Takashi Iwai ti...@suse.de wrote:
this is a patch series to add support for firmware signature
check. At this time, the kernel checks an extra signature file (*.sig)
for each firmware, instead of an embedded signature.
It's just a quick hack using the existing module signing mechanism,
thus
David Howells dhowe...@redhat.com wrote:
Takashi Iwai ti...@suse.de wrote:
this is a patch series to add support for firmware signature
check. At this time, the kernel checks an extra signature file (*.sig)
for each firmware, instead of an embedded signature.
It's just a quick hack
Include missing linux/magic.h inclusions where the source file is currently
expecting to get magic numbers through linux/proc_fs.h.
Signed-off-by: David Howells dhowe...@redhat.com
cc: linux-efi@vger.kernel.org
---
drivers/firmware/efivars.c |1 +
fs/proc/inode.c|1 +
2
Include missing linux/slab.h inclusions where the source file is currently
expecting to get kmalloc() and co. through linux/proc_fs.h.
Signed-off-by: David Howells dhowe...@redhat.com
cc: linux-s...@vger.kernel.org
cc: sparcli...@vger.kernel.org
cc: linux-efi@vger.kernel.org
cc: linux
Alexei Starovoitov wrote:
> Also, is there a description of what this lockdown is trying to accomplish?
Austin S. Hemmelgarn wrote:
> ... but for any kind of proper security analysis, you need to better clarify
> your threat model. 'Prevent
Sorry, I forgot to include a cover note.
These five patches would replace 1-3 & 6 from my Kernel Lockdown series. The
additional patch moves the secure boot switch from x86 to generic code.
David
--
To unsubscribe from this list: send the line "unsubscribe linux-efi" in
the body of a message to
Move the switch-statement in x86's setup_arch() that interprets the
secure_boot boot parameter to generic code.
Suggested-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
Signed-off-by: David Howells <dhowe...@redhat.com>
---
arch/x86/kernel/setup.c| 14 +--
hether secure boot mode is enabled so that it can be disabled.
Signed-off-by: Josh Boyer <jwbo...@fedoraproject.org>
Signed-off-by: David Howells <dhowe...@redhat.com>
cc: linux-efi@vger.kernel.org
---
drivers/firmware/efi/secure_boot.c |1 +
include/linux/efi.h|1
registers and disallowing hibernation,
Signed-off-by: David Howells <dhowe...@redhat.com>
---
include/linux/kernel.h |9 +
include/linux/security.h | 11 +++
security/Kconfig | 15 +++
security/Makefile|3 +++
security/lock_down.c
From: Kyle McMartin <k...@redhat.com>
Make sysrq+x exit secure boot mode on x86_64, thereby allowing the running
kernel image to be modified. This lifts the lockdown.
Signed-off-by: Kyle McMartin <k...@redhat.com>
Signed-off-by: David Howells <dhowe...@redhat.com>
cc: x...@ker
Mimi Zohar wrote:
> > Okay, fair enough. I can stick in an OR with an IS_ENABLED on some IMA
> > symbol. CONFIG_IMA_KEXEC maybe? And also require IMA be enabled?
>
> Not quite, since as Dave pointed out, IMA is policy driven. As a
> policy is installed, we could
Andy Shevchenko wrote:
> > From: Matthew Garrett
> >
> > We have no way of validating what all of the Asus WMI methods do on a given
> > machine - and there's a risk that some will allow hardware state to be
> > manipulated in such a way
on the hwparam branch, which I posted separately.
David
---
Dave Young (1):
Copy secure_boot flag in boot params across kexec reboot
David Howells (7):
Add the ability to lock down access to the running kernel image
efi: Lock down the kernel if booted in secure boot mode
Enforce
If the kernel is locked down, require that all modules have valid
signatures that we can verify.
Signed-off-by: David Howells <dhowe...@redhat.com>
---
kernel/module.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/module.c b/kernel/module.c
index 7eba6d
hether secure boot mode is enabled so that it can be disabled.
Signed-off-by: Josh Boyer <jwbo...@fedoraproject.org>
Signed-off-by: David Howells <dhowe...@redhat.com>
---
arch/x86/kernel/setup.c |1 +
include/linux/efi.h |1 +
2 files changed, 2 insertions(+)
diff --git
- if the kernel is secure-booted.
Signed-off-by: David Howells <dhowe...@redhat.com>
---
arch/x86/Kconfig| 12
arch/x86/kernel/setup.c |8 +++-
2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index cc98d5
on the hwparam branch, which I posted separately.
David
---
Chun-Yi Lee (1):
kexec_file: Disable at runtime if securelevel has been set
Dave Young (1):
Copy secure_boot flag in boot params across kexec reboot
David Howells (7):
Add the ability to lock down access to the running kernel
to fix this by retaining the secure_boot flag in the original
kernel.
The secure_boot flag in boot_params is set in the EFI stub, but kexec bypasses the
stub. Fix this issue by copying the secure_boot flag across kexec reboot.
Signed-off-by: Dave Young <dyo...@redhat.com>
Signed-off-by: David Ho
ebula.com>
Signed-off-by: David Howells <dhowe...@redhat.com>
---
drivers/char/mem.c |6 ++
1 file changed, 6 insertions(+)
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index 6d9cc2d39d22..f8144049bda3 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -163,6 +163,9
nature on the
image to be booted.
Signed-off-by: Matthew Garrett <matthew.garr...@nebula.com>
Signed-off-by: David Howells <dhowe...@redhat.com>
---
kernel/kexec.c |7 +++
1 file changed, 7 insertions(+)
diff --git a/kernel/kexec.c b/kernel/kexec.c
index 980936a90ee6..4
From: Kyle McMartin <k...@redhat.com>
Make sysrq+x exit secure boot mode on x86_64, thereby allowing the running
kernel image to be modified. This lifts the lockdown.
Signed-off-by: Kyle McMartin <k...@redhat.com>
Signed-off-by: David Howells <dhowe...@redhat.com>
---
ed-off-by: Josh Boyer <jwbo...@fedoraproject.org>
Signed-off-by: David Howells <dhowe...@redhat.com>
---
kernel/power/hibernate.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
index a8b978c35a6a..50cca5dcb62f 1
<jwbo...@redhat.com>
Signed-off-by: David Howells <dhowe...@redhat.com>
---
drivers/acpi/osl.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
index db78d353bab1..d4d4ba348451 100644
--- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.
thew.garr...@nebula.com>
Signed-off-by: David Howells <dhowe...@redhat.com>
---
drivers/acpi/custom_method.c |3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
index c68e72414a67..e4d721c330c0 100644
--- a/drivers/acpi/custom_meth
thew Garrett <matthew.garr...@nebula.com>
Signed-off-by: David Howells <dhowe...@redhat.com>
---
arch/x86/kernel/msr.c |7 +++
1 file changed, 7 insertions(+)
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
index ef688804f80d..fbcce028e502 100644
--- a/arch/x86/kernel/msr
future we can potentially relax this for
sufficiently IOMMU-isolated devices.
Signed-off-by: Matthew Garrett <matthew.garr...@nebula.com>
Signed-off-by: David Howells <dhowe...@redhat.com>
---
drivers/pci/pci-sysfs.c |9 +
drivers/pci/proc.c |8 +++-
dri
module loading restrictions. Prevent that if the
kernel is locked down.
Signed-off-by: Matthew Garrett <matthew.garr...@nebula.com>
Signed-off-by: David Howells <dhowe...@redhat.com>
---
drivers/platform/x86/asus-wmi.c |9 +
1 file changed, 9 insertions(+)
diff --git a/dr
From: Matthew Garrett <mj...@srcf.ucam.org>
uswsusp allows a user process to dump and then restore kernel state, which
makes it possible to modify the running kernel. Disable this if the kernel
is locked down.
Signed-off-by: Matthew Garrett <mj...@srcf.ucam.org>
Signed-off-by: D
efault.
This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and
KDDISABIO console ioctls.
Signed-off-by: Matthew Garrett <matthew.garr...@nebula.com>
Signed-off-by: David Howells <dhowe...@redhat.com>
---
arch/x86/kernel/ioport.c |4 ++--
drivers/char/mem.c |2 +
diff --git
tt <mj...@srcf.ucam.org>
Signed-off-by: Chun-Yi Lee <j...@suse.com>
Signed-off-by: David Howells <dhowe...@redhat.com>
---
kernel/kexec_file.c |6 ++
1 file changed, 6 insertions(+)
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index b118735fea9d..f6937eecd1eb 100644
-
From: Kyle McMartin <k...@redhat.com>
Make sysrq+x exit secure boot mode on x86_64, thereby allowing the running
kernel image to be modified. This lifts the lockdown.
Signed-off-by: Kyle McMartin <k...@redhat.com>
Signed-off-by: David Howells <dhowe...@redhat.com>
---
method to load unauthenticated privileged code,
the effect of these errors may persist across reboots and affect trust in
the underlying hardware, so disable error injection through EINJ if
the kernel is locked down.
Signed-off-by: Linn Crosetto <l...@hpe.com>
Signed-off-by: David Howells <dhow
el is set, the kernel should disallow any unauthenticated
changes to kernel space. ACPI tables contain code invoked by the kernel,
so do not allow ACPI tables to be overridden if the kernel is locked down.
Signed-off-by: Linn Crosetto <l...@hpe.com>
Signed-off-by: David Howells <dhowe...@redhat.
James Morris wrote:
> > The patches can be found here also:
> >
> >
> > http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=efi-lockdown
> >
>
> Do you mean the branch 'efi-lock-down' ?
Sorry, yes.
David
Rafael J. Wysocki wrote:
> You probably want to disable hibernation altogether in this case.
See patch 10. Does that mean patch 11 is superfluous?
David
David Howells (7):
Add the ability to lock down access to the running kernel image
efi: Lock down the kernel if booted in secure boot mode
Enforce module signatures if the kernel is locked down
scsi: Lock down the eata driver
Prohibit PCMCIA CIS storage when the kernel
Provided an annotation for module parameters that specify hardware
parameters (such as io ports, iomem addresses, irqs, dma channels, fixed
dma buffers and other types).
Suggested-by: Alan Cox <gno...@lxorguk.ukuu.org.uk>
Signed-off-by: David Howells <dhowe...@redhat.com>
---
ker
ed-off-by: David Howells <dhowe...@redhat.com>
cc: Dario Ballabio <ballabio_da...@emc.com>
cc: "James E.J. Bottomley" <j...@linux.vnet.ibm.com>
cc: "Martin K. Petersen" <martin.peter...@oracle.com>
cc: linux-s...@vger.kernel.org
---
drivers/scsi/eata.c |7 ++
ctions when the kernel is
locked down.
Signed-off-by: Chun-Yi Lee <j...@suse.com>
Signed-off-by: David Howells <dhowe...@redhat.com>
cc: net...@vger.kernel.org
---
kernel/trace/bpf_trace.c | 11 +++
1 file changed, 11 insertions(+)
diff --git a/kernel/trace/bpf_trac
Ard Biesheuvel wrote:
> > @@ -1184,6 +1184,7 @@ void __init setup_arch(char **cmdline_p)
> > pr_info("Secure boot disabled\n");
> > break;
> > case efi_secureboot_mode_enabled:
> > +
Let me try sending this again again. Lee, Chun-Yi as a name causes the mail
dispatcher to break :-/
David
ed-off-by: Josh Boyer <jwbo...@fedoraproject.org>
Signed-off-by: David Howells <dhowe...@redhat.com>
cc: linux...@vger.kernel.org
---
kernel/power/hibernate.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
efault.
This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and
KDDISABIO console ioctls.
Signed-off-by: Matthew Garrett <matthew.garr...@nebula.com>
Signed-off-by: David Howells <dhowe...@redhat.com>
cc: x...@kernel.org
---
arch/x86/kernel/ioport.c |4 ++--
drivers/char/
nature on the
image to be booted.
Signed-off-by: Matthew Garrett <matthew.garr...@nebula.com>
Signed-off-by: David Howells <dhowe...@redhat.com>
cc: ke...@lists.infradead.org
---
kernel/kexec.c |7 +++
1 file changed, 7 insertions(+)
diff --git a/kernel/kexec.c b/ke
- if the kernel is secure-booted.
Signed-off-by: David Howells <dhowe...@redhat.com>
cc: linux-efi@vger.kernel.org
---
arch/x86/Kconfig| 12
arch/x86/kernel/setup.c |8 +++-
2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/arch/x86/Kconfig b/ar
-Hartman <gre...@linuxfoundation.org>
Signed-off-by: David Howells <dhowe...@redhat.com>
cc: Jiri Slaby <jsl...@suse.com>
---
drivers/tty/serial/serial_core.c |6 ++
1 file changed, 6 insertions(+)
diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/s
Prohibit replacement of the PCMCIA Card Information Structure when the
kernel is locked down.
Suggested-by: Dominik Brodowski <li...@dominikbrodowski.net>
Signed-off-by: David Howells <dhowe...@redhat.com>
cc: linux-pcm...@lists.infradead.org
---
drivers/pcmcia/cistpl.c |5 +
thew.garr...@nebula.com>
Signed-off-by: David Howells <dhowe...@redhat.com>
cc: linux-a...@vger.kernel.org
---
drivers/acpi/custom_method.c |3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
index c68e72414a67..e4d721c330c0 100644
;
Signed-off-by: David Howells <dhowe...@redhat.com>
Acked-by: Kees Cook <keesc...@chromium.org>
cc: x...@kernel.org
---
arch/x86/kernel/msr.c |7 +++
1 file changed, 7 insertions(+)
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
index ef688804f80d..fbcce028e502 100644
---
el is set, the kernel should disallow any unauthenticated
changes to kernel space. ACPI tables contain code invoked by the kernel,
so do not allow ACPI tables to be overridden if the kernel is locked down.
Signed-off-by: Linn Crosetto <l...@hpe.com>
Signed-off-by: David Howells <dhowe...@red
module loading restrictions. Prevent that if the
kernel is locked down.
Signed-off-by: Matthew Garrett <matthew.garr...@nebula.com>
Signed-off-by: David Howells <dhowe...@redhat.com>
cc: acpi4asus-u...@lists.sourceforge.net
cc: platform-driver-...@vger.kernel.org
---
drivers/platf
future we can potentially relax this for
sufficiently IOMMU-isolated devices.
Signed-off-by: Matthew Garrett <matthew.garr...@nebula.com>
Signed-off-by: David Howells <dhowe...@redhat.com>
cc: linux-...@vger.kernel.org
---
drivers/pci/pci-sysfs.c |9 +
drivers/pci/
tt <mj...@srcf.ucam.org>
Signed-off-by: Chun-Yi Lee <j...@suse.com>
Signed-off-by: David Howells <dhowe...@redhat.com>
cc: ke...@lists.infradead.org
---
kernel/kexec_file.c |6 ++
1 file changed, 6 insertions(+)
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index b1
Andy Shevchenko wrote:
> >> It looks a bit fragile when responsibility of whatever reasons kernel
> >> can't serve become a driver burden.
> >> Can we fix this in debugfs framework instead?
> >
> > Fix it with debugfs how? We can't offload the decision to userspace.
>
Ard Biesheuvel wrote:
> That does bring me to another EFI related point: many of these patches
> are x86 specific for no good reason.
Note that the sysrq one is awkward since the key chosen *is* arch-specific.
SysRq+x can't be arbitrarily assigned to this since some
Alexei Starovoitov wrote:
> this will obviously break the program.
Yeah. But if it allows one to twiddle the kernel image or gain access to
crypto material...
> How about disabling loading tracing programs during the lockdown completely?
Interesting thought.
Ben Hutchings wrote:
> > Shouldn't this now appear under /sys/kernel/tracing/ ?
>
> True, but old tracing scripts didn't go away.
Conversion to a symlink would fix that.
David
Ben Hutchings wrote:
> - tracing (now tracefs, but it's expected to appear under debugfs)
Shouldn't this now appear under /sys/kernel/tracing/ ?
David
Ben Hutchings wrote:
> So it's generally not going to be OK to turn off debugfs. There will
> probably need to be a distinction between believed-safe and unsafe
> directories/files.
Any suggestion on how to mark this distinction? I'd prefer not to modify
every read/write
Oliver Neukum wrote:
> Your swap partition may be located on an NVDIMM or be encrypted.
An NVDIMM should be considered the same as any other persistent storage.
It may be encrypted, but where's the key stored, how easy is it to retrieve
and does the swapout code know this?
>
Dave Young wrote:
> > > This option allows userspace to pass the RSDP address to the kernel, which
> > > makes it possible for a user to circumvent any restrictions imposed on
> > > loading modules. Ignore the option when the kernel is locked down.
> >
> > I'm not really
Mimi Zohar wrote:
> > > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > > + return -EPERM;
> > > +
> > >
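Review bot: the gate `if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down()) return -EPERM;` keys the refusal solely on the kexec signature-verification Kconfig symbol, so a locked-down kernel that verifies kexec images through IMA (via the LSM hooks in kernel_read_file_from_fd(), as the reply below points out) is refused as well. Consider widening the condition to also accept an IMA-based verification path, for instance an IS_ENABLED() check on the relevant IMA option alongside CONFIG_KEXEC_VERIFY_SIG, and stating in the commit message which verification mechanisms satisfy the lockdown requirement.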
>
> IMA can be used to verify file signatures too, based on the LSM hooks
> in kernel_read_file_from_fd().
Borislav Petkov wrote:
> "Subject: [PATCH v5 01/32] x86: Add documentation for AMD Secure Memory
> Encryption (SME)"
Or:
x86: Document AMD Secure Memory Encryption (SME) support
David
t;)
> Signed-off-by: Arnd Bergmann <a...@arndb.de>
Reviewed-by: David Howells <dhowe...@redhat.com>
Ard Biesheuvel wrote:
> > This can be told to skip a particular algorithm for when the caller
> > has one precalculated. The precalculated hash can be passed to
> > is_hash_blacklisted(). This would typically be the case for a signed
> > X.509
James Bottomley <james.bottom...@hansenpartnership.com> wrote:
> Added by
>
> commit 436529562df2748fd9918f578205b22cf8ced277
> Author: David Howells <dhowe...@redhat.com>
> Date: Mon Apr 3 16:07:25 2017 +0100
>
> X.509: Allow X.509 certs to be blacklist
registers and disallowing hibernation,
Signed-off-by: David Howells <dhowe...@redhat.com>
Acked-by: James Morris <james.l.mor...@oracle.com>
---
include/linux/kernel.h |9 +
include/linux/security.h | 11 +++
security/Kconfig | 15 +++
secur
- if the kernel is secure-booted.
Signed-off-by: David Howells <dhowe...@redhat.com>
cc: linux-efi@vger.kernel.org
---
drivers/firmware/efi/Kconfig |1 +
drivers/firmware/efi/secureboot.c | 10 +-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/fi
Ard Biesheuvel wrote:
> > + UEFI Secure Boot provides a mechanism for ensuring that the
> > firmware
> > + will only load signed bootloaders and kernels. Secure boot mode
> > may
> > + be determined from EFI variables provided by the BIOS if
as there's a bug in Grub whereby it
doesn't initialise the boot_params correctly. The incorrect initialisation
causes sanitize_boot_params() to be triggered, thereby zapping the secure
boot flag determined by the EFI boot wrapper.
David
---
David Howells (3):
efi: Move the x86 secure b
hether secure boot mode is enabled so that it can be disabled.
Signed-off-by: Josh Boyer <jwbo...@fedoraproject.org>
Signed-off-by: David Howells <dhowe...@redhat.com>
cc: linux-efi@vger.kernel.org
---
drivers/firmware/efi/secureboot.c |1 +
include/linux/efi.h |1 +
Casey Schaufler wrote:
> You called out five distinct features in 0/5, so how about
> a bit for each of those?
Actually, there are more than five in that list - there are three in the first
item - and I'm not sure the remaining categories are quite as well defined as
I
Casey Schaufler wrote:
> > +#ifdef CONFIG_LOCK_DOWN_KERNEL
> > +extern bool kernel_is_locked_down(void);
> > +#else
> > +static inline bool kernel_is_locked_down(void)
>
> Should this be a bool or an int? I can imagine that someone is going to want
> various different
Ard Biesheuvel wrote:
> - The series conflates 'UEFI secure boot support' with 'kernel lock
> down support'. I think this has been brought up before, but I really
> think we should have a cleaner separation between the feature (locking
> down various bits of the kernel
Ard Biesheuvel wrote:
> and print a subsequent line for every lockdown feature that is enabled, e.g.,
>
> lockdown: disabling MSRs
> lockdown: disabling hibernate support
There's another problem with this idea: the lockdown facility is passive - it
doesn't go looking
Hi Ard,
Any thoughts on these patches?
Thanks,
David
David Howells (38):
Annotate module params that specify hardware parameters (eg. ioport)
Annotate hardware config module parameters in arch/x86/mm/
Annotate hardware config module parameters in drivers/char/ipmi/
Annotate hardware config module parameters in drivers
Ard Biesheuvel wrote:
> No, I am fine with keeping this as a single series. I don't want
> anything under drivers/efi to imply policy regarding lockdown. Kernel
> lockdown should be a feature that lives somewhere else, and which
> contains a CONFIG_ option that implies
Florian Weimer wrote:
> > Lockdown is typically enabled during boot and may be terminated, if
> > configured, by typing a special key combination on a directly attached
> > physical keyboard.
>
> Does this include a Bluetooth keyboard (which might not actually exist and
>
---
.\"
.\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
.\" Written by David Howells (dhowe...@redhat.com)
.\"
.\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
.\" This program is free software; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public L
Johannes Berg wrote:
> > Only validly signed wifi databases may be used.
>
> We don't even have this yet, and when we do, we want this to be the
> case for typical configurations regardless of lockdown.
Okay.
David
Jiri Kosina wrote:
> > The idea is to prevent cryptographic data for filesystems and other things
> > from being read out of the kernel memory as well as to prevent unauthorised
> > modification of kernel memory.
>
> Then it would make sense to actually lock down dumping of
Okay, I've dropped the ftrace lockdown patch for the moment from my git
branch.
David
Jiri Kosina wrote:
> > This prevents crypto data theft by analysis of execution patterns, and, if
> > in future ftrace also logs the register contents at the time, will prevent
> > data theft by that mechanism also.
>
> I fail to see how this fits into the secure boot security
Alan Cox wrote:
> So you don't actually need to sign a lot of PC class firmware because
> it's already signed.
Whilst that may be true, we either have to check signatures on every bit of
firmware that the appropriate driver doesn't say is meant to be signed or not