ngompa/kernel-rpm
1
0
Fork 0
forked from rpms/kernel
Code Pull Requests Activity

Rebase the kernel lockdown patch set

Browse Source 
Use the latest version of the kernel lockdown patch set. This includes a
few configuration renames:

CONFIG_KEXEC_VERIFY_SIG became CONFIG_KEXEC_SIG and
CONFIG_KEXEC_SIG_FORCE was added. CONFIG_KEXEC_SIG_FORCE=n because the
"kexec_file: Restrict at runtime if the kernel is locked down" patch
enforces the signature requirement when the kernel is locked down.

CONFIG_LOCK_DOWN_MANDATORY got renamed to CONFIG_LOCK_DOWN_KERNEL_FORCE
and remains false as LOCK_DOWN_IN_EFI_SECURE_BOOT covers enabling it for
EFI Secure Boot users.

Finally, the SysRq patches got dropped for the present.
This commit is contained in:
Jeremy Cline 2019-04-15 11:10:59 -04:00
parent 8495ba147b
commit 4b5e4234be
11 changed files with 843 additions and 630 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
configs/fedora/generic/x86/CONFIG_KEXEC_SIG Normal file
View File

@ -0,0 +1 @@
CONFIG_KEXEC_SIG=y

1
configs/fedora/generic/x86/CONFIG_KEXEC_SIG_FORCE Normal file
View File

@ -0,0 +1 @@
# CONFIG_KEXEC_SIG_FORCE is not set

1
configs/fedora/generic/x86/CONFIG_KEXEC_VERIFY_SIG
View File

@ -1 +0,0 @@
CONFIG_KEXEC_VERIFY_SIG=y

1
configs/fedora/generic/x86/CONFIG_LOCK_DOWN_KERNEL_FORCE Normal file
View File

@ -0,0 +1 @@
# CONFIG_LOCK_DOWN_KERNEL_FORCE is not set

1
configs/fedora/generic/x86/CONFIG_LOCK_DOWN_MANDATORY
View File

@ -1 +0,0 @@
# CONFIG_LOCK_DOWN_MANDATORY is not set

1346
efi-lockdown.patch
View File

File diff suppressed because it is too large Load Diff

84
efi-secureboot.patch
View File

@ -1,43 +1,3 @@
From b96ff1fd9e94772fde7b58fd69969d1a1c87eb6d Mon Sep 17 00:00:00 2001
From: Dave Young <dyoung@redhat.com>
Date: Tue, 27 Feb 2018 10:04:51 +0000
Subject: [PATCH 07/31] Copy secure_boot flag in boot params across kexec
reboot
Kexec reboot in case secure boot being enabled does not keep the secure
boot mode in new kernel, so later one can load unsigned kernel via legacy
kexec_load. In this state, the system is missing the protections provided
by secure boot.
Adding a patch to fix this by retain the secure_boot flag in original
kernel.
secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the
stub. Fixing this issue by copying secure_boot flag across kexec reboot.
Signed-off-by: Dave Young <dyoung@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: kexec@lists.infradead.org
---
arch/x86/kernel/kexec-bzimage64.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
index fb095ba0c02f..7d0fac5bcbbe 100644
--- a/arch/x86/kernel/kexec-bzimage64.c
+++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
if (efi_enabled(EFI_OLD_MEMMAP))
return 0;
+ params->secure_boot = boot_params.secure_boot;
ei->efi_loader_signature = current_ei->efi_loader_signature;
ei->efi_systab = current_ei->efi_systab;
ei->efi_systab_hi = current_ei->efi_systab_hi;
--
2.14.3
From b5123d0553f4ed5e734f6457696cdd30228d1eee Mon Sep 17 00:00:00 2001 From b5123d0553f4ed5e734f6457696cdd30228d1eee Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com> From: David Howells <dhowells@redhat.com>
Date: Tue, 27 Feb 2018 10:04:55 +0000 Date: Tue, 27 Feb 2018 10:04:55 +0000
@ -221,10 +181,10 @@ cc: linux-efi@vger.kernel.org
4 files changed, 20 insertions(+), 3 deletions(-) 4 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index a7c240f00d78..1277d1857c5c 100644 index adeee6329f55..27a54ec878bd 100644
--- a/arch/x86/kernel/setup.c --- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c
@@ -64,6 +64,7 @@ @@ -65,6 +65,7 @@
#include <linux/dma-mapping.h> #include <linux/dma-mapping.h>
#include <linux/ctype.h> #include <linux/ctype.h>
#include <linux/uaccess.h> #include <linux/uaccess.h>
@ -232,16 +192,18 @@ index a7c240f00d78..1277d1857c5c 100644
#include <linux/percpu.h> #include <linux/percpu.h>
#include <linux/crash_dump.h> #include <linux/crash_dump.h>
@@ -997,6 +998,8 @@ void __init setup_arch(char **cmdline_p) @@ -1005,6 +1006,10 @@ void __init setup_arch(char **cmdline_p)
if (efi_enabled(EFI_BOOT)) if (efi_enabled(EFI_BOOT))
efi_init(); efi_init();
+ efi_set_secure_boot(boot_params.secure_boot); + efi_set_secure_boot(boot_params.secure_boot);
+ +
init_lockdown(); + init_lockdown()
+
dmi_scan_machine(); dmi_scan_machine();
@@ -1150,8 +1154,6 @@ void __init setup_arch(char **cmdline_p) dmi_memdev_walk();
dmi_set_dump_stack_arch_desc();
@@ -1159,8 +1164,6 @@ void __init setup_arch(char **cmdline_p)
/* Allocate bigger log buffer */ /* Allocate bigger log buffer */
setup_log_buf(1); setup_log_buf(1);
@ -264,12 +226,12 @@ index ce261e1765ff..7aff55b309a6 100644
return simple_setattr(dentry, ia); return simple_setattr(dentry, ia);
} }
diff --git a/security/Kconfig b/security/Kconfig diff --git a/security/Kconfig b/security/Kconfig
index 461d5acc3616..13fdada1ffc2 100644 index 9c343f262bdd..30788bc47863 100644
--- a/security/Kconfig --- a/security/Kconfig
+++ b/security/Kconfig +++ b/security/Kconfig
@@ -248,6 +248,20 @@ config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ @@ -244,6 +244,20 @@ config LOCK_DOWN_KERNEL_FORCE
Allow the lockdown on a kernel to be lifted, by pressing a SysRq key help
combination on a wired keyboard. On x86, this is SysRq+x. Enable the kernel lock down functionality automatically at boot.
+config LOCK_DOWN_IN_EFI_SECURE_BOOT +config LOCK_DOWN_IN_EFI_SECURE_BOOT
+ bool "Lock down the kernel in EFI Secure Boot mode" + bool "Lock down the kernel in EFI Secure Boot mode"
@ -285,24 +247,24 @@ index 461d5acc3616..13fdada1ffc2 100644
+ Enabling this option turns on results in kernel lockdown being + Enabling this option turns on results in kernel lockdown being
+ triggered if EFI Secure Boot is set. + triggered if EFI Secure Boot is set.
+ +
source "security/selinux/Kconfig" source "security/selinux/Kconfig"
source "security/smack/Kconfig" source "security/smack/Kconfig"
source "security/tomoyo/Kconfig"
diff --git a/security/lock_down.c b/security/lock_down.c diff --git a/security/lock_down.c b/security/lock_down.c
index 2c6b00f0c229..527f7e51dc8d 100644 index ee00ca2677e7..bb4dc7838f3e 100644
--- a/security/lock_down.c --- a/security/lock_down.c
+++ b/security/lock_down.c +++ b/security/lock_down.c
@@ -12,6 +12,7 @@ @@ -12,6 +12,7 @@
#include <linux/export.h>
#include <linux/sched.h>
#include <linux/sysrq.h>
+#include <linux/efi.h>
#include <asm/setup.h>
#ifndef CONFIG_LOCK_DOWN_MANDATORY #include <linux/security.h>
@@ -55,6 +55,10 @@ void __init init_lockdown(void) #include <linux/export.h>
#ifdef CONFIG_LOCK_DOWN_MANDATORY +#include <linux/efi.h>
pr_notice("Kernel is locked down from config; see man kernel_lockdown.7\n");
static __ro_after_init bool kernel_locked_down;
@@ -44,6 +45,10 @@ void __init init_lockdown(void)
#ifdef CONFIG_LOCK_DOWN_FORCE
lock_kernel_down("Kernel configuration");
#endif #endif
+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT +#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
+ if (efi_enabled(EFI_SECURE_BOOT)) + if (efi_enabled(EFI_SECURE_BOOT))

5
kernel-i686-debug.config
View File

@ -2644,7 +2644,8 @@ CONFIG_KERNEL_GZIP=y
# CONFIG_KERNEL_XZ is not set # CONFIG_KERNEL_XZ is not set
# CONFIG_KEXEC_FILE is not set # CONFIG_KEXEC_FILE is not set
# CONFIG_KEXEC_JUMP is not set # CONFIG_KEXEC_JUMP is not set
CONFIG_KEXEC_VERIFY_SIG=y # CONFIG_KEXEC_SIG_FORCE is not set
CONFIG_KEXEC_SIG=y
CONFIG_KEXEC=y CONFIG_KEXEC=y
# CONFIG_KEYBOARD_ADC is not set # CONFIG_KEYBOARD_ADC is not set
# CONFIG_KEYBOARD_ADP5588 is not set # CONFIG_KEYBOARD_ADP5588 is not set
@ -2827,8 +2828,8 @@ CONFIG_LOCALVERSION=""
# CONFIG_LOCALVERSION_AUTO is not set # CONFIG_LOCALVERSION_AUTO is not set
CONFIG_LOCKD=m CONFIG_LOCKD=m
# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
# CONFIG_LOCK_DOWN_KERNEL_FORCE is not set
CONFIG_LOCK_DOWN_KERNEL=y CONFIG_LOCK_DOWN_KERNEL=y
# CONFIG_LOCK_DOWN_MANDATORY is not set
CONFIG_LOCKD_V4=y CONFIG_LOCKD_V4=y
CONFIG_LOCK_STAT=y CONFIG_LOCK_STAT=y
CONFIG_LOCK_TORTURE_TEST=m CONFIG_LOCK_TORTURE_TEST=m

5
kernel-i686.config
View File

@ -2625,7 +2625,8 @@ CONFIG_KERNEL_GZIP=y
# CONFIG_KERNEL_XZ is not set # CONFIG_KERNEL_XZ is not set
# CONFIG_KEXEC_FILE is not set # CONFIG_KEXEC_FILE is not set
# CONFIG_KEXEC_JUMP is not set # CONFIG_KEXEC_JUMP is not set
CONFIG_KEXEC_VERIFY_SIG=y # CONFIG_KEXEC_SIG_FORCE is not set
CONFIG_KEXEC_SIG=y
CONFIG_KEXEC=y CONFIG_KEXEC=y
# CONFIG_KEYBOARD_ADC is not set # CONFIG_KEYBOARD_ADC is not set
# CONFIG_KEYBOARD_ADP5588 is not set # CONFIG_KEYBOARD_ADP5588 is not set
@ -2808,8 +2809,8 @@ CONFIG_LOCALVERSION=""
# CONFIG_LOCALVERSION_AUTO is not set # CONFIG_LOCALVERSION_AUTO is not set
CONFIG_LOCKD=m CONFIG_LOCKD=m
# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
# CONFIG_LOCK_DOWN_KERNEL_FORCE is not set
CONFIG_LOCK_DOWN_KERNEL=y CONFIG_LOCK_DOWN_KERNEL=y
# CONFIG_LOCK_DOWN_MANDATORY is not set
CONFIG_LOCKD_V4=y CONFIG_LOCKD_V4=y
# CONFIG_LOCK_STAT is not set # CONFIG_LOCK_STAT is not set
# CONFIG_LOCK_TORTURE_TEST is not set # CONFIG_LOCK_TORTURE_TEST is not set

5
kernel-x86_64-debug.config
View File

@ -2701,7 +2701,8 @@ CONFIG_KERNEL_GZIP=y
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
CONFIG_KEXEC_FILE=y CONFIG_KEXEC_FILE=y
CONFIG_KEXEC_JUMP=y CONFIG_KEXEC_JUMP=y
CONFIG_KEXEC_VERIFY_SIG=y # CONFIG_KEXEC_SIG_FORCE is not set
CONFIG_KEXEC_SIG=y
CONFIG_KEXEC=y CONFIG_KEXEC=y
# CONFIG_KEYBOARD_ADC is not set # CONFIG_KEYBOARD_ADC is not set
# CONFIG_KEYBOARD_ADP5588 is not set # CONFIG_KEYBOARD_ADP5588 is not set
@ -2884,8 +2885,8 @@ CONFIG_LOCALVERSION=""
# CONFIG_LOCALVERSION_AUTO is not set # CONFIG_LOCALVERSION_AUTO is not set
CONFIG_LOCKD=m CONFIG_LOCKD=m
CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
# CONFIG_LOCK_DOWN_KERNEL_FORCE is not set
CONFIG_LOCK_DOWN_KERNEL=y CONFIG_LOCK_DOWN_KERNEL=y
# CONFIG_LOCK_DOWN_MANDATORY is not set
CONFIG_LOCKD_V4=y CONFIG_LOCKD_V4=y
CONFIG_LOCK_STAT=y CONFIG_LOCK_STAT=y
CONFIG_LOCK_TORTURE_TEST=m CONFIG_LOCK_TORTURE_TEST=m

5
kernel-x86_64.config
View File

@ -2682,7 +2682,8 @@ CONFIG_KERNEL_GZIP=y
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
CONFIG_KEXEC_FILE=y CONFIG_KEXEC_FILE=y
CONFIG_KEXEC_JUMP=y CONFIG_KEXEC_JUMP=y
CONFIG_KEXEC_VERIFY_SIG=y # CONFIG_KEXEC_SIG_FORCE is not set
CONFIG_KEXEC_SIG=y
CONFIG_KEXEC=y CONFIG_KEXEC=y
# CONFIG_KEYBOARD_ADC is not set # CONFIG_KEYBOARD_ADC is not set
# CONFIG_KEYBOARD_ADP5588 is not set # CONFIG_KEYBOARD_ADP5588 is not set
@ -2865,8 +2866,8 @@ CONFIG_LOCALVERSION=""
# CONFIG_LOCALVERSION_AUTO is not set # CONFIG_LOCALVERSION_AUTO is not set
CONFIG_LOCKD=m CONFIG_LOCKD=m
CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
# CONFIG_LOCK_DOWN_KERNEL_FORCE is not set
CONFIG_LOCK_DOWN_KERNEL=y CONFIG_LOCK_DOWN_KERNEL=y
# CONFIG_LOCK_DOWN_MANDATORY is not set
CONFIG_LOCKD_V4=y CONFIG_LOCKD_V4=y
# CONFIG_LOCK_STAT is not set # CONFIG_LOCK_STAT is not set
# CONFIG_LOCK_TORTURE_TEST is not set # CONFIG_LOCK_TORTURE_TEST is not set