Re: [PATCH RFC 0/4] Add firmware signature file check

2012-11-05 Thread David Howells
Takashi Iwai ti...@suse.de wrote: this is a patch series to add the support for firmware signature check. At this time, the kernel checks extra signature file (*.sig) for each firmware, instead of embedded signature. It's just a quick hack using the existing module signing mechanism, thus

Re: [PATCH RFC 0/4] Add firmware signature file check

2012-11-05 Thread David Howells
David Howells dhowe...@redhat.com wrote: Takashi Iwai ti...@suse.de wrote: this is a patch series to add the support for firmware signature check. At this time, the kernel checks extra signature file (*.sig) for each firmware, instead of embedded signature. It's just a quick hack

[PATCH 02/28] Include missing linux/magic.h inclusions [RFC]

2013-04-16 Thread David Howells
Include missing linux/magic.h inclusions where the source file is currently expecting to get magic numbers through linux/proc_fs.h. Signed-off-by: David Howells dhowe...@redhat.com cc: linux-efi@vger.kernel.org --- drivers/firmware/efivars.c |1 + fs/proc/inode.c|1 + 2

[PATCH 01/28] Include missing linux/slab.h inclusions [RFC]

2013-04-16 Thread David Howells
Include missing linux/slab.h inclusions where the source file is currently expecting to get kmalloc() and co. through linux/proc_fs.h. Signed-off-by: David Howells dhowe...@redhat.com cc: linux-s...@vger.kernel.org cc: sparcli...@vger.kernel.org cc: linux-efi@vger.kernel.org cc: linux

Why kernel lockdown?

2017-04-10 Thread David Howells
Alexei Starovoitov wrote: > Also is there a description of what this lockdown trying to accomplish? Austin S. Hemmelgarn wrote: > ... but for any kind of proper security analysis, you need to better clarify > your threat model. 'Prevent

Re: [PATCH 1/5] efi: Move the x86 secure boot switch to generic code

2017-04-06 Thread David Howells
Sorry, I forgot to include a cover note. These five patches would replace 1-3 & 6 from my Kernel Lockdown series. The additional patch moves the secure boot switch from x86 to generic code. David -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to

[PATCH 1/5] efi: Move the x86 secure boot switch to generic code

2017-04-06 Thread David Howells
Move the switch-statement in x86's setup_arch() that interprets the secure_boot boot parameter to generic code. Suggested-by: Ard Biesheuvel <ard.biesheu...@linaro.org> Signed-off-by: David Howells <dhowe...@redhat.com> --- arch/x86/kernel/setup.c| 14 +--

[PATCH 2/5] efi: Add EFI_SECURE_BOOT bit

2017-04-06 Thread David Howells
hether secure boot mode is enabled so that it can be disabled. Signed-off-by: Josh Boyer <jwbo...@fedoraproject.org> Signed-off-by: David Howells <dhowe...@redhat.com> cc: linux-efi@vger.kernel.org --- drivers/firmware/efi/secure_boot.c |1 + include/linux/efi.h|1

[PATCH 3/5] Add the ability to lock down access to the running kernel image

2017-04-06 Thread David Howells
registers and disallowing hibernation, Signed-off-by: David Howells <dhowe...@redhat.com> --- include/linux/kernel.h |9 + include/linux/security.h | 11 +++ security/Kconfig | 15 +++ security/Makefile|3 +++ security/lock_down.c

[PATCH 5/5] Add a sysrq option to exit secure boot mode

2017-04-06 Thread David Howells
From: Kyle McMartin <k...@redhat.com> Make sysrq+x exit secure boot mode on x86_64, thereby allowing the running kernel image to be modified. This lifts the lockdown. Signed-off-by: Kyle McMartin <k...@redhat.com> Signed-off-by: David Howells <dhowe...@redhat.com> cc: x...@ker

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread David Howells
Mimi Zohar wrote: > > Okay, fair enough. I can stick in an OR with an IS_ENABLED on some IMA > > symbol. CONFIG_IMA_KEXEC maybe? And also require IMA be enabled? > > Not quite, since as Dave pointed out, IMA is policy driven. As a > policy is installed, we could

Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

2017-04-07 Thread David Howells
Andy Shevchenko wrote: > > From: Matthew Garrett > > > > We have no way of validating what all of the Asus WMI methods do on a given > > machine - and there's a risk that some will allow hardware state to be > > manipulated in such a way

[PATCH 00/24] Kernel lockdown

2017-04-05 Thread David Howells
on the hwparam branch, which I posted separately. David --- Dave Young (1): Copy secure_boot flag in boot params across kexec reboot David Howells (7): Add the ability to lock down access to the running kernel image efi: Lock down the kernel if booted in secure boot mode Enforce

[PATCH 04/24] Enforce module signatures if the kernel is locked down

2017-04-05 Thread David Howells
If the kernel is locked down, require that all modules have valid signatures that we can verify. Signed-off-by: David Howells <dhowe...@redhat.com> --- kernel/module.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/module.c b/kernel/module.c index 7eba6d

[PATCH 01/24] efi: Add EFI_SECURE_BOOT bit

2017-04-05 Thread David Howells
hether secure boot mode is enabled so that it can be disabled. Signed-off-by: Josh Boyer <jwbo...@fedoraproject.org> Signed-off-by: David Howells <dhowe...@redhat.com> --- arch/x86/kernel/setup.c |1 + include/linux/efi.h |1 + 2 files changed, 2 insertions(+) diff --git

[PATCH 02/24] Add the ability to lock down access to the running kernel image

2017-04-05 Thread David Howells
registers and disallowing hibernation, Signed-off-by: David Howells <dhowe...@redhat.com> --- include/linux/kernel.h |9 + include/linux/security.h | 11 +++ security/Kconfig | 15 +++ security/Makefile|3 +++ security/lock_down.c

[PATCH 03/24] efi: Lock down the kernel if booted in secure boot mode

2017-04-05 Thread David Howells
- if the kernel is secure-booted. Signed-off-by: David Howells <dhowe...@redhat.com> --- arch/x86/Kconfig| 12 arch/x86/kernel/setup.c |8 +++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index cc98d5

[PATCH 00/24] Kernel lockdown

2017-04-05 Thread David Howells
on the hwparam branch, which I posted separately. David --- Chun-Yi Lee (1): kexec_file: Disable at runtime if securelevel has been set Dave Young (1): Copy secure_boot flag in boot params across kexec reboot David Howells (7): Add the ability to lock down access to the running kernel

[PATCH 08/24] Copy secure_boot flag in boot params across kexec reboot

2017-04-05 Thread David Howells
to fix this by retaining the secure_boot flag in the original kernel. secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the stub. Fixing this issue by copying secure_boot flag across kexec reboot. Signed-off-by: Dave Young <dyo...@redhat.com> Signed-off-by: David Ho

[PATCH 05/24] Restrict /dev/mem and /dev/kmem when the kernel is locked down

2017-04-05 Thread David Howells
ebula.com> Signed-off-by: David Howells <dhowe...@redhat.com> --- drivers/char/mem.c |6 ++ 1 file changed, 6 insertions(+) diff --git a/drivers/char/mem.c b/drivers/char/mem.c index 6d9cc2d39d22..f8144049bda3 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -163,6 +163,9

[PATCH 07/24] kexec: Disable at runtime if the kernel is locked down

2017-04-05 Thread David Howells
nature on the image to be booted. Signed-off-by: Matthew Garrett <matthew.garr...@nebula.com> Signed-off-by: David Howells <dhowe...@redhat.com> --- kernel/kexec.c |7 +++ 1 file changed, 7 insertions(+) diff --git a/kernel/kexec.c b/kernel/kexec.c index 980936a90ee6..4

[PATCH 06/24] Add a sysrq option to exit secure boot mode

2017-04-05 Thread David Howells
From: Kyle McMartin <k...@redhat.com> Make sysrq+x exit secure boot mode on x86_64, thereby allowing the running kernel image to be modified. This lifts the lockdown. Signed-off-by: Kyle McMartin <k...@redhat.com> Signed-off-by: David Howells <dhowe...@redhat.com> ---

[PATCH 10/24] hibernate: Disable when the kernel is locked down

2017-04-05 Thread David Howells
ed-off-by: Josh Boyer <jwbo...@fedoraproject.org> Signed-off-by: David Howells <dhowe...@redhat.com> --- kernel/power/hibernate.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c index a8b978c35a6a..50cca5dcb62f 1

[PATCH 17/24] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down

2017-04-05 Thread David Howells
<jwbo...@redhat.com> Signed-off-by: David Howells <dhowe...@redhat.com> --- drivers/acpi/osl.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c index db78d353bab1..d4d4ba348451 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.

[PATCH 16/24] ACPI: Limit access to custom_method when the kernel is locked down

2017-04-05 Thread David Howells
thew.garr...@nebula.com> Signed-off-by: David Howells <dhowe...@redhat.com> --- drivers/acpi/custom_method.c |3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c index c68e72414a67..e4d721c330c0 100644 --- a/drivers/acpi/custom_meth

[PATCH 14/24] x86: Restrict MSR access when the kernel is locked down

2017-04-05 Thread David Howells
thew Garrett <matthew.garr...@nebula.com> Signed-off-by: David Howells <dhowe...@redhat.com> --- arch/x86/kernel/msr.c |7 +++ 1 file changed, 7 insertions(+) diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c index ef688804f80d..fbcce028e502 100644 --- a/arch/x86/kernel/msr

[PATCH 12/24] PCI: Lock down BAR access when the kernel is locked down

2017-04-05 Thread David Howells
future we can potentially relax this for sufficiently IOMMU-isolated devices. Signed-off-by: Matthew Garrett <matthew.garr...@nebula.com> Signed-off-by: David Howells <dhowe...@redhat.com> --- drivers/pci/pci-sysfs.c |9 + drivers/pci/proc.c |8 +++- dri

[PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

2017-04-05 Thread David Howells
module loading restrictions. Prevent that if the kernel is locked down. Signed-off-by: Matthew Garrett <matthew.garr...@nebula.com> Signed-off-by: David Howells <dhowe...@redhat.com> --- drivers/platform/x86/asus-wmi.c |9 + 1 file changed, 9 insertions(+) diff --git a/dr

[PATCH 11/24] uswsusp: Disable when the kernel is locked down

2017-04-05 Thread David Howells
From: Matthew Garrett <mj...@srcf.ucam.org> uswsusp allows a user process to dump and then restore kernel state, which makes it possible to modify the running kernel. Disable this if the kernel is locked down. Signed-off-by: Matthew Garrett <mj...@srcf.ucam.org> Signed-off-by: D

[PATCH 13/24] x86: Lock down IO port access when the kernel is locked down

2017-04-05 Thread David Howells
efault. This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls. Signed-off-by: Matthew Garrett <matthew.garr...@nebula.com> Signed-off-by: David Howells <dhowe...@redhat.com> --- arch/x86/kernel/ioport.c |4 ++-- drivers/char/mem.c |2 +

[PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-05 Thread David Howells
tt <mj...@srcf.ucam.org> Signed-off-by: Chun-Yi Lee <j...@suse.com> Signed-off-by: David Howells <dhowe...@redhat.com> --- kernel/kexec_file.c |6 ++ 1 file changed, 6 insertions(+) diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index b118735fea9d..f6937eecd1eb 100644 -

[PATCH 19/24] acpi: Disable APEI error injection if the kernel is locked down

2017-04-05 Thread David Howells
method to load unauthenticated privileged code, the effect of these errors may persist across reboots and affect trust in the underlying hardware, so disable error injection through EINJ if the kernel is locked down. Signed-off-by: Linn Crosetto <l...@hpe.com> Signed-off-by: David Howells <dhow

[PATCH 18/24] acpi: Disable ACPI table override if the kernel is locked down

2017-04-05 Thread David Howells
el is set, the kernel should disallow any unauthenticated changes to kernel space. ACPI tables contain code invoked by the kernel, so do not allow ACPI tables to be overridden if the kernel is locked down. Signed-off-by: Linn Crosetto <l...@hpe.com> Signed-off-by: David Howells <dhowe...@redhat.

Re: [PATCH 00/24] Kernel lockdown

2017-04-06 Thread David Howells
James Morris wrote: > > The patches can be found here also: > > > > > > http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=efi-lockdown > > > > Do you mean the branch 'efi-lock-down' ? Sorry, yes. David

Re: [PATCH 11/24] uswsusp: Disable when the kernel is locked down

2017-04-06 Thread David Howells
Rafael J. Wysocki wrote: > You probably want to disable hibernation altogether in this case. See patch 10. Does that mean patch 11 is superfluous? David

[PATCH 00/24] Kernel lockdown

2017-04-05 Thread David Howells
David Howells (7): Add the ability to lock down access to the running kernel image efi: Lock down the kernel if booted in secure boot mode Enforce module signatures if the kernel is locked down scsi: Lock down the eata driver Prohibit PCMCIA CIS storage when the kernel

[PATCH 24/24] Lock down module params that specify hardware parameters (eg. ioport)

2017-04-05 Thread David Howells
Provided an annotation for module parameters that specify hardware parameters (such as io ports, iomem addresses, irqs, dma channels, fixed dma buffers and other types). Suggested-by: Alan Cox <gno...@lxorguk.ukuu.org.uk> Signed-off-by: David Howells <dhowe...@redhat.com> --- ker

[PATCH 21/24] scsi: Lock down the eata driver

2017-04-05 Thread David Howells
ed-off-by: David Howells <dhowe...@redhat.com> cc: Dario Ballabio <ballabio_da...@emc.com> cc: "James E.J. Bottomley" <j...@linux.vnet.ibm.com> cc: "Martin K. Petersen" <martin.peter...@oracle.com> cc: linux-s...@vger.kernel.org --- drivers/scsi/eata.c |7 ++

[PATCH 20/24] bpf: Restrict kernel image access functions when the kernel is locked down

2017-04-05 Thread David Howells
ctions when the kernel is locked down. Signed-off-by: Chun-Yi Lee <j...@suse.com> Signed-off-by: David Howells <dhowe...@redhat.com> cc: net...@vger.kernel.org --- kernel/trace/bpf_trace.c | 11 +++ 1 file changed, 11 insertions(+) diff --git a/kernel/trace/bpf_trac

Re: [PATCH 01/24] efi: Add EFI_SECURE_BOOT bit

2017-04-06 Thread David Howells
Ard Biesheuvel wrote: > > @@ -1184,6 +1184,7 @@ void __init setup_arch(char **cmdline_p) > > pr_info("Secure boot disabled\n"); > > break; > > case efi_secureboot_mode_enabled: > > +

Re: [PATCH 00/24] Kernel lockdown

2017-04-05 Thread David Howells
Let me try sending this again again. Lee, Chun-Yi as a name causes the mail dispatcher to break :-/ David

[PATCH 10/24] hibernate: Disable when the kernel is locked down

2017-04-05 Thread David Howells
ed-off-by: Josh Boyer <jwbo...@fedoraproject.org> Signed-off-by: David Howells <dhowe...@redhat.com> cc: linux...@vger.kernel.org --- kernel/power/hibernate.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c

[PATCH 13/24] x86: Lock down IO port access when the kernel is locked down

2017-04-05 Thread David Howells
efault. This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls. Signed-off-by: Matthew Garrett <matthew.garr...@nebula.com> Signed-off-by: David Howells <dhowe...@redhat.com> cc: x...@kernel.org --- arch/x86/kernel/ioport.c |4 ++-- drivers/char/

[PATCH 07/24] kexec: Disable at runtime if the kernel is locked down

2017-04-05 Thread David Howells
nature on the image to be booted. Signed-off-by: Matthew Garrett <matthew.garr...@nebula.com> Signed-off-by: David Howells <dhowe...@redhat.com> cc: ke...@lists.infradead.org --- kernel/kexec.c |7 +++ 1 file changed, 7 insertions(+) diff --git a/kernel/kexec.c b/ke

[PATCH 03/24] efi: Lock down the kernel if booted in secure boot mode

2017-04-05 Thread David Howells
- if the kernel is secure-booted. Signed-off-by: David Howells <dhowe...@redhat.com> cc: linux-efi@vger.kernel.org --- arch/x86/Kconfig| 12 arch/x86/kernel/setup.c |8 +++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/ar

[PATCH 23/24] Lock down TIOCSSERIAL

2017-04-05 Thread David Howells
-Hartman <gre...@linuxfoundation.org> Signed-off-by: David Howells <dhowe...@redhat.com> cc: Jiri Slaby <jsl...@suse.com> --- drivers/tty/serial/serial_core.c |6 ++ 1 file changed, 6 insertions(+) diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/s

[PATCH 22/24] Prohibit PCMCIA CIS storage when the kernel is locked down

2017-04-05 Thread David Howells
Prohibit replacement of the PCMCIA Card Information Structure when the kernel is locked down. Suggested-by: Dominik Brodowski <li...@dominikbrodowski.net> Signed-off-by: David Howells <dhowe...@redhat.com> cc: linux-pcm...@lists.infradead.org --- drivers/pcmcia/cistpl.c |5 +

[PATCH 16/24] ACPI: Limit access to custom_method when the kernel is locked down

2017-04-05 Thread David Howells
thew.garr...@nebula.com> Signed-off-by: David Howells <dhowe...@redhat.com> cc: linux-a...@vger.kernel.org --- drivers/acpi/custom_method.c |3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c index c68e72414a67..e4d721c330c0 100644

[PATCH 14/24] x86: Restrict MSR access when the kernel is locked down

2017-04-05 Thread David Howells
; Signed-off-by: David Howells <dhowe...@redhat.com> Acked-by: Kees Cook <keesc...@chromium.org> cc: x...@kernel.org --- arch/x86/kernel/msr.c |7 +++ 1 file changed, 7 insertions(+) diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c index ef688804f80d..fbcce028e502 100644 ---

[PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

2017-04-05 Thread David Howells
module loading restrictions. Prevent that if the kernel is locked down. Signed-off-by: Matthew Garrett <matthew.garr...@nebula.com> Signed-off-by: David Howells <dhowe...@redhat.com> cc: acpi4asus-u...@lists.sourceforge.net cc: platform-driver-...@vger.kernel.org --- drivers/platf

[PATCH 12/24] PCI: Lock down BAR access when the kernel is locked down

2017-04-05 Thread David Howells
future we can potentially relax this for sufficiently IOMMU-isolated devices. Signed-off-by: Matthew Garrett <matthew.garr...@nebula.com> Signed-off-by: David Howells <dhowe...@redhat.com> cc: linux-...@vger.kernel.org --- drivers/pci/pci-sysfs.c |9 + drivers/pci/

[PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-05 Thread David Howells
tt <mj...@srcf.ucam.org> Signed-off-by: Chun-Yi Lee <j...@suse.com> Signed-off-by: David Howells <dhowe...@redhat.com> cc: ke...@lists.infradead.org --- kernel/kexec_file.c |6 ++ 1 file changed, 6 insertions(+) diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index b1

Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

2017-04-10 Thread David Howells
Andy Shevchenko wrote: > >> It looks a bit fragile when responsibility of whatever reasons kernel > >> can't serve become a driver burden. > >> Can we fix this in debugfs framework instead? > > > > Fix it with debugfs how? We can't offload the decision to userspace. >

Re: [PATCH 06/24] Add a sysrq option to exit secure boot mode

2017-04-14 Thread David Howells
Ard Biesheuvel wrote: > That does bring me to another EFI related point: many of these patches > are x86 specific for no good reason. Note that the sysrq one is awkward since the key chosen *is* arch-specific. SysRq+x can't be arbitrarily assigned to this since some

Re: [PATCH 20/24] bpf: Restrict kernel image access functions when the kernel is locked down

2017-04-13 Thread David Howells
Alexei Starovoitov wrote: > this will obviously break the program. Yeah. But if it allows one to twiddle the kernel image or gain access to crypto material... > How about disabling loading tracing programs during the lockdown completely? Interesting thought.

Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

2017-04-18 Thread David Howells
Ben Hutchings wrote: > > Shouldn't this now appear under /sys/kernel/tracing/ ? > > True, but old tracing scripts didn't go away. Conversion to a symlink would fix that. David

Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

2017-04-18 Thread David Howells
Ben Hutchings wrote: > - tracing (now tracefs, but it's expected to appear under debugfs) Shouldn't this now appear under /sys/kernel/tracing/ ? David

Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

2017-04-18 Thread David Howells
Ben Hutchings wrote: > So it's generally not going to be OK to turn off debugfs. There will > probably need to be a distinction between believed-safe and unsafe > directories/files. Any suggestion on how to mark this distinction? I'd prefer not to modify every read/write

Re: [PATCH 11/24] uswsusp: Disable when the kernel is locked down

2017-04-06 Thread David Howells
Oliver Neukum wrote: > Your swap partition may be located on an NVDIMM or be encrypted. An NVDIMM should be considered the same as any other persistent storage. It may be encrypted, but where's the key stored, how easy is it to retrieve and does the swapout code know this? >

Re: [PATCH 17/24] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down

2017-04-07 Thread David Howells
Dave Young wrote: > > > This option allows userspace to pass the RSDP address to the kernel, which > > > makes it possible for a user to circumvent any restrictions imposed on > > > loading modules. Ignore the option when the kernel is locked down. > > > > I'm not really

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread David Howells
Mimi Zohar wrote: > > > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down()) > > > + return -EPERM; > > > + > > > > > IMA can be used to verify file signatures too, based on the LSM hooks > in kernel_read_file_from_fd().

Re: [PATCH v5 01/32] x86: Documentation for AMD Secure Memory Encryption (SME)

2017-04-19 Thread David Howells
Borislav Petkov wrote: > "Subject: [PATCH v5 01/32] x86: Add documentation for AMD Secure Memory > Encryption (SME)" Or: x86: Document AMD Secure Memory Encryption (SME) support David

Re: [PATCH] efi: remove duplicate 'const' specifiers

2017-05-11 Thread David Howells
t;) > Signed-off-by: Arnd Bergmann <a...@arndb.de> Reviewed-by: David Howells <dhowe...@redhat.com>

Re: Problem with new X.509 is_hash_blacklisted() interface

2017-06-21 Thread David Howells
Ard Biesheuvel wrote: > > This can be told to skip a particular algorithm for when the caller > > has one precalculated. The precalculated hash can be passed to > > is_hash_blacklisted(). This would typically be the case for a signed > > X.509

Re: Problem with new X.509 is_hash_blacklisted() interface

2017-06-20 Thread David Howells
James Bottomley <james.bottom...@hansenpartnership.com> wrote: > Added by > > commit 436529562df2748fd9918f578205b22cf8ced277 > Author: David Howells <dhowe...@redhat.com> > Date: Mon Apr 3 16:07:25 2017 +0100 > > X.509: Allow X.509 certs to be blacklist

[PATCH 1/5] efi: Move the x86 secure boot switch to generic code

2017-05-24 Thread David Howells
Move the switch-statement in x86's setup_arch() that interprets the secure_boot boot parameter to generic code. Suggested-by: Ard Biesheuvel <ard.biesheu...@linaro.org> Signed-off-by: David Howells <dhowe...@redhat.com> --- arch/x86/kernel/setup.c | 14 +--

[PATCH 3/5] Add the ability to lock down access to the running kernel image

2017-05-24 Thread David Howells
registers and disallowing hibernation, Signed-off-by: David Howells <dhowe...@redhat.com> Acked-by: James Morris <james.l.mor...@oracle.com> --- include/linux/kernel.h |9 + include/linux/security.h | 11 +++ security/Kconfig | 15 +++ secur

[PATCH 5/5] Add a sysrq option to exit secure boot mode

2017-05-24 Thread David Howells
From: Kyle McMartin <k...@redhat.com> Make sysrq+x exit secure boot mode on x86_64, thereby allowing the running kernel image to be modified. This lifts the lockdown. Signed-off-by: Kyle McMartin <k...@redhat.com> Signed-off-by: David Howells <dhowe...@redhat.com> cc: x...@ker

[PATCH 4/5] efi: Lock down the kernel if booted in secure boot mode

2017-05-24 Thread David Howells
- if the kernel is secure-booted. Signed-off-by: David Howells <dhowe...@redhat.com> cc: linux-efi@vger.kernel.org --- drivers/firmware/efi/Kconfig |1 + drivers/firmware/efi/secureboot.c | 10 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/fi

Re: [PATCH 1/5] efi: Move the x86 secure boot switch to generic code

2017-05-24 Thread David Howells
Ard Biesheuvel wrote: > > + UEFI Secure Boot provides a mechanism for ensuring that the > > firmware > > + will only load signed bootloaders and kernels. Secure boot mode > > may > > + be determined from EFI variables provided by the BIOS if

[PATCH 0/5] security, efi: Set lockdown if in secure boot mode

2017-05-24 Thread David Howells
as there's a bug in Grub whereby it doesn't initialise the boot_params correctly. The incorrect initialisation causes sanitize_boot_params() to be triggered, thereby zapping the secure boot flag determined by the EFI boot wrapper. David --- David Howells (3): efi: Move the x86 secure b

[PATCH 2/5] efi: Add EFI_SECURE_BOOT bit

2017-05-24 Thread David Howells
hether secure boot mode is enabled so that it can be disabled. Signed-off-by: Josh Boyer <jwbo...@fedoraproject.org> Signed-off-by: David Howells <dhowe...@redhat.com> cc: linux-efi@vger.kernel.org --- drivers/firmware/efi/secureboot.c |1 + include/linux/efi.h |1 +

Re: [PATCH 3/5] Add the ability to lock down access to the running kernel image

2017-05-26 Thread David Howells
Casey Schaufler wrote: > You called out five distinct features in 0/5, so how about > a bit for each of those? Actually, there are more than five in that list - there are three in the first item - and I'm not sure the remaining categories are quite as well defined as I

Re: [PATCH 3/5] Add the ability to lock down access to the running kernel image

2017-05-25 Thread David Howells
Casey Schaufler wrote: > > +#ifdef CONFIG_LOCK_DOWN_KERNEL > > +extern bool kernel_is_locked_down(void); > > +#else > > +static inline bool kernel_is_locked_down(void) > > Should this be a bool or an int? I can imagine that someone is going to want > various different

Re: [PATCH 0/5] security, efi: Set lockdown if in secure boot mode

2017-05-31 Thread David Howells
Ard Biesheuvel wrote: > - The series conflates 'UEFI secure boot support' with 'kernel lock > down support'. I think this has been brought up before, but I really > think we should have a cleaner separation between the feature (locking > down various bits of the kernel

Re: [PATCH 0/5] security, efi: Set lockdown if in secure boot mode

2017-06-06 Thread David Howells
Ard Biesheuvel wrote: > and print a subsequent line for every lockdown feature that is enabled, e.g., > > lockdown: disabling MSRs > lockdown: disabling hibernate support There's another problem with this idea: the lockdown facility is passive - it doesn't go looking

Re: [PATCH 1/5] efi: Move the x86 secure boot switch to generic code

2017-05-02 Thread David Howells
Hi Ard, Any thoughts on these patches? Thanks, David

[GIT PULL] Hardware module parameter annotation for secure boot

2017-05-02 Thread David Howells
David Howells (38): Annotate module params that specify hardware parameters (eg. ioport) Annotate hardware config module parameters in arch/x86/mm/ Annotate hardware config module parameters in drivers/char/ipmi/ Annotate hardware config module parameters in drivers

Re: [PATCH 0/5] security, efi: Set lockdown if in secure boot mode

2017-05-31 Thread David Howells
Ard Biesheuvel wrote: > No, I am fine with keeping this as a single series. I don't want > anything under drivers/efi to imply policy regarding lockdown. Kernel > lockdown should be a feature that lives somewhere else, and which > contains a CONFIG_ option that implies

Re: Draft manpage explaining kernel lockdown

2017-10-05 Thread David Howells
Florian Weimer wrote: > > Lockdown is typically enabled during boot and may be terminated, if > > configured, by typing a special key combination on a directly attached > > physical keyboard. > > Does this include a Bluetooth keyboard (which might not actually exist and >

Draft manpage explaining kernel lockdown

2017-10-05 Thread David Howells
--- .\" .\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved. .\" Written by David Howells (dhowe...@redhat.com) .\" .\" %%%LICENSE_START(GPLv2+_SW_ONEPARA) .\" This program is free software; you can redistribute it and/or .\" modify it under the terms of the GNU General Public L

Re: Draft manpage explaining kernel lockdown

2017-10-05 Thread David Howells
Johannes Berg wrote: > > Only validly signed wifi databases may be use. > > We don't even have this yet, and when we do, we want this to be the > case for typical configurations regardless of lockdown. Okay. David

Re: [PATCH 26/30] Lock down ftrace

2017-11-10 Thread David Howells
Jiri Kosina wrote: > > The idea is to prevent cryptographic data for filesystems and other things > > from being read out of the kernel memory as well as to prevent unauthorised > > modification of kernel memory. > > Then it would make sense to actually lock down dumping of

Re: [PATCH 26/30] Lock down ftrace

2017-11-10 Thread David Howells
Okay, I've dropped the ftrace lockdown patch for the moment from my git branch. David

Re: [PATCH 26/30] Lock down ftrace

2017-11-10 Thread David Howells
Jiri Kosina wrote: > > This prevents crypto data theft by analysis of execution patterns, and, if > > in future ftrace also logs the register contents at the time, will prevent > > data theft by that mechanism also. > > I fail to see how this fits into the secure boot security

Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown

2017-11-13 Thread David Howells
Alan Cox wrote: > So you don't actually need to sign a lot of PC class firmware because > it's already signed. Whilst that may be true, we either have to check signatures on every bit of firmware that the appropriate driver doesn't say is meant to be signed or not
