[PATCH 00/30] security, efi: Add kernel lockdown

David Howells dhowells at redhat.com
Thu Nov 9 17:30:36 UTC 2017


Here's a set of patches to institute a "locked-down mode" in the kernel and
to trigger that mode if the kernel is booted in secure-boot mode or through
the command line.

Enabling CONFIG_LOCK_DOWN_KERNEL makes lockdown mode available.

Enabling CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ will allow a SysRq combination
to lift the lockdown.  On x86 this is SysRq+x.  The keys must be pressed on
an attached keyboard.

Enabling CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT will cause EFI secure boot to
trigger kernel lockdown.

Inside the kernel, kernel_is_locked_down() is used to check if the kernel
is in lockdown mode.

Note that the secure boot mode entry doesn't work if the kernel is booted
from older versions of i386/x86_64 Grub as there's a bug in Grub whereby it
doesn't initialise the boot_params correctly.  The incorrect initialisation
causes sanitize_boot_params() to be triggered, thereby zapping the secure
boot flag determined by the EFI boot wrapper.

A manual page, kernel_lockdown.7, is proposed, to which people will be
directed by messages in dmesg.  This lists the features that are restricted
amongst other things.  [Note: I need to update this to mention IMA, so I'll
reply with that later].

Changes:

 (*) Made /dev/mem and /dev/kmem explicitly unopenable in lockdown mode,
     rather than being unopenable as a side effect of /dev/port being made
     unopenable.

 (*) Added lockdowns for ftrace and kprobes.

 (*) Made the bpf lockdown prohibit the use of sys_bpf entirely.

 (*) Made IMA require secure_boot rules in lockdown mode.

 (*) Made module signing and kexec allow unsigned images if IMA has been
     used to validate the image.


The patches can be found here also:

	http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=efi-lock-down

David
---
Chun-Yi Lee (1):
      kexec_file: Restrict at runtime if the kernel is locked down

Dave Young (1):
      Copy secure_boot flag in boot params across kexec reboot

David Howells (14):
      Add the ability to lock down access to the running kernel image
      Enforce module signatures if the kernel is locked down
      scsi: Lock down the eata driver
      Prohibit PCMCIA CIS storage when the kernel is locked down
      Lock down TIOCSSERIAL
      Lock down module params that specify hardware parameters (eg. ioport)
      x86/mmiotrace: Lock down the testmmiotrace module
      debugfs: Disallow use of debugfs files when the kernel is locked down
      Lock down /proc/kcore
      Lock down ftrace
      Lock down kprobes
      bpf: Restrict kernel image access functions when the kernel is locked down
      efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode
      efi: Lock down the kernel if booted in secure boot mode

Josh Boyer (2):
      hibernate: Disable when the kernel is locked down
      acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down

Kyle McMartin (1):
      Add a SysRq option to lift kernel lockdown

Linn Crosetto (2):
      acpi: Disable ACPI table override if the kernel is locked down
      acpi: Disable APEI error injection if the kernel is locked down

Matthew Garrett (8):
      Restrict /dev/{mem,kmem,port} when the kernel is locked down
      kexec: Disable at runtime if the kernel is locked down
      uswsusp: Disable when the kernel is locked down
      PCI: Lock down BAR access when the kernel is locked down
      x86: Lock down IO port access when the kernel is locked down
      x86/msr: Restrict MSR access when the kernel is locked down
      asus-wmi: Restrict debugfs interface when the kernel is locked down
      ACPI: Limit access to custom_method when the kernel is locked down

Mimi Zohar (1):
      ima: require secure_boot rules in lockdown mode


 arch/x86/include/asm/setup.h        |    2 +
 arch/x86/kernel/ioport.c            |    6 +-
 arch/x86/kernel/kexec-bzimage64.c   |    1 
 arch/x86/kernel/msr.c               |   10 +++
 arch/x86/kernel/setup.c             |   18 +-----
 arch/x86/mm/testmmiotrace.c         |    3 +
 drivers/acpi/apei/einj.c            |    3 +
 drivers/acpi/custom_method.c        |    3 +
 drivers/acpi/osl.c                  |    2 -
 drivers/acpi/tables.c               |    5 ++
 drivers/char/mem.c                  |    2 +
 drivers/firmware/efi/Makefile       |    1 
 drivers/firmware/efi/secureboot.c   |   38 ++++++++++++
 drivers/input/misc/uinput.c         |    1 
 drivers/pci/pci-sysfs.c             |    9 +++
 drivers/pci/proc.c                  |    9 +++
 drivers/pci/syscall.c               |    3 +
 drivers/pcmcia/cistpl.c             |    3 +
 drivers/platform/x86/asus-wmi.c     |    9 +++
 drivers/scsi/eata.c                 |    5 +-
 drivers/tty/serial/serial_core.c    |    6 ++
 drivers/tty/sysrq.c                 |   19 ++++--
 fs/debugfs/file.c                   |    6 ++
 fs/proc/kcore.c                     |    2 +
 include/linux/efi.h                 |   16 +++--
 include/linux/input.h               |    5 ++
 include/linux/kernel.h              |   17 ++++++
 include/linux/security.h            |    8 +++
 include/linux/sysrq.h               |    8 ++-
 kernel/bpf/syscall.c                |    3 +
 kernel/debug/kdb/kdb_main.c         |    2 -
 kernel/kexec.c                      |    7 ++
 kernel/kexec_file.c                 |    8 +++
 kernel/kprobes.c                    |    3 +
 kernel/module.c                     |   19 ++++--
 kernel/params.c                     |   26 +++++++-
 kernel/power/hibernate.c            |    2 -
 kernel/power/user.c                 |    3 +
 kernel/trace/ftrace.c               |   22 +++++++
 security/Kconfig                    |   32 ++++++++++
 security/Makefile                   |    3 +
 security/integrity/ima/ima_policy.c |   39 +++++++++----
 security/lock_down.c                |  108 +++++++++++++++++++++++++++++++++++
 43 files changed, 440 insertions(+), 57 deletions(-)
 create mode 100644 drivers/firmware/efi/secureboot.c
 create mode 100644 security/lock_down.c

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html



More information about the Linux-security-module-archive mailing list