Add system_keyring patches back in

This commit is contained in:
Josh Boyer 2013-09-03 17:26:36 -04:00
parent 663b7fc9c8
commit d7ee6f3b0e
6 changed files with 1853 additions and 246 deletions

View File

@ -441,12 +441,13 @@ CONFIG_VMWARE_VMCI_VSOCKETS=m
CONFIG_XZ_DEC_X86=y
CONFIG_MPILIB=y
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
CONFIG_MODULE_SIG_SHA256=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_BLACKLIST=y
CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y
CONFIG_EFI_SIGNATURE_LIST_PARSER=y

View File

@ -62,7 +62,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
%global baserelease 1
%global baserelease 3
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@ -651,6 +651,7 @@ Patch800: crash-driver.patch
# keys
Patch900: keys-expand-keyring.patch
Patch901: keys-krb-support.patch
Patch902: keys-x509-improv.patch
# secure boot
Patch1000: secure-modules.patch
@ -1394,6 +1395,7 @@ ApplyPatch crash-driver.patch
# keys
ApplyPatch keys-expand-keyring.patch
ApplyPatch keys-krb-support.patch
ApplyPatch keys-x509-improv.patch
# secure boot
ApplyPatch secure-modules.patch
@ -2280,6 +2282,9 @@ fi
# ||----w |
# || ||
%changelog
* Tue Sep 03 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.11.0-3
- Add system_keyring patches back in
* Tue Sep 03 2013 Kyle McMartin <kyle@redhat.com>
- Pull in some Calxeda highbank fixes that are destined for 3.12
- Add a %with_extra twiddle to disable building kernel-modules-extra

1580
keys-x509-improv.patch Normal file

File diff suppressed because it is too large Load Diff

View File

@ -1,4 +1,4 @@
From cff9d37c9529fca5ff853f0050c7f0de0e819ea7 Mon Sep 17 00:00:00 2001
From 725d7e7fb9ca1065102e640cf8af606169e63075 Mon Sep 17 00:00:00 2001
From: Dave Howells <dhowells@redhat.com>
Date: Tue, 23 Oct 2012 09:30:54 -0400
Subject: [PATCH 1/4] Add EFI signature data types
@ -53,7 +53,7 @@ index eed2202..1da1b3c 100644
1.8.3.1
From 2ce1c1d0d7110c4b06d65e4c8506f6c54aa72628 Mon Sep 17 00:00:00 2001
From f204253a34b477c5d68df711326a694b58e51c76 Mon Sep 17 00:00:00 2001
From: Dave Howells <dhowells@redhat.com>
Date: Tue, 23 Oct 2012 09:36:28 -0400
Subject: [PATCH 2/4] Add an EFI signature blob parser and key loader.
@ -65,9 +65,9 @@ Signed-off-by: David Howells <dhowells@redhat.com>
---
crypto/asymmetric_keys/Kconfig | 8 +++
crypto/asymmetric_keys/Makefile | 1 +
crypto/asymmetric_keys/efi_parser.c | 108 ++++++++++++++++++++++++++++++++++++
crypto/asymmetric_keys/efi_parser.c | 109 ++++++++++++++++++++++++++++++++++++
include/linux/efi.h | 4 ++
4 files changed, 121 insertions(+)
4 files changed, 122 insertions(+)
create mode 100644 crypto/asymmetric_keys/efi_parser.c
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
@ -101,10 +101,10 @@ index 0727204..cd8388e 100644
# X.509 Certificate handling
diff --git a/crypto/asymmetric_keys/efi_parser.c b/crypto/asymmetric_keys/efi_parser.c
new file mode 100644
index 0000000..636feb1
index 0000000..424896a
--- /dev/null
+++ b/crypto/asymmetric_keys/efi_parser.c
@@ -0,0 +1,108 @@
@@ -0,0 +1,109 @@
+/* EFI signature/key/certificate list parser
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
@ -195,7 +195,8 @@ index 0000000..636feb1
+ esize - sizeof(*elem),
+ (KEY_POS_ALL & ~KEY_POS_SETATTR) |
+ KEY_USR_VIEW,
+ KEY_ALLOC_NOT_IN_QUOTA);
+ KEY_ALLOC_NOT_IN_QUOTA |
+ KEY_ALLOC_TRUSTED);
+
+ if (IS_ERR(key))
+ pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
@ -232,10 +233,10 @@ index 1da1b3c..42a1d25 100644
1.8.3.1
From 0e4e8acfd0932bbf6b02112218092c810d9469a5 Mon Sep 17 00:00:00 2001
From cebc8870a8f0b97b2585a07d9957ead0f21cdc8a Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Fri, 26 Oct 2012 12:36:24 -0400
Subject: [PATCH 3/4] MODSIGN: Add module certificate blacklist keyring
Subject: [PATCH 3/4] KEYS: Add a system blacklist keyring
This adds an additional keyring that is used to store certificates that
are blacklisted. This keyring is searched first when loading signed modules
@ -244,86 +245,57 @@ useful in cases where third party certificates are used for module signing.
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
---
init/Kconfig | 8 ++++++++
kernel/modsign_pubkey.c | 14 ++++++++++++++
kernel/module-internal.h | 3 +++
kernel/module_signing.c | 12 ++++++++++++
4 files changed, 37 insertions(+)
include/keys/system_keyring.h | 4 ++++
init/Kconfig | 9 +++++++++
kernel/module_signing.c | 12 ++++++++++++
kernel/system_keyring.c | 17 +++++++++++++++++
4 files changed, 42 insertions(+)
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 8dabc39..e466de1 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -18,6 +18,10 @@
extern struct key *system_trusted_keyring;
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
+extern struct key *system_blacklist_keyring;
+#endif
+
#endif
#endif /* _KEYS_SYSTEM_KEYRING_H */
diff --git a/init/Kconfig b/init/Kconfig
index fed81b5..b4fa2d1 100644
index 9f3cfdc..547f617 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1772,6 +1772,14 @@ config MODULE_SIG_ALL
comment "Do not forget to sign required modules with scripts/sign-file"
depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
@@ -1676,6 +1676,15 @@ config SYSTEM_TRUSTED_KEYRING
+config MODULE_SIG_BLACKLIST
+ bool "Support for blacklisting module signature certificates"
+ depends on MODULE_SIG
Keys in this keyring are used by module signature checking.
+config SYSTEM_BLACKLIST_KEYRING
+ bool "Provide system-wide ring of blacklisted keys"
+ depends on KEYS
+ help
+ This adds support for keeping a blacklist of certificates that
+ should not pass module signature verification. If a module is
+ signed with something in this keyring, the load will be rejected.
+ Provide a system keyring to which blacklisted keys can be added. Keys
+ in the keyring are considered entirely untrusted. Keys in this keyring
+ are used by the module signature checking to reject loading of modules
+ signed with a blacklisted key.
+
choice
prompt "Which hash algorithm should modules be signed with?"
depends on MODULE_SIG
diff --git a/kernel/modsign_pubkey.c b/kernel/modsign_pubkey.c
index 2b6e699..4cd408d 100644
--- a/kernel/modsign_pubkey.c
+++ b/kernel/modsign_pubkey.c
@@ -17,6 +17,9 @@
#include "module-internal.h"
struct key *modsign_keyring;
+#ifdef CONFIG_MODULE_SIG_BLACKLIST
+struct key *modsign_blacklist;
+#endif
extern __initdata const u8 modsign_certificate_list[];
extern __initdata const u8 modsign_certificate_list_end[];
@@ -43,6 +46,17 @@ static __init int module_verify_init(void)
if (IS_ERR(modsign_keyring))
panic("Can't allocate module signing keyring\n");
+#ifdef CONFIG_MODULE_SIG_BLACKLIST
+ modsign_blacklist = keyring_alloc(".modsign_blacklist",
+ KUIDT_INIT(0), KGIDT_INIT(0),
+ current_cred(),
+ (KEY_POS_ALL & ~KEY_POS_SETATTR) |
+ KEY_USR_VIEW | KEY_USR_READ,
+ KEY_ALLOC_NOT_IN_QUOTA, NULL);
+ if (IS_ERR(modsign_blacklist))
+ panic("Can't allocate module signing blacklist keyring\n");
+#endif
+
return 0;
}
diff --git a/kernel/module-internal.h b/kernel/module-internal.h
index 24f9247..51a8380 100644
--- a/kernel/module-internal.h
+++ b/kernel/module-internal.h
@@ -10,5 +10,8 @@
*/
extern struct key *modsign_keyring;
+#ifdef CONFIG_MODULE_SIG_BLACKLIST
+extern struct key *modsign_blacklist;
+#endif
extern int mod_verify_sig(const void *mod, unsigned long *_modlen);
menuconfig MODULES
bool "Enable loadable module support"
help
diff --git a/kernel/module_signing.c b/kernel/module_signing.c
index f2970bd..5423195 100644
index 0b6b870..0a29b40 100644
--- a/kernel/module_signing.c
+++ b/kernel/module_signing.c
@@ -157,6 +157,18 @@ static struct key *request_asymmetric_key(const char *signer, size_t signer_len,
@@ -158,6 +158,18 @@ static struct key *request_asymmetric_key(const char *signer, size_t signer_len,
pr_debug("Look up: \"%s\"\n", id);
+#ifdef CONFIG_MODULE_SIG_BLACKLIST
+ key = keyring_search(make_key_ref(modsign_blacklist, 1),
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
+ key = keyring_search(make_key_ref(system_blacklist_keyring, 1),
+ &key_type_asymmetric, id);
+ if (!IS_ERR(key)) {
+ /* module is signed with a cert in the blacklist. reject */
@ -334,20 +306,55 @@ index f2970bd..5423195 100644
+ }
+#endif
+
key = keyring_search(make_key_ref(modsign_keyring, 1),
key = keyring_search(make_key_ref(system_trusted_keyring, 1),
&key_type_asymmetric, id);
if (IS_ERR(key))
diff --git a/kernel/system_keyring.c b/kernel/system_keyring.c
index 4ca7072..b19cc6e 100644
--- a/kernel/system_keyring.c
+++ b/kernel/system_keyring.c
@@ -20,6 +20,9 @@
struct key *system_trusted_keyring;
EXPORT_SYMBOL_GPL(system_trusted_keyring);
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
+struct key *system_blacklist_keyring;
+#endif
extern __initdata const u8 system_certificate_list[];
extern __initdata const u8 system_certificate_list_end[];
@@ -41,6 +44,20 @@ static __init int system_trusted_keyring_init(void)
panic("Can't allocate system trusted keyring\n");
set_bit(KEY_FLAG_TRUSTED_ONLY, &system_trusted_keyring->flags);
+
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
+ system_blacklist_keyring = keyring_alloc(".system_blacklist_keyring",
+ KUIDT_INIT(0), KGIDT_INIT(0),
+ current_cred(),
+ (KEY_POS_ALL & ~KEY_POS_SETATTR) |
+ KEY_USR_VIEW | KEY_USR_READ,
+ KEY_ALLOC_NOT_IN_QUOTA, NULL);
+ if (IS_ERR(system_blacklist_keyring))
+ panic("Can't allocate system blacklist keyring\n");
+
+ set_bit(KEY_FLAG_TRUSTED_ONLY, &system_blacklist_keyring->flags);
+#endif
+
return 0;
}
--
1.8.3.1
From c558b46370e850851a94795df67b7c57aecc48ea Mon Sep 17 00:00:00 2001
From aa4f39ac51f8b9f589c13766e5e32a5b7794ed68 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Fri, 26 Oct 2012 12:42:16 -0400
Subject: [PATCH 4/4] MODSIGN: Import certificates from UEFI Secure Boot
Secure Boot stores a list of allowed certificates in the 'db' variable.
This imports those certificates into the module signing keyring. This
This imports those certificates into the system trusted keyring. This
allows for a third party signing certificate to be used in conjunction
with signed modules. By importing the public certificate into the 'db'
variable, a user can allow a module signed with that certificate to
@ -356,7 +363,7 @@ in the 'MokListRT' variable. We import those as well.
In the opposite case, Secure Boot maintains a list of disallowed
certificates in the 'dbx' variable. We load those certificates into
the newly introduced module blacklist keyring and forbid any module
the newly introduced system blacklist keyring and forbid any module
signed with those from loading.
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
@ -364,8 +371,8 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
include/linux/efi.h | 6 ++++
init/Kconfig | 9 +++++
kernel/Makefile | 3 ++
kernel/modsign_uefi.c | 91 +++++++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 109 insertions(+)
kernel/modsign_uefi.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 110 insertions(+)
create mode 100644 kernel/modsign_uefi.c
diff --git a/include/linux/efi.h b/include/linux/efi.h
@ -386,16 +393,16 @@ index 42a1d25..d3e6036 100644
efi_guid_t guid;
u64 table;
diff --git a/init/Kconfig b/init/Kconfig
index b4fa2d1..94ce526 100644
index 547f617..8e943bf 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1780,6 +1780,15 @@ config MODULE_SIG_BLACKLIST
should not pass module signature verification. If a module is
signed with something in this keyring, the load will be rejected.
@@ -1794,6 +1794,15 @@ config MODULE_SIG_ALL
comment "Do not forget to sign required modules with scripts/sign-file"
depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
+config MODULE_SIG_UEFI
+ bool "Allow modules signed with certs stored in UEFI"
+ depends on MODULE_SIG && MODULE_SIG_BLACKLIST && EFI
+ depends on MODULE_SIG && SYSTEM_BLACKLIST_KEYRING && EFI
+ select EFI_SIGNATURE_LIST_PARSER
+ help
+ This will import certificates stored in UEFI and allow modules
@ -406,18 +413,18 @@ index b4fa2d1..94ce526 100644
prompt "Which hash algorithm should modules be signed with?"
depends on MODULE_SIG
diff --git a/kernel/Makefile b/kernel/Makefile
index 35ef118..6ca1fea 100644
index 1ff5e3b..f9b9998 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -55,6 +55,7 @@ obj-$(CONFIG_PROVE_LOCKING) += spinlock.o
obj-$(CONFIG_UID16) += uid16.o
@@ -56,6 +56,7 @@ obj-$(CONFIG_UID16) += uid16.o
obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
obj-$(CONFIG_MODULES) += module.o
obj-$(CONFIG_MODULE_SIG) += module_signing.o modsign_pubkey.o modsign_certificate.o
obj-$(CONFIG_MODULE_SIG) += module_signing.o
+obj-$(CONFIG_MODULE_SIG_UEFI) += modsign_uefi.o
obj-$(CONFIG_KALLSYMS) += kallsyms.o
obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
obj-$(CONFIG_KEXEC) += kexec.o
@@ -114,6 +115,8 @@ obj-$(CONFIG_CONTEXT_TRACKING) += context_tracking.o
@@ -115,6 +116,8 @@ obj-$(CONFIG_CONTEXT_TRACKING) += context_tracking.o
$(obj)/configs.o: $(obj)/config_data.h
@ -428,10 +435,10 @@ index 35ef118..6ca1fea 100644
targets += config_data.gz
diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
new file mode 100644
index 0000000..7eae5b4
index 0000000..94b0eb3
--- /dev/null
+++ b/kernel/modsign_uefi.c
@@ -0,0 +1,91 @@
@@ -0,0 +1,92 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/cred.h>
@ -439,6 +446,7 @@ index 0000000..7eae5b4
+#include <linux/efi.h>
+#include <linux/slab.h>
+#include <keys/asymmetric-type.h>
+#include <keys/system_keyring.h>
+#include "module-internal.h"
+
+static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
@ -493,7 +501,7 @@ index 0000000..7eae5b4
+ if (!db) {
+ pr_err("MODSIGN: Couldn't get UEFI db list\n");
+ } else {
+ rc = parse_efi_signature_list(db, dbsize, modsign_keyring);
+ rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
+ if (rc)
+ pr_err("Couldn't parse db signatures: %d\n", rc);
+ kfree(db);
@ -503,7 +511,7 @@ index 0000000..7eae5b4
+ if (!mok) {
+ pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
+ } else {
+ rc = parse_efi_signature_list(mok, moksize, modsign_keyring);
+ rc = parse_efi_signature_list(mok, moksize, system_trusted_keyring);
+ if (rc)
+ pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
+ kfree(mok);
@ -514,7 +522,7 @@ index 0000000..7eae5b4
+ pr_info("MODSIGN: Couldn't get UEFI dbx list\n");
+ } else {
+ rc = parse_efi_signature_list(dbx, dbxsize,
+ modsign_blacklist);
+ system_blacklist_keyring);
+ if (rc)
+ pr_err("Couldn't parse dbx signatures: %d\n", rc);
+ kfree(dbx);

View File

@ -1,4 +1,4 @@
From 4fe6d11d21b548d6e8272cc8cad5fcc6150ef081 Mon Sep 17 00:00:00 2001
From ffe1ee94d526900ce1e5191cdd38934477dd209a Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Fri, 26 Oct 2012 14:02:09 -0400
Subject: [PATCH] hibernate: Disable in a signed modules environment
@ -12,8 +12,8 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.com>
---
kernel/power/hibernate.c | 16 +++++++++++++++-
kernel/power/main.c | 7 ++++++-
kernel/power/user.c | 5 +++++
3 files changed, 26 insertions(+), 2 deletions(-)
kernel/power/user.c | 1 +
3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
index b26f5f1..e65228b 100644
@ -96,28 +96,17 @@ index 1d1bf63..300f300 100644
if (s != buf)
/* convert the last space to a newline */
diff --git a/kernel/power/user.c b/kernel/power/user.c
index 4ed81e7..b714ee6 100644
index 15cb72f..fa85ed5 100644
--- a/kernel/power/user.c
+++ b/kernel/power/user.c
@@ -24,6 +24,8 @@
#include <linux/console.h>
@@ -25,6 +25,7 @@
#include <linux/cpu.h>
#include <linux/freezer.h>
#include <linux/module.h>
+#include <linux/efi.h>
+#include <linux/module.h>
#include <asm/uaccess.h>
@@ -48,6 +50,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
struct snapshot_data *data;
int error;
+ if (secure_modules())
+ return -EPERM;
+
lock_system_sleep();
if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
--
1.8.3.1

View File

@ -1,7 +1,7 @@
From 17832506ee9b52bc8e00c2ec89b49257998171ed Mon Sep 17 00:00:00 2001
From 8dea807503a1ba88d9e27595daae7f86ec968711 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Mon, 19 Aug 2013 13:26:02 -0400
Subject: [PATCH 01/13] Add secure_modules() call
Date: Fri, 9 Aug 2013 17:58:15 -0400
Subject: [PATCH 01/14] Add secure_modules() call
Provide a single call to allow kernel code to determine whether the system
has been configured to either disable module loading entirely or to load
@ -39,7 +39,7 @@ index 46f1ea0..0c266b2 100644
#ifdef CONFIG_SYSFS
diff --git a/kernel/module.c b/kernel/module.c
index 2069158..499ee57 100644
index 2069158..0e94acf 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -3852,3 +3852,13 @@ void module_layout(struct module *mod,
@ -55,15 +55,15 @@ index 2069158..499ee57 100644
+ return modules_disabled;
+#endif
+}
+EXPORT_SYMBOL_GPL(secure_modules);
+EXPORT_SYMBOL(secure_modules);
--
1.8.3.1
From e347503648ace6a4b71dfb566365f1aa19657746 Mon Sep 17 00:00:00 2001
From 9b7b3f6283bf784e4ea1c34e52646b12971b2823 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Mon, 19 Aug 2013 13:26:03 -0400
Subject: [PATCH 02/13] PCI: Lock down BAR access when module security is
Date: Thu, 8 Mar 2012 10:10:38 -0500
Subject: [PATCH 02/14] PCI: Lock down BAR access when module security is
enabled
Any hardware that can potentially generate DMA has to be locked down from
@ -179,10 +179,10 @@ index e1c1ec5..bffbf71 100644
1.8.3.1
From b846e3958d3f4ff875ec958efba8b681ccbae04e Mon Sep 17 00:00:00 2001
From aac2425a2664c09c2a369e1eec6e7a5bc2713cb1 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Mon, 19 Aug 2013 13:26:04 -0400
Subject: [PATCH 03/13] x86: Lock down IO port access when module security is
Date: Thu, 8 Mar 2012 10:35:59 -0500
Subject: [PATCH 03/14] x86: Lock down IO port access when module security is
enabled
IO port access would permit users to gain access to PCI configuration
@ -252,10 +252,10 @@ index f895a8c..1af8664 100644
1.8.3.1
From 8c11e2cc989eece2d4978cfbc83f9b898f3cd1aa Mon Sep 17 00:00:00 2001
From e7f9789c7eedf291972666befee726ff8e7126f6 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Mon, 19 Aug 2013 13:26:05 -0400
Subject: [PATCH 04/13] ACPI: Limit access to custom_method
Date: Fri, 9 Mar 2012 08:39:37 -0500
Subject: [PATCH 04/14] ACPI: Limit access to custom_method
custom_method effectively allows arbitrary access to system memory, making
it possible for an attacker to circumvent restrictions on module loading.
@ -263,22 +263,14 @@ Disable it if any such restrictions have been enabled.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
drivers/acpi/custom_method.c | 4 ++++
1 file changed, 4 insertions(+)
drivers/acpi/custom_method.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
index 12b62f2..55a013f 100644
index 12b62f2..50647b3 100644
--- a/drivers/acpi/custom_method.c
+++ b/drivers/acpi/custom_method.c
@@ -7,6 +7,7 @@
#include <linux/kernel.h>
#include <linux/uaccess.h>
#include <linux/debugfs.h>
+#include <linux/module.h>
#include <acpi/acpi_drivers.h>
#include "internal.h"
@@ -29,6 +30,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
struct acpi_table_header table;
acpi_status status;
@ -292,10 +284,10 @@ index 12b62f2..55a013f 100644
1.8.3.1
From 968ccfb32df5d5c9673c57641ebf90b25c0df880 Mon Sep 17 00:00:00 2001
From d81cd6628c821d47bd086354cbc57b1474f3c1a8 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Mon, 19 Aug 2013 13:26:06 -0400
Subject: [PATCH 05/13] asus-wmi: Restrict debugfs interface when module
Date: Fri, 9 Mar 2012 08:46:50 -0500
Subject: [PATCH 05/14] asus-wmi: Restrict debugfs interface when module
loading is restricted
We have no way of validating what all of the Asus WMI methods do on a
@ -347,10 +339,10 @@ index 19c313b..db18ef66 100644
1.8.3.1
From e492d0a80bb591c34391757f97fc5aa8eb198e4f Mon Sep 17 00:00:00 2001
From df75e984729ef50bb691b4d15472529fcd81580b Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Mon, 19 Aug 2013 13:26:07 -0400
Subject: [PATCH 06/13] Restrict /dev/mem and /dev/kmem when module loading is
Date: Fri, 9 Mar 2012 09:28:15 -0500
Subject: [PATCH 06/14] Restrict /dev/mem and /dev/kmem when module loading is
restricted
Allowing users to write to address space makes it possible for the kernel
@ -390,10 +382,10 @@ index 1af8664..61406c8 100644
1.8.3.1
From 145913d656bfe8216032b38a576ac150699521e5 Mon Sep 17 00:00:00 2001
From 78955913cc46cc5e5c7f2c71c1b07a5c18e06456 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Mon, 19 Aug 2013 13:26:08 -0400
Subject: [PATCH 07/13] acpi: Ignore acpi_rsdp kernel parameter when module
Date: Mon, 25 Jun 2012 19:57:30 -0400
Subject: [PATCH 07/14] acpi: Ignore acpi_rsdp kernel parameter when module
loading is restricted
This option allows userspace to pass the RSDP address to the kernel, which
@ -430,10 +422,95 @@ index 6ab2c35..e4c4410 100644
1.8.3.1
From 012ac79f54ab746114d8276d8858a3df18b10e22 Mon Sep 17 00:00:00 2001
From 23aae9143fbece326b3a26bf5ba48956c99cabe4 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Mon, 19 Aug 2013 13:26:10 -0400
Subject: [PATCH 08/13] x86: Restrict MSR access when module loading is
Date: Fri, 9 Aug 2013 03:33:56 -0400
Subject: [PATCH 08/14] kexec: Disable at runtime if the kernel enforces module
loading restrictions
kexec permits the loading and execution of arbitrary code in ring 0, which
is something that module signing enforcement is meant to prevent. It makes
sense to disable kexec in this situation.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
kernel/kexec.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/kernel/kexec.c b/kernel/kexec.c
index 59f7b55..3e2b63a 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -32,6 +32,7 @@
#include <linux/vmalloc.h>
#include <linux/swap.h>
#include <linux/syscore_ops.h>
+#include <linux/module.h>
#include <asm/page.h>
#include <asm/uaccess.h>
@@ -943,6 +944,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
return -EPERM;
/*
+ * kexec can be used to circumvent module loading restrictions, so
+ * prevent loading in that case
+ */
+ if (secure_modules())
+ return -EPERM;
+
+ /*
* Verify we have a legal set of flags
* This leaves us room for future extensions.
*/
--
1.8.3.1
From 218cd49aa2d6a085c5c4edc0396200864f0b54ad Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Tue, 3 Sep 2013 11:23:29 -0400
Subject: [PATCH 09/14] uswsusp: Disable when module loading is restricted
uswsusp allows a user process to dump and then restore kernel state, which
makes it possible to avoid module loading restrictions. Prevent this when
any restrictions have been imposed on loading modules.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
kernel/power/user.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/kernel/power/user.c b/kernel/power/user.c
index 4ed81e7..15cb72f 100644
--- a/kernel/power/user.c
+++ b/kernel/power/user.c
@@ -24,6 +24,7 @@
#include <linux/console.h>
#include <linux/cpu.h>
#include <linux/freezer.h>
+#include <linux/module.h>
#include <asm/uaccess.h>
@@ -48,6 +49,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
struct snapshot_data *data;
int error;
+ if (secure_modules())
+ return -EPERM;
+
lock_system_sleep();
if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
--
1.8.3.1
From beeaac053d4ae57dc65be1da8b46e5d4bc6542b8 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 8 Feb 2013 11:12:13 -0800
Subject: [PATCH 10/14] x86: Restrict MSR access when module loading is
restricted
Writing to MSRs should not be allowed if module loading is restricted,
@ -475,51 +552,10 @@ index 88458fa..d08f7e3 100644
1.8.3.1
From a44d2968968fd667c8cbeba7c043f674d17e7ce7 Mon Sep 17 00:00:00 2001
From b4331711c52aff0a6a9cef0f4b52fe261874d6f2 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Mon, 19 Aug 2013 13:26:09 -0400
Subject: [PATCH 09/13] kexec: Disable at runtime if the kernel enforces module
loading restrictions
kexec permits the loading and execution of arbitrary code in ring 0, which
is something that module signing enforcement is meant to prevent. It makes
sense to disable kexec in this situation.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
kernel/kexec.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/kernel/kexec.c b/kernel/kexec.c
index 59f7b55..1a7690f 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -32,6 +32,7 @@
#include <linux/vmalloc.h>
#include <linux/swap.h>
#include <linux/syscore_ops.h>
+#include <linux/module.h>
#include <asm/page.h>
#include <asm/uaccess.h>
@@ -1645,6 +1646,9 @@ int kernel_kexec(void)
goto Unlock;
}
+ if (secure_modules())
+ return -EPERM;
+
#ifdef CONFIG_KEXEC_JUMP
if (kexec_image->preserve_context) {
lock_system_sleep();
--
1.8.3.1
From f8f879da5dcc060a990a3b660aa5f340429cc4ed Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Mon, 19 Aug 2013 13:26:11 -0400
Subject: [PATCH 10/13] Add option to automatically enforce module signatures
Date: Fri, 9 Aug 2013 18:36:30 -0400
Subject: [PATCH 11/14] Add option to automatically enforce module signatures
when in Secure Boot mode
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
@ -528,17 +564,15 @@ require that all kernel modules also be signed. Add a configuration option
that enforces this automatically when enabled.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
---
Documentation/x86/zero-page.txt | 2 ++
arch/x86/Kconfig | 10 ++++++++++
arch/x86/boot/compressed/eboot.c | 33 +++++++++++++++++++++++++++++++++
arch/x86/include/asm/bootparam_utils.h | 8 ++++++--
arch/x86/include/uapi/asm/bootparam.h | 3 ++-
arch/x86/kernel/setup.c | 6 ++++++
include/linux/module.h | 6 ++++++
kernel/module.c | 7 +++++++
8 files changed, 72 insertions(+), 3 deletions(-)
Documentation/x86/zero-page.txt | 2 ++
arch/x86/Kconfig | 10 ++++++++++
arch/x86/boot/compressed/eboot.c | 36 +++++++++++++++++++++++++++++++++++
arch/x86/include/uapi/asm/bootparam.h | 3 ++-
arch/x86/kernel/setup.c | 6 ++++++
include/linux/module.h | 6 ++++++
kernel/module.c | 7 +++++++
7 files changed, 69 insertions(+), 1 deletion(-)
diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
index 199f453..ec38acf 100644
@ -575,14 +609,22 @@ index b32ebf9..6a6c19b 100644
def_bool y
prompt "Enable seccomp to safely compute untrusted bytecode"
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
index b7388a4..145294d 100644
index b7388a4..53bfe4f 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -861,6 +861,37 @@ fail:
@@ -12,6 +12,7 @@
#include <asm/efi.h>
#include <asm/setup.h>
#include <asm/desc.h>
+#include <asm/bootparam_utils.h>
#undef memcpy /* Use memcpy from misc.c */
@@ -861,6 +862,37 @@ fail:
return status;
}
+static int get_secure_boot(efi_system_table_t *_table)
+static int get_secure_boot(void)
+{
+ u8 sb, setup;
+ unsigned long datasize = sizeof(sb);
@ -616,37 +658,19 @@ index b7388a4..145294d 100644
/*
* Because the x86 boot code expects to be passed a boot_params we
* need to create one ourselves (usually the bootloader would create
@@ -1169,6 +1200,8 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table,
@@ -1169,6 +1201,10 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table,
if (sys_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE)
goto fail;
+ boot_params->secure_boot = get_secure_boot(sys_table);
+ sanitize_boot_params(boot_params);
+
+ boot_params->secure_boot = get_secure_boot();
+
setup_graphics(boot_params);
setup_efi_pci(boot_params);
diff --git a/arch/x86/include/asm/bootparam_utils.h b/arch/x86/include/asm/bootparam_utils.h
index 4a8cb8d..25f9cf1 100644
--- a/arch/x86/include/asm/bootparam_utils.h
+++ b/arch/x86/include/asm/bootparam_utils.h
@@ -38,9 +38,13 @@ static void sanitize_boot_params(struct boot_params *boot_params)
memset(&boot_params->ext_ramdisk_image, 0,
(char *)&boot_params->efi_info -
(char *)&boot_params->ext_ramdisk_image);
- memset(&boot_params->kbd_status, 0,
+ memset(&boot_params->kbd_status, 0, sizeof(boot_params->kbd_status));
+ /* don't clear boot_params->secure_boot. we set that ourselves
+ * earlier.
+ */
+ memset(&boot_params->_pad5[0], 0,
(char *)&boot_params->hdr -
- (char *)&boot_params->kbd_status);
+ (char *)&boot_params->_pad5[0]);
memset(&boot_params->_pad7[0], 0,
(char *)&boot_params->edd_mbr_sig_buffer[0] -
(char *)&boot_params->_pad7[0]);
diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
index c15ddaf..d35da96 100644
index c15ddaf..85d7685 100644
--- a/arch/x86/include/uapi/asm/bootparam.h
+++ b/arch/x86/include/uapi/asm/bootparam.h
@@ -131,7 +131,8 @@ struct boot_params {
@ -655,7 +679,7 @@ index c15ddaf..d35da96 100644
__u8 kbd_status; /* 0x1eb */
- __u8 _pad5[3]; /* 0x1ec */
+ __u8 secure_boot; /* 0x1ec */
+ __u8 _pad5[2]; /* 0x1ec */
+ __u8 _pad5[2]; /* 0x1ed */
/*
* The sentinel is set to a nonzero value (0xff) in header.S.
*
@ -694,7 +718,7 @@ index 0c266b2..5a6374a 100644
extern int modules_disabled; /* for sysctl */
diff --git a/kernel/module.c b/kernel/module.c
index 499ee57..bc7c987 100644
index 0e94acf..974139b 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -3853,6 +3853,13 @@ void module_layout(struct module *mod,
@ -715,10 +739,10 @@ index 499ee57..bc7c987 100644
1.8.3.1
From b1604407fff69b17b598af03888a9efda0d58f2b Mon Sep 17 00:00:00 2001
From bb28516d346e6511f1e012321c48eb142763e539 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Tue, 5 Feb 2013 19:25:05 -0500
Subject: [PATCH 11/13] efi: Disable secure boot if shim is in insecure mode
Subject: [PATCH 12/14] efi: Disable secure boot if shim is in insecure mode
A user can manually tell the shim boot loader to disable validation of
images it loads. When a user does this, it creates a UEFI variable called
@ -732,12 +756,12 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
index 145294d..545d4a6 100644
index 53bfe4f..946028b 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -863,8 +863,9 @@ fail:
@@ -864,8 +864,9 @@ fail:
static int get_secure_boot(efi_system_table_t *_table)
static int get_secure_boot(void)
{
- u8 sb, setup;
+ u8 sb, setup, moksbstate;
@ -746,7 +770,7 @@ index 145294d..545d4a6 100644
efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
efi_status_t status;
@@ -888,6 +889,23 @@ static int get_secure_boot(efi_system_table_t *_table)
@@ -889,6 +890,23 @@ static int get_secure_boot(void)
if (setup == 1)
return 0;
@ -774,10 +798,10 @@ index 145294d..545d4a6 100644
1.8.3.1
From 4d8b5cab923a2df15e1f33b3f0511366f9f98756 Mon Sep 17 00:00:00 2001
From 4c8824bac8d4284e66c39c365ba84151f2d78e87 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 27 Aug 2013 13:28:43 -0400
Subject: [PATCH 12/13] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
Subject: [PATCH 13/14] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
The functionality of the config option is dependent upon the platform being
UEFI based. Reflect this in the config deps.
@ -805,10 +829,10 @@ index 6a6c19b..10498ec 100644
1.8.3.1
From a87ca6498b8a9f8e3c1d7e6ef7ef4e233ec8639d Mon Sep 17 00:00:00 2001
From 871b0ed1847c3c5413a4ca72ecf18735858f7708 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 27 Aug 2013 13:33:03 -0400
Subject: [PATCH 13/13] efi: Add EFI_SECURE_BOOT bit
Subject: [PATCH 14/14] efi: Add EFI_SECURE_BOOT bit
UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit
for use with efi_enabled.