lock_down.c | 40 ++++++++++++++++++++++++++++++++++++++++
|
||||
5 files changed, 78 insertions(+)
|
||||
create mode 100644 security/lock_down.c
|
||||
|
||||
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
|
||||
index 4c26dc3..b820a80 100644
|
||||
--- a/include/linux/kernel.h
|
||||
+++ b/include/linux/kernel.h
|
||||
@@ -275,6 +275,15 @@ extern int oops_may_print(void);
|
||||
void do_exit(long error_code) __noreturn;
|
||||
void complete_and_exit(struct completion *, long) __noreturn;
|
||||
|
||||
+#ifdef CONFIG_LOCK_DOWN_KERNEL
|
||||
+extern bool kernel_is_locked_down(void);
|
||||
+#else
|
||||
+static inline bool kernel_is_locked_down(void)
|
||||
+{
|
||||
+ return false;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
/* Internal, do not use. */
|
||||
int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res);
|
||||
int __must_check _kstrtol(const char *s, unsigned int base, long *res);
|
||||
diff --git a/include/linux/security.h b/include/linux/security.h
|
||||
index 96899fa..5808570 100644
|
||||
--- a/include/linux/security.h
|
||||
+++ b/include/linux/security.h
|
||||
@@ -1678,5 +1678,16 @@ static inline void free_secdata(void *secdata)
|
||||
{ }
|
||||
#endif /* CONFIG_SECURITY */
|
||||
|
||||
+#ifdef CONFIG_LOCK_DOWN_KERNEL
|
||||
+extern void lock_kernel_down(void);
|
||||
+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT
|
||||
+extern void lift_kernel_lockdown(void);
|
||||
+#endif
|
||||
+#else
|
||||
+static inline void lock_kernel_down(void)
|
||||
+{
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
#endif /* ! __LINUX_SECURITY_H */
|
||||
|
||||
diff --git a/security/Kconfig b/security/Kconfig
|
||||
index d900f47..d9b391d 100644
|
||||
--- a/security/Kconfig
|
||||
+++ b/security/Kconfig
|
||||
@@ -193,6 +193,21 @@ config STATIC_USERMODEHELPER_PATH
|
||||
If you wish for all usermode helper programs to be disabled,
|
||||
specify an empty string here (i.e. "").
|
||||
|
||||
+config LOCK_DOWN_KERNEL
|
||||
+ bool "Allow the kernel to be 'locked down'"
|
||||
+ help
|
||||
+ Allow the kernel to be locked down under certain circumstances, for
|
||||
+ instance if UEFI secure boot is enabled. Locking down the kernel
|
||||
+ turns off various features that might otherwise allow access to the
|
||||
+ kernel image (eg. setting MSR registers).
|
||||
+
|
||||
+config ALLOW_LOCKDOWN_LIFT
|
||||
+ bool
|
||||
+ help
|
||||
+ Allow the lockdown on a kernel to be lifted, thereby restoring the
|
||||
+ ability of userspace to access the kernel image (eg. by SysRq+x under
|
||||
+ x86).
|
||||
+
|
||||
source security/selinux/Kconfig
|
||||
source security/smack/Kconfig
|
||||
source security/tomoyo/Kconfig
|
||||
diff --git a/security/Makefile b/security/Makefile
|
||||
index f2d71cd..8c4a43e 100644
|
||||
--- a/security/Makefile
|
||||
+++ b/security/Makefile
|
||||
@@ -29,3 +29,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
|
||||
# Object integrity file lists
|
||||
subdir-$(CONFIG_INTEGRITY) += integrity
|
||||
obj-$(CONFIG_INTEGRITY) += integrity/
|
||||
+
|
||||
+# Allow the kernel to be locked down
|
||||
+obj-$(CONFIG_LOCK_DOWN_KERNEL) += lock_down.o
|
||||
diff --git a/security/lock_down.c b/security/lock_down.c
|
||||
new file mode 100644
|
||||
index 0000000..5788c60
|
||||
--- /dev/null
|
||||
+++ b/security/lock_down.c
|
||||
@@ -0,0 +1,40 @@
|
||||
+/* Lock down the kernel
|
||||
+ *
|
||||
+ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
|
||||
+ * Written by David Howells (dhowells@redhat.com)
|
||||
+ *
|
||||
+ * This program is free software; you can redistribute it and/or
|
||||
+ * modify it under the terms of the GNU General Public Licence
|
||||
+ * as published by the Free Software Foundation; either version
|
||||
+ * 2 of the Licence, or (at your option) any later version.
|
||||
+ */
|
||||
+
|
||||
+#include <linux/security.h>
|
||||
+#include <linux/export.h>
|
||||
+
|
||||
+static __read_mostly bool kernel_locked_down;
|
||||
+
|
||||
+/*
|
||||
+ * Put the kernel into lock-down mode.
|
||||
+ */
|
||||
+void lock_kernel_down(void)
|
||||
+{
|
||||
+ kernel_locked_down = true;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Take the kernel out of lockdown mode.
|
||||
+ */
|
||||
+void lift_kernel_lockdown(void)
|
||||
+{
|
||||
+ kernel_locked_down = false;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * kernel_is_locked_down - Find out if the kernel is locked down
|
||||
+ */
|
||||
+bool kernel_is_locked_down(void)
|
||||
+{
|
||||
+ return kernel_locked_down;
|
||||
+}
|
||||
+EXPORT_SYMBOL(kernel_is_locked_down);
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -0,0 +1,69 @@
|
||||
From 60416b718069a800e830593fdfb852abad37862b Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Mon, 21 Nov 2016 23:55:55 +0000
|
||||
Subject: [PATCH 03/24] efi: Lock down the kernel if booted in secure boot mode
|
||||
|
||||
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
|
||||
only load signed bootloaders and kernels. Certain use cases may also
|
||||
require that all kernel modules also be signed. Add a configuration option
|
||||
that to lock down the kernel - which includes requiring validly signed
|
||||
modules - if the kernel is secure-booted.
|
||||
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
arch/x86/Kconfig | 12 ++++++++++++
|
||||
arch/x86/kernel/setup.c | 8 +++++++-
|
||||
2 files changed, 19 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
|
||||
index cc98d5a..21f3985 100644
|
||||
--- a/arch/x86/Kconfig
|
||||
+++ b/arch/x86/Kconfig
|
||||
@@ -1817,6 +1817,18 @@ config EFI_MIXED
|
||||
|
||||
If unsure, say N.
|
||||
|
||||
+config EFI_SECURE_BOOT_LOCK_DOWN
|
||||
+ def_bool n
|
||||
+ depends on EFI
|
||||
+ prompt "Lock down the kernel when UEFI Secure Boot is enabled"
|
||||
+ ---help---
|
||||
+ UEFI Secure Boot provides a mechanism for ensuring that the firmware
|
||||
+ will only load signed bootloaders and kernels. Certain use cases may
|
||||
+ also require that all kernel modules also be signed and that
|
||||
+ userspace is prevented from directly changing the running kernel
|
||||
+ image. Say Y here to automatically lock down the kernel when a
|
||||
+ system boots with UEFI Secure Boot enabled.
|
||||
+
|
||||
config SECCOMP
|
||||
def_bool y
|
||||
prompt "Enable seccomp to safely compute untrusted bytecode"
|
||||
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
|
||||
index 396285b..85dfa74 100644
|
||||
--- a/arch/x86/kernel/setup.c
|
||||
+++ b/arch/x86/kernel/setup.c
|
||||
@@ -69,6 +69,7 @@
|
||||
#include <linux/crash_dump.h>
|
||||
#include <linux/tboot.h>
|
||||
#include <linux/jiffies.h>
|
||||
+#include <linux/security.h>
|
||||
|
||||
#include <video/edid.h>
|
||||
|
||||
@@ -1185,7 +1186,12 @@ void __init setup_arch(char **cmdline_p)
|
||||
break;
|
||||
case efi_secureboot_mode_enabled:
|
||||
set_bit(EFI_SECURE_BOOT, &efi.flags);
|
||||
- pr_info("Secure boot enabled\n");
|
||||
+ if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT_LOCK_DOWN)) {
|
||||
+ lock_kernel_down();
|
||||
+ pr_info("Secure boot enabled and kernel locked down\n");
|
||||
+ } else {
|
||||
+ pr_info("Secure boot enabled\n");
|
||||
+ }
|
||||
break;
|
||||
default:
|
||||
pr_info("Secure boot could not be determined\n");
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -0,0 +1,29 @@
|
||||
From 5fb1117bb8bdfa834a1479a250508d87f9c29d9c Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Wed, 23 Nov 2016 13:22:22 +0000
|
||||
Subject: [PATCH 04/24] Enforce module signatures if the kernel is locked down
|
||||
|
||||
If the kernel is locked down, require that all modules have valid
|
||||
signatures that we can verify.
|
||||
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
kernel/module.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/kernel/module.c b/kernel/module.c
|
||||
index 7eba6de..3331f2e 100644
|
||||
--- a/kernel/module.c
|
||||
+++ b/kernel/module.c
|
||||
@@ -2756,7 +2756,7 @@ static int module_sig_check(struct load_info *info, int flags)
|
||||
}
|
||||
|
||||
/* Not having a signature is only an error if we're strict. */
|
||||
- if (err == -ENOKEY && !sig_enforce)
|
||||
+ if (err == -ENOKEY && !sig_enforce && !kernel_is_locked_down())
|
||||
err = 0;
|
||||
|
||||
return err;
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -1,37 +1,38 @@
|
||||
From 3fc3471444e9d743dab373753403b3a5d61c4214 Mon Sep 17 00:00:00 2001
|
||||
From ec94f3ef19d149bf234a02fbf5733fc90532d903 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Mar 2012 09:28:15 -0500
|
||||
Subject: [PATCH 06/16] Restrict /dev/mem and /dev/kmem when module loading is
|
||||
restricted
|
||||
Date: Tue, 22 Nov 2016 08:46:16 +0000
|
||||
Subject: [PATCH 05/24] Restrict /dev/mem and /dev/kmem when the kernel is
|
||||
locked down
|
||||
|
||||
Allowing users to write to address space makes it possible for the kernel
|
||||
to be subverted, avoiding module loading restrictions. Prevent this when
|
||||
any restrictions have been imposed on loading modules.
|
||||
Allowing users to write to address space makes it possible for the kernel to
|
||||
be subverted, avoiding module loading restrictions. Prevent this when the
|
||||
kernel has been locked down.
|
||||
|
||||
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
drivers/char/mem.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
|
||||
index 83cca9f..e19f483 100644
|
||||
index 7e4a9d1..3c305b8 100644
|
||||
--- a/drivers/char/mem.c
|
||||
+++ b/drivers/char/mem.c
|
||||
@@ -180,6 +180,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
|
||||
@@ -179,6 +179,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
|
||||
if (p != *ppos)
|
||||
return -EFBIG;
|
||||
|
||||
+ if (secure_modules())
|
||||
+ if (kernel_is_locked_down())
|
||||
+ return -EPERM;
|
||||
+
|
||||
if (!valid_phys_addr_range(p, count))
|
||||
return -EFAULT;
|
||||
|
||||
@@ -536,6 +539,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
|
||||
@@ -535,6 +538,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
|
||||
char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
|
||||
int err = 0;
|
||||
|
||||
+ if (secure_modules())
|
||||
+ if (kernel_is_locked_down())
|
||||
+ return -EPERM;
|
||||
+
|
||||
if (p < (unsigned long) high_memory) {
|
||||
@ -0,0 +1,39 @@
|
||||
From a2dee11f2125409c99596864ab59bc6240040180 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:15 +0000
|
||||
Subject: [PATCH 06/24] kexec: Disable at runtime if the kernel is locked down
|
||||
|
||||
kexec permits the loading and execution of arbitrary code in ring 0, which
|
||||
is something that lock-down is meant to prevent. It makes sense to disable
|
||||
kexec in this situation.
|
||||
|
||||
This does not affect kexec_file_load() which can check for a signature on the
|
||||
image to be booted.
|
||||
|
||||
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
kernel/kexec.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/kernel/kexec.c b/kernel/kexec.c
|
||||
index 980936a..46de8e6 100644
|
||||
--- a/kernel/kexec.c
|
||||
+++ b/kernel/kexec.c
|
||||
@@ -194,6 +194,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
|
||||
return -EPERM;
|
||||
|
||||
/*
|
||||
+ * kexec can be used to circumvent module loading restrictions, so
|
||||
+ * prevent loading in that case
|
||||
+ */
|
||||
+ if (kernel_is_locked_down())
|
||||
+ return -EPERM;
|
||||
+
|
||||
+ /*
|
||||
* Verify we have a legal set of flags
|
||||
* This leaves us room for future extensions.
|
||||
*/
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -0,0 +1,38 @@
|
||||
From ff9bf489aa713b99ef5069e7b87eaa88b3e50838 Mon Sep 17 00:00:00 2001
|
||||
From: Dave Young <dyoung@redhat.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:15 +0000
|
||||
Subject: [PATCH 07/24] Copy secure_boot flag in boot params across kexec
|
||||
reboot
|
||||
|
||||
Kexec reboot in case secure boot being enabled does not keep the secure
|
||||
boot mode in new kernel, so later one can load unsigned kernel via legacy
|
||||
kexec_load. In this state, the system is missing the protections provided
|
||||
by secure boot.
|
||||
|
||||
Adding a patch to fix this by retain the secure_boot flag in original
|
||||
kernel.
|
||||
|
||||
secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the
|
||||
stub. Fixing this issue by copying secure_boot flag across kexec reboot.
|
||||
|
||||
Signed-off-by: Dave Young <dyoung@redhat.com>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
arch/x86/kernel/kexec-bzimage64.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
|
||||
index d0a814a..3551bca 100644
|
||||
--- a/arch/x86/kernel/kexec-bzimage64.c
|
||||
+++ b/arch/x86/kernel/kexec-bzimage64.c
|
||||
@@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
|
||||
if (efi_enabled(EFI_OLD_MEMMAP))
|
||||
return 0;
|
||||
|
||||
+ params->secure_boot = boot_params.secure_boot;
|
||||
ei->efi_loader_signature = current_ei->efi_loader_signature;
|
||||
ei->efi_systab = current_ei->efi_systab;
|
||||
ei->efi_systab_hi = current_ei->efi_systab_hi;
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -0,0 +1,39 @@
|
||||
From 5702dfdd0be2172bed2fd65d5f09ccf8f91ceef6 Mon Sep 17 00:00:00 2001
|
||||
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
|
||||
Date: Wed, 23 Nov 2016 13:49:19 +0000
|
||||
Subject: [PATCH 08/24] kexec_file: Disable at runtime if securelevel has been
|
||||
set
|
||||
|
||||
When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
|
||||
through kexec_file systemcall if securelevel has been set.
|
||||
|
||||
This code was showed in Matthew's patch but not in git:
|
||||
https://lkml.org/lkml/2015/3/13/778
|
||||
|
||||
Cc: Matthew Garrett <mjg59@srcf.ucam.org>
|
||||
Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
kernel/kexec_file.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
|
||||
index b118735..f6937ee 100644
|
||||
--- a/kernel/kexec_file.c
|
||||
+++ b/kernel/kexec_file.c
|
||||
@@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
|
||||
if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
|
||||
return -EPERM;
|
||||
|
||||
+ /* Don't permit images to be loaded into trusted kernels if we're not
|
||||
+ * going to verify the signature on them
|
||||
+ */
|
||||
+ if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
|
||||
+ return -EPERM;
|
||||
+
|
||||
/* Make sure we have a legal set of flags */
|
||||
if (flags != (flags & KEXEC_FILE_FLAGS))
|
||||
return -EINVAL;
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -0,0 +1,32 @@
|
||||
From 83a20b13d75872926dba2d642eff291979edbe2e Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Tue, 22 Nov 2016 08:46:15 +0000
|
||||
Subject: [PATCH 09/24] hibernate: Disable when the kernel is locked down
|
||||
|
||||
There is currently no way to verify the resume image when returning
|
||||
from hibernate. This might compromise the signed modules trust model,
|
||||
so until we can work with signed hibernate images we disable it when the
|
||||
kernel is locked down.
|
||||
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
kernel/power/hibernate.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
|
||||
index a8b978c..50cca5d 100644
|
||||
--- a/kernel/power/hibernate.c
|
||||
+++ b/kernel/power/hibernate.c
|
||||
@@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
|
||||
|
||||
bool hibernation_available(void)
|
||||
{
|
||||
- return (nohibernate == 0);
|
||||
+ return nohibernate == 0 && !kernel_is_locked_down();
|
||||
}
|
||||
|
||||
/**
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -0,0 +1,32 @@
|
||||
From 78782de3728538b3e8fb5a2b23823bc98aa4afe8 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <mjg59@srcf.ucam.org>
|
||||
Date: Wed, 23 Nov 2016 13:28:17 +0000
|
||||
Subject: [PATCH 10/24] uswsusp: Disable when the kernel is locked down
|
||||
|
||||
uswsusp allows a user process to dump and then restore kernel state, which
|
||||
makes it possible to modify the running kernel. Disable this if the kernel
|
||||
is locked down.
|
||||
|
||||
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
kernel/power/user.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/kernel/power/user.c b/kernel/power/user.c
|
||||
index 22df9f7..e4b926d 100644
|
||||
--- a/kernel/power/user.c
|
||||
+++ b/kernel/power/user.c
|
||||
@@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
|
||||
if (!hibernation_available())
|
||||
return -EPERM;
|
||||
|
||||
+ if (kernel_is_locked_down())
|
||||
+ return -EPERM;
|
||||
+
|
||||
lock_system_sleep();
|
||||
|
||||
if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -1,73 +1,66 @@
|
||||
From 7d153226d6afea4f25ba771ad674bcbe8e386c49 Mon Sep 17 00:00:00 2001
|
||||
From 0dfaa6335b722d770fa40ca9e3694fbebb6afcd4 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Thu, 8 Mar 2012 10:10:38 -0500
|
||||
Subject: [PATCH 02/16] PCI: Lock down BAR access when module security is
|
||||
enabled
|
||||
Date: Tue, 22 Nov 2016 08:46:15 +0000
|
||||
Subject: [PATCH 11/24] PCI: Lock down BAR access when the kernel is locked
|
||||
down
|
||||
|
||||
Any hardware that can potentially generate DMA has to be locked down from
|
||||
userspace in order to avoid it being possible for an attacker to modify
|
||||
kernel code, allowing them to circumvent disabled module loading or module
|
||||
signing. Default to paranoid - in future we can potentially relax this for
|
||||
Any hardware that can potentially generate DMA has to be locked down in
|
||||
order to avoid it being possible for an attacker to modify kernel code,
|
||||
allowing them to circumvent disabled module loading or module signing.
|
||||
Default to paranoid - in future we can potentially relax this for
|
||||
sufficiently IOMMU-isolated devices.
|
||||
|
||||
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
drivers/pci/pci-sysfs.c | 10 ++++++++++
|
||||
drivers/pci/proc.c | 8 +++++++-
|
||||
drivers/pci/syscall.c | 3 ++-
|
||||
3 files changed, 19 insertions(+), 2 deletions(-)
|
||||
drivers/pci/pci-sysfs.c | 9 +++++++++
|
||||
drivers/pci/proc.c | 8 +++++++-
|
||||
drivers/pci/syscall.c | 2 +-
|
||||
3 files changed, 17 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
|
||||
index 0666287..9867e0c 100644
|
||||
index 25d010d..f70b366 100644
|
||||
--- a/drivers/pci/pci-sysfs.c
|
||||
+++ b/drivers/pci/pci-sysfs.c
|
||||
@@ -30,6 +30,7 @@
|
||||
#include <linux/vgaarb.h>
|
||||
#include <linux/pm_runtime.h>
|
||||
#include <linux/of.h>
|
||||
+#include <linux/module.h>
|
||||
#include "pci.h"
|
||||
|
||||
static int sysfs_initialized; /* = 0 */
|
||||
@@ -718,6 +719,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
|
||||
@@ -727,6 +727,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
|
||||
loff_t init_off = off;
|
||||
u8 *data = (u8 *) buf;
|
||||
|
||||
+ if (secure_modules())
|
||||
+ if (kernel_is_locked_down())
|
||||
+ return -EPERM;
|
||||
+
|
||||
if (off > dev->cfg_size)
|
||||
return 0;
|
||||
if (off + count > dev->cfg_size) {
|
||||
@@ -1009,6 +1013,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
|
||||
@@ -1018,6 +1021,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
|
||||
resource_size_t start, end;
|
||||
int i;
|
||||
|
||||
+ if (secure_modules())
|
||||
+ if (kernel_is_locked_down())
|
||||
+ return -EPERM;
|
||||
+
|
||||
for (i = 0; i < PCI_ROM_RESOURCE; i++)
|
||||
if (res == &pdev->resource[i])
|
||||
break;
|
||||
@@ -1108,6 +1115,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
|
||||
@@ -1117,6 +1123,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
|
||||
struct bin_attribute *attr, char *buf,
|
||||
loff_t off, size_t count)
|
||||
{
|
||||
+ if (secure_modules())
|
||||
+ if (kernel_is_locked_down())
|
||||
+ return -EPERM;
|
||||
+
|
||||
return pci_resource_io(filp, kobj, attr, buf, off, count, true);
|
||||
}
|
||||
|
||||
diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
|
||||
index f82710a..3af0fcf 100644
|
||||
index f82710a..139d6f0 100644
|
||||
--- a/drivers/pci/proc.c
|
||||
+++ b/drivers/pci/proc.c
|
||||
@@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
|
||||
int size = dev->cfg_size;
|
||||
int cnt;
|
||||
|
||||
+ if (secure_modules())
|
||||
+ if (kernel_is_locked_down())
|
||||
+ return -EPERM;
|
||||
+
|
||||
if (pos >= size)
|
||||
@ -77,7 +70,7 @@ index f82710a..3af0fcf 100644
|
||||
#endif /* HAVE_PCI_MMAP */
|
||||
int ret = 0;
|
||||
|
||||
+ if (secure_modules())
|
||||
+ if (kernel_is_locked_down())
|
||||
+ return -EPERM;
|
||||
+
|
||||
switch (cmd) {
|
||||
@ -88,28 +81,20 @@ index f82710a..3af0fcf 100644
|
||||
int i, ret, write_combine;
|
||||
|
||||
- if (!capable(CAP_SYS_RAWIO))
|
||||
+ if (!capable(CAP_SYS_RAWIO) || secure_modules())
|
||||
+ if (!capable(CAP_SYS_RAWIO) || kernel_is_locked_down())
|
||||
return -EPERM;
|
||||
|
||||
/* Make sure the caller is mapping a real resource for this device */
|
||||
diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
|
||||
index 9bf993e..922bdf6 100644
|
||||
index 9bf993e..c095247 100644
|
||||
--- a/drivers/pci/syscall.c
|
||||
+++ b/drivers/pci/syscall.c
|
||||
@@ -11,6 +11,7 @@
|
||||
#include <linux/pci.h>
|
||||
#include <linux/syscalls.h>
|
||||
#include <linux/uaccess.h>
|
||||
+#include <linux/module.h>
|
||||
#include "pci.h"
|
||||
|
||||
SYSCALL_DEFINE5(pciconfig_read, unsigned long, bus, unsigned long, dfn,
|
||||
@@ -92,7 +93,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
|
||||
@@ -92,7 +92,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
|
||||
u32 dword;
|
||||
int err = 0;
|
||||
|
||||
- if (!capable(CAP_SYS_ADMIN))
|
||||
+ if (!capable(CAP_SYS_ADMIN) || secure_modules())
|
||||
+ if (!capable(CAP_SYS_ADMIN) || kernel_is_locked_down())
|
||||
return -EPERM;
|
||||
|
||||
dev = pci_get_bus_and_slot(bus, dfn);
|
||||
@ -0,0 +1,59 @@
|
||||
From 141aed03a504771f93f996bf93208ffc98cb2757 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:16 +0000
|
||||
Subject: [PATCH 12/24] x86: Lock down IO port access when the kernel is locked
|
||||
down
|
||||
|
||||
IO port access would permit users to gain access to PCI configuration
|
||||
registers, which in turn (on a lot of hardware) give access to MMIO
|
||||
register space. This would potentially permit root to trigger arbitrary
|
||||
DMA, so lock it down by default.
|
||||
|
||||
This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and
|
||||
KDDISABIO console ioctls.
|
||||
|
||||
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
arch/x86/kernel/ioport.c | 4 ++--
|
||||
drivers/char/mem.c | 2 ++
|
||||
2 files changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
|
||||
index 9c3cf09..4a613fe 100644
|
||||
--- a/arch/x86/kernel/ioport.c
|
||||
+++ b/arch/x86/kernel/ioport.c
|
||||
@@ -30,7 +30,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
|
||||
|
||||
if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
|
||||
return -EINVAL;
|
||||
- if (turn_on && !capable(CAP_SYS_RAWIO))
|
||||
+ if (turn_on && (!capable(CAP_SYS_RAWIO) || kernel_is_locked_down()))
|
||||
return -EPERM;
|
||||
|
||||
/*
|
||||
@@ -120,7 +120,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
|
||||
return -EINVAL;
|
||||
/* Trying to gain more privileges? */
|
||||
if (level > old) {
|
||||
- if (!capable(CAP_SYS_RAWIO))
|
||||
+ if (!capable(CAP_SYS_RAWIO) || kernel_is_locked_down())
|
||||
return -EPERM;
|
||||
}
|
||||
regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
|
||||
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
|
||||
index 3c305b8..f68976e 100644
|
||||
--- a/drivers/char/mem.c
|
||||
+++ b/drivers/char/mem.c
|
||||
@@ -763,6 +763,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)
|
||||
|
||||
static int open_port(struct inode *inode, struct file *filp)
|
||||
{
|
||||
+ if (kernel_is_locked_down())
|
||||
+ return -EPERM;
|
||||
return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
|
||||
}
|
||||
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -1,28 +1,28 @@
|
||||
From ec485c7a0607c648e91a0bfbde3bb00b08834f68 Mon Sep 17 00:00:00 2001
|
||||
From 692346713c770cdcfddd2b03821658b562f02f70 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 8 Feb 2013 11:12:13 -0800
|
||||
Subject: [PATCH 09/16] x86: Restrict MSR access when module loading is
|
||||
restricted
|
||||
Date: Tue, 22 Nov 2016 08:46:17 +0000
|
||||
Subject: [PATCH 13/24] x86: Restrict MSR access when the kernel is locked down
|
||||
|
||||
Writing to MSRs should not be allowed if module loading is restricted,
|
||||
since it could lead to execution of arbitrary code in kernel mode. Based
|
||||
on a patch by Kees Cook.
|
||||
Writing to MSRs should not be allowed if the kernel is locked down, since
|
||||
it could lead to execution of arbitrary code in kernel mode. Based on a
|
||||
patch by Kees Cook.
|
||||
|
||||
Cc: Kees Cook <keescook@chromium.org>
|
||||
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
arch/x86/kernel/msr.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
|
||||
index ef68880..74937d9 100644
|
||||
index ef68880..fbcce02 100644
|
||||
--- a/arch/x86/kernel/msr.c
|
||||
+++ b/arch/x86/kernel/msr.c
|
||||
@@ -84,6 +84,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
|
||||
int err = 0;
|
||||
ssize_t bytes = 0;
|
||||
|
||||
+ if (secure_modules())
|
||||
+ if (kernel_is_locked_down())
|
||||
+ return -EPERM;
|
||||
+
|
||||
if (count % 8)
|
||||
@ -32,7 +32,7 @@ index ef68880..74937d9 100644
|
||||
err = -EBADF;
|
||||
break;
|
||||
}
|
||||
+ if (secure_modules()) {
|
||||
+ if (kernel_is_locked_down()) {
|
||||
+ err = -EPERM;
|
||||
+ break;
|
||||
+ }
|
||||
@ -1,29 +1,30 @@
|
||||
From 1cc7d069c2ef9833542ded0bbb2cb4b33163d384 Mon Sep 17 00:00:00 2001
|
||||
From 09a257a1f105159ad9f4450c2968531c4cccf745 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Mar 2012 08:46:50 -0500
|
||||
Subject: [PATCH 05/16] asus-wmi: Restrict debugfs interface when module
|
||||
loading is restricted
|
||||
Date: Tue, 22 Nov 2016 08:46:16 +0000
|
||||
Subject: [PATCH 14/24] asus-wmi: Restrict debugfs interface when the kernel is
|
||||
locked down
|
||||
|
||||
We have no way of validating what all of the Asus WMI methods do on a
|
||||
given machine, and there's a risk that some will allow hardware state to
|
||||
be manipulated in such a way that arbitrary code can be executed in the
|
||||
kernel, circumventing module loading restrictions. Prevent that if any of
|
||||
these features are enabled.
|
||||
We have no way of validating what all of the Asus WMI methods do on a given
|
||||
machine - and there's a risk that some will allow hardware state to be
|
||||
manipulated in such a way that arbitrary code can be executed in the
|
||||
kernel, circumventing module loading restrictions. Prevent that if the
|
||||
kernel is locked down.
|
||||
|
||||
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
drivers/platform/x86/asus-wmi.c | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
|
||||
index 8499d3a..8378491 100644
|
||||
index 8fe5890..feef250 100644
|
||||
--- a/drivers/platform/x86/asus-wmi.c
|
||||
+++ b/drivers/platform/x86/asus-wmi.c
|
||||
@@ -1900,6 +1900,9 @@ static int show_dsts(struct seq_file *m, void *data)
|
||||
int err;
|
||||
u32 retval = -1;
|
||||
|
||||
+ if (secure_modules())
|
||||
+ if (kernel_is_locked_down())
|
||||
+ return -EPERM;
|
||||
+
|
||||
err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
|
||||
@ -33,7 +34,7 @@ index 8499d3a..8378491 100644
|
||||
int err;
|
||||
u32 retval = -1;
|
||||
|
||||
+ if (secure_modules())
|
||||
+ if (kernel_is_locked_down())
|
||||
+ return -EPERM;
|
||||
+
|
||||
err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
|
||||
@ -43,7 +44,7 @@ index 8499d3a..8378491 100644
|
||||
union acpi_object *obj;
|
||||
acpi_status status;
|
||||
|
||||
+ if (secure_modules())
|
||||
+ if (kernel_is_locked_down())
|
||||
+ return -EPERM;
|
||||
+
|
||||
status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
|
||||
@ -1,26 +1,28 @@
|
||||
From 6256746af8e6279fa742e586aadb6cd75e129762 Mon Sep 17 00:00:00 2001
|
||||
From fac665360016f0601ce9c1b6d662d7bab23c8019 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Mar 2012 08:39:37 -0500
|
||||
Subject: [PATCH 04/16] ACPI: Limit access to custom_method
|
||||
Date: Tue, 22 Nov 2016 08:46:16 +0000
|
||||
Subject: [PATCH 15/24] ACPI: Limit access to custom_method when the kernel is
|
||||
locked down
|
||||
|
||||
custom_method effectively allows arbitrary access to system memory, making
|
||||
it possible for an attacker to circumvent restrictions on module loading.
|
||||
Disable it if any such restrictions have been enabled.
|
||||
Disable it if the kernel is locked down.
|
||||
|
||||
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
drivers/acpi/custom_method.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
|
||||
index c68e724..4277938 100644
|
||||
index c68e724..e4d721c 100644
|
||||
--- a/drivers/acpi/custom_method.c
|
||||
+++ b/drivers/acpi/custom_method.c
|
||||
@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
|
||||
struct acpi_table_header table;
|
||||
acpi_status status;
|
||||
|
||||
+ if (secure_modules())
|
||||
+ if (kernel_is_locked_down())
|
||||
+ return -EPERM;
|
||||
+
|
||||
if (!(*ppos)) {
|
||||
@ -0,0 +1,32 @@
|
||||
From 6af7fcaa158248e47ec3319c15226bdb83876749 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@redhat.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:16 +0000
|
||||
Subject: [PATCH 16/24] acpi: Ignore acpi_rsdp kernel param when the kernel has
|
||||
been locked down
|
||||
|
||||
This option allows userspace to pass the RSDP address to the kernel, which
|
||||
makes it possible for a user to circumvent any restrictions imposed on
|
||||
loading modules. Ignore the option when the kernel is locked down.
|
||||
|
||||
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
drivers/acpi/osl.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
|
||||
index db78d35..d4d4ba3 100644
|
||||
--- a/drivers/acpi/osl.c
|
||||
+++ b/drivers/acpi/osl.c
|
||||
@@ -192,7 +192,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void)
|
||||
acpi_physical_address pa = 0;
|
||||
|
||||
#ifdef CONFIG_KEXEC
|
||||
- if (acpi_rsdp)
|
||||
+ if (acpi_rsdp && !kernel_is_locked_down())
|
||||
return acpi_rsdp;
|
||||
#endif
|
||||
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -0,0 +1,41 @@
|
||||
From 3d13a2254fdb3bc3e618c45edf57324d37720e69 Mon Sep 17 00:00:00 2001
|
||||
From: Linn Crosetto <linn@hpe.com>
|
||||
Date: Wed, 23 Nov 2016 13:32:27 +0000
|
||||
Subject: [PATCH 17/24] acpi: Disable ACPI table override if the kernel is
|
||||
locked down
|
||||
|
||||
From the kernel documentation (initrd_table_override.txt):
|
||||
|
||||
If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
|
||||
to override nearly any ACPI table provided by the BIOS with an
|
||||
instrumented, modified one.
|
||||
|
||||
When securelevel is set, the kernel should disallow any unauthenticated
|
||||
changes to kernel space. ACPI tables contain code invoked by the kernel,
|
||||
so do not allow ACPI tables to be overridden if the kernel is locked down.
|
||||
|
||||
Signed-off-by: Linn Crosetto <linn@hpe.com>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
drivers/acpi/tables.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
|
||||
index 2604189..601096d 100644
|
||||
--- a/drivers/acpi/tables.c
|
||||
+++ b/drivers/acpi/tables.c
|
||||
@@ -542,6 +542,11 @@ void __init acpi_table_upgrade(void)
|
||||
if (table_nr == 0)
|
||||
return;
|
||||
|
||||
+ if (kernel_is_locked_down()) {
|
||||
+ pr_notice("kernel is locked down, ignoring table override\n");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
acpi_tables_addr =
|
||||
memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
|
||||
all_tables_size, PAGE_SIZE);
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -0,0 +1,44 @@
|
||||
From 3109ef59a2ac9c3dc8255ec18f66970c2c4a207c Mon Sep 17 00:00:00 2001
|
||||
From: Linn Crosetto <linn@hpe.com>
|
||||
Date: Wed, 23 Nov 2016 13:39:41 +0000
|
||||
Subject: [PATCH 18/24] acpi: Disable APEI error injection if the kernel is
|
||||
locked down
|
||||
|
||||
ACPI provides an error injection mechanism, EINJ, for debugging and testing
|
||||
the ACPI Platform Error Interface (APEI) and other RAS features. If
|
||||
supported by the firmware, ACPI specification 5.0 and later provide for a
|
||||
way to specify a physical memory address to which to inject the error.
|
||||
|
||||
Injecting errors through EINJ can produce errors which to the platform are
|
||||
indistinguishable from real hardware errors. This can have undesirable
|
||||
side-effects, such as causing the platform to mark hardware as needing
|
||||
replacement.
|
||||
|
||||
While it does not provide a method to load unauthenticated privileged code,
|
||||
the effect of these errors may persist across reboots and affect trust in
|
||||
the underlying hardware, so disable error injection through EINJ if
|
||||
the kernel is locked down.
|
||||
|
||||
Signed-off-by: Linn Crosetto <linn@hpe.com>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
drivers/acpi/apei/einj.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c
|
||||
index ec50c32..e082718 100644
|
||||
--- a/drivers/acpi/apei/einj.c
|
||||
+++ b/drivers/acpi/apei/einj.c
|
||||
@@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2,
|
||||
int rc;
|
||||
u64 base_addr, size;
|
||||
|
||||
+ if (kernel_is_locked_down())
|
||||
+ return -EPERM;
|
||||
+
|
||||
/* If user manually set "flags", make sure it is legal */
|
||||
if (flags && (flags &
|
||||
~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF)))
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -0,0 +1,57 @@
|
||||
From a8b6c30d4fd43d684b3594eb60d62382abc39050 Mon Sep 17 00:00:00 2001
|
||||
From: "Lee, Chun-Yi" <jlee@suse.com>
|
||||
Date: Wed, 23 Nov 2016 13:52:16 +0000
|
||||
Subject: [PATCH 19/24] bpf: Restrict kernel image access functions when the
|
||||
kernel is locked down
|
||||
|
||||
There are some bpf functions can be used to read kernel memory:
|
||||
bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow
|
||||
private keys in kernel memory (e.g. the hibernation image signing key) to
|
||||
be read by an eBPF program. Prohibit those functions when the kernel is
|
||||
locked down.
|
||||
|
||||
Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
kernel/trace/bpf_trace.c | 11 +++++++++++
|
||||
1 file changed, 11 insertions(+)
|
||||
|
||||
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
|
||||
index cee9802..7fde851 100644
|
||||
--- a/kernel/trace/bpf_trace.c
|
||||
+++ b/kernel/trace/bpf_trace.c
|
||||
@@ -65,6 +65,11 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr)
|
||||
{
|
||||
int ret;
|
||||
|
||||
+ if (kernel_is_locked_down()) {
|
||||
+ memset(dst, 0, size);
|
||||
+ return -EPERM;
|
||||
+ }
|
||||
+
|
||||
ret = probe_kernel_read(dst, unsafe_ptr, size);
|
||||
if (unlikely(ret < 0))
|
||||
memset(dst, 0, size);
|
||||
@@ -84,6 +89,9 @@ static const struct bpf_func_proto bpf_probe_read_proto = {
|
||||
BPF_CALL_3(bpf_probe_write_user, void *, unsafe_ptr, const void *, src,
|
||||
u32, size)
|
||||
{
|
||||
+ if (kernel_is_locked_down())
|
||||
+ return -EPERM;
|
||||
+
|
||||
/*
|
||||
* Ensure we're in user context which is safe for the helper to
|
||||
* run. This helper has no business in a kthread.
|
||||
@@ -143,6 +151,9 @@ BPF_CALL_5(bpf_trace_printk, char *, fmt, u32, fmt_size, u64, arg1,
|
||||
if (fmt[--fmt_size] != 0)
|
||||
return -EINVAL;
|
||||
|
||||
+ if (kernel_is_locked_down())
|
||||
+ return __trace_printk(1, fmt, 0, 0, 0);
|
||||
+
|
||||
/* check format string for allowed specifiers */
|
||||
for (i = 0; i < fmt_size; i++) {
|
||||
if ((!isprint(fmt[i]) && !isspace(fmt[i])) || !isascii(fmt[i]))
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -0,0 +1,47 @@
|
||||
From 8e46fe54f266e8bf44ee499c3e3965c909785751 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Tue, 22 Nov 2016 10:10:34 +0000
|
||||
Subject: [PATCH 20/24] scsi: Lock down the eata driver
|
||||
|
||||
When the kernel is running in secure boot mode, we lock down the kernel to
|
||||
prevent userspace from modifying the running kernel image. Whilst this
|
||||
includes prohibiting access to things like /dev/mem, it must also prevent
|
||||
access by means of configuring driver modules in such a way as to cause a
|
||||
device to access or modify the kernel image.
|
||||
|
||||
The eata driver takes a single string parameter that contains a slew of
|
||||
settings, including hardware resource configuration. Prohibit use of the
|
||||
parameter if the kernel is locked down.
|
||||
|
||||
Suggested-by: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
cc: Dario Ballabio <ballabio_dario@emc.com>
|
||||
cc: "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>
|
||||
cc: "Martin K. Petersen" <martin.petersen@oracle.com>
|
||||
cc: linux-scsi@vger.kernel.org
|
||||
---
|
||||
drivers/scsi/eata.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/scsi/eata.c b/drivers/scsi/eata.c
|
||||
index 227dd2c..5c036d1 100644
|
||||
--- a/drivers/scsi/eata.c
|
||||
+++ b/drivers/scsi/eata.c
|
||||
@@ -1552,8 +1552,13 @@ static int eata2x_detect(struct scsi_host_template *tpnt)
|
||||
|
||||
tpnt->proc_name = "eata2x";
|
||||
|
||||
- if (strlen(boot_options))
|
||||
+ if (strlen(boot_options)) {
|
||||
+ if (kernel_is_locked_down()) {
|
||||
+ pr_err("Command line-specified device addresses, irqs and dma channels are not permitted when the kernel is locked down\n");
|
||||
+ return -EPERM;
|
||||
+ }
|
||||
option_setup(boot_options);
|
||||
+ }
|
||||
|
||||
#if defined(MODULE)
|
||||
/* io_port could have been modified when loading as a module */
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -0,0 +1,33 @@
|
||||
From 676e67b4574709c9d4dd7fe3ceef4b0fe236f99a Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Fri, 25 Nov 2016 14:37:45 +0000
|
||||
Subject: [PATCH 21/24] Prohibit PCMCIA CIS storage when the kernel is locked
|
||||
down
|
||||
|
||||
Prohibit replacement of the PCMCIA Card Information Structure when the
|
||||
kernel is locked down.
|
||||
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
drivers/pcmcia/cistpl.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c
|
||||
index 55ef7d1..193e4f7 100644
|
||||
--- a/drivers/pcmcia/cistpl.c
|
||||
+++ b/drivers/pcmcia/cistpl.c
|
||||
@@ -1578,6 +1578,11 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj,
|
||||
struct pcmcia_socket *s;
|
||||
int error;
|
||||
|
||||
+ if (kernel_is_locked_down()) {
|
||||
+ pr_err("Direct CIS storage isn't permitted when the kernel is locked down\n");
|
||||
+ return -EPERM;
|
||||
+ }
|
||||
+
|
||||
s = to_socket(container_of(kobj, struct device, kobj));
|
||||
|
||||
if (off)
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -0,0 +1,36 @@
|
||||
From 754ca1eba971c80218e8dd21e816851721153dff Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Wed, 7 Dec 2016 10:28:39 +0000
|
||||
Subject: [PATCH 22/24] Lock down TIOCSSERIAL
|
||||
|
||||
Lock down TIOCSSERIAL as that can be used to change the ioport and irq
|
||||
settings on a serial port. This only appears to be an issue for the serial
|
||||
drivers that use the core serial code. All other drivers seem to either
|
||||
ignore attempts to change port/irq or give an error.
|
||||
|
||||
Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
drivers/tty/serial/serial_core.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
|
||||
index 3fe5689..4181b00 100644
|
||||
--- a/drivers/tty/serial/serial_core.c
|
||||
+++ b/drivers/tty/serial/serial_core.c
|
||||
@@ -821,6 +821,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port,
|
||||
new_flags = new_info->flags;
|
||||
old_custom_divisor = uport->custom_divisor;
|
||||
|
||||
+ if ((change_port || change_irq) && kernel_is_locked_down()) {
|
||||
+ pr_err("Using TIOCSSERIAL to change device addresses, irqs and dma channels is not permitted when the kernel is locked down\n");
|
||||
+ retval = -EPERM;
|
||||
+ goto exit;
|
||||
+ }
|
||||
+
|
||||
if (!capable(CAP_SYS_ADMIN)) {
|
||||
retval = -EPERM;
|
||||
if (change_irq || change_port ||
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 8ef1fd05524775d97e12e0afe610678668c2743b Mon Sep 17 00:00:00 2001
|
||||
From 888481838b62903a4b2709cb84595f89820589bb Mon Sep 17 00:00:00 2001
|
||||
From: Vito Caputo <vito.caputo@coreos.com>
|
||||
Date: Wed, 25 Nov 2015 02:59:45 -0800
|
||||
Subject: [PATCH 14/16] kbuild: derive relative path for KBUILD_SRC from CURDIR
|
||||
Subject: [PATCH 23/24] kbuild: derive relative path for KBUILD_SRC from CURDIR
|
||||
|
||||
This enables relocating source and build trees to different roots,
|
||||
provided they stay reachable relative to one another. Useful for
|
||||
@ -12,10 +12,10 @@ by some undesirable path component.
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Makefile b/Makefile
|
||||
index 9689d3f..0c0b5be 100644
|
||||
index 4b074a9..723c84d 100644
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -147,7 +147,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make
|
||||
@@ -149,7 +149,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make
|
||||
@:
|
||||
|
||||
sub-make:
|
||||
@ -1,7 +1,7 @@
|
||||
From b6077ba8b3a213a88c805cc14322828b1f08219c Mon Sep 17 00:00:00 2001
|
||||
From 0ec3dd6e4d4b7a14e9fae62c6f2affe6b643063e Mon Sep 17 00:00:00 2001
|
||||
From: Geoff Levand <geoff@infradead.org>
|
||||
Date: Fri, 11 Nov 2016 17:28:52 -0800
|
||||
Subject: [PATCH 15/16] Add arm64 coreos verity hash
|
||||
Subject: [PATCH 24/24] Add arm64 coreos verity hash
|
||||
|
||||
Signed-off-by: Geoff Levand <geoff@infradead.org>
|
||||
---
|
||||
@ -9,10 +9,10 @@ Signed-off-by: Geoff Levand <geoff@infradead.org>
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S
|
||||
index 4b1abac..a53fa57 100644
|
||||
index 4fb6ccd..f791d18 100644
|
||||
--- a/arch/arm64/kernel/head.S
|
||||
+++ b/arch/arm64/kernel/head.S
|
||||
@@ -195,6 +195,11 @@ section_table:
|
||||
@@ -200,6 +200,11 @@ section_table:
|
||||
.short 0 // NumberOfLineNumbers (0 for executables)
|
||||
.long 0xe0500020 // Characteristics (section flags)
|
||||
|
||||
@ -21,9 +21,9 @@ index 4b1abac..a53fa57 100644
|
||||
+ .ascii "verity-hash"
|
||||
+ .org _head + 512 + 64
|
||||
+
|
||||
#ifdef CONFIG_DEBUG_EFI
|
||||
/*
|
||||
* EFI will load .text onwards at the 4k section alignment
|
||||
* described in the PE/COFF header. To ensure that instruction
|
||||
* The debug table is referenced via its Relative Virtual Address (RVA),
|
||||
--
|
||||
2.9.3
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user