Re: [PATCH v2 07/10] powerpc/configs/skiroot: Enable security features
Joel Stanley writes: > On Tue, 21 Jan 2020 at 04:30, Michael Ellerman wrote: >> >> From: Joel Stanley >> >> This turns on HARDENED_USERCOPY with HARDENED_USERCOPY_PAGESPAN, and >> FORTIFY_SOURCE. >> >> It also enables SECURITY_LOCKDOWN_LSM with _EARLY and >> LOCK_DOWN_KERNEL_FORCE_INTEGRITY options enabled. This still allows >> xmon to be used in read-only mode. >> >> MODULE_SIG is selected by lockdown, so it is still enabled. >> >> Signed-off-by: Joel Stanley >> [mpe: Switch to lockdown integrity mode per oohal] >> Signed-off-by: Michael Ellerman > > I did some testing and with change we break kexec. As it's critical > for this kernel to be able to kexec we need to set KEXEC_FILE=y if > we're setting FORCE_INTEGRITY=y. > > I've tested your series with that modification made and userspace was > once again able to kexec (with -s). Has the changes that enable this landed in kexec-lite and petitboot yet? I had to manually patch them when I was experimenting with it recently... Regards, Daniel > > Cheers, > > Joel > >> --- >> arch/powerpc/configs/skiroot_defconfig | 11 ++- >> 1 file changed, 10 insertions(+), 1 deletion(-) >> >> v2: Switch to lockdown integrity mode rather than confidentiality as noticed >> by >> dja and discussed with jms and oohal. >> >> diff --git a/arch/powerpc/configs/skiroot_defconfig >> b/arch/powerpc/configs/skiroot_defconfig >> index 24a210fe0049..93b478436a2b 100644 >> --- a/arch/powerpc/configs/skiroot_defconfig >> +++ b/arch/powerpc/configs/skiroot_defconfig >> @@ -49,7 +49,6 @@ CONFIG_JUMP_LABEL=y >> CONFIG_STRICT_KERNEL_RWX=y >> CONFIG_MODULES=y >> CONFIG_MODULE_UNLOAD=y >> -CONFIG_MODULE_SIG=y >> CONFIG_MODULE_SIG_FORCE=y >> CONFIG_MODULE_SIG_SHA512=y >> CONFIG_PARTITION_ADVANCED=y >> @@ -272,6 +271,16 @@ CONFIG_NLS_ASCII=y >> CONFIG_NLS_ISO8859_1=y >> CONFIG_NLS_UTF8=y >> CONFIG_ENCRYPTED_KEYS=y >> +CONFIG_SECURITY=y >> +CONFIG_HARDENED_USERCOPY=y >> +# CONFIG_HARDENED_USERCOPY_FALLBACK is not set >> +CONFIG_HARDENED_USERCOPY_PAGESPAN=y >> +CONFIG_FORTIFY_SOURCE=y >> +CONFIG_SECURITY_LOCKDOWN_LSM=y >> +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y >> +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y >> +# CONFIG_INTEGRITY is not set >> +CONFIG_LSM="yama,loadpin,safesetid,integrity" >> # CONFIG_CRYPTO_HW is not set >> CONFIG_CRC16=y >> CONFIG_CRC_ITU_T=y >> -- >> 2.21.1 >>
Re: [PATCH v2 07/10] powerpc/configs/skiroot: Enable security features
On Tue, 21 Jan 2020 at 04:30, Michael Ellerman wrote: > > From: Joel Stanley > > This turns on HARDENED_USERCOPY with HARDENED_USERCOPY_PAGESPAN, and > FORTIFY_SOURCE. > > It also enables SECURITY_LOCKDOWN_LSM with _EARLY and > LOCK_DOWN_KERNEL_FORCE_INTEGRITY options enabled. This still allows > xmon to be used in read-only mode. > > MODULE_SIG is selected by lockdown, so it is still enabled. > > Signed-off-by: Joel Stanley > [mpe: Switch to lockdown integrity mode per oohal] > Signed-off-by: Michael Ellerman I did some testing and with change we break kexec. As it's critical for this kernel to be able to kexec we need to set KEXEC_FILE=y if we're setting FORCE_INTEGRITY=y. I've tested your series with that modification made and userspace was once again able to kexec (with -s). Cheers, Joel > --- > arch/powerpc/configs/skiroot_defconfig | 11 ++- > 1 file changed, 10 insertions(+), 1 deletion(-) > > v2: Switch to lockdown integrity mode rather than confidentiality as noticed > by > dja and discussed with jms and oohal. > > diff --git a/arch/powerpc/configs/skiroot_defconfig > b/arch/powerpc/configs/skiroot_defconfig > index 24a210fe0049..93b478436a2b 100644 > --- a/arch/powerpc/configs/skiroot_defconfig > +++ b/arch/powerpc/configs/skiroot_defconfig > @@ -49,7 +49,6 @@ CONFIG_JUMP_LABEL=y > CONFIG_STRICT_KERNEL_RWX=y > CONFIG_MODULES=y > CONFIG_MODULE_UNLOAD=y > -CONFIG_MODULE_SIG=y > CONFIG_MODULE_SIG_FORCE=y > CONFIG_MODULE_SIG_SHA512=y > CONFIG_PARTITION_ADVANCED=y > @@ -272,6 +271,16 @@ CONFIG_NLS_ASCII=y > CONFIG_NLS_ISO8859_1=y > CONFIG_NLS_UTF8=y > CONFIG_ENCRYPTED_KEYS=y > +CONFIG_SECURITY=y > +CONFIG_HARDENED_USERCOPY=y > +# CONFIG_HARDENED_USERCOPY_FALLBACK is not set > +CONFIG_HARDENED_USERCOPY_PAGESPAN=y > +CONFIG_FORTIFY_SOURCE=y > +CONFIG_SECURITY_LOCKDOWN_LSM=y > +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y > +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y > +# CONFIG_INTEGRITY is not set > +CONFIG_LSM="yama,loadpin,safesetid,integrity" > # CONFIG_CRYPTO_HW is not set > CONFIG_CRC16=y > CONFIG_CRC_ITU_T=y > -- > 2.21.1 >
[PATCH v2 07/10] powerpc/configs/skiroot: Enable security features
From: Joel Stanley This turns on HARDENED_USERCOPY with HARDENED_USERCOPY_PAGESPAN, and FORTIFY_SOURCE. It also enables SECURITY_LOCKDOWN_LSM with _EARLY and LOCK_DOWN_KERNEL_FORCE_INTEGRITY options enabled. This still allows xmon to be used in read-only mode. MODULE_SIG is selected by lockdown, so it is still enabled. Signed-off-by: Joel Stanley [mpe: Switch to lockdown integrity mode per oohal] Signed-off-by: Michael Ellerman --- arch/powerpc/configs/skiroot_defconfig | 11 ++- 1 file changed, 10 insertions(+), 1 deletion(-) v2: Switch to lockdown integrity mode rather than confidentiality as noticed by dja and discussed with jms and oohal. diff --git a/arch/powerpc/configs/skiroot_defconfig b/arch/powerpc/configs/skiroot_defconfig index 24a210fe0049..93b478436a2b 100644 --- a/arch/powerpc/configs/skiroot_defconfig +++ b/arch/powerpc/configs/skiroot_defconfig @@ -49,7 +49,6 @@ CONFIG_JUMP_LABEL=y CONFIG_STRICT_KERNEL_RWX=y CONFIG_MODULES=y CONFIG_MODULE_UNLOAD=y -CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_SHA512=y CONFIG_PARTITION_ADVANCED=y @@ -272,6 +271,16 @@ CONFIG_NLS_ASCII=y CONFIG_NLS_ISO8859_1=y CONFIG_NLS_UTF8=y CONFIG_ENCRYPTED_KEYS=y +CONFIG_SECURITY=y +CONFIG_HARDENED_USERCOPY=y +# CONFIG_HARDENED_USERCOPY_FALLBACK is not set +CONFIG_HARDENED_USERCOPY_PAGESPAN=y +CONFIG_FORTIFY_SOURCE=y +CONFIG_SECURITY_LOCKDOWN_LSM=y +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y +# CONFIG_INTEGRITY is not set +CONFIG_LSM="yama,loadpin,safesetid,integrity" # CONFIG_CRYPTO_HW is not set CONFIG_CRC16=y CONFIG_CRC_ITU_T=y -- 2.21.1