Re: [PATCH v2 07/10] powerpc/configs/skiroot: Enable security features

Tue, 28 Jan 2020 17:30:23 -0800 

Joel Stanley <j...@jms.id.au> writes:

> On Tue, 21 Jan 2020 at 04:30, Michael Ellerman <m...@ellerman.id.au> wrote:
>>
>> From: Joel Stanley <j...@jms.id.au>
>>
>> This turns on HARDENED_USERCOPY with HARDENED_USERCOPY_PAGESPAN, and
>> FORTIFY_SOURCE.
>>
>> It also enables SECURITY_LOCKDOWN_LSM with _EARLY and
>> LOCK_DOWN_KERNEL_FORCE_INTEGRITY options enabled. This still allows
>> xmon to be used in read-only mode.
>>
>> MODULE_SIG is selected by lockdown, so it is still enabled.
>>
>> Signed-off-by: Joel Stanley <j...@jms.id.au>
>> [mpe: Switch to lockdown integrity mode per oohal]
>> Signed-off-by: Michael Ellerman <m...@ellerman.id.au>
>
> I did some testing and with change we break kexec. As it's critical
> for this kernel to be able to kexec we need to set KEXEC_FILE=y if
> we're setting FORCE_INTEGRITY=y.
>
> I've tested your series with that modification made and userspace was
> once again able to kexec (with -s).

Has the changes that enable this landed in kexec-lite and petitboot yet?
I had to manually patch them when I was experimenting with it
recently...

Regards,
Daniel

>
> Cheers,
>
> Joel
>
>> ---
>>  arch/powerpc/configs/skiroot_defconfig | 11 ++++++++++-
>>  1 file changed, 10 insertions(+), 1 deletion(-)
>>
>> v2: Switch to lockdown integrity mode rather than confidentiality as noticed 
>> by
>> dja and discussed with jms and oohal.
>>
>> diff --git a/arch/powerpc/configs/skiroot_defconfig 
>> b/arch/powerpc/configs/skiroot_defconfig
>> index 24a210fe0049..93b478436a2b 100644
>> --- a/arch/powerpc/configs/skiroot_defconfig
>> +++ b/arch/powerpc/configs/skiroot_defconfig
>> @@ -49,7 +49,6 @@ CONFIG_JUMP_LABEL=y
>>  CONFIG_STRICT_KERNEL_RWX=y
>>  CONFIG_MODULES=y
>>  CONFIG_MODULE_UNLOAD=y
>> -CONFIG_MODULE_SIG=y
>>  CONFIG_MODULE_SIG_FORCE=y
>>  CONFIG_MODULE_SIG_SHA512=y
>>  CONFIG_PARTITION_ADVANCED=y
>> @@ -272,6 +271,16 @@ CONFIG_NLS_ASCII=y
>>  CONFIG_NLS_ISO8859_1=y
>>  CONFIG_NLS_UTF8=y
>>  CONFIG_ENCRYPTED_KEYS=y
>> +CONFIG_SECURITY=y
>> +CONFIG_HARDENED_USERCOPY=y
>> +# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
>> +CONFIG_HARDENED_USERCOPY_PAGESPAN=y
>> +CONFIG_FORTIFY_SOURCE=y
>> +CONFIG_SECURITY_LOCKDOWN_LSM=y
>> +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
>> +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
>> +# CONFIG_INTEGRITY is not set
>> +CONFIG_LSM="yama,loadpin,safesetid,integrity"
>>  # CONFIG_CRYPTO_HW is not set
>>  CONFIG_CRC16=y
>>  CONFIG_CRC_ITU_T=y
>> --
>> 2.21.1
>>

Reply via email to