Re: [PATCH 7/9] powerpc/configs/skiroot: Enable security features
On Thu, 16 Jan 2020 at 07:10, Oliver O'Halloran wrote: > > On Thu, Jan 16, 2020 at 4:00 PM Daniel Axtens wrote: > > > > Michael Ellerman writes: > > > > > From: Joel Stanley > > > > > > This turns on HARDENED_USERCOPY with HARDENED_USERCOPY_PAGESPAN, and > > > FORTIFY_SOURCE. > > > > > > It also enables SECURITY_LOCKDOWN_LSM with _EARLY and > > > LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY options enabled. > > > > > > > As I said before, this will disable xmon entirely. If we want to set > > this, we should compile out xmon. But if we want xmon in read-only mode > > to be an option, we should pick integrity mode. > > > > I don't really mind, because I don't work with skiroot very > > much. Oliver, Joel, Nayna, you all do stuff around this sort of level - > > is this a problem for any of you? > > Keep it enabled and force INTEGRITY mode. There are some cases where > xmon is the only method for debugging a crashing skiroot (hello SMC > BMCs) so I'd rather it remained available. If there's some actual > security benefit to disabling it entirely then someone should > articulate that. Ack.
Re: [PATCH 7/9] powerpc/configs/skiroot: Enable security features
On Thu, Jan 16, 2020 at 4:00 PM Daniel Axtens wrote: > > Michael Ellerman writes: > > > From: Joel Stanley > > > > This turns on HARDENED_USERCOPY with HARDENED_USERCOPY_PAGESPAN, and > > FORTIFY_SOURCE. > > > > It also enables SECURITY_LOCKDOWN_LSM with _EARLY and > > LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY options enabled. > > > > As I said before, this will disable xmon entirely. If we want to set > this, we should compile out xmon. But if we want xmon in read-only mode > to be an option, we should pick integrity mode. > > I don't really mind, because I don't work with skiroot very > much. Oliver, Joel, Nayna, you all do stuff around this sort of level - > is this a problem for any of you? Keep it enabled and force INTEGRITY mode. There are some cases where xmon is the only method for debugging a crashing skiroot (hello SMC BMCs) so I'd rather it remained available. If there's some actual security benefit to disabling it entirely then someone should articulate that. Oliver
Re: [PATCH 7/9] powerpc/configs/skiroot: Enable security features
Michael Ellerman writes: > From: Joel Stanley > > This turns on HARDENED_USERCOPY with HARDENED_USERCOPY_PAGESPAN, and > FORTIFY_SOURCE. > > It also enables SECURITY_LOCKDOWN_LSM with _EARLY and > LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY options enabled. > As I said before, this will disable xmon entirely. If we want to set this, we should compile out xmon. But if we want xmon in read-only mode to be an option, we should pick integrity mode. I don't really mind, because I don't work with skiroot very much. Oliver, Joel, Nayna, you all do stuff around this sort of level - is this a problem for any of you? Regards, Daniel > MODULE_SIG is selected by lockdown, so it is still enabled. > > Signed-off-by: Joel Stanley > Signed-off-by: Michael Ellerman > --- > arch/powerpc/configs/skiroot_defconfig | 11 ++- > 1 file changed, 10 insertions(+), 1 deletion(-) > > diff --git a/arch/powerpc/configs/skiroot_defconfig > b/arch/powerpc/configs/skiroot_defconfig > index 24a210fe0049..bd661a9a9410 100644 > --- a/arch/powerpc/configs/skiroot_defconfig > +++ b/arch/powerpc/configs/skiroot_defconfig > @@ -49,7 +49,6 @@ CONFIG_JUMP_LABEL=y > CONFIG_STRICT_KERNEL_RWX=y > CONFIG_MODULES=y > CONFIG_MODULE_UNLOAD=y > -CONFIG_MODULE_SIG=y > CONFIG_MODULE_SIG_FORCE=y > CONFIG_MODULE_SIG_SHA512=y > CONFIG_PARTITION_ADVANCED=y > @@ -272,6 +271,16 @@ CONFIG_NLS_ASCII=y > CONFIG_NLS_ISO8859_1=y > CONFIG_NLS_UTF8=y > CONFIG_ENCRYPTED_KEYS=y > +CONFIG_SECURITY=y > +CONFIG_HARDENED_USERCOPY=y > +# CONFIG_HARDENED_USERCOPY_FALLBACK is not set > +CONFIG_HARDENED_USERCOPY_PAGESPAN=y > +CONFIG_FORTIFY_SOURCE=y > +CONFIG_SECURITY_LOCKDOWN_LSM=y > +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y > +CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y > +# CONFIG_INTEGRITY is not set > +CONFIG_LSM="yama,loadpin,safesetid,integrity" > # CONFIG_CRYPTO_HW is not set > CONFIG_CRC16=y > CONFIG_CRC_ITU_T=y > -- > 2.21.1
[PATCH 7/9] powerpc/configs/skiroot: Enable security features
From: Joel Stanley This turns on HARDENED_USERCOPY with HARDENED_USERCOPY_PAGESPAN, and FORTIFY_SOURCE. It also enables SECURITY_LOCKDOWN_LSM with _EARLY and LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY options enabled. MODULE_SIG is selected by lockdown, so it is still enabled. Signed-off-by: Joel Stanley Signed-off-by: Michael Ellerman --- arch/powerpc/configs/skiroot_defconfig | 11 ++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/arch/powerpc/configs/skiroot_defconfig b/arch/powerpc/configs/skiroot_defconfig index 24a210fe0049..bd661a9a9410 100644 --- a/arch/powerpc/configs/skiroot_defconfig +++ b/arch/powerpc/configs/skiroot_defconfig @@ -49,7 +49,6 @@ CONFIG_JUMP_LABEL=y CONFIG_STRICT_KERNEL_RWX=y CONFIG_MODULES=y CONFIG_MODULE_UNLOAD=y -CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_SHA512=y CONFIG_PARTITION_ADVANCED=y @@ -272,6 +271,16 @@ CONFIG_NLS_ASCII=y CONFIG_NLS_ISO8859_1=y CONFIG_NLS_UTF8=y CONFIG_ENCRYPTED_KEYS=y +CONFIG_SECURITY=y +CONFIG_HARDENED_USERCOPY=y +# CONFIG_HARDENED_USERCOPY_FALLBACK is not set +CONFIG_HARDENED_USERCOPY_PAGESPAN=y +CONFIG_FORTIFY_SOURCE=y +CONFIG_SECURITY_LOCKDOWN_LSM=y +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y +# CONFIG_INTEGRITY is not set +CONFIG_LSM="yama,loadpin,safesetid,integrity" # CONFIG_CRYPTO_HW is not set CONFIG_CRC16=y CONFIG_CRC_ITU_T=y -- 2.21.1