f2c60e
From 646ac5c07196bc3680e34188e55c8cc3565f65e7 Mon Sep 17 00:00:00 2001
f2c60e
From: David Howells <dhowells@redhat.com>
f2c60e
Date: Wed, 24 May 2017 14:56:00 +0100
f2c60e
Subject: [PATCH 01/26] Add the ability to lock down access to the running
f2c60e
 kernel image
f2c60e
f2c60e
Provide a single call to allow kernel code to determine whether the system
f2c60e
should be locked down, thereby disallowing various accesses that might
f2c60e
allow the running kernel image to be changed including the loading of
f2c60e
modules that aren't validly signed with a key we recognise, fiddling with
f2c60e
MSR registers and disallowing hibernation.
f2c60e
f2c60e
Signed-off-by: David Howells <dhowells@redhat.com>
f2c60e
Acked-by: James Morris <james.l.morris@oracle.com>
f2c60e
---
f2c60e
 include/linux/kernel.h   | 17 ++++++++++++++
f2c60e
 include/linux/security.h |  8 +++++++
f2c60e
 security/Kconfig         |  8 +++++++
f2c60e
 security/Makefile        |  3 +++
f2c60e
 security/lock_down.c     | 60 ++++++++++++++++++++++++++++++++++++++++++++++++
f2c60e
 5 files changed, 96 insertions(+)
f2c60e
 create mode 100644 security/lock_down.c
f2c60e
f2c60e
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
f2c60e
index 0ad4c3044cf9..362da2e4bf53 100644
f2c60e
--- a/include/linux/kernel.h
f2c60e
+++ b/include/linux/kernel.h
f2c60e
@@ -287,6 +287,23 @@ static inline void refcount_error_report(struct pt_regs *regs, const char *err)
f2c60e
 { }
f2c60e
 #endif
f2c60e
f2c60e
+#ifdef CONFIG_LOCK_DOWN_KERNEL
f2c60e
+extern bool __kernel_is_locked_down(const char *what, bool first);
f2c60e
+#else
f2c60e
+static inline bool __kernel_is_locked_down(const char *what, bool first)
f2c60e
+{
f2c60e
+	return false;
f2c60e
+}
f2c60e
+#endif
f2c60e
+
f2c60e
+#define kernel_is_locked_down(what)					\
f2c60e
+	({								\
f2c60e
+		static bool message_given;				\
f2c60e
+		bool locked_down = __kernel_is_locked_down(what, !message_given); \
f2c60e
+		message_given = true;					\
f2c60e
+		locked_down;						\
f2c60e
+	})
f2c60e
+
f2c60e
 /* Internal, do not use. */
f2c60e
 int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res);
f2c60e
 int __must_check _kstrtol(const char *s, unsigned int base, long *res);
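Review bot: The `kernel_is_locked_down()` macro added to kernel.h carries no comment, and its contract is not obvious from the statement expression: `message_given` is set to true on every evaluation, so the notice from `__kernel_is_locked_down()` is emitted at most once per call site and only if that first evaluation already happens with lockdown in effect, while a NULL `what` suppresses the notice entirely (per the definition in security/lock_down.c). A short block comment above the macro stating those three points — one notice per call site, first evaluation only, NULL tag means silent — would save every caller from reading lock_down.c to learn them. The per-call-site `static bool` is updated without synchronization; that is benign here (a lost update only means a duplicate notice), but it is worth one clause in the same comment so nobody "fixes" it with a lock.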
f2c60e
diff --git a/include/linux/security.h b/include/linux/security.h
f2c60e
index ce6265960d6c..310775476b68 100644
f2c60e
--- a/include/linux/security.h
f2c60e
+++ b/include/linux/security.h
f2c60e
@@ -1753,5 +1753,13 @@ static inline void free_secdata(void *secdata)
f2c60e
 { }
f2c60e
 #endif /* CONFIG_SECURITY */
f2c60e
f2c60e
+#ifdef CONFIG_LOCK_DOWN_KERNEL
f2c60e
+extern void __init init_lockdown(void);
f2c60e
+#else
f2c60e
+static inline void __init init_lockdown(void)
f2c60e
+{
f2c60e
+}
f2c60e
+#endif
f2c60e
+
f2c60e
 #endif /* ! __LINUX_SECURITY_H */
f2c60e
f2c60e
diff --git a/security/Kconfig b/security/Kconfig
f2c60e
index e8e449444e65..8e01fd59ae7e 100644
f2c60e
--- a/security/Kconfig
f2c60e
+++ b/security/Kconfig
f2c60e
@@ -205,6 +205,14 @@ config STATIC_USERMODEHELPER_PATH
f2c60e
 	  If you wish for all usermode helper programs to be disabled,
f2c60e
 	  specify an empty string here (i.e. "").
f2c60e
f2c60e
+config LOCK_DOWN_KERNEL
f2c60e
+	bool "Allow the kernel to be 'locked down'"
f2c60e
+	help
f2c60e
+	  Allow the kernel to be locked down under certain circumstances, for
f2c60e
+	  instance if UEFI secure boot is enabled.  Locking down the kernel
f2c60e
+	  turns off various features that might otherwise allow access to the
f2c60e
+	  kernel image (eg. setting MSR registers).
f2c60e
+
f2c60e
 source security/selinux/Kconfig
f2c60e
 source security/smack/Kconfig
f2c60e
 source security/tomoyo/Kconfig
f2c60e
diff --git a/security/Makefile b/security/Makefile
f2c60e
index f2d71cdb8e19..8c4a43e3d4e0 100644
f2c60e
--- a/security/Makefile
f2c60e
+++ b/security/Makefile
f2c60e
@@ -29,3 +29,6 @@ obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o
f2c60e
 # Object integrity file lists
f2c60e
 subdir-$(CONFIG_INTEGRITY)		+= integrity
f2c60e
 obj-$(CONFIG_INTEGRITY)			+= integrity/
f2c60e
+
f2c60e
+# Allow the kernel to be locked down
f2c60e
+obj-$(CONFIG_LOCK_DOWN_KERNEL)		+= lock_down.o
f2c60e
diff --git a/security/lock_down.c b/security/lock_down.c
f2c60e
new file mode 100644
f2c60e
index 000000000000..d8595c0e6673
f2c60e
--- /dev/null
f2c60e
+++ b/security/lock_down.c
f2c60e
@@ -0,0 +1,60 @@
f2c60e
+/* Lock down the kernel
f2c60e
+ *
f2c60e
+ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
f2c60e
+ * Written by David Howells (dhowells@redhat.com)
f2c60e
+ *
f2c60e
+ * This program is free software; you can redistribute it and/or
f2c60e
+ * modify it under the terms of the GNU General Public Licence
f2c60e
+ * as published by the Free Software Foundation; either version
f2c60e
+ * 2 of the Licence, or (at your option) any later version.
f2c60e
+ */
f2c60e
+
f2c60e
+#include <linux/security.h>
f2c60e
+#include <linux/export.h>
f2c60e
+
f2c60e
+static __ro_after_init bool kernel_locked_down;
f2c60e
+
f2c60e
+/*
f2c60e
+ * Put the kernel into lock-down mode.
f2c60e
+ */
f2c60e
+static void __init lock_kernel_down(const char *where)
f2c60e
+{
f2c60e
+	if (!kernel_locked_down) {
f2c60e
+		kernel_locked_down = true;
f2c60e
+		pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n",
f2c60e
+			  where);
f2c60e
+	}
f2c60e
+}
f2c60e
+
f2c60e
+static int __init lockdown_param(char *ignored)
f2c60e
+{
f2c60e
+	lock_kernel_down("command line");
f2c60e
+	return 0;
f2c60e
+}
f2c60e
+
f2c60e
+early_param("lockdown", lockdown_param);
f2c60e
+
f2c60e
+/*
f2c60e
+ * Lock the kernel down from very early in the arch setup.  This must happen
f2c60e
+ * prior to things like ACPI being initialised.
f2c60e
+ */
f2c60e
+void __init init_lockdown(void)
f2c60e
+{
f2c60e
+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
f2c60e
+	if (efi_enabled(EFI_SECURE_BOOT))
f2c60e
+		lock_kernel_down("EFI secure boot");
f2c60e
+#endif
f2c60e
+}
f2c60e
+
f2c60e
+/**
f2c60e
+ * kernel_is_locked_down - Find out if the kernel is locked down
f2c60e
+ * @what: Tag to use in notice generated if lockdown is in effect
f2c60e
+ */
f2c60e
+bool __kernel_is_locked_down(const char *what, bool first)
f2c60e
+{
f2c60e
+	if (what && first && kernel_locked_down)
f2c60e
+		pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n",
f2c60e
+			  what);
f2c60e
+	return kernel_locked_down;
f2c60e
+}
f2c60e
+EXPORT_SYMBOL(__kernel_is_locked_down);
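Review bot: The kernel-doc header on `__kernel_is_locked_down()` names the macro rather than the function and omits its second parameter; change the title line to `* __kernel_is_locked_down - Find out if the kernel is locked down` and add `* @first: True if this call site has not yet emitted a notice`. The `what && first && kernel_locked_down` test also deserves a line saying that a NULL tag deliberately suppresses the notice, since that is the only way a caller can query lockdown silently. Separately, `init_lockdown()` is guarded by CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT and calls `efi_enabled(EFI_SECURE_BOOT)`, but neither that Kconfig symbol nor an include of the EFI header appears anywhere in this patch; presumably a later patch in the series supplies them, and until it does that branch is compiled out and the file relies on indirect includes.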
f2c60e
-- 
f2c60e
2.13.6
f2c60e
f2c60e
From 2c46467f43bc54324de5474a8355f98c692309e4 Mon Sep 17 00:00:00 2001
f2c60e
From: Kyle McMartin <kyle@redhat.com>
f2c60e
Date: Wed, 18 Oct 2017 14:02:25 +0100
f2c60e
Subject: [PATCH 02/26] Add a SysRq option to lift kernel lockdown
f2c60e
f2c60e
Make an option to provide a sysrq key that will lift the kernel lockdown,
f2c60e
thereby allowing the running kernel image to be accessed and modified.
f2c60e
f2c60e
On x86_64 this is triggered with SysRq+x, but this key may not be available
f2c60e
on all arches, so it is set by setting LOCKDOWN_LIFT_KEY in asm/setup.h.
f2c60e
f2c60e
Signed-off-by: Kyle McMartin <kyle@redhat.com>
f2c60e
Signed-off-by: David Howells <dhowells@redhat.com>
f2c60e
cc: x86@kernel.org
f2c60e
---
f2c60e
 arch/x86/include/asm/setup.h |  2 ++
f2c60e
 drivers/input/misc/uinput.c  |  1 +
f2c60e
 drivers/tty/sysrq.c          | 19 ++++++++++++------
f2c60e
 include/linux/input.h        |  5 +++++
f2c60e
 include/linux/sysrq.h        |  8 +++++++-
f2c60e
 kernel/debug/kdb/kdb_main.c  |  2 +-
f2c60e
 security/Kconfig             |  8 ++++++++
f2c60e
 security/lock_down.c         | 47 ++++++++++++++++++++++++++++++++++++++++++++
f2c60e
 8 files changed, 84 insertions(+), 8 deletions(-)
f2c60e
f2c60e
diff --git a/arch/x86/include/asm/setup.h b/arch/x86/include/asm/setup.h
f2c60e
index a65cf544686a..863f77582c09 100644
f2c60e
--- a/arch/x86/include/asm/setup.h
f2c60e
+++ b/arch/x86/include/asm/setup.h
f2c60e
@@ -8,6 +8,8 @@
f2c60e
 #include <linux/linkage.h>
f2c60e
 #include <asm/page_types.h>
f2c60e
f2c60e
+#define LOCKDOWN_LIFT_KEY 'x'
f2c60e
+
f2c60e
 #ifdef __i386__
f2c60e
f2c60e
 #include <linux/pfn.h>
f2c60e
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
f2c60e
index 443151de90c6..45a1f5460805 100644
f2c60e
--- a/drivers/input/misc/uinput.c
f2c60e
+++ b/drivers/input/misc/uinput.c
f2c60e
@@ -408,6 +408,7 @@ static int uinput_allocate_device(struct uinput_device *udev)
f2c60e
 	if (!udev->dev)
f2c60e
 		return -ENOMEM;
f2c60e
f2c60e
+	udev->dev->flags |= INPUTDEV_FLAGS_SYNTHETIC;
f2c60e
 	udev->dev->event = uinput_dev_event;
f2c60e
 	input_set_drvdata(udev->dev, udev);
f2c60e
f2c60e
diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
f2c60e
index 3ffc1ce29023..8b766dbad6dd 100644
f2c60e
--- a/drivers/tty/sysrq.c
f2c60e
+++ b/drivers/tty/sysrq.c
f2c60e
@@ -481,6 +481,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
f2c60e
 	/* x: May be registered on mips for TLB dump */
f2c60e
 	/* x: May be registered on ppc/powerpc for xmon */
f2c60e
 	/* x: May be registered on sparc64 for global PMU dump */
f2c60e
+	/* x: May be registered on x86_64 for disabling secure boot */
f2c60e
 	NULL,				/* x */
f2c60e
 	/* y: May be registered on sparc64 for global register dump */
f2c60e
 	NULL,				/* y */
f2c60e
@@ -524,7 +525,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
f2c60e
                 sysrq_key_table[i] = op_p;
f2c60e
 }
f2c60e
f2c60e
-void __handle_sysrq(int key, bool check_mask)
f2c60e
+void __handle_sysrq(int key, unsigned int from)
f2c60e
 {
f2c60e
 	struct sysrq_key_op *op_p;
f2c60e
 	int orig_log_level;
f2c60e
@@ -544,11 +545,15 @@ void __handle_sysrq(int key, bool check_mask)
f2c60e
f2c60e
         op_p = __sysrq_get_key_op(key);
f2c60e
         if (op_p) {
f2c60e
+		/* Ban synthetic events from some sysrq functionality */
f2c60e
+		if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) &&
f2c60e
+		    op_p->enable_mask & SYSRQ_DISABLE_USERSPACE)
f2c60e
+			printk("This sysrq operation is disabled from userspace.\n");
f2c60e
 		/*
f2c60e
 		 * Should we check for enabled operations (/proc/sysrq-trigger
f2c60e
 		 * should not) and is the invoked operation enabled?
f2c60e
 		 */
f2c60e
-		if (!check_mask || sysrq_on_mask(op_p->enable_mask)) {
f2c60e
+		if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {
f2c60e
 			pr_cont("%s\n", op_p->action_msg);
f2c60e
 			console_loglevel = orig_log_level;
f2c60e
 			op_p->handler(key);
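Review bot: The new `SYSRQ_DISABLE_USERSPACE` test only prints a message and then falls through to the existing enable-mask check, so an operation marked disabled-from-userspace is still dispatched from /proc/sysrq-trigger or a synthetic input device whenever `sysrq_on_mask()` (defined outside this hunk) accepts it — for the lockdown-lift key that makes the restriction advisory rather than enforced. Make the dispatch conditional on the ban by chaining the two tests: `    op_p->enable_mask & SYSRQ_DISABLE_USERSPACE) {`, `	pr_cont("This sysrq operation is disabled from userspace.\n");`, `} else if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {`, which then shares the function's existing else branch for disabled operations (outside this hunk, if it is still the one the removed line used). Using `pr_cont` matches the surrounding output, which the bare `printk()` without a log level does not. The retained comment saying /proc/sysrq-trigger should not check the mask no longer matches the new condition, because `SYSRQ_FROM_PROC` is not `SYSRQ_FROM_KERNEL` and therefore now goes through `sysrq_on_mask()`; either the comment or the condition should change. `__handle_sysrq()` starts and ends outside this hunk.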
f2c60e
@@ -580,7 +585,7 @@ void __handle_sysrq(int key, bool check_mask)
f2c60e
 void handle_sysrq(int key)
f2c60e
 {
f2c60e
 	if (sysrq_on())
f2c60e
-		__handle_sysrq(key, true);
f2c60e
+		__handle_sysrq(key, SYSRQ_FROM_KERNEL);
f2c60e
 }
f2c60e
 EXPORT_SYMBOL(handle_sysrq);
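Review bot: `handle_sysrq()` used to pass `check_mask = true`, which per the removed `if (!check_mask || sysrq_on_mask(...))` line in the previous hunk meant the per-operation enable mask was enforced; passing `SYSRQ_FROM_KERNEL` now takes the `from == SYSRQ_FROM_KERNEL` short-circuit and skips that mask for every caller of handle_sysrq() (console break handlers and the like), which loosens the existing policy rather than tightening it. The kdb hunk at the end of this patch has the mirror-image problem: `check_mask ? SYSRQ_FROM_KERNEL : 0` maps check_mask=true (enforce) onto the value that bypasses the mask and check_mask=false onto the value that enforces it, so kdb's sysrq policy is inverted. If the intent is that only the reset-request path bypasses the mask, handle_sysrq() and kdb_sr() need an origin value other than SYSRQ_FROM_KERNEL (the literal 0 the keypress path uses, or a named equivalent) and kdb's ternary should be inverted; if the bypass is deliberate for handle_sysrq(), the hunk deserves a comment saying so.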
f2c60e
f2c60e
@@ -661,7 +666,7 @@ static void sysrq_do_reset(unsigned long _state)
f2c60e
 static void sysrq_handle_reset_request(struct sysrq_state *state)
f2c60e
 {
f2c60e
 	if (state->reset_requested)
f2c60e
-		__handle_sysrq(sysrq_xlate[KEY_B], false);
f2c60e
+		__handle_sysrq(sysrq_xlate[KEY_B], SYSRQ_FROM_KERNEL);
f2c60e
f2c60e
 	if (sysrq_reset_downtime_ms)
f2c60e
 		mod_timer(&state->keyreset_timer,
f2c60e
@@ -812,8 +817,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
f2c60e
f2c60e
 	default:
f2c60e
 		if (sysrq->active && value && value != 2) {
f2c60e
+			int from = sysrq->handle.dev->flags & INPUTDEV_FLAGS_SYNTHETIC ?
f2c60e
+					SYSRQ_FROM_SYNTHETIC : 0;
f2c60e
 			sysrq->need_reinject = false;
f2c60e
-			__handle_sysrq(sysrq_xlate[code], true);
f2c60e
+			__handle_sysrq(sysrq_xlate[code], from);
f2c60e
 		}
f2c60e
 		break;
f2c60e
 	}
f2c60e
@@ -1097,7 +1104,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
f2c60e
f2c60e
 		if (get_user(c, buf))
f2c60e
 			return -EFAULT;
f2c60e
-		__handle_sysrq(c, false);
f2c60e
+		__handle_sysrq(c, SYSRQ_FROM_PROC);
f2c60e
 	}
f2c60e
f2c60e
 	return count;
f2c60e
diff --git a/include/linux/input.h b/include/linux/input.h
f2c60e
index fb5e23c7ed98..9d2b45a21ade 100644
f2c60e
--- a/include/linux/input.h
f2c60e
+++ b/include/linux/input.h
f2c60e
@@ -42,6 +42,7 @@ struct input_value {
f2c60e
  * @phys: physical path to the device in the system hierarchy
f2c60e
  * @uniq: unique identification code for the device (if device has it)
f2c60e
  * @id: id of the device (struct input_id)
f2c60e
+ * @flags: input device flags (SYNTHETIC, etc.)
f2c60e
  * @propbit: bitmap of device properties and quirks
f2c60e
  * @evbit: bitmap of types of events supported by the device (EV_KEY,
f2c60e
  *	EV_REL, etc.)
f2c60e
@@ -124,6 +125,8 @@ struct input_dev {
f2c60e
 	const char *uniq;
f2c60e
 	struct input_id id;
f2c60e
f2c60e
+	unsigned int flags;
f2c60e
+
f2c60e
 	unsigned long propbit[BITS_TO_LONGS(INPUT_PROP_CNT)];
f2c60e
f2c60e
 	unsigned long evbit[BITS_TO_LONGS(EV_CNT)];
f2c60e
@@ -190,6 +193,8 @@ struct input_dev {
f2c60e
 };
f2c60e
 #define to_input_dev(d) container_of(d, struct input_dev, dev)
f2c60e
f2c60e
+#define	INPUTDEV_FLAGS_SYNTHETIC	0x000000001
f2c60e
+
f2c60e
 /*
f2c60e
  * Verify that we are in sync with input_device_id mod_devicetable.h #defines
f2c60e
  */
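Review bot: `INPUTDEV_FLAGS_SYNTHETIC` is written as `0x000000001`, nine hex digits, which reads as a typo for the eight-digit `0x00000001` and invites a misplaced digit when the next flag is added; write it as `0x00000001` (or `BIT(0)` if the bit helpers are already in scope in this header). The define also has no comment, and the only producer in this patch is uinput, so something like `/* events come from userspace (e.g. uinput), not from hardware */` would record what consumers such as sysrq may rely on. The `@flags` kernel-doc line added earlier in this file could point at this define so the two stay in step.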
f2c60e
diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h
f2c60e
index 387fa7d05c98..f7c52a9ea394 100644
f2c60e
--- a/include/linux/sysrq.h
f2c60e
+++ b/include/linux/sysrq.h
f2c60e
@@ -28,6 +28,8 @@
f2c60e
 #define SYSRQ_ENABLE_BOOT	0x0080
f2c60e
 #define SYSRQ_ENABLE_RTNICE	0x0100
f2c60e
f2c60e
+#define SYSRQ_DISABLE_USERSPACE	0x00010000
f2c60e
+
f2c60e
 struct sysrq_key_op {
f2c60e
 	void (*handler)(int);
f2c60e
 	char *help_msg;
f2c60e
@@ -42,8 +44,12 @@ struct sysrq_key_op {
f2c60e
  * are available -- else NULL's).
f2c60e
  */
f2c60e
f2c60e
+#define SYSRQ_FROM_KERNEL	0x0001
f2c60e
+#define SYSRQ_FROM_PROC		0x0002
f2c60e
+#define SYSRQ_FROM_SYNTHETIC	0x0004
f2c60e
+
f2c60e
 void handle_sysrq(int key);
f2c60e
-void __handle_sysrq(int key, bool check_mask);
f2c60e
+void __handle_sysrq(int key, unsigned int from);
f2c60e
 int register_sysrq_key(int key, struct sysrq_key_op *op);
f2c60e
 int unregister_sysrq_key(int key, struct sysrq_key_op *op);
f2c60e
 struct sysrq_key_op *__sysrq_get_key_op(int key);
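Review bot: The `SYSRQ_FROM_*` values are laid out like bit flags (0x0001/0x0002/0x0004) but `__handle_sysrq()` compares `from` with `==`, and two call sites in this patch pass a bare `0` for a physical keyboard (the `SYSRQ_FROM_SYNTHETIC : 0` ternary in sysrq_handle_keypress() and `check_mask ? SYSRQ_FROM_KERNEL : 0` in kdb_sr()), an origin that has no name here. Add a named value for that origin (a define equal to 0 for the keyboard path, whatever name fits) and a one-line comment above the group such as `/* Origin of a sysrq request passed to __handle_sysrq(); compared by value, not used as a mask */`, or make the group an enum so the intent is explicit. sysrq_handle_keypress() also declares `int from` for a parameter that is `unsigned int`; declaring it `unsigned int from` avoids the implicit sign conversion.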
f2c60e
diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
f2c60e
index c8146d53ca67..b480cadf9272 100644
f2c60e
--- a/kernel/debug/kdb/kdb_main.c
f2c60e
+++ b/kernel/debug/kdb/kdb_main.c
f2c60e
@@ -1970,7 +1970,7 @@ static int kdb_sr(int argc, const char **argv)
f2c60e
 		return KDB_ARGCOUNT;
f2c60e
f2c60e
 	kdb_trap_printk++;
f2c60e
-	__handle_sysrq(*argv[1], check_mask);
f2c60e
+	__handle_sysrq(*argv[1], check_mask ? SYSRQ_FROM_KERNEL : 0);
f2c60e
 	kdb_trap_printk--;
f2c60e
f2c60e
 	return 0;
f2c60e
diff --git a/security/Kconfig b/security/Kconfig
f2c60e
index 8e01fd59ae7e..453cc89c198a 100644
f2c60e
--- a/security/Kconfig
f2c60e
+++ b/security/Kconfig
f2c60e
@@ -213,6 +213,14 @@ config LOCK_DOWN_KERNEL
f2c60e
 	  turns off various features that might otherwise allow access to the
f2c60e
 	  kernel image (eg. setting MSR registers).
f2c60e
f2c60e
+config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
f2c60e
+	bool "Allow the kernel lockdown to be lifted by SysRq"
f2c60e
+	depends on LOCK_DOWN_KERNEL && MAGIC_SYSRQ
f2c60e
+	help
f2c60e
+	  Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
f2c60e
+	  combination on a wired keyboard.
f2c60e
+
f2c60e
+
f2c60e
 source security/selinux/Kconfig
f2c60e
 source security/smack/Kconfig
f2c60e
 source security/tomoyo/Kconfig
f2c60e
diff --git a/security/lock_down.c b/security/lock_down.c
f2c60e
index d8595c0e6673..2c6b00f0c229 100644
f2c60e
--- a/security/lock_down.c
f2c60e
+++ b/security/lock_down.c
f2c60e
@@ -11,8 +11,14 @@
f2c60e
f2c60e
 #include <linux/security.h>
f2c60e
 #include <linux/export.h>
f2c60e
+#include <linux/sysrq.h>
f2c60e
+#include <asm/setup.h>
f2c60e
f2c60e
+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
f2c60e
+static __read_mostly bool kernel_locked_down;
f2c60e
+#else
f2c60e
 static __ro_after_init bool kernel_locked_down;
f2c60e
+#endif
f2c60e
f2c60e
 /*
f2c60e
  * Put the kernel into lock-down mode.
f2c60e
@@ -58,3 +64,44 @@ bool __kernel_is_locked_down(const char *what, bool first)
f2c60e
 	return kernel_locked_down;
f2c60e
 }
f2c60e
 EXPORT_SYMBOL(__kernel_is_locked_down);
f2c60e
+
f2c60e
+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
f2c60e
+
f2c60e
+/*
f2c60e
+ * Take the kernel out of lockdown mode.
f2c60e
+ */
f2c60e
+static void lift_kernel_lockdown(void)
f2c60e
+{
f2c60e
+	pr_notice("Lifting lockdown\n");
f2c60e
+	kernel_locked_down = false;
f2c60e
+}
f2c60e
+
f2c60e
+/*
f2c60e
+ * Allow lockdown to be lifted by pressing something like SysRq+x (and not by
f2c60e
+ * echoing the appropriate letter into the sysrq-trigger file).
f2c60e
+ */
f2c60e
+static void sysrq_handle_lockdown_lift(int key)
f2c60e
+{
f2c60e
+	if (kernel_locked_down)
f2c60e
+		lift_kernel_lockdown();
f2c60e
+}
f2c60e
+
f2c60e
+static struct sysrq_key_op lockdown_lift_sysrq_op = {
f2c60e
+	.handler	= sysrq_handle_lockdown_lift,
f2c60e
+	.help_msg	= "unSB(x)",
f2c60e
+	.action_msg	= "Disabling Secure Boot restrictions",
f2c60e
+	.enable_mask	= SYSRQ_DISABLE_USERSPACE,
f2c60e
+};
f2c60e
+
f2c60e
+static int __init lockdown_lift_sysrq(void)
f2c60e
+{
f2c60e
+	if (kernel_locked_down) {
f2c60e
+		lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY;
f2c60e
+		register_sysrq_key(LOCKDOWN_LIFT_KEY, &lockdown_lift_sysrq_op);
f2c60e
+	}
f2c60e
+	return 0;
f2c60e
+}
f2c60e
+
f2c60e
+late_initcall(lockdown_lift_sysrq);
f2c60e
+
f2c60e
+#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */
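Review bot: `lockdown_lift_sysrq()` writes `lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY` into the string literal `"unSB(x)"` that `.help_msg` points at; modifying a string literal is undefined behaviour in C, and in the kernel literals live in .rodata, so this appears to work only because the late initcall runs before rodata is made read-only. Give the message its own writable storage: `static char lockdown_lift_help_msg[] = "unSB(x)";`, `.help_msg	= lockdown_lift_help_msg,` and `lockdown_lift_help_msg[5] = LOCKDOWN_LIFT_KEY;`. The file now includes <asm/setup.h> for LOCKDOWN_LIFT_KEY, which this series so far defines only for x86, while CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ depends only on LOCK_DOWN_KERNEL && MAGIC_SYSRQ; on another architecture the option is selectable and this block fails to compile, so either the Kconfig entry needs an architecture guard or the block needs `#ifdef LOCKDOWN_LIFT_KEY` with a build-time message. The action message "Disabling Secure Boot restrictions" also overstates what happens on a kernel locked down from the command line rather than by secure boot; "Lifting kernel lockdown" would be accurate for both paths.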
f2c60e
-- 
f2c60e
2.13.6
f2c60e
f2c60e
From 4c389db9daee3a3a444339a7d789de1d9366f736 Mon Sep 17 00:00:00 2001
f2c60e
From: David Howells <dhowells@redhat.com>
f2c60e
Date: Wed, 24 May 2017 14:56:01 +0100
f2c60e
Subject: [PATCH 03/26] Enforce module signatures if the kernel is locked down
f2c60e
f2c60e
If the kernel is locked down, require that all modules have valid
f2c60e
signatures that we can verify.
f2c60e
f2c60e
Signed-off-by: David Howells <dhowells@redhat.com>
f2c60e
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
f2c60e
Reviewed-by: James Morris <james.l.morris@oracle.com>
f2c60e
---
f2c60e
 kernel/module.c | 3 ++-
f2c60e
 1 file changed, 2 insertions(+), 1 deletion(-)
f2c60e
f2c60e
diff --git a/kernel/module.c b/kernel/module.c
f2c60e
index de66ec825992..3d9a3270c179 100644
f2c60e
--- a/kernel/module.c
f2c60e
+++ b/kernel/module.c
f2c60e
@@ -2781,7 +2781,8 @@ static int module_sig_check(struct load_info *info, int flags)
f2c60e
 	}
f2c60e
f2c60e
 	/* Not having a signature is only an error if we're strict. */
f2c60e
-	if (err == -ENOKEY && !sig_enforce)
f2c60e
+	if (err == -ENOKEY && !sig_enforce &&
f2c60e
+	    !kernel_is_locked_down("Loading of unsigned modules"))
f2c60e
 		err = 0;
f2c60e
f2c60e
 	return err;
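Review bot: The lockdown test is added inside `module_sig_check()`, which is only compiled with module signature support; if the `!CONFIG_MODULE_SIG` variant of this function is a stub that returns 0 (it is outside this hunk), a locked-down kernel built without MODULE_SIG still loads unsigned modules and the guarantee in the commit message does not hold. Either make LOCK_DOWN_KERNEL depend on or select MODULE_SIG in security/Kconfig, or add the same `kernel_is_locked_down("Loading of unsigned modules")` refusal to the stub. The short-circuit order also means the per-site notice is only emitted when sig_enforce is off, which is fine but worth a word in the comment above, e.g. `/* Not having a signature is only an error if we're strict or locked down. */`. module_sig_check() starts outside this hunk.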
f2c60e
-- 
f2c60e
2.13.6
f2c60e
f2c60e
From 59312c44aa46939a14b3fbfeb510f94b4a73c8a1 Mon Sep 17 00:00:00 2001
f2c60e
From: Matthew Garrett <matthew.garrett@nebula.com>
f2c60e
Date: Wed, 24 May 2017 14:56:02 +0100
f2c60e
Subject: [PATCH 04/26] Restrict /dev/{mem,kmem,port} when the kernel is locked
f2c60e
 down
f2c60e
f2c60e
Allowing users to read and write to core kernel memory makes it possible
f2c60e
for the kernel to be subverted, avoiding module loading restrictions, and
f2c60e
also to steal cryptographic information.
f2c60e
f2c60e
Disallow /dev/mem and /dev/kmem from being opened when the kernel has
f2c60e
been locked down to prevent this.
f2c60e
f2c60e
Also disallow /dev/port from being opened to prevent raw ioport access and
f2c60e
thus DMA from being used to accomplish the same thing.
f2c60e
f2c60e
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
f2c60e
Signed-off-by: David Howells <dhowells@redhat.com>
f2c60e
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
f2c60e
---
f2c60e
 drivers/char/mem.c | 2 ++
f2c60e
 1 file changed, 2 insertions(+)
f2c60e
f2c60e
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
f2c60e
index 593a8818aca9..0ce5ac0a5c6b 100644
f2c60e
--- a/drivers/char/mem.c
f2c60e
+++ b/drivers/char/mem.c
f2c60e
@@ -762,6 +762,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)
f2c60e
f2c60e
 static int open_port(struct inode *inode, struct file *filp)
f2c60e
 {
f2c60e
+	if (kernel_is_locked_down("/dev/mem,kmem,port"))
f2c60e
+		return -EPERM;
f2c60e
 	return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
f2c60e
 }
f2c60e
f2c60e
-- 
f2c60e
2.13.6
f2c60e
f2c60e
From 6304f16efd61e66701f4b331e95da3cafb5f5f76 Mon Sep 17 00:00:00 2001
f2c60e
From: Matthew Garrett <matthew.garrett@nebula.com>
f2c60e
Date: Wed, 24 May 2017 14:56:02 +0100
f2c60e
Subject: [PATCH 05/26] kexec: Disable at runtime if the kernel is locked down
f2c60e
f2c60e
kexec permits the loading and execution of arbitrary code in ring 0, which
f2c60e
is something that lock-down is meant to prevent. It makes sense to disable
f2c60e
kexec in this situation.
f2c60e
f2c60e
This does not affect kexec_file_load() which can check for a signature on the
f2c60e
image to be booted.
f2c60e
f2c60e
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
f2c60e
Signed-off-by: David Howells <dhowells@redhat.com>
f2c60e
Acked-by: Dave Young <dyoung@redhat.com>
f2c60e
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
f2c60e
Reviewed-by: James Morris <james.l.morris@oracle.com>
f2c60e
cc: kexec@lists.infradead.org
f2c60e
---
f2c60e
 kernel/kexec.c | 7 +++++++
f2c60e
 1 file changed, 7 insertions(+)
f2c60e
f2c60e
diff --git a/kernel/kexec.c b/kernel/kexec.c
f2c60e
index e62ec4dc6620..7dadfed9b676 100644
f2c60e
--- a/kernel/kexec.c
f2c60e
+++ b/kernel/kexec.c
f2c60e
@@ -202,6 +202,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
f2c60e
 		return -EPERM;
f2c60e
f2c60e
 	/*
f2c60e
+	 * kexec can be used to circumvent module loading restrictions, so
f2c60e
+	 * prevent loading in that case
f2c60e
+	 */
f2c60e
+	if (kernel_is_locked_down("kexec of unsigned images"))
f2c60e
+		return -EPERM;
f2c60e
+
f2c60e
+	/*
f2c60e
 	 * Verify we have a legal set of flags
f2c60e
 	 * This leaves us room for future extensions.
f2c60e
 	 */
f2c60e
-- 
f2c60e
2.13.6
f2c60e
f2c60e
From cd00079900870855cea3573253a95c331ccab523 Mon Sep 17 00:00:00 2001
f2c60e
From: Dave Young <dyoung@redhat.com>
f2c60e
Date: Wed, 24 May 2017 14:56:02 +0100
f2c60e
Subject: [PATCH 06/26] Copy secure_boot flag in boot params across kexec
f2c60e
 reboot
f2c60e
f2c60e
Kexec reboot in case secure boot being enabled does not keep the secure
f2c60e
boot mode in new kernel, so later one can load unsigned kernel via legacy
f2c60e
kexec_load.  In this state, the system is missing the protections provided
f2c60e
by secure boot.
f2c60e
f2c60e
Fix this by retaining the secure_boot flag from the original
f2c60e
kernel.
f2c60e
f2c60e
secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the
f2c60e
stub.  Fixing this issue by copying secure_boot flag across kexec reboot.
f2c60e
f2c60e
Signed-off-by: Dave Young <dyoung@redhat.com>
f2c60e
Signed-off-by: David Howells <dhowells@redhat.com>
f2c60e
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
f2c60e
cc: kexec@lists.infradead.org
f2c60e
---
f2c60e
 arch/x86/kernel/kexec-bzimage64.c | 1 +
f2c60e
 1 file changed, 1 insertion(+)
f2c60e
f2c60e
diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
f2c60e
index fb095ba0c02f..7d0fac5bcbbe 100644
f2c60e
--- a/arch/x86/kernel/kexec-bzimage64.c
f2c60e
+++ b/arch/x86/kernel/kexec-bzimage64.c
f2c60e
@@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
f2c60e
 	if (efi_enabled(EFI_OLD_MEMMAP))
f2c60e
 		return 0;
f2c60e
f2c60e
+	params->secure_boot = boot_params.secure_boot;
f2c60e
 	ei->efi_loader_signature = current_ei->efi_loader_signature;
f2c60e
 	ei->efi_systab = current_ei->efi_systab;
f2c60e
 	ei->efi_systab_hi = current_ei->efi_systab_hi;
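Review bot: `params->secure_boot = boot_params.secure_boot;` sits below the `if (efi_enabled(EFI_OLD_MEMMAP)) return 0;` early exit, so on the old-memmap path the flag is still dropped across kexec. If that is acceptable because the second kernel receives no EFI state in that case and therefore could not act on the flag anyway, say so, e.g. `/* Carry secure_boot over so the new kernel locks down too; not needed on the no-EFI (old memmap) path */`; if it is not, the assignment should move above the early return. setup_efi_state() starts and ends outside this hunk.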
f2c60e
-- 
f2c60e
2.13.6
f2c60e
f2c60e
From de2ac5da82fc55156134820ba32095710b935ad5 Mon Sep 17 00:00:00 2001
f2c60e
From: Chun-Yi Lee <joeyli.kernel@gmail.com>
f2c60e
Date: Wed, 24 May 2017 14:56:03 +0100
f2c60e
Subject: [PATCH 07/26] kexec_file: Disable at runtime if the kernel is locked
f2c60e
 down
f2c60e
f2c60e
When KEXEC_VERIFY_SIG is not enabled, kernel should not load images
f2c60e
through the kexec_file system call if the kernel is locked down.
f2c60e
f2c60e
This code was showed in Matthew's patch but not in git:
f2c60e
https://lkml.org/lkml/2015/3/13/778
f2c60e
f2c60e
Cc: Matthew Garrett <mjg59@srcf.ucam.org>
f2c60e
Signed-off-by: Chun-Yi Lee <jlee@suse.com>
f2c60e
Signed-off-by: David Howells <dhowells@redhat.com>
f2c60e
Reviewed-by: James Morris <james.l.morris@oracle.com>
f2c60e
cc: kexec@lists.infradead.org
f2c60e
---
f2c60e
 kernel/kexec_file.c | 7 +++++++
f2c60e
 1 file changed, 7 insertions(+)
f2c60e
f2c60e
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
f2c60e
index 9f48f4412297..ff6523f2dcc2 100644
f2c60e
--- a/kernel/kexec_file.c
f2c60e
+++ b/kernel/kexec_file.c
f2c60e
@@ -255,6 +255,13 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
f2c60e
 	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
f2c60e
 		return -EPERM;
f2c60e
f2c60e
+	/* Don't permit images to be loaded into trusted kernels if we're not
f2c60e
+	 * going to verify the signature on them
f2c60e
+	 */
f2c60e
+	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) &&
f2c60e
+	    kernel_is_locked_down("kexec of unsigned images"))
f2c60e
+		return -EPERM;
f2c60e
+
f2c60e
 	/* Make sure we have a legal set of flags */
f2c60e
 	if (flags != (flags & KEXEC_FILE_FLAGS))
f2c60e
 		return -EINVAL;
f2c60e
-- 
f2c60e
2.13.6
f2c60e
f2c60e
From ba823f2b5125605fcbac150fe27e622fd224ea61 Mon Sep 17 00:00:00 2001
f2c60e
From: Josh Boyer <jwboyer@fedoraproject.org>
f2c60e
Date: Wed, 24 May 2017 14:56:03 +0100
f2c60e
Subject: [PATCH 08/26] hibernate: Disable when the kernel is locked down
f2c60e
f2c60e
There is currently no way to verify the resume image when returning
f2c60e
from hibernate.  This might compromise the signed modules trust model,
f2c60e
so until we can work with signed hibernate images we disable it when the
f2c60e
kernel is locked down.
f2c60e
f2c60e
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
f2c60e
Signed-off-by: David Howells <dhowells@redhat.com>
f2c60e
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
f2c60e
cc: linux-pm@vger.kernel.org
f2c60e
---
f2c60e
 kernel/power/hibernate.c | 2 +-
f2c60e
 1 file changed, 1 insertion(+), 1 deletion(-)
f2c60e
f2c60e
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
f2c60e
index a5c36e9c56a6..f2eafefeec50 100644
f2c60e
--- a/kernel/power/hibernate.c
f2c60e
+++ b/kernel/power/hibernate.c
f2c60e
@@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
f2c60e
f2c60e
 bool hibernation_available(void)
f2c60e
 {
f2c60e
-	return (nohibernate == 0);
f2c60e
+	return nohibernate == 0 && !kernel_is_locked_down("Hibernation");
f2c60e
 }
f2c60e
f2c60e
 /**
f2c60e
-- 
f2c60e
2.13.6
f2c60e
f2c60e
From 9e78666a6153d72c3e50160a30ead699ba508d8f Mon Sep 17 00:00:00 2001
f2c60e
From: Matthew Garrett <mjg59@srcf.ucam.org>
f2c60e
Date: Wed, 24 May 2017 14:56:03 +0100
f2c60e
Subject: [PATCH 09/26] uswsusp: Disable when the kernel is locked down
f2c60e
f2c60e
uswsusp allows a user process to dump and then restore kernel state, which
f2c60e
makes it possible to modify the running kernel.  Disable this if the kernel
f2c60e
is locked down.
f2c60e
f2c60e
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
f2c60e
Signed-off-by: David Howells <dhowells@redhat.com>
f2c60e
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
f2c60e
Reviewed-by: James Morris <james.l.morris@oracle.com>
f2c60e
cc: linux-pm@vger.kernel.org
f2c60e
---
f2c60e
 kernel/power/user.c | 3 +++
f2c60e
 1 file changed, 3 insertions(+)
f2c60e
f2c60e
diff --git a/kernel/power/user.c b/kernel/power/user.c
f2c60e
index 22df9f7ff672..678ade9decfe 100644
f2c60e
--- a/kernel/power/user.c
f2c60e
+++ b/kernel/power/user.c
f2c60e
@@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
f2c60e
 	if (!hibernation_available())
f2c60e
 		return -EPERM;
f2c60e
f2c60e
+	if (kernel_is_locked_down("/dev/snapshot"))
f2c60e
+		return -EPERM;
f2c60e
+
f2c60e
 	lock_system_sleep();
f2c60e
f2c60e
 	if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
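Review bot: The new `kernel_is_locked_down("/dev/snapshot")` test in `snapshot_open()` appears unreachable when locked down: the preceding `hibernation_available()` check already returns false in that state after patch 08 of this series changed it to `nohibernate == 0 && !kernel_is_locked_down("Hibernation")`, so the open is refused two lines earlier with the "Hibernation" tag and this tag is never logged. If the intent is a more specific notice for the uswsusp interface, place this check before the `hibernation_available()` call; otherwise drop it and rely on the existing refusal. snapshot_open() continues outside this hunk.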
f2c60e
-- 
f2c60e
2.13.6
f2c60e
f2c60e
From 334fa071b01ced7f48b2920208addfb1eab5d0fe Mon Sep 17 00:00:00 2001
f2c60e
From: Matthew Garrett <matthew.garrett@nebula.com>
f2c60e
Date: Wed, 24 May 2017 14:56:03 +0100
f2c60e
Subject: [PATCH 10/26] PCI: Lock down BAR access when the kernel is locked
f2c60e
 down
f2c60e
f2c60e
Any hardware that can potentially generate DMA has to be locked down in
f2c60e
order to avoid it being possible for an attacker to modify kernel code,
f2c60e
allowing them to circumvent disabled module loading or module signing.
f2c60e
Default to paranoid - in future we can potentially relax this for
f2c60e
sufficiently IOMMU-isolated devices.
f2c60e
f2c60e
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
f2c60e
Signed-off-by: David Howells <dhowells@redhat.com>
f2c60e
Acked-by: Bjorn Helgaas <bhelgaas@google.com>
f2c60e
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
f2c60e
cc: linux-pci@vger.kernel.org
f2c60e
---
f2c60e
 drivers/pci/pci-sysfs.c | 9 +++++++++
f2c60e
 drivers/pci/proc.c      | 9 ++++++++-
f2c60e
 drivers/pci/syscall.c   | 3 ++-
f2c60e
 3 files changed, 19 insertions(+), 2 deletions(-)
f2c60e
f2c60e
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
f2c60e
index 1eecfa301f7f..e1a3b0e765c2 100644
f2c60e
--- a/drivers/pci/pci-sysfs.c
f2c60e
+++ b/drivers/pci/pci-sysfs.c
f2c60e
@@ -881,6 +881,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
f2c60e
 	loff_t init_off = off;
f2c60e
 	u8 *data = (u8 *) buf;
f2c60e
f2c60e
+	if (kernel_is_locked_down("Direct PCI access"))
f2c60e
+		return -EPERM;
f2c60e
+
f2c60e
 	if (off > dev->cfg_size)
f2c60e
 		return 0;
f2c60e
 	if (off + count > dev->cfg_size) {
f2c60e
@@ -1175,6 +1178,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
f2c60e
 	enum pci_mmap_state mmap_type;
f2c60e
 	struct resource *res = &pdev->resource[bar];
f2c60e
f2c60e
+	if (kernel_is_locked_down("Direct PCI access"))
f2c60e
+		return -EPERM;
f2c60e
+
f2c60e
 	if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start))
f2c60e
 		return -EINVAL;
f2c60e
f2c60e
@@ -1255,6 +1261,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
f2c60e
 				     struct bin_attribute *attr, char *buf,
f2c60e
 				     loff_t off, size_t count)
f2c60e
 {
f2c60e
+	if (kernel_is_locked_down("Direct PCI access"))
f2c60e
+		return -EPERM;
f2c60e
+
f2c60e
 	return pci_resource_io(filp, kobj, attr, buf, off, count, true);
f2c60e
 }
f2c60e
f2c60e
diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
f2c60e
index 098360d7ff81..a6c53d855daa 100644
f2c60e
--- a/drivers/pci/proc.c
f2c60e
+++ b/drivers/pci/proc.c
f2c60e
@@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
f2c60e
 	int size = dev->cfg_size;
f2c60e
 	int cnt;
f2c60e
f2c60e
+	if (kernel_is_locked_down("Direct PCI access"))
f2c60e
+		return -EPERM;
f2c60e
+
f2c60e
 	if (pos >= size)
f2c60e
 		return 0;
f2c60e
 	if (nbytes >= size)
f2c60e
@@ -195,6 +198,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
f2c60e
 #endif /* HAVE_PCI_MMAP */
f2c60e
 	int ret = 0;
f2c60e
f2c60e
+	if (kernel_is_locked_down("Direct PCI access"))
f2c60e
+		return -EPERM;
f2c60e
+
f2c60e
 	switch (cmd) {
f2c60e
 	case PCIIOC_CONTROLLER:
f2c60e
 		ret = pci_domain_nr(dev->bus);
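Review bot: The lockdown test at the top of `proc_bus_pci_ioctl()` covers every command, including `PCIIOC_CONTROLLER`, which from the visible `ret = pci_domain_nr(dev->bus)` only reports the bus's domain number and grants no access to the device; refusing it changes the behaviour of tools that merely enumerate devices. If only the mmap-related commands need fencing (the rest of the switch is outside this hunk), move the check into those cases; if the blanket refusal is intended for simplicity, a comment saying so above the check would settle it for the next reader.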
f2c60e
@@ -236,7 +242,8 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
f2c60e
 	struct pci_filp_private *fpriv = file->private_data;
f2c60e
 	int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM;
f2c60e
f2c60e
-	if (!capable(CAP_SYS_RAWIO))
f2c60e
+	if (!capable(CAP_SYS_RAWIO) ||
f2c60e
+	    kernel_is_locked_down("Direct PCI access"))
f2c60e
 		return -EPERM;
f2c60e
f2c60e
 	if (fpriv->mmap_state == pci_mmap_io) {
f2c60e
diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
f2c60e
index 9bf993e1f71e..afa01cc3ceec 100644
f2c60e
--- a/drivers/pci/syscall.c
f2c60e
+++ b/drivers/pci/syscall.c
f2c60e
@@ -92,7 +92,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
f2c60e
 	u32 dword;
f2c60e
 	int err = 0;
f2c60e
f2c60e
-	if (!capable(CAP_SYS_ADMIN))
f2c60e
+	if (!capable(CAP_SYS_ADMIN) ||
f2c60e
+	    kernel_is_locked_down("Direct PCI access"))
f2c60e
 		return -EPERM;
f2c60e
f2c60e
 	dev = pci_get_bus_and_slot(bus, dfn);
f2c60e
-- 
f2c60e
2.13.6
f2c60e
f2c60e
From 7e608c45ac2ab6c8e125aaf3993b8257352ac631 Mon Sep 17 00:00:00 2001
f2c60e
From: Matthew Garrett <matthew.garrett@nebula.com>
f2c60e
Date: Wed, 24 May 2017 14:56:04 +0100
f2c60e
Subject: [PATCH 11/26] x86: Lock down IO port access when the kernel is locked
f2c60e
 down
f2c60e
f2c60e
IO port access would permit users to gain access to PCI configuration
f2c60e
registers, which in turn (on a lot of hardware) give access to MMIO
f2c60e
register space. This would potentially permit root to trigger arbitrary
f2c60e
DMA, so lock it down by default.
f2c60e
f2c60e
This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and
f2c60e
KDDISABIO console ioctls.
f2c60e
f2c60e
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
f2c60e
Signed-off-by: David Howells <dhowells@redhat.com>
f2c60e
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
f2c60e
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
f2c60e
cc: x86@kernel.org
f2c60e
---
f2c60e
 arch/x86/kernel/ioport.c | 6 ++++--
f2c60e
 1 file changed, 4 insertions(+), 2 deletions(-)
f2c60e
f2c60e
diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
f2c60e
index 9c3cf0944bce..2c0f058651c5 100644
f2c60e
--- a/arch/x86/kernel/ioport.c
f2c60e
+++ b/arch/x86/kernel/ioport.c
f2c60e
@@ -30,7 +30,8 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
f2c60e
f2c60e
 	if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
f2c60e
 		return -EINVAL;
f2c60e
-	if (turn_on && !capable(CAP_SYS_RAWIO))
f2c60e
+	if (turn_on && (!capable(CAP_SYS_RAWIO) ||
f2c60e
+			kernel_is_locked_down("ioperm")))
f2c60e
 		return -EPERM;
f2c60e
f2c60e
 	/*
f2c60e
@@ -120,7 +121,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
f2c60e
 		return -EINVAL;
f2c60e
 	/* Trying to gain more privileges? */
f2c60e
 	if (level > old) {
f2c60e
-		if (!capable(CAP_SYS_RAWIO))
f2c60e
+		if (!capable(CAP_SYS_RAWIO) ||
f2c60e
+		    kernel_is_locked_down("iopl"))
f2c60e
 			return -EPERM;
f2c60e
 	}
f2c60e
 	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
f2c60e
-- 
f2c60e
2.13.6
f2c60e
f2c60e
From 2644bf492568e3733bc841112c6e8628a6e01b8e Mon Sep 17 00:00:00 2001
f2c60e
From: Matthew Garrett <matthew.garrett@nebula.com>
f2c60e
Date: Wed, 24 May 2017 14:56:04 +0100
f2c60e
Subject: [PATCH 12/26] x86/msr: Restrict MSR access when the kernel is locked
f2c60e
 down
f2c60e
f2c60e
Writing to MSRs should not be allowed if the kernel is locked down, since
f2c60e
it could lead to execution of arbitrary code in kernel mode.  Based on a
f2c60e
patch by Kees Cook.
f2c60e
f2c60e
MSR accesses are logged for the purposes of building up a whitelist as per
f2c60e
Alan Cox's suggestion.
f2c60e
f2c60e
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
f2c60e
Signed-off-by: David Howells <dhowells@redhat.com>
f2c60e
Acked-by: Kees Cook <keescook@chromium.org>
f2c60e
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
f2c60e
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
f2c60e
cc: x86@kernel.org
f2c60e
---
f2c60e
 arch/x86/kernel/msr.c | 10 ++++++++++
f2c60e
 1 file changed, 10 insertions(+)
f2c60e
f2c60e
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
f2c60e
index ef688804f80d..dfb61d358196 100644
f2c60e
--- a/arch/x86/kernel/msr.c
f2c60e
+++ b/arch/x86/kernel/msr.c
f2c60e
@@ -84,6 +84,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
f2c60e
 	int err = 0;
f2c60e
 	ssize_t bytes = 0;
f2c60e
f2c60e
+	if (kernel_is_locked_down("Direct MSR access")) {
f2c60e
+		pr_info("Direct access to MSR %x\n", reg);
f2c60e
+		return -EPERM;
f2c60e
+	}
f2c60e
+
f2c60e
 	if (count % 8)
f2c60e
 		return -EINVAL;	/* Invalid chunk size */
f2c60e
f2c60e
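Review bot: The `pr_info()` emitted on every refused write is unthrottled, so a root process writing to /dev/cpu/*/msr in a loop can flood the log; `pr_info_ratelimited("Direct access to MSR %x\n", reg);` keeps the whitelist-building trace the description asks for without that exposure. The log line is also printed before the `count % 8` sanity check, so malformed writes that would have been rejected anyway are recorded as MSR accesses. `reg` is assigned above the hunk, so I assume it already holds the target MSR number at this point; msr_write continues beyond the hunk.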
@@ -135,6 +140,11 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
f2c60e
 			err = -EFAULT;
f2c60e
 			break;
f2c60e
 		}
f2c60e
+		if (kernel_is_locked_down("Direct MSR access")) {
f2c60e
+			pr_info("Direct access to MSR %x\n", regs[1]); /* Display %ecx */
f2c60e
+			err = -EPERM;
f2c60e
+			break;
f2c60e
+		}
f2c60e
 		err = wrmsr_safe_regs_on_cpu(cpu, regs);
f2c60e
 		if (err)
f2c60e
 			break;
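Review bot: Same logging concern as in msr_write: this `pr_info()` fires once per refused X86_IOC_WRMSR_REGS call with no rate limit, so `pr_info_ratelimited("Direct access to MSR %x\n", regs[1]);` is the safer choice for a path userspace can hit in a tight loop. Placing the check after the `copy_from_user()` is fine because the copied value is only logged, but a short comment saying so, e.g. `/* copied first so the refused MSR number can be logged */`, would stop a later reader from hoisting the check above the copy and losing the trace. The switch and msr_ioctl continue outside the hunk.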
f2c60e
-- 
f2c60e
2.13.6
f2c60e
f2c60e
From e6850fffe186e252cc94e8747e589076e215ca1a Mon Sep 17 00:00:00 2001
f2c60e
From: Matthew Garrett <matthew.garrett@nebula.com>
f2c60e
Date: Wed, 24 May 2017 14:56:04 +0100
f2c60e
Subject: [PATCH 13/26] asus-wmi: Restrict debugfs interface when the kernel is
f2c60e
 locked down
f2c60e
f2c60e
We have no way of validating what all of the Asus WMI methods do on a given
f2c60e
machine - and there's a risk that some will allow hardware state to be
f2c60e
manipulated in such a way that arbitrary code can be executed in the
f2c60e
kernel, circumventing module loading restrictions.  Prevent that if the
f2c60e
kernel is locked down.
f2c60e
f2c60e
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
f2c60e
Signed-off-by: David Howells <dhowells@redhat.com>
f2c60e
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
f2c60e
cc: acpi4asus-user@lists.sourceforge.net
f2c60e
cc: platform-driver-x86@vger.kernel.org
f2c60e
---
f2c60e
 drivers/platform/x86/asus-wmi.c | 9 +++++++++
f2c60e
 1 file changed, 9 insertions(+)
f2c60e
f2c60e
diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
f2c60e
index 48e1541dc8d4..ef5587469337 100644
f2c60e
--- a/drivers/platform/x86/asus-wmi.c
f2c60e
+++ b/drivers/platform/x86/asus-wmi.c
f2c60e
@@ -1905,6 +1905,9 @@ static int show_dsts(struct seq_file *m, void *data)
f2c60e
 	int err;
f2c60e
 	u32 retval = -1;
f2c60e
f2c60e
+	if (kernel_is_locked_down("Asus WMI"))
f2c60e
+		return -EPERM;
f2c60e
+
f2c60e
 	err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
f2c60e
f2c60e
 	if (err < 0)
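Review bot: show_dsts only queries device state through asus_wmi_get_devstate, yet it is refused exactly like the set and call paths, and nothing in the hunk records why a read is treated as dangerous. Since the description's argument is that the WMI methods cannot be audited, a one-line comment above the check, `/* WMI methods cannot be audited, so even state queries are refused when locked down */`, would preserve that reasoning for whoever revisits these debugfs files. show_dsts continues past the hunk.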
f2c60e
@@ -1921,6 +1924,9 @@ static int show_devs(struct seq_file *m, void *data)
f2c60e
 	int err;
f2c60e
 	u32 retval = -1;
f2c60e
f2c60e
+	if (kernel_is_locked_down("Asus WMI"))
f2c60e
+		return -EPERM;
f2c60e
+
f2c60e
 	err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
f2c60e
 				    &retval);
f2c60e
f2c60e
@@ -1945,6 +1951,9 @@ static int show_call(struct seq_file *m, void *data)
f2c60e
 	union acpi_object *obj;
f2c60e
 	acpi_status status;
f2c60e
f2c60e
+	if (kernel_is_locked_down("Asus WMI"))
f2c60e
+		return -EPERM;
f2c60e
+
f2c60e
 	status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
f2c60e
 				     0, asus->debug.method_id,
f2c60e
 				     &input, &output);
f2c60e
-- 
f2c60e
2.13.6
f2c60e
f2c60e
From 6dda2a4dbc8bb80efaa55aba6d54382e986305c5 Mon Sep 17 00:00:00 2001
f2c60e
From: Matthew Garrett <matthew.garrett@nebula.com>
f2c60e
Date: Wed, 24 May 2017 14:56:04 +0100
f2c60e
Subject: [PATCH 14/26] ACPI: Limit access to custom_method when the kernel is
f2c60e
 locked down
f2c60e
f2c60e
custom_method effectively allows arbitrary access to system memory, making
f2c60e
it possible for an attacker to circumvent restrictions on module loading.
f2c60e
Disable it if the kernel is locked down.
f2c60e
f2c60e
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
f2c60e
Signed-off-by: David Howells <dhowells@redhat.com>
f2c60e
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
f2c60e
cc: linux-acpi@vger.kernel.org
f2c60e
---
f2c60e
 drivers/acpi/custom_method.c | 3 +++
f2c60e
 1 file changed, 3 insertions(+)
f2c60e
f2c60e
diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
f2c60e
index c68e72414a67..b33fba70ec51 100644
f2c60e
--- a/drivers/acpi/custom_method.c
f2c60e
+++ b/drivers/acpi/custom_method.c
f2c60e
@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
f2c60e
 	struct acpi_table_header table;
f2c60e
 	acpi_status status;
f2c60e
f2c60e
+	if (kernel_is_locked_down("ACPI custom methods"))
f2c60e
+		return -EPERM;
f2c60e
+
f2c60e
 	if (!(*ppos)) {
f2c60e
 		/* parse the table header to get the table length */
f2c60e
 		if (count <= sizeof(struct acpi_table_header))
f2c60e
-- 
f2c60e
2.13.6
f2c60e
f2c60e
From 64caa33410f85663cf0a65e4c09b8b8d28a219ad Mon Sep 17 00:00:00 2001
f2c60e
From: Josh Boyer <jwboyer@redhat.com>
f2c60e
Date: Wed, 24 May 2017 14:56:05 +0100
f2c60e
Subject: [PATCH 15/26] acpi: Ignore acpi_rsdp kernel param when the kernel has
f2c60e
 been locked down
f2c60e
f2c60e
This option allows userspace to pass the RSDP address to the kernel, which
f2c60e
makes it possible for a user to modify the workings of hardware.  Reject
f2c60e
the option when the kernel is locked down.
f2c60e
f2c60e
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
f2c60e
Signed-off-by: David Howells <dhowells@redhat.com>
f2c60e
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
f2c60e
cc: Dave Young <dyoung@redhat.com>
f2c60e
cc: linux-acpi@vger.kernel.org
f2c60e
---
f2c60e
 drivers/acpi/osl.c | 2 +-
f2c60e
 1 file changed, 1 insertion(+), 1 deletion(-)
f2c60e
f2c60e
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
f2c60e
index db78d353bab1..36c6527c1b0a 100644
f2c60e
--- a/drivers/acpi/osl.c
f2c60e
+++ b/drivers/acpi/osl.c
f2c60e
@@ -192,7 +192,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void)
f2c60e
 	acpi_physical_address pa = 0;
f2c60e
f2c60e
 #ifdef CONFIG_KEXEC
f2c60e
-	if (acpi_rsdp)
f2c60e
+	if (acpi_rsdp && !kernel_is_locked_down("ACPI RSDP specification"))
f2c60e
 		return acpi_rsdp;
f2c60e
 #endif
f2c60e
f2c60e
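Review bot: When the kernel is locked down the `acpi_rsdp=` value is dropped and the function falls through to the firmware lookup below (outside the hunk) with nothing beyond the generic lockdown message to say so. This path is only compiled under `#ifdef CONFIG_KEXEC`, and on a kexec'd kernel that firmware fallback is presumably the very case the parameter exists to work around, so a `pr_notice("kernel is locked down, ignoring acpi_rsdp\n");` in the refused branch, mirroring what the ACPI table-override patch does, would make the resulting boot failure diagnosable. acpi_os_get_root_pointer extends past the hunk.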
-- 
f2c60e
2.13.6
f2c60e
f2c60e
From d87ce06969f2d4da0c864e8a4cf6c820d950cd1f Mon Sep 17 00:00:00 2001
f2c60e
From: Linn Crosetto <linn@hpe.com>
f2c60e
Date: Wed, 24 May 2017 14:56:05 +0100
f2c60e
Subject: [PATCH 16/26] acpi: Disable ACPI table override if the kernel is
f2c60e
 locked down
f2c60e
f2c60e
From the kernel documentation (initrd_table_override.txt):
f2c60e
f2c60e
  If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
f2c60e
  to override nearly any ACPI table provided by the BIOS with an
f2c60e
  instrumented, modified one.
f2c60e
f2c60e
When the kernel is locked down, it should disallow any unauthenticated
f2c60e
changes to kernel space.  ACPI tables contain code invoked by the kernel,
f2c60e
so do not allow ACPI tables to be overridden if the kernel is locked down.
f2c60e
f2c60e
Signed-off-by: Linn Crosetto <linn@hpe.com>
f2c60e
Signed-off-by: David Howells <dhowells@redhat.com>
f2c60e
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
f2c60e
cc: linux-acpi@vger.kernel.org
f2c60e
---
f2c60e
 drivers/acpi/tables.c | 5 +++++
f2c60e
 1 file changed, 5 insertions(+)
f2c60e
f2c60e
diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
f2c60e
index 80ce2a7d224b..5cc13c42daf9 100644
f2c60e
--- a/drivers/acpi/tables.c
f2c60e
+++ b/drivers/acpi/tables.c
f2c60e
@@ -526,6 +526,11 @@ void __init acpi_table_upgrade(void)
f2c60e
 	if (table_nr == 0)
f2c60e
 		return;
f2c60e
f2c60e
+	if (kernel_is_locked_down("ACPI table override")) {
f2c60e
+		pr_notice("kernel is locked down, ignoring table override\n");
f2c60e
+		return;
f2c60e
+	}
f2c60e
+
f2c60e
 	acpi_tables_addr =
f2c60e
 		memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
f2c60e
 				       all_tables_size, PAGE_SIZE);
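Review bot: The lockdown check sits after the `table_nr == 0` test, i.e. below whatever code above the hunk walks the initrd and accumulates table_nr and all_tables_size, so a locked-down kernel presumably still parses the override payload before discarding it. Moving the check to the top of acpi_table_upgrade, ahead of that scan, would avoid touching initrd-supplied table headers at all when they are going to be ignored; the existing `table_nr == 0` early return can stay as is. The function continues beyond the hunk.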
f2c60e
-- 
f2c60e
2.13.6
f2c60e
f2c60e
From 547e2ca9cbfd420a15dd70e1c1c24b7040f88058 Mon Sep 17 00:00:00 2001
f2c60e
From: Linn Crosetto <linn@hpe.com>
f2c60e
Date: Wed, 24 May 2017 14:56:05 +0100
f2c60e
Subject: [PATCH 17/26] acpi: Disable APEI error injection if the kernel is
f2c60e
 locked down
f2c60e
f2c60e
ACPI provides an error injection mechanism, EINJ, for debugging and testing
f2c60e
the ACPI Platform Error Interface (APEI) and other RAS features.  If
f2c60e
supported by the firmware, ACPI specification 5.0 and later provide for a
f2c60e
way to specify a physical memory address to which to inject the error.
f2c60e
f2c60e
Injecting errors through EINJ can produce errors which to the platform are
f2c60e
indistinguishable from real hardware errors.  This can have undesirable
f2c60e
side-effects, such as causing the platform to mark hardware as needing
f2c60e
replacement.
f2c60e
f2c60e
While it does not provide a method to load unauthenticated privileged code,
f2c60e
the effect of these errors may persist across reboots and affect trust in
f2c60e
the underlying hardware, so disable error injection through EINJ if
f2c60e
the kernel is locked down.
f2c60e
f2c60e
Signed-off-by: Linn Crosetto <linn@hpe.com>
f2c60e
Signed-off-by: David Howells <dhowells@redhat.com>
f2c60e
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
f2c60e
cc: linux-acpi@vger.kernel.org
f2c60e
---
f2c60e
 drivers/acpi/apei/einj.c | 3 +++
f2c60e
 1 file changed, 3 insertions(+)
f2c60e
f2c60e
diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c
f2c60e
index b38737c83a24..6d71e1e97b20 100644
f2c60e
--- a/drivers/acpi/apei/einj.c
f2c60e
+++ b/drivers/acpi/apei/einj.c
f2c60e
@@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2,
f2c60e
 	int rc;
f2c60e
 	u64 base_addr, size;
f2c60e
f2c60e
+	if (kernel_is_locked_down("ACPI error injection"))
f2c60e
+		return -EPERM;
f2c60e
+
f2c60e
 	/* If user manually set "flags", make sure it is legal */
f2c60e
 	if (flags && (flags &
f2c60e
 		~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF)))
f2c60e
-- 
f2c60e
2.13.6
f2c60e
f2c60e
From abbf8de44feab5f50b316d6491926d8d9029cb49 Mon Sep 17 00:00:00 2001
f2c60e
From: David Howells <dhowells@redhat.com>
f2c60e
Date: Wed, 24 May 2017 14:56:06 +0100
f2c60e
Subject: [PATCH 18/26] scsi: Lock down the eata driver
f2c60e
f2c60e
When the kernel is running in secure boot mode, we lock down the kernel to
f2c60e
prevent userspace from modifying the running kernel image.  Whilst this
f2c60e
includes prohibiting access to things like /dev/mem, it must also prevent
f2c60e
access by means of configuring driver modules in such a way as to cause a
f2c60e
device to access or modify the kernel image.
f2c60e
f2c60e
The eata driver takes a single string parameter that contains a slew of
f2c60e
settings, including hardware resource configuration.  Prohibit use of the
f2c60e
parameter if the kernel is locked down.
f2c60e
f2c60e
Suggested-by: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
f2c60e
Signed-off-by: David Howells <dhowells@redhat.com>
f2c60e
cc: Dario Ballabio <ballabio_dario@emc.com>
f2c60e
cc: "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>
f2c60e
cc: "Martin K. Petersen" <martin.petersen@oracle.com>
f2c60e
cc: linux-scsi@vger.kernel.org
f2c60e
---
f2c60e
 drivers/scsi/eata.c | 5 ++++-
f2c60e
 1 file changed, 4 insertions(+), 1 deletion(-)
f2c60e
f2c60e
diff --git a/drivers/scsi/eata.c b/drivers/scsi/eata.c
f2c60e
index 6501c330d8c8..72fceaa8f3da 100644
f2c60e
--- a/drivers/scsi/eata.c
f2c60e
+++ b/drivers/scsi/eata.c
f2c60e
@@ -1552,8 +1552,11 @@ static int eata2x_detect(struct scsi_host_template *tpnt)
f2c60e
f2c60e
 	tpnt->proc_name = "eata2x";
f2c60e
f2c60e
-	if (strlen(boot_options))
f2c60e
+	if (strlen(boot_options)) {
f2c60e
+		if (kernel_is_locked_down("Command line-specified device addresses, irqs and dma channels"))
f2c60e
+			return -EPERM;
f2c60e
 		option_setup(boot_options);
f2c60e
+	}
f2c60e
f2c60e
 #if defined(MODULE)
f2c60e
 	/* io_port could have been modified when loading as a module */
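Review bot: `return -EPERM;` from eata2x_detect is suspect because the function appears to report a count of detected boards rather than an errno (its other return statements and its caller are outside the hunk), so a negative value could be read by the caller as a non-zero "boards found" result. If that reading holds, the safer refusal is `return 0;` after the lockdown check has (presumably) logged its message, or an explicit negative-result check in the caller. The adjacent `#if defined(MODULE)` comment also shows that io_port can arrive through a module parameter, which this hunk does not gate; I assume that path is meant to be covered by the hardware-parameter annotation elsewhere in the series.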
f2c60e
-- 
f2c60e
2.13.6
f2c60e
f2c60e
From 116b02dff661d497c10099862b8b86e6cd2262ae Mon Sep 17 00:00:00 2001
f2c60e
From: David Howells <dhowells@redhat.com>
f2c60e
Date: Wed, 24 May 2017 14:56:06 +0100
f2c60e
Subject: [PATCH 19/26] Prohibit PCMCIA CIS storage when the kernel is locked
f2c60e
 down
f2c60e
f2c60e
Prohibit replacement of the PCMCIA Card Information Structure when the
f2c60e
kernel is locked down.
f2c60e
f2c60e
Suggested-by: Dominik Brodowski <linux@dominikbrodowski.net>
f2c60e
Signed-off-by: David Howells <dhowells@redhat.com>
f2c60e
cc: linux-pcmcia@lists.infradead.org
f2c60e
---
f2c60e
 drivers/pcmcia/cistpl.c | 3 +++
f2c60e
 1 file changed, 3 insertions(+)
f2c60e
f2c60e
diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c
f2c60e
index 55ef7d1fd8da..b7a0e42eeb25 100644
f2c60e
--- a/drivers/pcmcia/cistpl.c
f2c60e
+++ b/drivers/pcmcia/cistpl.c
f2c60e
@@ -1578,6 +1578,9 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj,
f2c60e
 	struct pcmcia_socket *s;
f2c60e
 	int error;
f2c60e
f2c60e
+	if (kernel_is_locked_down("Direct PCMCIA CIS storage"))
f2c60e
+		return -EPERM;
f2c60e
+
f2c60e
 	s = to_socket(container_of(kobj, struct device, kobj));
f2c60e
f2c60e
 	if (off)
f2c60e
-- 
f2c60e
2.13.6
f2c60e
f2c60e
From f3dc03aa368cfde123bc1b60bda287091c9d43b4 Mon Sep 17 00:00:00 2001
f2c60e
From: David Howells <dhowells@redhat.com>
f2c60e
Date: Wed, 24 May 2017 14:56:06 +0100
f2c60e
Subject: [PATCH 20/26] Lock down TIOCSSERIAL
f2c60e
f2c60e
Lock down TIOCSSERIAL as that can be used to change the ioport and irq
f2c60e
settings on a serial port.  This only appears to be an issue for the serial
f2c60e
drivers that use the core serial code.  All other drivers seem to either
f2c60e
ignore attempts to change port/irq or give an error.
f2c60e
f2c60e
Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
f2c60e
Signed-off-by: David Howells <dhowells@redhat.com>
f2c60e
cc: Jiri Slaby <jslaby@suse.com>
f2c60e
---
f2c60e
 drivers/tty/serial/serial_core.c | 6 ++++++
f2c60e
 1 file changed, 6 insertions(+)
f2c60e
f2c60e
diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
f2c60e
index 3a14cccbd7ff..41f0922ad842 100644
f2c60e
--- a/drivers/tty/serial/serial_core.c
f2c60e
+++ b/drivers/tty/serial/serial_core.c
f2c60e
@@ -842,6 +842,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port,
f2c60e
 	new_flags = (__force upf_t)new_info->flags;
f2c60e
 	old_custom_divisor = uport->custom_divisor;
f2c60e
f2c60e
+	if ((change_port || change_irq) &&
f2c60e
+	    kernel_is_locked_down("Using TIOCSSERIAL to change device addresses, irqs and dma channels")) {
f2c60e
+		retval = -EPERM;
f2c60e
+		goto exit;
f2c60e
+	}
f2c60e
+
f2c60e
 	if (!capable(CAP_SYS_ADMIN)) {
f2c60e
 		retval = -EPERM;
f2c60e
 		if (change_irq || change_port ||
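Review bot: The lockdown check runs before the `capable(CAP_SYS_ADMIN)` test that follows it, so an unprivileged caller asking to change the port or irq trips the once-only lockdown message and is refused for the wrong reason; the other hunks in this series test capable() first (`!capable(...) || kernel_is_locked_down(...)`). Placing the new test after the existing `if (!capable(CAP_SYS_ADMIN)) { ... }` block keeps the ordering consistent and still refuses privileged port/irq changes. uart_set_info starts and ends outside the hunk.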
f2c60e
-- 
f2c60e
2.13.6
f2c60e
f2c60e
From 9d266defc89a73c6dcca3b67ad70b95ac99b8e53 Mon Sep 17 00:00:00 2001
f2c60e
From: David Howells <dhowells@redhat.com>
f2c60e
Date: Wed, 24 May 2017 14:56:06 +0100
f2c60e
Subject: [PATCH 21/26] Lock down module params that specify hardware
f2c60e
 parameters (eg. ioport)
f2c60e
f2c60e
Provided an annotation for module parameters that specify hardware
f2c60e
parameters (such as io ports, iomem addresses, irqs, dma channels, fixed
f2c60e
dma buffers and other types).
f2c60e
f2c60e
Suggested-by: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
f2c60e
Signed-off-by: David Howells <dhowells@redhat.com>
f2c60e
---
f2c60e
 kernel/params.c | 26 +++++++++++++++++++++-----
f2c60e
 1 file changed, 21 insertions(+), 5 deletions(-)
f2c60e
f2c60e
diff --git a/kernel/params.c b/kernel/params.c
f2c60e
index 60b2d8101355..422979adb60a 100644
f2c60e
--- a/kernel/params.c
f2c60e
+++ b/kernel/params.c
f2c60e
@@ -108,13 +108,19 @@ bool parameq(const char *a, const char *b)
f2c60e
 	return parameqn(a, b, strlen(a)+1);
f2c60e
 }
f2c60e
f2c60e
-static void param_check_unsafe(const struct kernel_param *kp)
f2c60e
+static bool param_check_unsafe(const struct kernel_param *kp,
f2c60e
+			       const char *doing)
f2c60e
 {
f2c60e
 	if (kp->flags & KERNEL_PARAM_FL_UNSAFE) {
f2c60e
 		pr_warn("Setting dangerous option %s - tainting kernel\n",
f2c60e
 			kp->name);
f2c60e
 		add_taint(TAINT_USER, LOCKDEP_STILL_OK);
f2c60e
 	}
f2c60e
+
f2c60e
+	if (kp->flags & KERNEL_PARAM_FL_HWPARAM &&
f2c60e
+	    kernel_is_locked_down("Command line-specified device addresses, irqs and dma channels"))
f2c60e
+		return false;
f2c60e
+	return true;
f2c60e
 }
f2c60e
f2c60e
 static int parse_one(char *param,
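Review bot: The new `doing` parameter is accepted by param_check_unsafe() and threaded through from both callers, but nothing in the body reads it, so the refusal leaves the admin with only the generic lockdown line and no hint of which parameter or module was rejected. Using it before returning false, `pr_warn("%s: refusing hardware parameter %s - kernel is locked down\n", doing, kp->name);`, makes the dropped option visible in the log; otherwise the argument should be removed from the signature and both call sites. Note also that `KERNEL_PARAM_FL_HWPARAM` is not introduced by this patch (the diffstat lists only kernel/params.c), so it must already exist in the tree for this to build.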
f2c60e
@@ -144,8 +150,10 @@ static int parse_one(char *param,
f2c60e
 			pr_debug("handling %s with %p\n", param,
f2c60e
 				params[i].ops->set);
f2c60e
 			kernel_param_lock(params[i].mod);
f2c60e
-			param_check_unsafe(&params[i]);
f2c60e
-			err = params[i].ops->set(val, &params[i]);
f2c60e
+			if (param_check_unsafe(&params[i], doing))
f2c60e
+				err = params[i].ops->set(val, &params[i]);
f2c60e
+			else
f2c60e
+				err = -EPERM;
f2c60e
 			kernel_param_unlock(params[i].mod);
f2c60e
 			return err;
f2c60e
 		}
f2c60e
@@ -556,6 +564,12 @@ static ssize_t param_attr_show(struct module_attribute *mattr,
f2c60e
 	return count;
f2c60e
 }
f2c60e
f2c60e
+#ifdef CONFIG_MODULES
f2c60e
+#define mod_name(mod) (mod)->name
f2c60e
+#else
f2c60e
+#define mod_name(mod) "unknown"
f2c60e
+#endif
f2c60e
+
f2c60e
 /* sysfs always hands a nul-terminated string in buf.  We rely on that. */
f2c60e
 static ssize_t param_attr_store(struct module_attribute *mattr,
f2c60e
 				struct module_kobject *mk,
f2c60e
@@ -568,8 +582,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr,
f2c60e
 		return -EPERM;
f2c60e
f2c60e
 	kernel_param_lock(mk->mod);
f2c60e
-	param_check_unsafe(attribute->param);
f2c60e
-	err = attribute->param->ops->set(buf, attribute->param);
f2c60e
+	if (param_check_unsafe(attribute->param, mod_name(mk->mod)))
f2c60e
+		err = attribute->param->ops->set(buf, attribute->param);
f2c60e
+	else
f2c60e
+		err = -EPERM;
f2c60e
 	kernel_param_unlock(mk->mod);
f2c60e
 	if (!err)
f2c60e
 		return len;
f2c60e
-- 
f2c60e
2.13.6
f2c60e
f2c60e
From 17a8caed6507846edd0a7016cdcd97fe46cca263 Mon Sep 17 00:00:00 2001
f2c60e
From: David Howells <dhowells@redhat.com>
f2c60e
Date: Wed, 24 May 2017 14:56:07 +0100
f2c60e
Subject: [PATCH 22/26] x86/mmiotrace: Lock down the testmmiotrace module
f2c60e
f2c60e
The testmmiotrace module shouldn't be permitted when the kernel is locked
f2c60e
down as it can be used to arbitrarily read and write MMIO space.
f2c60e
f2c60e
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
f2c60e
Signed-off-by: David Howells 
f2c60e
cc: Thomas Gleixner <tglx@linutronix.de>
f2c60e
cc: Steven Rostedt <rostedt@goodmis.org>
f2c60e
cc: Ingo Molnar <mingo@kernel.org>
f2c60e
cc: "H. Peter Anvin" <hpa@zytor.com>
f2c60e
cc: x86@kernel.org
f2c60e
---
f2c60e
 arch/x86/mm/testmmiotrace.c | 3 +++
f2c60e
 1 file changed, 3 insertions(+)
f2c60e
f2c60e
diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c
f2c60e
index f6ae6830b341..bbaad357f5d7 100644
f2c60e
--- a/arch/x86/mm/testmmiotrace.c
f2c60e
+++ b/arch/x86/mm/testmmiotrace.c
f2c60e
@@ -115,6 +115,9 @@ static int __init init(void)
f2c60e
 {
f2c60e
 	unsigned long size = (read_far) ? (8 << 20) : (16 << 10);
f2c60e
f2c60e
+	if (kernel_is_locked_down("MMIO trace testing"))
f2c60e
+		return -EPERM;
f2c60e
+
f2c60e
 	if (mmio_address == 0) {
f2c60e
 		pr_err("you have to use the module argument mmio_address.\n");
f2c60e
 		pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n");
f2c60e
-- 
f2c60e
2.13.6
f2c60e
f2c60e
From 79ae67bf5f7eda526abaa80b01b19e08c1ed3558 Mon Sep 17 00:00:00 2001
f2c60e
From: David Howells <dhowells@redhat.com>
f2c60e
Date: Wed, 18 Oct 2017 17:28:02 +0100
f2c60e
Subject: [PATCH 23/26] debugfs: Disallow use of debugfs files when the kernel
f2c60e
 is locked down
f2c60e
f2c60e
Disallow opening of debugfs files when the kernel is locked down as various
f2c60e
drivers give raw access to hardware through debugfs.
f2c60e
f2c60e
Accesses to tracefs should use /sys/kernel/tracing/ rather than
f2c60e
/sys/kernel/debug/tracing/.  Possibly a symlink should be emplaced.
f2c60e
f2c60e
Normal device interaction should be done through configfs or a miscdev, not
f2c60e
debugfs.
f2c60e
f2c60e
Note that this makes it unnecessary to specifically lock down show_dsts(),
f2c60e
show_devs() and show_call() in the asus-wmi driver.
f2c60e
f2c60e
Signed-off-by: David Howells <dhowells@redhat.com>
f2c60e
cc: Andy Shevchenko <andy.shevchenko@gmail.com>
f2c60e
cc: acpi4asus-user@lists.sourceforge.net
f2c60e
cc: platform-driver-x86@vger.kernel.org
f2c60e
cc: Matthew Garrett <matthew.garrett@nebula.com>
f2c60e
cc: Thomas Gleixner <tglx@linutronix.de>
f2c60e
---
f2c60e
 fs/debugfs/file.c | 6 ++++++
f2c60e
 1 file changed, 6 insertions(+)
f2c60e
f2c60e
diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
f2c60e
index 6dabc4a10396..32b5168a7e91 100644
f2c60e
--- a/fs/debugfs/file.c
f2c60e
+++ b/fs/debugfs/file.c
f2c60e
@@ -103,6 +103,9 @@ static int open_proxy_open(struct inode *inode, struct file *filp)
f2c60e
 	const struct file_operations *real_fops = NULL;
f2c60e
 	int srcu_idx, r;
f2c60e
f2c60e
+	if (kernel_is_locked_down("debugfs"))
f2c60e
+		return -EPERM;
f2c60e
+
f2c60e
 	r = debugfs_use_file_start(dentry, &srcu_idx);
f2c60e
 	if (r) {
f2c60e
 		r = -ENOENT;
f2c60e
@@ -232,6 +235,9 @@ static int full_proxy_open(struct inode *inode, struct file *filp)
f2c60e
 	struct file_operations *proxy_fops = NULL;
f2c60e
 	int srcu_idx, r;
f2c60e
f2c60e
+	if (kernel_is_locked_down("debugfs"))
f2c60e
+		return -EPERM;
f2c60e
+
f2c60e
 	r = debugfs_use_file_start(dentry, &srcu_idx);
f2c60e
 	if (r) {
f2c60e
 		r = -ENOENT;
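Review bot: The check refuses every open, including read-only opens of files whose real fops carry no write, ioctl or mmap handler, which takes away a lot of harmless diagnostics (counters, state dumps) along with the raw hardware hooks the description is aimed at. Because the real fops are only resolved further down in full_proxy_open (outside the hunk), a narrower rule would have to move the test after that lookup, refusing when the kernel is locked down and `(filp->f_mode & FMODE_WRITE) || real_fops->unlocked_ioctl || real_fops->mmap`; whether that is acceptable depends on whether any read handler in the tree pokes hardware, which I cannot tell from here. full_proxy_open continues past the hunk.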
f2c60e
-- 
f2c60e
2.13.6
f2c60e
f2c60e
From 87ed5c02f0946c855730420cbf1daa6a2dfc54d7 Mon Sep 17 00:00:00 2001
f2c60e
From: David Howells <dhowells@redhat.com>
f2c60e
Date: Thu, 19 Oct 2017 13:58:19 +0100
f2c60e
Subject: [PATCH 24/26] Lock down /proc/kcore
f2c60e
f2c60e
Disallow access to /proc/kcore when the kernel is locked down to prevent
f2c60e
access to cryptographic data.
f2c60e
f2c60e
Signed-off-by: David Howells <dhowells@redhat.com>
f2c60e
Reviewed-by: James Morris <james.l.morris@oracle.com>
f2c60e
---
f2c60e
 fs/proc/kcore.c | 2 ++
f2c60e
 1 file changed, 2 insertions(+)
f2c60e
f2c60e
diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
f2c60e
index 45629f4b5402..176cf749e650 100644
f2c60e
--- a/fs/proc/kcore.c
f2c60e
+++ b/fs/proc/kcore.c
f2c60e
@@ -549,6 +549,8 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
f2c60e
f2c60e
 static int open_kcore(struct inode *inode, struct file *filp)
f2c60e
 {
f2c60e
+	if (kernel_is_locked_down("/proc/kcore"))
f2c60e
+		return -EPERM;
f2c60e
 	if (!capable(CAP_SYS_RAWIO))
f2c60e
 		return -EPERM;
f2c60e
f2c60e
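Review bot: The new lockdown test is evaluated before the existing `capable(CAP_SYS_RAWIO)` check, the reverse of the `!capable(...) || kernel_is_locked_down(...)` ordering used elsewhere in this series, so any unprivileged open of /proc/kcore fires the once-only lockdown message even though it would be refused regardless. Folding it into the existing test keeps capable() first: `if (!capable(CAP_SYS_RAWIO) || kernel_is_locked_down("/proc/kcore")) return -EPERM;`. open_kcore continues beyond the hunk.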
-- 
f2c60e
2.13.6
f2c60e
f2c60e
From 2bce9ca3a24e0b35dcf665e6ba082f0a796c6aad Mon Sep 17 00:00:00 2001
f2c60e
From: David Howells <dhowells@redhat.com>
f2c60e
Date: Thu, 19 Oct 2017 14:18:53 +0100
f2c60e
Subject: [PATCH 25/26] efi: Add an EFI_SECURE_BOOT flag to indicate secure
f2c60e
 boot mode
f2c60e
f2c60e
UEFI machines can be booted in Secure Boot mode.  Add an EFI_SECURE_BOOT
f2c60e
flag that can be passed to efi_enabled() to find out whether secure boot is
f2c60e
enabled.
f2c60e
f2c60e
Move the switch-statement in x86's setup_arch() that interprets the
f2c60e
secure_boot boot parameter to generic code and set the bit there.
f2c60e
f2c60e
Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
f2c60e
Signed-off-by: David Howells <dhowells@redhat.com>
f2c60e
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
f2c60e
cc: linux-efi@vger.kernel.org
f2c60e
---
f2c60e
 arch/x86/kernel/setup.c           | 14 +-------------
f2c60e
 drivers/firmware/efi/Makefile     |  1 +
f2c60e
 drivers/firmware/efi/secureboot.c | 38 ++++++++++++++++++++++++++++++++++++++
f2c60e
 include/linux/efi.h               | 16 ++++++++++------
f2c60e
 4 files changed, 50 insertions(+), 19 deletions(-)
f2c60e
 create mode 100644 drivers/firmware/efi/secureboot.c
f2c60e
f2c60e
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
f2c60e
index 0957dd73d127..7c2162f9e769 100644
f2c60e
--- a/arch/x86/kernel/setup.c
f2c60e
+++ b/arch/x86/kernel/setup.c
f2c60e
@@ -1197,19 +1197,7 @@ void __init setup_arch(char **cmdline_p)
f2c60e
 	/* Allocate bigger log buffer */
f2c60e
 	setup_log_buf(1);
f2c60e
f2c60e
-	if (efi_enabled(EFI_BOOT)) {
f2c60e
-		switch (boot_params.secure_boot) {
f2c60e
-		case efi_secureboot_mode_disabled:
f2c60e
-			pr_info("Secure boot disabled\n");
f2c60e
-			break;
f2c60e
-		case efi_secureboot_mode_enabled:
f2c60e
-			pr_info("Secure boot enabled\n");
f2c60e
-			break;
f2c60e
-		default:
f2c60e
-			pr_info("Secure boot could not be determined\n");
f2c60e
-			break;
f2c60e
-		}
f2c60e
-	}
f2c60e
+	efi_set_secure_boot(boot_params.secure_boot);
f2c60e
f2c60e
 	reserve_initrd();
f2c60e
f2c60e
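Review bot: efi_set_secure_boot() becomes the only place EFI_SECURE_BOOT is set, and the sole caller in this hunk is x86's setup_arch() feeding it `boot_params.secure_boot`, so other EFI architectures will never see the flag unless they gain an equivalent call, which the description's "move to generic code" could be misread as already providing. A comment at the call site, `/* x86 only: other EFI arches must call efi_set_secure_boot() from their own boot path */`, or a sentence in the description, would prevent that misreading. setup_arch() extends well beyond the hunk.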
diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile
f2c60e
index 0329d319d89a..883f9f7eefc6 100644
f2c60e
--- a/drivers/firmware/efi/Makefile
f2c60e
+++ b/drivers/firmware/efi/Makefile
f2c60e
@@ -23,6 +23,7 @@ obj-$(CONFIG_EFI_FAKE_MEMMAP)		+= fake_mem.o
f2c60e
 obj-$(CONFIG_EFI_BOOTLOADER_CONTROL)	+= efibc.o
f2c60e
 obj-$(CONFIG_EFI_TEST)			+= test/
f2c60e
 obj-$(CONFIG_EFI_DEV_PATH_PARSER)	+= dev-path-parser.o
f2c60e
+obj-$(CONFIG_EFI)			+= secureboot.o
f2c60e
 obj-$(CONFIG_APPLE_PROPERTIES)		+= apple-properties.o
f2c60e
f2c60e
 arm-obj-$(CONFIG_EFI)			:= arm-init.o arm-runtime.o
f2c60e
diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c
f2c60e
new file mode 100644
f2c60e
index 000000000000..9070055de0a1
f2c60e
--- /dev/null
f2c60e
+++ b/drivers/firmware/efi/secureboot.c
f2c60e
@@ -0,0 +1,38 @@
f2c60e
+/* Core kernel secure boot support.
f2c60e
+ *
f2c60e
+ * Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
f2c60e
+ * Written by David Howells (dhowells@redhat.com)
f2c60e
+ *
f2c60e
+ * This program is free software; you can redistribute it and/or
f2c60e
+ * modify it under the terms of the GNU General Public Licence
f2c60e
+ * as published by the Free Software Foundation; either version
f2c60e
+ * 2 of the Licence, or (at your option) any later version.
f2c60e
+ */
f2c60e
+
f2c60e
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
f2c60e
+
f2c60e
+#include <linux/efi.h>
f2c60e
+#include <linux/kernel.h>
f2c60e
+#include <linux/printk.h>
f2c60e
+
f2c60e
+/*
f2c60e
+ * Decide what to do when UEFI secure boot mode is enabled.
f2c60e
+ */
f2c60e
+void __init efi_set_secure_boot(enum efi_secureboot_mode mode)
f2c60e
+{
f2c60e
+	if (efi_enabled(EFI_BOOT)) {
f2c60e
+		switch (mode) {
f2c60e
+		case efi_secureboot_mode_disabled:
f2c60e
+			pr_info("Secure boot disabled\n");
f2c60e
+			break;
f2c60e
+		case efi_secureboot_mode_enabled:
f2c60e
+			set_bit(EFI_SECURE_BOOT, &efi.flags);
f2c60e
+			pr_info("Secure boot enabled\n");
f2c60e
+			break;
f2c60e
+		default:
f2c60e
+			pr_warning("Secure boot could not be determined (mode %u)\n",
f2c60e
+				   mode);
f2c60e
+			break;
f2c60e
+		}
f2c60e
+	}
f2c60e
+}
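Review bot: The default branch lumps `efi_secureboot_mode_unset` together with `efi_secureboot_mode_unknown`, so a kernel whose boot path never filled in the mode (no stub, or an architecture that does not pass it) is reported as "could not be determined" exactly like a failed firmware query, which makes the warning ambiguous when debugging why lockdown did not engage. A separate `case efi_secureboot_mode_unset:` with its own `pr_info("Secure boot mode not provided by boot path\n");` would keep the two apart. `pr_warning()` is also the older spelling; `pr_warn()` is the form the rest of the kernel has converged on.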
f2c60e
diff --git a/include/linux/efi.h b/include/linux/efi.h
f2c60e
index 66f4a4e79f4b..7c7a7e33e4d1 100644
f2c60e
--- a/include/linux/efi.h
f2c60e
+++ b/include/linux/efi.h
f2c60e
@@ -1103,6 +1103,14 @@ extern int __init efi_setup_pcdp_console(char *);
f2c60e
 #define EFI_DBG			8	/* Print additional debug info at runtime */
f2c60e
 #define EFI_NX_PE_DATA		9	/* Can runtime data regions be mapped non-executable? */
f2c60e
 #define EFI_MEM_ATTR		10	/* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */
f2c60e
+#define EFI_SECURE_BOOT		11	/* Are we in Secure Boot mode? */
f2c60e
+
f2c60e
+enum efi_secureboot_mode {
f2c60e
+	efi_secureboot_mode_unset,
f2c60e
+	efi_secureboot_mode_unknown,
f2c60e
+	efi_secureboot_mode_disabled,
f2c60e
+	efi_secureboot_mode_enabled,
f2c60e
+};
f2c60e
f2c60e
 #ifdef CONFIG_EFI
f2c60e
 /*
f2c60e
@@ -1115,6 +1123,7 @@ static inline bool efi_enabled(int feature)
f2c60e
 extern void efi_reboot(enum reboot_mode reboot_mode, const char *__unused);
f2c60e
f2c60e
 extern bool efi_is_table_address(unsigned long phys_addr);
f2c60e
+extern void __init efi_set_secure_boot(enum efi_secureboot_mode mode);
f2c60e
 #else
f2c60e
 static inline bool efi_enabled(int feature)
f2c60e
 {
f2c60e
@@ -1133,6 +1142,7 @@ static inline bool efi_is_table_address(unsigned long phys_addr)
f2c60e
 {
f2c60e
 	return false;
f2c60e
 }
f2c60e
+static inline void efi_set_secure_boot(enum efi_secureboot_mode mode) {}
f2c60e
 #endif
f2c60e
f2c60e
 extern int efi_status_to_err(efi_status_t status);
f2c60e
@@ -1518,12 +1528,6 @@ efi_status_t efi_setup_gop(efi_system_table_t *sys_table_arg,
Pablo Greco 6f1816
 
f2c60e
 extern void efi_call_virt_check_flags(unsigned long flags, const char *call);
f2c60e
f2c60e
-enum efi_secureboot_mode {
f2c60e
-	efi_secureboot_mode_unset,
f2c60e
-	efi_secureboot_mode_unknown,
f2c60e
-	efi_secureboot_mode_disabled,
f2c60e
-	efi_secureboot_mode_enabled,
f2c60e
-};
f2c60e
 enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table);
f2c60e
f2c60e
 #ifdef CONFIG_RESET_ATTACK_MITIGATION
f2c60e
-- 
2.13.6
From 163d6a313399a4d50c5c7e42e3dd642ca8d495d7 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Thu, 19 Oct 2017 14:05:02 +0100
Subject: [PATCH 26/26] efi: Lock down the kernel if booted in secure boot mode
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
only load signed bootloaders and kernels.  Certain use cases may also
require that all kernel modules also be signed.  Add a configuration option
to lock down the kernel - which includes requiring validly signed
modules - if the kernel is secure-booted.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
cc: linux-efi@vger.kernel.org
---
 arch/x86/kernel/setup.c |  6 ++++--
 security/Kconfig        | 14 ++++++++++++++
 security/lock_down.c    |  1 +
 3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
f2c60e
index 7c2162f9e769..4e38327efb2e 100644
f2c60e
--- a/arch/x86/kernel/setup.c
f2c60e
+++ b/arch/x86/kernel/setup.c
f2c60e
@@ -64,6 +64,7 @@
f2c60e
 #include <linux/dma-mapping.h>
f2c60e
 #include <linux/ctype.h>
f2c60e
 #include <linux/uaccess.h>
f2c60e
+#include <linux/security.h>
f2c60e
f2c60e
 #include <linux/percpu.h>
f2c60e
 #include <linux/crash_dump.h>
f2c60e
@@ -1039,6 +1040,9 @@ void __init setup_arch(char **cmdline_p)
f2c60e
 	if (efi_enabled(EFI_BOOT))
f2c60e
 		efi_init();
f2c60e
f2c60e
+	efi_set_secure_boot(boot_params.secure_boot);
f2c60e
+	init_lockdown();
f2c60e
+
f2c60e
 	dmi_scan_machine();
f2c60e
 	dmi_memdev_walk();
f2c60e
 	dmi_set_dump_stack_arch_desc();
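Review bot: The two new calls depend on an ordering that nothing states: efi_set_secure_boot() only acts when EFI_BOOT is set (the same flag the efi_init() condition just above tests), and init_lockdown() on the next line presumably reads the EFI_SECURE_BOOT bit it sets, so reordering either call would disable lockdown silently. Add `/* Must follow efi_init(): efi_set_secure_boot() needs EFI_BOOT, init_lockdown() reads EFI_SECURE_BOOT. */` above the pair. Note also the fail-open shape: if the boot loader leaves boot_params.secure_boot at zero (efi_secureboot_mode_unset), efi_set_secure_boot() only logs a warning and the kernel is not locked down, so that warning is the sole trace of a boot whose secure-boot state was never established and should be mentioned in the comment. setup_arch() continues outside the hunk.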
f2c60e
@@ -1197,8 +1201,6 @@ void __init setup_arch(char **cmdline_p)
f2c60e
 	/* Allocate bigger log buffer */
f2c60e
 	setup_log_buf(1);
f2c60e
f2c60e
-	efi_set_secure_boot(boot_params.secure_boot);
f2c60e
-
f2c60e
 	reserve_initrd();
f2c60e
f2c60e
 	acpi_table_upgrade();
f2c60e
diff --git a/security/Kconfig b/security/Kconfig
f2c60e
index 453cc89c198a..974731ac4f85 100644
f2c60e
--- a/security/Kconfig
f2c60e
+++ b/security/Kconfig
f2c60e
@@ -220,6 +220,20 @@ config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
f2c60e
 	  Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
f2c60e
 	  combination on a wired keyboard.
f2c60e
f2c60e
+config LOCK_DOWN_IN_EFI_SECURE_BOOT
f2c60e
+	bool "Lock down the kernel in EFI Secure Boot mode"
f2c60e
+	default n
f2c60e
+	select LOCK_DOWN_KERNEL
f2c60e
+	depends on EFI
f2c60e
+	help
f2c60e
+	  UEFI Secure Boot provides a mechanism for ensuring that the firmware
f2c60e
+	  will only load signed bootloaders and kernels.  Secure boot mode may
f2c60e
+	  be determined from EFI variables provided by the system firmware if
f2c60e
+	  not indicated by the boot parameters.
f2c60e
+
f2c60e
+	  Enabling this option turns on results in kernel lockdown being
f2c60e
+	  triggered if EFI Secure Boot is set.
f2c60e
+
f2c60e
f2c60e
 source security/selinux/Kconfig
f2c60e
 source security/smack/Kconfig
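Review bot: The last paragraph of the new option's help text is garbled: `Enabling this option turns on results in kernel lockdown being` should read `Enabling this option results in kernel lockdown being`. The `default n` line is redundant for a bool option and can be dropped. Since the option silently does nothing when the boot loader does not report a secure-boot mode, a sentence stating that lockdown is engaged only when the boot loader or firmware positively reports Secure Boot as enabled would make the help accurate.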
f2c60e
diff --git a/security/lock_down.c b/security/lock_down.c
f2c60e
index 2c6b00f0c229..527f7e51dc8d 100644
f2c60e
--- a/security/lock_down.c
f2c60e
+++ b/security/lock_down.c
f2c60e
@@ -12,6 +12,7 @@
f2c60e
 #include <linux/security.h>
f2c60e
 #include <linux/export.h>
f2c60e
 #include <linux/sysrq.h>
f2c60e
+#include <linux/efi.h>
f2c60e
 #include <asm/setup.h>
f2c60e
f2c60e
 #ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
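Review bot: The added `#include <linux/efi.h>` is the only change to this file (the diffstat records one insertion), so this commit adds no code in lock_down.c that consults EFI_SECURE_BOOT, and the new Kconfig option's promise that Secure Boot triggers lockdown is not visibly implemented here. If init_lockdown() already tests `efi_enabled(EFI_SECURE_BOOT)` under CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT, the include is justified but that dependence should be stated in the commit message; otherwise the trigger is missing and the option is inert. Either way the include deserves a one-line comment naming its consumer once that is confirmed.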
f2c60e
-- 
2.13.6