diff options
Diffstat (limited to 'debian/patches/features/all/lockdown')
33 files changed, 1813 insertions, 0 deletions
diff --git a/debian/patches/features/all/lockdown/0001-Add-the-ability-to-lock-down-access-to-the-running-k.patch b/debian/patches/features/all/lockdown/0001-Add-the-ability-to-lock-down-access-to-the-running-k.patch new file mode 100644 index 000000000..9a8cd7c82 --- /dev/null +++ b/debian/patches/features/all/lockdown/0001-Add-the-ability-to-lock-down-access-to-the-running-k.patch @@ -0,0 +1,164 @@ +From: David Howells <dhowells@redhat.com> +Date: Wed, 8 Nov 2017 15:11:31 +0000 +Subject: [01/29] Add the ability to lock down access to the running kernel + image +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=6d350e2534bfaaaa3e523484b2ca44d22377e951 + +Provide a single call to allow kernel code to determine whether the system +should be locked down, thereby disallowing various accesses that might +allow the running kernel image to be changed including the loading of +modules that aren't validly signed with a key we recognise, fiddling with +MSR registers and disallowing hibernation, + +Signed-off-by: David Howells <dhowells@redhat.com> +Acked-by: James Morris <james.l.morris@oracle.com> +--- + include/linux/kernel.h | 17 ++++++++++++++ + include/linux/security.h | 8 +++++++ + security/Kconfig | 8 +++++++ + security/Makefile | 3 +++ + security/lock_down.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++ + 5 files changed, 96 insertions(+) + create mode 100644 security/lock_down.c + +Index: linux/include/linux/kernel.h +=================================================================== +--- linux.orig/include/linux/kernel.h ++++ linux/include/linux/kernel.h +@@ -341,6 +341,23 @@ static inline void refcount_error_report + { } + #endif + ++#ifdef CONFIG_LOCK_DOWN_KERNEL ++extern bool __kernel_is_locked_down(const char *what, bool first); ++#else ++static inline bool __kernel_is_locked_down(const char *what, bool first) ++{ ++ return false; ++} ++#endif ++ ++#define kernel_is_locked_down(what) \ ++ ({ \ ++ static bool message_given; \ ++ bool locked_down = __kernel_is_locked_down(what, !message_given); \ ++ message_given = true; \ ++ locked_down; \ ++ }) ++ + /* Internal, do not use. */ + int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res); + int __must_check _kstrtol(const char *s, unsigned int base, long *res); +Index: linux/include/linux/security.h +=================================================================== +--- linux.orig/include/linux/security.h ++++ linux/include/linux/security.h +@@ -1843,5 +1843,13 @@ static inline void free_secdata(void *se + { } + #endif /* CONFIG_SECURITY */ + ++#ifdef CONFIG_LOCK_DOWN_KERNEL ++extern void __init init_lockdown(void); ++#else ++static inline void __init init_lockdown(void) ++{ ++} ++#endif ++ + #endif /* ! __LINUX_SECURITY_H */ + +Index: linux/security/Kconfig +=================================================================== +--- linux.orig/security/Kconfig ++++ linux/security/Kconfig +@@ -239,6 +239,14 @@ config STATIC_USERMODEHELPER_PATH + If you wish for all usermode helper programs to be disabled, + specify an empty string here (i.e. ""). + ++config LOCK_DOWN_KERNEL ++ bool "Allow the kernel to be 'locked down'" ++ help ++ Allow the kernel to be locked down under certain circumstances, for ++ instance if UEFI secure boot is enabled. Locking down the kernel ++ turns off various features that might otherwise allow access to the ++ kernel image (eg. setting MSR registers). ++ + source security/selinux/Kconfig + source security/smack/Kconfig + source security/tomoyo/Kconfig +Index: linux/security/Makefile +=================================================================== +--- linux.orig/security/Makefile ++++ linux/security/Makefile +@@ -30,3 +30,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c + # Object integrity file lists + subdir-$(CONFIG_INTEGRITY) += integrity + obj-$(CONFIG_INTEGRITY) += integrity/ ++ ++# Allow the kernel to be locked down ++obj-$(CONFIG_LOCK_DOWN_KERNEL) += lock_down.o +Index: linux/security/lock_down.c +=================================================================== +--- /dev/null ++++ linux/security/lock_down.c +@@ -0,0 +1,60 @@ ++/* Lock down the kernel ++ * ++ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved. ++ * Written by David Howells (dhowells@redhat.com) ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public Licence ++ * as published by the Free Software Foundation; either version ++ * 2 of the Licence, or (at your option) any later version. ++ */ ++ ++#include <linux/security.h> ++#include <linux/export.h> ++ ++static __ro_after_init bool kernel_locked_down; ++ ++/* ++ * Put the kernel into lock-down mode. ++ */ ++static void __init lock_kernel_down(const char *where) ++{ ++ if (!kernel_locked_down) { ++ kernel_locked_down = true; ++ pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n", ++ where); ++ } ++} ++ ++static int __init lockdown_param(char *ignored) ++{ ++ lock_kernel_down("command line"); ++ return 0; ++} ++ ++early_param("lockdown", lockdown_param); ++ ++/* ++ * Lock the kernel down from very early in the arch setup. This must happen ++ * prior to things like ACPI being initialised. ++ */ ++void __init init_lockdown(void) ++{ ++#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT ++ if (efi_enabled(EFI_SECURE_BOOT)) ++ lock_kernel_down("EFI secure boot"); ++#endif ++} ++ ++/** ++ * kernel_is_locked_down - Find out if the kernel is locked down ++ * @what: Tag to use in notice generated if lockdown is in effect ++ */ ++bool __kernel_is_locked_down(const char *what, bool first) ++{ ++ if (what && first && kernel_locked_down) ++ pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", ++ what); ++ return kernel_locked_down; ++} ++EXPORT_SYMBOL(__kernel_is_locked_down); diff --git a/debian/patches/features/all/lockdown/0003-ima-require-secure_boot-rules-in-lockdown-mode.patch b/debian/patches/features/all/lockdown/0003-ima-require-secure_boot-rules-in-lockdown-mode.patch new file mode 100644 index 000000000..0ab99ba64 --- /dev/null +++ b/debian/patches/features/all/lockdown/0003-ima-require-secure_boot-rules-in-lockdown-mode.patch @@ -0,0 +1,75 @@ +From: Mimi Zohar <zohar@linux.vnet.ibm.com> +Date: Wed, 8 Nov 2017 15:11:32 +0000 +Subject: [03/29] ima: require secure_boot rules in lockdown mode +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=29c55d71a8185208c7962843a29c9a84ae27b2b0 + +Require the "secure_boot" rules, whether or not it is specified +on the boot command line, for both the builtin and custom policies +in secure boot lockdown mode. + +Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> +Signed-off-by: David Howells <dhowells@redhat.com> +[bwh: Adjust context to apply after commits 6f0911a666d1 + "ima: fix updating the ima_appraise flag" and ef96837b0de4 + "ima: add build time policy"] +--- + security/integrity/ima/ima_policy.c | 39 +++++++++++++++++++++++++++---------- + 1 file changed, 29 insertions(+), 10 deletions(-) + +Index: linux/security/integrity/ima/ima_policy.c +=================================================================== +--- linux.orig/security/integrity/ima/ima_policy.c ++++ linux/security/integrity/ima/ima_policy.c +@@ -481,14 +481,21 @@ static int ima_appraise_flag(enum ima_ho + */ + void __init ima_init_policy(void) + { +- int i, measure_entries, appraise_entries, secure_boot_entries; ++ int i; ++ int measure_entries = 0; ++ int appraise_entries = 0; ++ int secure_boot_entries = 0; ++ bool kernel_locked_down = __kernel_is_locked_down(NULL, false); + + /* if !ima_policy set entries = 0 so we load NO default rules */ +- measure_entries = ima_policy ? ARRAY_SIZE(dont_measure_rules) : 0; +- appraise_entries = ima_use_appraise_tcb ? +- ARRAY_SIZE(default_appraise_rules) : 0; +- secure_boot_entries = ima_use_secure_boot ? +- ARRAY_SIZE(secure_boot_rules) : 0; ++ if (ima_policy) ++ measure_entries = ARRAY_SIZE(dont_measure_rules); ++ ++ if (ima_use_appraise_tcb) ++ appraise_entries = ARRAY_SIZE(default_appraise_rules); ++ ++ if (ima_use_secure_boot || kernel_locked_down) ++ secure_boot_entries = ARRAY_SIZE(secure_boot_rules); + + for (i = 0; i < measure_entries; i++) + list_add_tail(&dont_measure_rules[i].list, &ima_default_rules); +@@ -510,11 +517,24 @@ void __init ima_init_policy(void) + /* + * Insert the builtin "secure_boot" policy rules requiring file + * signatures, prior to any other appraise rules. ++ * In secure boot lock-down mode, also require these appraise ++ * rules for custom policies. + */ + for (i = 0; i < secure_boot_entries; i++) { ++ struct ima_rule_entry *entry; ++ ++ /* Include for builtin policies */ + list_add_tail(&secure_boot_rules[i].list, &ima_default_rules); + temp_ima_appraise |= + ima_appraise_flag(secure_boot_rules[i].func); ++ ++ /* Include for custom policies */ ++ if (kernel_locked_down) { ++ entry = kmemdup(&secure_boot_rules[i], sizeof(*entry), ++ GFP_KERNEL); ++ if (entry) ++ list_add_tail(&entry->list, &ima_policy_rules); ++ } + } + + /* diff --git a/debian/patches/features/all/lockdown/0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch b/debian/patches/features/all/lockdown/0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch new file mode 100644 index 000000000..0ab5e258c --- /dev/null +++ b/debian/patches/features/all/lockdown/0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch @@ -0,0 +1,95 @@ +From: David Howells <dhowells@redhat.com> +Date: Wed, 8 Nov 2017 15:11:32 +0000 +Subject: [04/29] Enforce module signatures if the kernel is locked down +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=1616ef1deccf5fdb525643a6b3efae34946a148d + +If the kernel is locked down, require that all modules have valid +signatures that we can verify or that IMA can validate the file. + +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +Reviewed-by: James Morris <james.l.morris@oracle.com> +[bwh: Adjust context to apply after commits 2c8fd268f418 + "module: Do not access sig_enforce directly" and 5fdc7db6448a + "module: setup load info before module_sig_check()"] +--- + kernel/module.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +Index: linux/kernel/module.c +=================================================================== +--- linux.orig/kernel/module.c ++++ linux/kernel/module.c +@@ -64,6 +64,7 @@ + #include <linux/bsearch.h> + #include <linux/dynamic_debug.h> + #include <linux/audit.h> ++#include <linux/ima.h> + #include <uapi/linux/module.h> + #include "module-internal.h" + +@@ -2784,7 +2785,8 @@ static inline void kmemleak_load_module( + #endif + + #ifdef CONFIG_MODULE_SIG +-static int module_sig_check(struct load_info *info, int flags) ++static int module_sig_check(struct load_info *info, int flags, ++ bool can_do_ima_check) + { + int err = -ENOKEY; + const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; +@@ -2808,13 +2810,16 @@ static int module_sig_check(struct load_ + } + + /* Not having a signature is only an error if we're strict. */ +- if (err == -ENOKEY && !is_module_sig_enforced()) ++ if (err == -ENOKEY && !is_module_sig_enforced() && ++ (!can_do_ima_check || !is_ima_appraise_enabled()) && ++ !kernel_is_locked_down("Loading of unsigned modules")) + err = 0; + + return err; + } + #else /* !CONFIG_MODULE_SIG */ +-static int module_sig_check(struct load_info *info, int flags) ++static int module_sig_check(struct load_info *info, int flags, ++ bool can_do_ima_check) + { + return 0; + } +@@ -3662,7 +3667,7 @@ static int unknown_module_param_cb(char + /* Allocate and load the module: note that size of section 0 is always + zero, and we rely on this for optional sections. */ + static int load_module(struct load_info *info, const char __user *uargs, +- int flags) ++ int flags, bool can_do_ima_check) + { + struct module *mod; + long err = 0; +@@ -3681,7 +3686,7 @@ static int load_module(struct load_info + goto free_copy; + } + +- err = module_sig_check(info, flags); ++ err = module_sig_check(info, flags, can_do_ima_check); + if (err) + goto free_copy; + +@@ -3876,7 +3881,7 @@ SYSCALL_DEFINE3(init_module, void __user + if (err) + return err; + +- return load_module(&info, uargs, 0); ++ return load_module(&info, uargs, 0, false); + } + + SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags) +@@ -3903,7 +3908,7 @@ SYSCALL_DEFINE3(finit_module, int, fd, c + info.hdr = hdr; + info.len = size; + +- return load_module(&info, uargs, flags); ++ return load_module(&info, uargs, flags, true); + } + + static inline int within(unsigned long addr, void *start, unsigned long size) diff --git a/debian/patches/features/all/lockdown/0005-Restrict-dev-mem-kmem-port-when-the-kernel-is-locked.patch b/debian/patches/features/all/lockdown/0005-Restrict-dev-mem-kmem-port-when-the-kernel-is-locked.patch new file mode 100644 index 000000000..625f8f763 --- /dev/null +++ b/debian/patches/features/all/lockdown/0005-Restrict-dev-mem-kmem-port-when-the-kernel-is-locked.patch @@ -0,0 +1,35 @@ +From: Matthew Garrett <matthew.garrett@nebula.com> +Date: Wed, 8 Nov 2017 15:11:32 +0000 +Subject: [05/29] Restrict /dev/{mem,kmem,port} when the kernel is locked down +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=8214bb0d847928bf08a7d8475f84c06541c5a352 + +Allowing users to read and write to core kernel memory makes it possible +for the kernel to be subverted, avoiding module loading restrictions, and +also to steal cryptographic information. + +Disallow /dev/mem and /dev/kmem from being opened this when the kernel has +been locked down to prevent this. + +Also disallow /dev/port from being opened to prevent raw ioport access and +thus DMA from being used to accomplish the same thing. + +Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +--- + drivers/char/mem.c | 2 ++ + 1 file changed, 2 insertions(+) + +Index: linux/drivers/char/mem.c +=================================================================== +--- linux.orig/drivers/char/mem.c ++++ linux/drivers/char/mem.c +@@ -807,6 +807,8 @@ static loff_t memory_lseek(struct file * + + static int open_port(struct inode *inode, struct file *filp) + { ++ if (kernel_is_locked_down("/dev/mem,kmem,port")) ++ return -EPERM; + return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; + } + diff --git a/debian/patches/features/all/lockdown/0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch b/debian/patches/features/all/lockdown/0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch new file mode 100644 index 000000000..522387d9a --- /dev/null +++ b/debian/patches/features/all/lockdown/0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch @@ -0,0 +1,42 @@ +From: Matthew Garrett <matthew.garrett@nebula.com> +Date: Wed, 8 Nov 2017 15:11:32 +0000 +Subject: [06/29] kexec: Disable at runtime if the kernel is locked down +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=6081db9ba435b757a3a3473d0cd50ee2252ccaeb + +kexec permits the loading and execution of arbitrary code in ring 0, which +is something that lock-down is meant to prevent. It makes sense to disable +kexec in this situation. + +This does not affect kexec_file_load() which can check for a signature on the +image to be booted. + +Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Acked-by: Dave Young <dyoung@redhat.com> +Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +Reviewed-by: James Morris <james.l.morris@oracle.com> +cc: kexec@lists.infradead.org +[bwh: Adjust context to apply after commit a210fd32a46b + "kexec: add call to LSM hook in original kexec_load syscall"] +--- + kernel/kexec.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +Index: linux/kernel/kexec.c +=================================================================== +--- linux.orig/kernel/kexec.c ++++ linux/kernel/kexec.c +@@ -208,6 +208,13 @@ static inline int kexec_load_check(unsig + return result; + + /* ++ * kexec can be used to circumvent module loading restrictions, so ++ * prevent loading in that case ++ */ ++ if (kernel_is_locked_down("kexec of unsigned images")) ++ return -EPERM; ++ ++ /* + * Verify we have a legal set of flags + * This leaves us room for future extensions. + */ diff --git a/debian/patches/features/all/lockdown/0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch b/debian/patches/features/all/lockdown/0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch new file mode 100644 index 000000000..2024c04a6 --- /dev/null +++ b/debian/patches/features/all/lockdown/0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch @@ -0,0 +1,36 @@ +From: Dave Young <dyoung@redhat.com> +Date: Wed, 8 Nov 2017 15:11:32 +0000 +Subject: [07/29] Copy secure_boot flag in boot params across kexec reboot +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=a6b7f780bdaa731f3e2970d65dcd52fe9ba2409d + +Kexec reboot in case secure boot being enabled does not keep the secure +boot mode in new kernel, so later one can load unsigned kernel via legacy +kexec_load. In this state, the system is missing the protections provided +by secure boot. + +Adding a patch to fix this by retain the secure_boot flag in original +kernel. + +secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the +stub. Fixing this issue by copying secure_boot flag across kexec reboot. + +Signed-off-by: Dave Young <dyoung@redhat.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +cc: kexec@lists.infradead.org +--- + arch/x86/kernel/kexec-bzimage64.c | 1 + + 1 file changed, 1 insertion(+) + +Index: linux/arch/x86/kernel/kexec-bzimage64.c +=================================================================== +--- linux.orig/arch/x86/kernel/kexec-bzimage64.c ++++ linux/arch/x86/kernel/kexec-bzimage64.c +@@ -182,6 +182,7 @@ setup_efi_state(struct boot_params *para + if (efi_enabled(EFI_OLD_MEMMAP)) + return 0; + ++ params->secure_boot = boot_params.secure_boot; + ei->efi_loader_signature = current_ei->efi_loader_signature; + ei->efi_systab = current_ei->efi_systab; + ei->efi_systab_hi = current_ei->efi_systab_hi; diff --git a/debian/patches/features/all/lockdown/0008-kexec_file-Restrict-at-runtime-if-the-kernel-is-lock.patch b/debian/patches/features/all/lockdown/0008-kexec_file-Restrict-at-runtime-if-the-kernel-is-lock.patch new file mode 100644 index 000000000..056936427 --- /dev/null +++ b/debian/patches/features/all/lockdown/0008-kexec_file-Restrict-at-runtime-if-the-kernel-is-lock.patch @@ -0,0 +1,40 @@ +From: Chun-Yi Lee <joeyli.kernel@gmail.com> +Date: Wed, 8 Nov 2017 15:11:33 +0000 +Subject: [08/29] kexec_file: Restrict at runtime if the kernel is locked down +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=eed4aca0409692d7d24bc64f5c98d346cd0506c4 + +When KEXEC_VERIFY_SIG is not enabled, kernel should not load images through +kexec_file systemcall if the kernel is locked down unless IMA can be used +to validate the image. + +This code was showed in Matthew's patch but not in git: +https://lkml.org/lkml/2015/3/13/778 + +Cc: Matthew Garrett <mjg59@srcf.ucam.org> +Signed-off-by: Chun-Yi Lee <jlee@suse.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: James Morris <james.l.morris@oracle.com> +cc: kexec@lists.infradead.org +--- + kernel/kexec_file.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +Index: linux/kernel/kexec_file.c +=================================================================== +--- linux.orig/kernel/kexec_file.c ++++ linux/kernel/kexec_file.c +@@ -328,6 +328,14 @@ SYSCALL_DEFINE5(kexec_file_load, int, ke + if (!capable(CAP_SYS_BOOT) || kexec_load_disabled) + return -EPERM; + ++ /* Don't permit images to be loaded into trusted kernels if we're not ++ * going to verify the signature on them ++ */ ++ if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && ++ !is_ima_appraise_enabled() && ++ kernel_is_locked_down("kexec of unsigned images")) ++ return -EPERM; ++ + /* Make sure we have a legal set of flags */ + if (flags != (flags & KEXEC_FILE_FLAGS)) + return -EINVAL; diff --git a/debian/patches/features/all/lockdown/0009-hibernate-Disable-when-the-kernel-is-locked-down.patch b/debian/patches/features/all/lockdown/0009-hibernate-Disable-when-the-kernel-is-locked-down.patch new file mode 100644 index 000000000..56060f80a --- /dev/null +++ b/debian/patches/features/all/lockdown/0009-hibernate-Disable-when-the-kernel-is-locked-down.patch @@ -0,0 +1,31 @@ +From: Josh Boyer <jwboyer@fedoraproject.org> +Date: Wed, 8 Nov 2017 15:11:33 +0000 +Subject: [09/29] hibernate: Disable when the kernel is locked down +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=480ddca2a40c2efd1c01cfa20d8f6c1377ddafe3 + +There is currently no way to verify the resume image when returning +from hibernate. This might compromise the signed modules trust model, +so until we can work with signed hibernate images we disable it when the +kernel is locked down. + +Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +cc: linux-pm@vger.kernel.org +--- + kernel/power/hibernate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: linux/kernel/power/hibernate.c +=================================================================== +--- linux.orig/kernel/power/hibernate.c ++++ linux/kernel/power/hibernate.c +@@ -70,7 +70,7 @@ static const struct platform_hibernation + + bool hibernation_available(void) + { +- return (nohibernate == 0); ++ return nohibernate == 0 && !kernel_is_locked_down("Hibernation"); + } + + /** diff --git a/debian/patches/features/all/lockdown/0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch b/debian/patches/features/all/lockdown/0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch new file mode 100644 index 000000000..79b5f3461 --- /dev/null +++ b/debian/patches/features/all/lockdown/0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch @@ -0,0 +1,32 @@ +From: Matthew Garrett <mjg59@srcf.ucam.org> +Date: Wed, 8 Nov 2017 15:11:33 +0000 +Subject: [10/29] uswsusp: Disable when the kernel is locked down +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=706def46d58e9c69e91db506305485731f615e44 + +uswsusp allows a user process to dump and then restore kernel state, which +makes it possible to modify the running kernel. Disable this if the kernel +is locked down. + +Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org> +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +Reviewed-by: James Morris <james.l.morris@oracle.com> +cc: linux-pm@vger.kernel.org +--- + kernel/power/user.c | 3 +++ + 1 file changed, 3 insertions(+) + +Index: linux/kernel/power/user.c +=================================================================== +--- linux.orig/kernel/power/user.c ++++ linux/kernel/power/user.c +@@ -52,6 +52,9 @@ static int snapshot_open(struct inode *i + if (!hibernation_available()) + return -EPERM; + ++ if (kernel_is_locked_down("/dev/snapshot")) ++ return -EPERM; ++ + lock_system_sleep(); + + if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { diff --git a/debian/patches/features/all/lockdown/0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch b/debian/patches/features/all/lockdown/0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch new file mode 100644 index 000000000..1f9186ab3 --- /dev/null +++ b/debian/patches/features/all/lockdown/0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch @@ -0,0 +1,104 @@ +From: Matthew Garrett <matthew.garrett@nebula.com> +Date: Wed, 8 Nov 2017 15:11:33 +0000 +Subject: [11/29] PCI: Lock down BAR access when the kernel is locked down +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=d107d11fd7ac982a34b1233722cb3e72f9fe5a20 + +Any hardware that can potentially generate DMA has to be locked down in +order to avoid it being possible for an attacker to modify kernel code, +allowing them to circumvent disabled module loading or module signing. +Default to paranoid - in future we can potentially relax this for +sufficiently IOMMU-isolated devices. + +Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Acked-by: Bjorn Helgaas <bhelgaas@google.com> +Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +cc: linux-pci@vger.kernel.org +--- + drivers/pci/pci-sysfs.c | 9 +++++++++ + drivers/pci/proc.c | 9 ++++++++- + drivers/pci/syscall.c | 3 ++- + 3 files changed, 19 insertions(+), 2 deletions(-) + +Index: linux/drivers/pci/pci-sysfs.c +=================================================================== +--- linux.orig/drivers/pci/pci-sysfs.c ++++ linux/drivers/pci/pci-sysfs.c +@@ -905,6 +905,9 @@ static ssize_t pci_write_config(struct f + loff_t init_off = off; + u8 *data = (u8 *) buf; + ++ if (kernel_is_locked_down("Direct PCI access")) ++ return -EPERM; ++ + if (off > dev->cfg_size) + return 0; + if (off + count > dev->cfg_size) { +@@ -1167,6 +1170,9 @@ static int pci_mmap_resource(struct kobj + enum pci_mmap_state mmap_type; + struct resource *res = &pdev->resource[bar]; + ++ if (kernel_is_locked_down("Direct PCI access")) ++ return -EPERM; ++ + if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start)) + return -EINVAL; + +@@ -1242,6 +1248,9 @@ static ssize_t pci_write_resource_io(str + struct bin_attribute *attr, char *buf, + loff_t off, size_t count) + { ++ if (kernel_is_locked_down("Direct PCI access")) ++ return -EPERM; ++ + return pci_resource_io(filp, kobj, attr, buf, off, count, true); + } + +Index: linux/drivers/pci/proc.c +=================================================================== +--- linux.orig/drivers/pci/proc.c ++++ linux/drivers/pci/proc.c +@@ -117,6 +117,9 @@ static ssize_t proc_bus_pci_write(struct + int size = dev->cfg_size; + int cnt; + ++ if (kernel_is_locked_down("Direct PCI access")) ++ return -EPERM; ++ + if (pos >= size) + return 0; + if (nbytes >= size) +@@ -196,6 +199,9 @@ static long proc_bus_pci_ioctl(struct fi + #endif /* HAVE_PCI_MMAP */ + int ret = 0; + ++ if (kernel_is_locked_down("Direct PCI access")) ++ return -EPERM; ++ + switch (cmd) { + case PCIIOC_CONTROLLER: + ret = pci_domain_nr(dev->bus); +@@ -237,7 +243,8 @@ static int proc_bus_pci_mmap(struct file + struct pci_filp_private *fpriv = file->private_data; + int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM; + +- if (!capable(CAP_SYS_RAWIO)) ++ if (!capable(CAP_SYS_RAWIO) || ++ kernel_is_locked_down("Direct PCI access")) + return -EPERM; + + if (fpriv->mmap_state == pci_mmap_io) { +Index: linux/drivers/pci/syscall.c +=================================================================== +--- linux.orig/drivers/pci/syscall.c ++++ linux/drivers/pci/syscall.c +@@ -90,7 +90,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigne + u32 dword; + int err = 0; + +- if (!capable(CAP_SYS_ADMIN)) ++ if (!capable(CAP_SYS_ADMIN) || ++ kernel_is_locked_down("Direct PCI access")) + return -EPERM; + + dev = pci_get_domain_bus_and_slot(0, bus, dfn); diff --git a/debian/patches/features/all/lockdown/0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch b/debian/patches/features/all/lockdown/0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch new file mode 100644 index 000000000..3a9d69dcb --- /dev/null +++ b/debian/patches/features/all/lockdown/0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch @@ -0,0 +1,46 @@ +From: Matthew Garrett <matthew.garrett@nebula.com> +Date: Wed, 8 Nov 2017 15:11:34 +0000 +Subject: [12/29] x86: Lock down IO port access when the kernel is locked down +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=00ebba940247d4c37c06da4aedecf6b80db213cf + +IO port access would permit users to gain access to PCI configuration +registers, which in turn (on a lot of hardware) give access to MMIO +register space. This would potentially permit root to trigger arbitrary +DMA, so lock it down by default. + +This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and +KDDISABIO console ioctls. + +Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: Thomas Gleixner <tglx@linutronix.de> +Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +cc: x86@kernel.org +--- + arch/x86/kernel/ioport.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +Index: linux/arch/x86/kernel/ioport.c +=================================================================== +--- linux.orig/arch/x86/kernel/ioport.c ++++ linux/arch/x86/kernel/ioport.c +@@ -31,7 +31,8 @@ long ksys_ioperm(unsigned long from, uns + + if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) + return -EINVAL; +- if (turn_on && !capable(CAP_SYS_RAWIO)) ++ if (turn_on && (!capable(CAP_SYS_RAWIO) || ++ kernel_is_locked_down("ioperm"))) + return -EPERM; + + /* +@@ -126,7 +127,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, leve + return -EINVAL; + /* Trying to gain more privileges? */ + if (level > old) { +- if (!capable(CAP_SYS_RAWIO)) ++ if (!capable(CAP_SYS_RAWIO) || ++ kernel_is_locked_down("iopl")) + return -EPERM; + } + regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | diff --git a/debian/patches/features/all/lockdown/0013-x86-msr-Restrict-MSR-access-when-the-kernel-is-locke.patch b/debian/patches/features/all/lockdown/0013-x86-msr-Restrict-MSR-access-when-the-kernel-is-locke.patch new file mode 100644 index 000000000..1a7a4d879 --- /dev/null +++ b/debian/patches/features/all/lockdown/0013-x86-msr-Restrict-MSR-access-when-the-kernel-is-locke.patch @@ -0,0 +1,50 @@ +From: Matthew Garrett <matthew.garrett@nebula.com> +Date: Wed, 8 Nov 2017 15:11:34 +0000 +Subject: [13/29] x86/msr: Restrict MSR access when the kernel is locked down +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=696dcddb285558b4febf318fe620a344d2b2fa47 + +Writing to MSRs should not be allowed if the kernel is locked down, since +it could lead to execution of arbitrary code in kernel mode. Based on a +patch by Kees Cook. + +MSR accesses are logged for the purposes of building up a whitelist as per +Alan Cox's suggestion. + +Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Acked-by: Kees Cook <keescook@chromium.org> +Reviewed-by: Thomas Gleixner <tglx@linutronix.de> +Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +cc: x86@kernel.org +--- + arch/x86/kernel/msr.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +Index: linux/arch/x86/kernel/msr.c +=================================================================== +--- linux.orig/arch/x86/kernel/msr.c ++++ linux/arch/x86/kernel/msr.c +@@ -84,6 +84,11 @@ static ssize_t msr_write(struct file *fi + int err = 0; + ssize_t bytes = 0; + ++ if (kernel_is_locked_down("Direct MSR access")) { ++ pr_info("Direct access to MSR %x\n", reg); ++ return -EPERM; ++ } ++ + if (count % 8) + return -EINVAL; /* Invalid chunk size */ + +@@ -135,6 +140,11 @@ static long msr_ioctl(struct file *file, + err = -EFAULT; + break; + } ++ if (kernel_is_locked_down("Direct MSR access")) { ++ pr_info("Direct access to MSR %x\n", regs[1]); /* Display %ecx */ ++ err = -EPERM; ++ break; ++ } + err = wrmsr_safe_regs_on_cpu(cpu, regs); + if (err) + break; diff --git a/debian/patches/features/all/lockdown/0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch b/debian/patches/features/all/lockdown/0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch new file mode 100644 index 000000000..295b46e88 --- /dev/null +++ b/debian/patches/features/all/lockdown/0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch @@ -0,0 +1,55 @@ +From: Matthew Garrett <matthew.garrett@nebula.com> +Date: Wed, 8 Nov 2017 15:11:34 +0000 +Subject: [14/29] asus-wmi: Restrict debugfs interface when the kernel is + locked down +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=2e6d31b3176ee27d216bb92a3b108f6b19d4719a + +We have no way of validating what all of the Asus WMI methods do on a given +machine - and there's a risk that some will allow hardware state to be +manipulated in such a way that arbitrary code can be executed in the +kernel, circumventing module loading restrictions. Prevent that if the +kernel is locked down. + +Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +cc: acpi4asus-user@lists.sourceforge.net +cc: platform-driver-x86@vger.kernel.org +--- + drivers/platform/x86/asus-wmi.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +Index: linux/drivers/platform/x86/asus-wmi.c +=================================================================== +--- linux.orig/drivers/platform/x86/asus-wmi.c ++++ linux/drivers/platform/x86/asus-wmi.c +@@ -2002,6 +2002,9 @@ static int show_dsts(struct seq_file *m, + int err; + u32 retval = -1; + ++ if (kernel_is_locked_down("Asus WMI")) ++ return -EPERM; ++ + err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval); + + if (err < 0) +@@ -2018,6 +2021,9 @@ static int show_devs(struct seq_file *m, + int err; + u32 retval = -1; + ++ if (kernel_is_locked_down("Asus WMI")) ++ return -EPERM; ++ + err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param, + &retval); + +@@ -2042,6 +2048,9 @@ static int show_call(struct seq_file *m, + union acpi_object *obj; + acpi_status status; + ++ if (kernel_is_locked_down("Asus WMI")) ++ return -EPERM; ++ + status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID, + 0, asus->debug.method_id, + &input, &output); diff --git a/debian/patches/features/all/lockdown/0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch b/debian/patches/features/all/lockdown/0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch new file mode 100644 index 000000000..17778da72 --- /dev/null +++ b/debian/patches/features/all/lockdown/0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch @@ -0,0 +1,32 @@ +From: Matthew Garrett <matthew.garrett@nebula.com> +Date: Wed, 8 Nov 2017 15:11:34 +0000 +Subject: [15/29] ACPI: Limit access to custom_method when the kernel is locked + down +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=5ff99c830aacf02f25816a0da427216fb63ba16d + +custom_method effectively allows arbitrary access to system memory, making +it possible for an attacker to circumvent restrictions on module loading. +Disable it if the kernel is locked down. + +Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +cc: linux-acpi@vger.kernel.org +--- + drivers/acpi/custom_method.c | 3 +++ + 1 file changed, 3 insertions(+) + +Index: linux/drivers/acpi/custom_method.c +=================================================================== +--- linux.orig/drivers/acpi/custom_method.c ++++ linux/drivers/acpi/custom_method.c +@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *fil + struct acpi_table_header table; + acpi_status status; + ++ if (kernel_is_locked_down("ACPI custom methods")) ++ return -EPERM; ++ + if (!(*ppos)) { + /* parse the table header to get the table length */ + if (count <= sizeof(struct acpi_table_header)) diff --git a/debian/patches/features/all/lockdown/0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch b/debian/patches/features/all/lockdown/0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch new file mode 100644 index 000000000..f8ee397c8 --- /dev/null +++ b/debian/patches/features/all/lockdown/0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch @@ -0,0 +1,32 @@ +From: Josh Boyer <jwboyer@redhat.com> +Date: Wed, 8 Nov 2017 15:11:34 +0000 +Subject: [16/29] acpi: Ignore acpi_rsdp kernel param when the kernel has been + locked down +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=67890a0361626ec3e035264656896c77670c414b + +This option allows userspace to pass the RSDP address to the kernel, which +makes it possible for a user to modify the workings of hardware . Reject +the option when the kernel is locked down. + +Signed-off-by: Josh Boyer <jwboyer@redhat.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +cc: Dave Young <dyoung@redhat.com> +cc: linux-acpi@vger.kernel.org +--- + drivers/acpi/osl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: linux/drivers/acpi/osl.c +=================================================================== +--- linux.orig/drivers/acpi/osl.c ++++ linux/drivers/acpi/osl.c +@@ -194,7 +194,7 @@ acpi_physical_address __init acpi_os_get + acpi_physical_address pa; + + #ifdef CONFIG_KEXEC +- if (acpi_rsdp) ++ if (acpi_rsdp && !kernel_is_locked_down("ACPI RSDP specification")) + return acpi_rsdp; + #endif + pa = acpi_arch_get_root_pointer(); diff --git a/debian/patches/features/all/lockdown/0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch b/debian/patches/features/all/lockdown/0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch new file mode 100644 index 000000000..fd12eedb2 --- /dev/null +++ b/debian/patches/features/all/lockdown/0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch @@ -0,0 +1,40 @@ +From: Linn Crosetto <linn@hpe.com> +Date: Wed, 8 Nov 2017 15:11:34 +0000 +Subject: [17/29] acpi: Disable ACPI table override if the kernel is locked + down +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=5976d26de05569951641ebeb95f7240993b66063 + +From the kernel documentation (initrd_table_override.txt): + + If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible + to override nearly any ACPI table provided by the BIOS with an + instrumented, modified one. + +When securelevel is set, the kernel should disallow any unauthenticated +changes to kernel space. ACPI tables contain code invoked by the kernel, +so do not allow ACPI tables to be overridden if the kernel is locked down. + +Signed-off-by: Linn Crosetto <linn@hpe.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +cc: linux-acpi@vger.kernel.org +--- + drivers/acpi/tables.c | 5 +++++ + 1 file changed, 5 insertions(+) + +Index: linux/drivers/acpi/tables.c +=================================================================== +--- linux.orig/drivers/acpi/tables.c ++++ linux/drivers/acpi/tables.c +@@ -532,6 +532,11 @@ void __init acpi_table_upgrade(void) + if (table_nr == 0) + return; + ++ if (kernel_is_locked_down("ACPI table override")) { ++ pr_notice("kernel is locked down, ignoring table override\n"); ++ return; ++ } ++ + acpi_tables_addr = + memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, + all_tables_size, PAGE_SIZE); diff --git a/debian/patches/features/all/lockdown/0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch b/debian/patches/features/all/lockdown/0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch new file mode 100644 index 000000000..396a506ac --- /dev/null +++ b/debian/patches/features/all/lockdown/0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch @@ -0,0 +1,43 @@ +From: Linn Crosetto <linn@hpe.com> +Date: Wed, 8 Nov 2017 15:11:35 +0000 +Subject: [18/29] acpi: Disable APEI error injection if the kernel is locked + down +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=a9c239382bce17b9108f941130392151d5fff262 + +ACPI provides an error injection mechanism, EINJ, for debugging and testing +the ACPI Platform Error Interface (APEI) and other RAS features. If +supported by the firmware, ACPI specification 5.0 and later provide for a +way to specify a physical memory address to which to inject the error. + +Injecting errors through EINJ can produce errors which to the platform are +indistinguishable from real hardware errors. This can have undesirable +side-effects, such as causing the platform to mark hardware as needing +replacement. + +While it does not provide a method to load unauthenticated privileged code, +the effect of these errors may persist across reboots and affect trust in +the underlying hardware, so disable error injection through EINJ if +the kernel is locked down. + +Signed-off-by: Linn Crosetto <linn@hpe.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +cc: linux-acpi@vger.kernel.org +--- + drivers/acpi/apei/einj.c | 3 +++ + 1 file changed, 3 insertions(+) + +Index: linux/drivers/acpi/apei/einj.c +=================================================================== +--- linux.orig/drivers/acpi/apei/einj.c ++++ linux/drivers/acpi/apei/einj.c +@@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u + int rc; + u64 base_addr, size; + ++ if (kernel_is_locked_down("ACPI error injection")) ++ return -EPERM; ++ + /* If user manually set "flags", make sure it is legal */ + if (flags && (flags & + ~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF))) diff --git a/debian/patches/features/all/lockdown/0020-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch b/debian/patches/features/all/lockdown/0020-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch new file mode 100644 index 000000000..2ed56ad5b --- /dev/null +++ b/debian/patches/features/all/lockdown/0020-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch @@ -0,0 +1,29 @@ +From: David Howells <dhowells@redhat.com> +Date: Wed, 8 Nov 2017 15:11:35 +0000 +Subject: [20/29] Prohibit PCMCIA CIS storage when the kernel is locked down +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=18b2dfc74efeafbdbb8f5d4d28da6334b7e1f1ac + +Prohibit replacement of the PCMCIA Card Information Structure when the +kernel is locked down. + +Suggested-by: Dominik Brodowski <linux@dominikbrodowski.net> +Signed-off-by: David Howells <dhowells@redhat.com> +cc: linux-pcmcia@lists.infradead.org +--- + drivers/pcmcia/cistpl.c | 3 +++ + 1 file changed, 3 insertions(+) + +Index: linux/drivers/pcmcia/cistpl.c +=================================================================== +--- linux.orig/drivers/pcmcia/cistpl.c ++++ linux/drivers/pcmcia/cistpl.c +@@ -1578,6 +1578,9 @@ static ssize_t pccard_store_cis(struct f + struct pcmcia_socket *s; + int error; + ++ if (kernel_is_locked_down("Direct PCMCIA CIS storage")) ++ return -EPERM; ++ + s = to_socket(container_of(kobj, struct device, kobj)); + + if (off) diff --git a/debian/patches/features/all/lockdown/0021-Lock-down-TIOCSSERIAL.patch b/debian/patches/features/all/lockdown/0021-Lock-down-TIOCSSERIAL.patch new file mode 100644 index 000000000..d906326a9 --- /dev/null +++ b/debian/patches/features/all/lockdown/0021-Lock-down-TIOCSSERIAL.patch @@ -0,0 +1,34 @@ +From: David Howells <dhowells@redhat.com> +Date: Wed, 8 Nov 2017 15:11:35 +0000 +Subject: [21/29] Lock down TIOCSSERIAL +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=f5fdeda0622ca040961521819794193777a03e8a + +Lock down TIOCSSERIAL as that can be used to change the ioport and irq +settings on a serial port. This only appears to be an issue for the serial +drivers that use the core serial code. All other drivers seem to either +ignore attempts to change port/irq or give an error. + +Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: David Howells <dhowells@redhat.com> +cc: Jiri Slaby <jslaby@suse.com> +--- + drivers/tty/serial/serial_core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +Index: linux/drivers/tty/serial/serial_core.c +=================================================================== +--- linux.orig/drivers/tty/serial/serial_core.c ++++ linux/drivers/tty/serial/serial_core.c +@@ -850,6 +850,12 @@ static int uart_set_info(struct tty_stru + new_flags = (__force upf_t)new_info->flags; + old_custom_divisor = uport->custom_divisor; + ++ if ((change_port || change_irq) && ++ kernel_is_locked_down("Using TIOCSSERIAL to change device addresses, irqs and dma channels")) { ++ retval = -EPERM; ++ goto exit; ++ } ++ + if (!capable(CAP_SYS_ADMIN)) { + retval = -EPERM; + if (change_irq || change_port || diff --git a/debian/patches/features/all/lockdown/0022-Lock-down-module-params-that-specify-hardware-parame.patch b/debian/patches/features/all/lockdown/0022-Lock-down-module-params-that-specify-hardware-parame.patch new file mode 100644 index 000000000..3582e3106 --- /dev/null +++ b/debian/patches/features/all/lockdown/0022-Lock-down-module-params-that-specify-hardware-parame.patch @@ -0,0 +1,80 @@ +From: David Howells <dhowells@redhat.com> +Date: Wed, 8 Nov 2017 15:11:36 +0000 +Subject: [22/29] Lock down module params that specify hardware parameters (eg. + ioport) +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=d20a28efda02a7ce70b943c15246ea2f07e780f4 + +Provided an annotation for module parameters that specify hardware +parameters (such as io ports, iomem addresses, irqs, dma channels, fixed +dma buffers and other types). + +Suggested-by: Alan Cox <gnomes@lxorguk.ukuu.org.uk> +Signed-off-by: David Howells <dhowells@redhat.com> +--- + kernel/params.c | 26 +++++++++++++++++++++----- + 1 file changed, 21 insertions(+), 5 deletions(-) + +Index: linux/kernel/params.c +=================================================================== +--- linux.orig/kernel/params.c ++++ linux/kernel/params.c +@@ -108,13 +108,19 @@ bool parameq(const char *a, const char * + return parameqn(a, b, strlen(a)+1); + } + +-static void param_check_unsafe(const struct kernel_param *kp) ++static bool param_check_unsafe(const struct kernel_param *kp, ++ const char *doing) + { + if (kp->flags & KERNEL_PARAM_FL_UNSAFE) { + pr_notice("Setting dangerous option %s - tainting kernel\n", + kp->name); + add_taint(TAINT_USER, LOCKDEP_STILL_OK); + } ++ ++ if (kp->flags & KERNEL_PARAM_FL_HWPARAM && ++ kernel_is_locked_down("Command line-specified device addresses, irqs and dma channels")) ++ return false; ++ return true; + } + + static int parse_one(char *param, +@@ -144,8 +150,10 @@ static int parse_one(char *param, + pr_debug("handling %s with %p\n", param, + params[i].ops->set); + kernel_param_lock(params[i].mod); +- param_check_unsafe(¶ms[i]); +- err = params[i].ops->set(val, ¶ms[i]); ++ if (param_check_unsafe(¶ms[i], doing)) ++ err = params[i].ops->set(val, ¶ms[i]); ++ else ++ err = -EPERM; + kernel_param_unlock(params[i].mod); + return err; + } +@@ -553,6 +561,12 @@ static ssize_t param_attr_show(struct mo + return count; + } + ++#ifdef CONFIG_MODULES ++#define mod_name(mod) (mod)->name ++#else ++#define mod_name(mod) "unknown" ++#endif ++ + /* sysfs always hands a nul-terminated string in buf. We rely on that. */ + static ssize_t param_attr_store(struct module_attribute *mattr, + struct module_kobject *mk, +@@ -565,8 +579,10 @@ static ssize_t param_attr_store(struct m + return -EPERM; + + kernel_param_lock(mk->mod); +- param_check_unsafe(attribute->param); +- err = attribute->param->ops->set(buf, attribute->param); ++ if (param_check_unsafe(attribute->param, mod_name(mk->mod))) ++ err = attribute->param->ops->set(buf, attribute->param); ++ else ++ err = -EPERM; + kernel_param_unlock(mk->mod); + if (!err) + return len; diff --git a/debian/patches/features/all/lockdown/0023-x86-mmiotrace-Lock-down-the-testmmiotrace-module.patch b/debian/patches/features/all/lockdown/0023-x86-mmiotrace-Lock-down-the-testmmiotrace-module.patch new file mode 100644 index 000000000..47edb3442 --- /dev/null +++ b/debian/patches/features/all/lockdown/0023-x86-mmiotrace-Lock-down-the-testmmiotrace-module.patch @@ -0,0 +1,33 @@ +From: David Howells <dhowells@redhat.com> +Date: Wed, 8 Nov 2017 15:11:36 +0000 +Subject: [23/29] x86/mmiotrace: Lock down the testmmiotrace module +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=20af3be0bcf6a78e3632770561fba6531dd3b444 + +The testmmiotrace module shouldn't be permitted when the kernel is locked +down as it can be used to arbitrarily read and write MMIO space. + +Suggested-by: Thomas Gleixner <tglx@linutronix.de> +Signed-off-by: David Howells <dhowells@redhat.com +cc: Thomas Gleixner <tglx@linutronix.de> +cc: Steven Rostedt <rostedt@goodmis.org> +cc: Ingo Molnar <mingo@kernel.org> +cc: "H. Peter Anvin" <hpa@zytor.com> +cc: x86@kernel.org +--- + arch/x86/mm/testmmiotrace.c | 3 +++ + 1 file changed, 3 insertions(+) + +Index: linux/arch/x86/mm/testmmiotrace.c +=================================================================== +--- linux.orig/arch/x86/mm/testmmiotrace.c ++++ linux/arch/x86/mm/testmmiotrace.c +@@ -115,6 +115,9 @@ static int __init init(void) + { + unsigned long size = (read_far) ? (8 << 20) : (16 << 10); + ++ if (kernel_is_locked_down("MMIO trace testing")) ++ return -EPERM; ++ + if (mmio_address == 0) { + pr_err("you have to use the module argument mmio_address.\n"); + pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n"); diff --git a/debian/patches/features/all/lockdown/0024-debugfs-Disallow-use-of-debugfs-files-when-the-kerne.patch b/debian/patches/features/all/lockdown/0024-debugfs-Disallow-use-of-debugfs-files-when-the-kerne.patch new file mode 100644 index 000000000..2dd3fa020 --- /dev/null +++ b/debian/patches/features/all/lockdown/0024-debugfs-Disallow-use-of-debugfs-files-when-the-kerne.patch @@ -0,0 +1,53 @@ +From: David Howells <dhowells@redhat.com> +Date: Wed, 8 Nov 2017 15:11:36 +0000 +Subject: [24/29] debugfs: Disallow use of debugfs files when the kernel is + locked down +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=118cc5e1c27e1a75640cf2379c1299e12791063e + +Disallow opening of debugfs files when the kernel is locked down as various +drivers give raw access to hardware through debugfs. + +Accesses to tracefs should use /sys/kernel/tracing/ rather than +/sys/kernel/debug/tracing/. Possibly a symlink should be emplaced. + +Normal device interaction should be done through configfs or a miscdev, not +debugfs. + +Note that this makes it unnecessary to specifically lock down show_dsts(), +show_devs() and show_call() in the asus-wmi driver. + +Signed-off-by: David Howells <dhowells@redhat.com> +cc: Andy Shevchenko <andy.shevchenko@gmail.com> +cc: acpi4asus-user@lists.sourceforge.net +cc: platform-driver-x86@vger.kernel.org +cc: Matthew Garrett <matthew.garrett@nebula.com> +cc: Thomas Gleixner <tglx@linutronix.de> +[bwh: Forward-ported to 4.15] +--- + fs/debugfs/file.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +Index: linux/fs/debugfs/file.c +=================================================================== +--- linux.orig/fs/debugfs/file.c ++++ linux/fs/debugfs/file.c +@@ -142,6 +142,9 @@ static int open_proxy_open(struct inode + const struct file_operations *real_fops = NULL; + int r; + ++ if (kernel_is_locked_down("debugfs")) ++ return -EPERM; ++ + r = debugfs_file_get(dentry); + if (r) + return r == -EIO ? -ENOENT : r; +@@ -267,6 +270,9 @@ static int full_proxy_open(struct inode + struct file_operations *proxy_fops = NULL; + int r; + ++ if (kernel_is_locked_down("debugfs")) ++ return -EPERM; ++ + r = debugfs_file_get(dentry); + if (r) + return r == -EIO ? -ENOENT : r; diff --git a/debian/patches/features/all/lockdown/0025-Lock-down-proc-kcore.patch b/debian/patches/features/all/lockdown/0025-Lock-down-proc-kcore.patch new file mode 100644 index 000000000..58df9739b --- /dev/null +++ b/debian/patches/features/all/lockdown/0025-Lock-down-proc-kcore.patch @@ -0,0 +1,27 @@ +From: David Howells <dhowells@redhat.com> +Date: Wed, 8 Nov 2017 15:11:37 +0000 +Subject: [25/29] Lock down /proc/kcore +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=797378dc4498207c3abc1101cfdc9ef2581d8c71 + +Disallow access to /proc/kcore when the kernel is locked down to prevent +access to cryptographic data. + +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: James Morris <james.l.morris@oracle.com> +--- + fs/proc/kcore.c | 2 ++ + 1 file changed, 2 insertions(+) + +Index: linux/fs/proc/kcore.c +=================================================================== +--- linux.orig/fs/proc/kcore.c ++++ linux/fs/proc/kcore.c +@@ -545,6 +545,8 @@ out: + + static int open_kcore(struct inode *inode, struct file *filp) + { ++ if (kernel_is_locked_down("/proc/kcore")) ++ return -EPERM; + if (!capable(CAP_SYS_RAWIO)) + return -EPERM; + diff --git a/debian/patches/features/all/lockdown/0026-Lock-down-kprobes.patch b/debian/patches/features/all/lockdown/0026-Lock-down-kprobes.patch new file mode 100644 index 000000000..e7d9f0b4e --- /dev/null +++ b/debian/patches/features/all/lockdown/0026-Lock-down-kprobes.patch @@ -0,0 +1,29 @@ +From: David Howells <dhowells@redhat.com> +Date: Wed, 8 Nov 2017 16:14:12 +0000 +Subject: [26/29] Lock down kprobes +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=cfacbbe6ef95336d99817fb8063c19bd36dfaa3d + +Disallow the creation of kprobes when the kernel is locked down by +preventing their registration. This prevents kprobes from being used to +access kernel memory, either to make modifications or to steal crypto data. + +Reported-by: Alexei Starovoitov <alexei.starovoitov@gmail.com> +Signed-off-by: David Howells <dhowells@redhat.com> +--- + kernel/kprobes.c | 3 +++ + 1 file changed, 3 insertions(+) + +Index: linux/kernel/kprobes.c +=================================================================== +--- linux.orig/kernel/kprobes.c ++++ linux/kernel/kprobes.c +@@ -1548,6 +1548,9 @@ int register_kprobe(struct kprobe *p) + struct module *probed_mod; + kprobe_opcode_t *addr; + ++ if (kernel_is_locked_down("Use of kprobes")) ++ return -EPERM; ++ + /* Adjust probe address from symbol */ + addr = kprobe_addr(p); + if (IS_ERR(addr)) diff --git a/debian/patches/features/all/lockdown/0027-bpf-Restrict-kernel-image-access-functions-when-the-.patch b/debian/patches/features/all/lockdown/0027-bpf-Restrict-kernel-image-access-functions-when-the-.patch new file mode 100644 index 000000000..87273834c --- /dev/null +++ b/debian/patches/features/all/lockdown/0027-bpf-Restrict-kernel-image-access-functions-when-the-.patch @@ -0,0 +1,39 @@ +From: David Howells <dhowells@redhat.com> +Date: Wed, 24 May 2017 14:56:05 +0100 +Subject: [27/29] bpf: Restrict kernel image access functions when the kernel + is locked down +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=a13e9f58894129d9fd02fdb81b56ac7590704155 + +There are some bpf functions can be used to read kernel memory: +bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow +private keys in kernel memory (e.g. the hibernation image signing key) to +be read by an eBPF program and kernel memory to be altered without +restriction. + +Completely prohibit the use of BPF when the kernel is locked down. + +Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com> +Signed-off-by: David Howells <dhowells@redhat.com> +cc: netdev@vger.kernel.org +cc: Chun-Yi Lee <jlee@suse.com> +cc: Alexei Starovoitov <alexei.starovoitov@gmail.com> +[bwh: Adjust context to apply after commit dcab51f19b29 + "bpf: Expose check_uarg_tail_zero()"] +--- + kernel/bpf/syscall.c | 3 +++ + 1 file changed, 3 insertions(+) + +Index: linux/kernel/bpf/syscall.c +=================================================================== +--- linux.orig/kernel/bpf/syscall.c ++++ linux/kernel/bpf/syscall.c +@@ -2378,6 +2378,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf + if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN)) + return -EPERM; + ++ if (kernel_is_locked_down("BPF")) ++ return -EPERM; ++ + err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size); + if (err) + return err; diff --git a/debian/patches/features/all/lockdown/0028-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch b/debian/patches/features/all/lockdown/0028-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch new file mode 100644 index 000000000..be357055b --- /dev/null +++ b/debian/patches/features/all/lockdown/0028-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch @@ -0,0 +1,152 @@ +From: David Howells <dhowells@redhat.com> +Date: Wed, 8 Nov 2017 15:11:37 +0000 +Subject: [28/29] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=eb4a8603eb727afaeb9c6123eda2eda4b2757bf3 + +UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT +flag that can be passed to efi_enabled() to find out whether secure boot is +enabled. + +Move the switch-statement in x86's setup_arch() that inteprets the +secure_boot boot parameter to generic code and set the bit there. + +Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> +cc: linux-efi@vger.kernel.org +--- + arch/x86/kernel/setup.c | 14 +------------- + drivers/firmware/efi/Makefile | 1 + + drivers/firmware/efi/secureboot.c | 38 ++++++++++++++++++++++++++++++++++++++ + include/linux/efi.h | 16 ++++++++++------ + 4 files changed, 50 insertions(+), 19 deletions(-) + create mode 100644 drivers/firmware/efi/secureboot.c + +Index: linux/arch/x86/kernel/setup.c +=================================================================== +--- linux.orig/arch/x86/kernel/setup.c ++++ linux/arch/x86/kernel/setup.c +@@ -1159,19 +1159,7 @@ void __init setup_arch(char **cmdline_p) + /* Allocate bigger log buffer */ + setup_log_buf(1); + +- if (efi_enabled(EFI_BOOT)) { +- switch (boot_params.secure_boot) { +- case efi_secureboot_mode_disabled: +- pr_info("Secure boot disabled\n"); +- break; +- case efi_secureboot_mode_enabled: +- pr_info("Secure boot enabled\n"); +- break; +- default: +- pr_info("Secure boot could not be determined\n"); +- break; +- } +- } ++ efi_set_secure_boot(boot_params.secure_boot); + + reserve_initrd(); + +Index: linux/drivers/firmware/efi/Makefile +=================================================================== +--- linux.orig/drivers/firmware/efi/Makefile ++++ linux/drivers/firmware/efi/Makefile +@@ -24,6 +24,7 @@ obj-$(CONFIG_EFI_FAKE_MEMMAP) += fake_m + obj-$(CONFIG_EFI_BOOTLOADER_CONTROL) += efibc.o + obj-$(CONFIG_EFI_TEST) += test/ + obj-$(CONFIG_EFI_DEV_PATH_PARSER) += dev-path-parser.o ++obj-$(CONFIG_EFI) += secureboot.o + obj-$(CONFIG_APPLE_PROPERTIES) += apple-properties.o + + arm-obj-$(CONFIG_EFI) := arm-init.o arm-runtime.o +Index: linux/drivers/firmware/efi/secureboot.c +=================================================================== +--- /dev/null ++++ linux/drivers/firmware/efi/secureboot.c +@@ -0,0 +1,38 @@ ++/* Core kernel secure boot support. ++ * ++ * Copyright (C) 2017 Red Hat, Inc. All Rights Reserved. ++ * Written by David Howells (dhowells@redhat.com) ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public Licence ++ * as published by the Free Software Foundation; either version ++ * 2 of the Licence, or (at your option) any later version. ++ */ ++ ++#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt ++ ++#include <linux/efi.h> ++#include <linux/kernel.h> ++#include <linux/printk.h> ++ ++/* ++ * Decide what to do when UEFI secure boot mode is enabled. ++ */ ++void __init efi_set_secure_boot(enum efi_secureboot_mode mode) ++{ ++ if (efi_enabled(EFI_BOOT)) { ++ switch (mode) { ++ case efi_secureboot_mode_disabled: ++ pr_info("Secure boot disabled\n"); ++ break; ++ case efi_secureboot_mode_enabled: ++ set_bit(EFI_SECURE_BOOT, &efi.flags); ++ pr_info("Secure boot enabled\n"); ++ break; ++ default: ++ pr_warning("Secure boot could not be determined (mode %u)\n", ++ mode); ++ break; ++ } ++ } ++} +Index: linux/include/linux/efi.h +=================================================================== +--- linux.orig/include/linux/efi.h ++++ linux/include/linux/efi.h +@@ -1152,6 +1152,14 @@ extern int __init efi_setup_pcdp_console + #define EFI_DBG 8 /* Print additional debug info at runtime */ + #define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */ + #define EFI_MEM_ATTR 10 /* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */ ++#define EFI_SECURE_BOOT 11 /* Are we in Secure Boot mode? */ ++ ++enum efi_secureboot_mode { ++ efi_secureboot_mode_unset, ++ efi_secureboot_mode_unknown, ++ efi_secureboot_mode_disabled, ++ efi_secureboot_mode_enabled, ++}; + + #ifdef CONFIG_EFI + /* +@@ -1164,6 +1172,7 @@ static inline bool efi_enabled(int featu + extern void efi_reboot(enum reboot_mode reboot_mode, const char *__unused); + + extern bool efi_is_table_address(unsigned long phys_addr); ++extern void __init efi_set_secure_boot(enum efi_secureboot_mode mode); + #else + static inline bool efi_enabled(int feature) + { +@@ -1182,6 +1191,7 @@ static inline bool efi_is_table_address( + { + return false; + } ++static inline void efi_set_secure_boot(enum efi_secureboot_mode mode) {} + #endif + + extern int efi_status_to_err(efi_status_t status); +@@ -1572,12 +1582,6 @@ static inline bool efi_runtime_disabled( + + extern void efi_call_virt_check_flags(unsigned long flags, const char *call); + +-enum efi_secureboot_mode { +- efi_secureboot_mode_unset, +- efi_secureboot_mode_unknown, +- efi_secureboot_mode_disabled, +- efi_secureboot_mode_enabled, +-}; + enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table); + + #ifdef CONFIG_RESET_ATTACK_MITIGATION diff --git a/debian/patches/features/all/lockdown/0029-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/debian/patches/features/all/lockdown/0029-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch new file mode 100644 index 000000000..9ab10afb3 --- /dev/null +++ b/debian/patches/features/all/lockdown/0029-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch @@ -0,0 +1,83 @@ +From: David Howells <dhowells@redhat.com> +Date: Wed, 8 Nov 2017 15:11:37 +0000 +Subject: [29/29] efi: Lock down the kernel if booted in secure boot mode +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=a364bd945ffc141a7b17cb331bda0d8ad68f7e72 + +UEFI Secure Boot provides a mechanism for ensuring that the firmware will +only load signed bootloaders and kernels. Certain use cases may also +require that all kernel modules also be signed. Add a configuration option +that to lock down the kernel - which includes requiring validly signed +modules - if the kernel is secure-booted. + +Signed-off-by: David Howells <dhowells@redhat.com> +Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> +cc: linux-efi@vger.kernel.org +--- + arch/x86/kernel/setup.c | 6 ++++-- + security/Kconfig | 14 ++++++++++++++ + security/lock_down.c | 1 + + 3 files changed, 19 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -65,6 +65,7 @@ + #include <linux/dma-mapping.h> + #include <linux/ctype.h> + #include <linux/uaccess.h> ++#include <linux/security.h> + + #include <linux/percpu.h> + #include <linux/crash_dump.h> +@@ -1005,6 +1006,9 @@ void __init setup_arch(char **cmdline_p) + if (efi_enabled(EFI_BOOT)) + efi_init(); + ++ efi_set_secure_boot(boot_params.secure_boot); ++ init_lockdown(); ++ + dmi_scan_machine(); + dmi_memdev_walk(); + dmi_set_dump_stack_arch_desc(); +@@ -1159,8 +1163,6 @@ void __init setup_arch(char **cmdline_p) + /* Allocate bigger log buffer */ + setup_log_buf(1); + +- efi_set_secure_boot(boot_params.secure_boot); +- + reserve_initrd(); + + acpi_table_upgrade(); +--- a/security/Kconfig ++++ b/security/Kconfig +@@ -247,6 +247,21 @@ config LOCK_DOWN_KERNEL + turns off various features that might otherwise allow access to the + kernel image (eg. setting MSR registers). + ++config LOCK_DOWN_IN_EFI_SECURE_BOOT ++ bool "Lock down the kernel in EFI Secure Boot mode" ++ default n ++ select LOCK_DOWN_KERNEL ++ depends on EFI ++ help ++ UEFI Secure Boot provides a mechanism for ensuring that the firmware ++ will only load signed bootloaders and kernels. Secure boot mode may ++ be determined from EFI variables provided by the system firmware if ++ not indicated by the boot parameters. ++ ++ Enabling this option turns on results in kernel lockdown being ++ triggered if EFI Secure Boot is set. ++ ++ + source security/selinux/Kconfig + source security/smack/Kconfig + source security/tomoyo/Kconfig +--- a/security/lock_down.c ++++ b/security/lock_down.c +@@ -11,6 +11,7 @@ + + #include <linux/security.h> + #include <linux/export.h> ++#include <linux/efi.h> + + static __ro_after_init bool kernel_locked_down; + diff --git a/debian/patches/features/all/lockdown/0032-efi-Restrict-efivar_ssdt_load-when-the-kernel-is-loc.patch b/debian/patches/features/all/lockdown/0032-efi-Restrict-efivar_ssdt_load-when-the-kernel-is-loc.patch new file mode 100644 index 000000000..bb2f4f60b --- /dev/null +++ b/debian/patches/features/all/lockdown/0032-efi-Restrict-efivar_ssdt_load-when-the-kernel-is-loc.patch @@ -0,0 +1,36 @@ +From: Matthew Garrett <matthewgarrett@google.com> +Date: Wed, 31 Jul 2019 15:16:16 -0700 +Subject: efi: Restrict efivar_ssdt_load when the kernel is locked down +Origin: https://patchwork.kernel.org/patch/11069659/ + +efivar_ssdt_load allows the kernel to import arbitrary ACPI code from an +EFI variable, which gives arbitrary code execution in ring 0. Prevent +that when the kernel is locked down. + +Signed-off-by: Matthew Garrett <mjg59@google.com> +Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> +Reviewed-by: Kees Cook <keescook@chromium.org> +Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> +Cc: linux-efi@vger.kernel.org +[bwh: Convert back to the non-LSM lockdown API] +--- +--- a/drivers/firmware/efi/efi.c ++++ b/drivers/firmware/efi/efi.c +@@ -30,6 +30,7 @@ + #include <linux/acpi.h> + #include <linux/ucs2_string.h> + #include <linux/memblock.h> ++#include <linux/security.h> + + #include <asm/early_ioremap.h> + +@@ -241,6 +242,9 @@ static void generic_ops_unregister(void) + static char efivar_ssdt[EFIVAR_SSDT_NAME_MAX] __initdata; + static int __init efivar_ssdt_setup(char *str) + { ++ if (kernel_is_locked_down("ACPI tables")) ++ return -EPERM; ++ + if (strlen(str) < sizeof(efivar_ssdt)) + memcpy(efivar_ssdt, str, strlen(str)); + else diff --git a/debian/patches/features/all/lockdown/ACPI-configfs-Disallow-loading-ACPI-tables-when-lock.patch b/debian/patches/features/all/lockdown/ACPI-configfs-Disallow-loading-ACPI-tables-when-lock.patch new file mode 100644 index 000000000..4970a4bd4 --- /dev/null +++ b/debian/patches/features/all/lockdown/ACPI-configfs-Disallow-loading-ACPI-tables-when-lock.patch @@ -0,0 +1,44 @@ +From: "Jason A. Donenfeld" <Jason@zx2c4.com> +Date: Mon, 15 Jun 2020 04:43:32 -0600 +Subject: ACPI: configfs: Disallow loading ACPI tables when locked down +Origin: https://git.kernel.org/linus/75b0cea7bf307f362057cc778efe89af4c615354 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-15780 + +Like other vectors already patched, this one here allows the root +user to load ACPI tables, which enables arbitrary physical address +writes, which in turn makes it possible to disable lockdown. + +Prevents this by checking the lockdown status before allowing a new +ACPI table to be installed. The link in the trailer shows a PoC of +how this might be used. + +Link: https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh +Cc: 5.4+ <stable@vger.kernel.org> # 5.4+ +Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> +Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> +[Salvatore Bonaccorso: Backport to v4.19.y: Use kernel_is_locked_down instead +of security_locked_down] +--- + drivers/acpi/acpi_configfs.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/acpi/acpi_configfs.c ++++ b/drivers/acpi/acpi_configfs.c +@@ -14,6 +14,7 @@ + #include <linux/module.h> + #include <linux/configfs.h> + #include <linux/acpi.h> ++#include <linux/security.h> + + #include "acpica/accommon.h" + #include "acpica/actables.h" +@@ -33,6 +34,9 @@ static ssize_t acpi_table_aml_write(stru + struct acpi_table *table; + int ret; + ++ if (kernel_is_locked_down("Modifying ACPI tables")) ++ return -EPERM; ++ + table = container_of(cfg, struct acpi_table, cfg); + + if (table->header) { diff --git a/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch b/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch new file mode 100644 index 000000000..beb09c3e6 --- /dev/null +++ b/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch @@ -0,0 +1,97 @@ +From: Linn Crosetto <linn@hpe.com> +Date: Tue, 30 Aug 2016 11:54:38 -0600 +Subject: arm64: add kernel config option to lock down when in Secure Boot mode +Bug-Debian: https://bugs.debian.org/831827 +Forwarded: no + +Add a kernel configuration option to lock down the kernel, to restrict +userspace's ability to modify the running kernel when UEFI Secure Boot is +enabled. Based on the x86 patch by Matthew Garrett. + +Determine the state of Secure Boot in the EFI stub and pass this to the +kernel using the FDT. + +Signed-off-by: Linn Crosetto <linn@hpe.com> +[bwh: Forward-ported to 4.10: adjust context] +[Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream] +[bwh: Forward-ported to 4.15 and lockdown patch set: + - Pass result of efi_get_secureboot() in stub through to + efi_set_secure_boot() in main kernel + - Use lockdown API and naming] +[bwh: Forward-ported to 4.19.3: adjust context in update_fdt()] +[dannf: Moved init_lockdown() call after uefi_init(), fixing SB detection] +--- + arch/arm64/Kconfig | 13 +++++++++++++ + drivers/firmware/efi/arm-init.c | 7 +++++++ + drivers/firmware/efi/efi.c | 3 ++- + drivers/firmware/efi/libstub/arm-stub.c | 2 +- + drivers/firmware/efi/libstub/efistub.h | 1 + + drivers/firmware/efi/libstub/fdt.c | 7 +++++++ + include/linux/efi.h | 1 + + 7 files changed, 32 insertions(+), 2 deletions(-) + +Index: linux/drivers/firmware/efi/arm-init.c +=================================================================== +--- linux.orig/drivers/firmware/efi/arm-init.c ++++ linux/drivers/firmware/efi/arm-init.c +@@ -21,6 +21,7 @@ + #include <linux/of_fdt.h> + #include <linux/platform_device.h> + #include <linux/screen_info.h> ++#include <linux/security.h> + + #include <asm/efi.h> + +@@ -257,6 +258,9 @@ void __init efi_init(void) + return; + } + ++ efi_set_secure_boot(params.secure_boot); ++ init_lockdown(); ++ + reserve_regions(); + efi_esrt_init(); + +Index: linux/drivers/firmware/efi/efi.c +=================================================================== +--- linux.orig/drivers/firmware/efi/efi.c ++++ linux/drivers/firmware/efi/efi.c +@@ -660,7 +660,8 @@ static __initdata struct params fdt_para + UEFI_PARAM("MemMap Address", "linux,uefi-mmap-start", mmap), + UEFI_PARAM("MemMap Size", "linux,uefi-mmap-size", mmap_size), + UEFI_PARAM("MemMap Desc. Size", "linux,uefi-mmap-desc-size", desc_size), +- UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver) ++ UEFI_PARAM("MemMap Desc. Version", "linux,uefi-mmap-desc-ver", desc_ver), ++ UEFI_PARAM("Secure Boot Enabled", "linux,uefi-secure-boot", secure_boot) + }; + + static __initdata struct params xen_fdt_params[] = { +Index: linux/drivers/firmware/efi/libstub/fdt.c +=================================================================== +--- linux.orig/drivers/firmware/efi/libstub/fdt.c ++++ linux/drivers/firmware/efi/libstub/fdt.c +@@ -159,6 +159,12 @@ static efi_status_t update_fdt(efi_syste + } + } + ++ fdt_val32 = cpu_to_fdt32(efi_get_secureboot(sys_table)); ++ status = fdt_setprop(fdt, node, "linux,uefi-secure-boot", ++ &fdt_val32, sizeof(fdt_val32)); ++ if (status) ++ goto fdt_set_fail; ++ + /* shrink the FDT back to its minimum size */ + fdt_pack(fdt); + +Index: linux/include/linux/efi.h +=================================================================== +--- linux.orig/include/linux/efi.h ++++ linux/include/linux/efi.h +@@ -786,6 +786,7 @@ struct efi_fdt_params { + u32 mmap_size; + u32 desc_size; + u32 desc_ver; ++ u32 secure_boot; + }; + + typedef struct { diff --git a/debian/patches/features/all/lockdown/enable-cold-boot-attack-mitigation.patch b/debian/patches/features/all/lockdown/enable-cold-boot-attack-mitigation.patch new file mode 100644 index 000000000..7a3b8e9bb --- /dev/null +++ b/debian/patches/features/all/lockdown/enable-cold-boot-attack-mitigation.patch @@ -0,0 +1,50 @@ +From: Matthew Garrett <mjg59@coreos.com> +Date: Tue, 12 Jan 2016 12:51:27 -0800 +Subject: [18/18] Enable cold boot attack mitigation +Origin: https://github.com/mjg59/linux/commit/02d999574936dd234a508c0112a0200c135a5c34 + +[Lukas Wunner: Forward-ported to 4.11: adjust context] +--- + arch/x86/boot/compressed/eboot.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +Index: linux/arch/x86/boot/compressed/eboot.c +=================================================================== +--- linux.orig/arch/x86/boot/compressed/eboot.c ++++ linux/arch/x86/boot/compressed/eboot.c +@@ -372,6 +372,22 @@ void setup_graphics(struct boot_params * + } + } + ++#define MEMORY_ONLY_RESET_CONTROL_GUID \ ++ EFI_GUID (0xe20939be, 0x32d4, 0x41be, 0xa1, 0x50, 0x89, 0x7f, 0x85, 0xd4, 0x98, 0x29) ++ ++static void enable_reset_attack_mitigation(void) ++{ ++ u8 val = 1; ++ efi_guid_t var_guid = MEMORY_ONLY_RESET_CONTROL_GUID; ++ ++ /* Ignore the return value here - there's not really a lot we can do */ ++ efi_early->call((unsigned long)sys_table->runtime->set_variable, ++ L"MemoryOverwriteRequestControl", &var_guid, ++ EFI_VARIABLE_NON_VOLATILE | ++ EFI_VARIABLE_BOOTSERVICE_ACCESS | ++ EFI_VARIABLE_RUNTIME_ACCESS, sizeof(val), val); ++} ++ + /* + * Because the x86 boot code expects to be passed a boot_params we + * need to create one ourselves (usually the bootloader would create +@@ -783,6 +799,12 @@ efi_main(struct efi_config *c, struct bo + efi_parse_options((char *)cmdline_paddr); + + /* ++ * Ask the firmware to clear memory if we don't have a clean ++ * shutdown ++ */ ++ enable_reset_attack_mitigation(); ++ ++ /* + * If the boot loader gave us a value for secure_boot then we use that, + * otherwise we ask the BIOS. + */ diff --git a/debian/patches/features/all/lockdown/lockdown-refer-to-debian-wiki-until-manual-page-exists.patch b/debian/patches/features/all/lockdown/lockdown-refer-to-debian-wiki-until-manual-page-exists.patch new file mode 100644 index 000000000..586be8cab --- /dev/null +++ b/debian/patches/features/all/lockdown/lockdown-refer-to-debian-wiki-until-manual-page-exists.patch @@ -0,0 +1,34 @@ +From: Ben Hutchings <ben@decadent.org.uk> +Date: Sun, 21 Apr 2019 00:17:13 +0100 +Subject: lockdown: Refer to Debian wiki until manual page exists +Forwarded: not-needed + +The lockdown denial log message currently refers to a +"kernel_lockdown.7" manual page, which is supposed to document it. +That manual page hasn't been accepted by the man-pages project and +doesn't even seem to have been submitted yet. For now, refer to the +Debian wiki. + +--- +Index: linux/security/lock_down.c +=================================================================== +--- linux.orig/security/lock_down.c ++++ linux/security/lock_down.c +@@ -28,7 +28,7 @@ static void __init lock_kernel_down(cons + { + if (!kernel_locked_down) { + kernel_locked_down = true; +- pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n", ++ pr_notice("Kernel is locked down from %s; see https://wiki.debian.org/SecureBoot\n", + where); + } + } +@@ -60,7 +60,7 @@ void __init init_lockdown(void) + bool __kernel_is_locked_down(const char *what, bool first) + { + if (what && first && kernel_locked_down) +- pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", ++ pr_notice("Lockdown: %s is restricted; see https://wiki.debian.org/SecureBoot\n", + what); + return kernel_locked_down; + } diff --git a/debian/patches/features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch b/debian/patches/features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch new file mode 100644 index 000000000..f02392f10 --- /dev/null +++ b/debian/patches/features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch @@ -0,0 +1,41 @@ +From: Ben Hutchings <ben@decadent.org.uk> +Date: Fri, 03 Jun 2016 00:48:39 +0100 +Subject: mtd: Disable slram and phram when locked down +Forwarded: no + +The slram and phram drivers both allow mapping regions of physical +address space such that they can then be read and written by userland +through the MTD interface. This is probably usable to manipulate +hardware into overwriting kernel code on many systems. Prevent that +if locked down. + +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- +Index: linux/drivers/mtd/devices/phram.c +=================================================================== +--- linux.orig/drivers/mtd/devices/phram.c ++++ linux/drivers/mtd/devices/phram.c +@@ -219,6 +219,9 @@ static int phram_setup(const char *val) + uint64_t len; + int i, ret; + ++ if (kernel_is_locked_down("Command line-specified device addresses")) ++ return -EPERM; ++ + if (strnlen(val, sizeof(buf)) >= sizeof(buf)) + parse_err("parameter too long\n"); + +Index: linux/drivers/mtd/devices/slram.c +=================================================================== +--- linux.orig/drivers/mtd/devices/slram.c ++++ linux/drivers/mtd/devices/slram.c +@@ -226,6 +226,9 @@ static int parse_cmdline(char *devname, + unsigned long devstart; + unsigned long devlength; + ++ if (kernel_is_locked_down("Command line-specified device addresses")) ++ return -EPERM; ++ + if ((!devname) || (!szstart) || (!szlength)) { + unregister_devices(); + return(-EINVAL); |