Switch to using modsign-post-KS upstream with x509 certs

This commit is contained in:
Josh Boyer 2012-09-25 12:02:24 -04:00
parent 7e6e483520
commit f0f4ff23f1
7 changed files with 9497 additions and 10704 deletions

10
genkey
View File

@ -1,10 +0,0 @@
%pubring modsign.pub
%secring modsign.sec
%no-protection: yes
%transient-key: yes
Key-Type: RSA
Key-Length: 2048
Name-Real: Fedora Project
Name-Comment: Kernel Module GPG key
%commit

View File

@ -62,7 +62,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
%global baserelease 3
%global baserelease 4
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@ -551,19 +551,20 @@ BuildRequires: rpm-build >= 4.9.0-1, elfutils >= elfutils-0.153-1
%endif
%if %{signmodules}
BuildRequires: gnupg
BuildRequires: openssl
BuildRequires: pesign >= 0.10-4
%endif
Source0: ftp://ftp.kernel.org/pub/linux/kernel/v3.0/linux-%{kversion}.tar.xz
%if %{signmodules}
Source11: genkey
Source11: x509.genkey
%endif
Source15: merge.pl
Source16: mod-extra.list
Source17: mod-extra.sh
Source18: mod-extra-sign.sh
Source19: Makefile.release
Source20: Makefile.config
@ -680,10 +681,10 @@ Patch700: linux-2.6-e1000-ich9-montevina.patch
Patch800: linux-2.6-crash-driver.patch
# crypto/
Patch900: modsign-20120816.patch
Patch900: modsign-post-KS-jwb.patch
# secure boot
Patch1000: secure-boot-20120809.patch
Patch1000: secure-boot-20120924.patch
# Improve PCI support on UEFI
Patch1100: handle-efi-roms.patch
@ -1393,10 +1394,10 @@ ApplyPatch linux-2.6-crash-driver.patch
ApplyPatch linux-2.6-e1000-ich9-montevina.patch
# crypto/
ApplyPatch modsign-20120816.patch
ApplyPatch modsign-post-KS-jwb.patch
# secure boot
ApplyPatch secure-boot-20120809.patch
ApplyPatch secure-boot-20120924.patch
# Improved PCI support for UEFI
ApplyPatch handle-efi-roms.patch
@ -1623,13 +1624,6 @@ BuildKernel() {
# we'll get it from the linux-firmware package and we don't want conflicts
make -s ARCH=$Arch INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_install KERNELRELEASE=$KernelVer mod-fw=
%if %{signmodules}
if [ -z "$(readelf -n $(find fs/ -name \*.ko | head -n 1) | grep module.sig)" ]; then
echo "ERROR: modules are NOT signed" >&2;
exit 1;
fi
%endif
%ifarch %{vdso_arches}
make -s ARCH=$Arch INSTALL_MOD_PATH=$RPM_BUILD_ROOT vdso_install KERNELRELEASE=$KernelVer
if [ ! -s ldconfig-kernel.conf ]; then
@ -1753,6 +1747,12 @@ BuildKernel() {
# Call the modules-extra script to move things around
%{SOURCE17} $RPM_BUILD_ROOT/lib/modules/$KernelVer %{SOURCE16}
%if %{signmodules}
# Save off the .tmp_versions/ directory. We'll use it in the
# __debug_install_post macro below to sign the right things
cp -r .tmp_versions .tmp_versions.sign${Flavour:+.${Flavour}}
%endif
# remove files that will be auto generated by depmod at rpm -i time
for i in alias alias.bin builtin.bin ccwmap dep dep.bin ieee1394map inputmap isapnpmap ofmap pcimap seriomap symbols symbols.bin usbmap devname softdep
do
@ -1875,9 +1875,56 @@ find Documentation -type d | xargs chmod u+w
# This macro is used by %%install, so we must redefine it before that.
%define debug_package %{nil}
# In the modsign case, we do 3 things. 1) We check the "flavour" and hard
# code the value in the following invocations. This is somewhat sub-optimal
# but we're doing this inside of an RPM macro and it isn't as easy as it
# could be because of that. 2) We restore the .tmp_versions/ directory from
# the one we saved off in BuildKernel above. This is to make sure we're
# signing the modules we actually built/installed in that flavour. 3) We
# grab the arch and invoke 'make modules_sign' and the mod-extra-sign.sh
# commands to actually sign the modules.
#
# We have to do all of those things _after_ find-debuginfo runs, otherwise
# that will strip the signature off of the modules.
%if %{with_debuginfo}
%define __debug_install_post \
/usr/lib/rpm/find-debuginfo.sh %{debuginfo_args} %{_builddir}/%{?buildsubdir}\
if [ "%{signmodules}" == "1" ]; \
then \
if [ "%{with_pae}" != "0" ]; \
then \
Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}-PAE.config | cut -b 3-` \
rm -rf .tmp_versions \
mv .tmp_versions.sign.PAE .tmp_versions \
make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL}.PAE \
%{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAE/extra/ \
fi \
if [ "%{with_debug}" != "0" ]; \
then \
Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}-debug.config | cut -b 3-` \
rm -rf .tmp_versions \
mv .tmp_versions.sign.debug .tmp_versions \
make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL}.debug \
%{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.debug/extra/ \
fi \
if [ "%{with_pae_debug}" != "0" ]; \
then \
Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}-PAEdebug.config | cut -b 3-` \
rm -rf .tmp_versions \
mv .tmp_versions.sign.PAEdebug .tmp_versions \
make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL}.PAEdebug \
%{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAEdebug/extra/ \
fi \
if [ "%{with_up}" != "0" ]; \
then \
Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}.config | cut -b 3-` \
rm -rf .tmp_versions \
mv .tmp_versions.sign .tmp_versions \
make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL} \
%{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/extra/ \
fi \
fi \
%{nil}
%ifnarch noarch
@ -2263,6 +2310,7 @@ fi
* Tue Sep 25 2012 Josh Boyer <jwboyer@redhat.com>
- Move the modules-extra processing to a script
- Prep mod-extra.sh for signed modules
- Switch to using modsign-post-KS upstream with x509 certs
* Tue Sep 25 2012 Josh Boyer <jwboyer@redhat.com> - 3.6.0-0.rc7.git1.2
- Update team driver from net-next from Jiri Pirko

28
mod-extra-sign.sh Executable file
View File

@ -0,0 +1,28 @@
#! /bin/bash
# We need to sign modules we've moved from <path>/kernel/ to <path>/extra/
# during mod-extra processing by hand. The 'modules_sign' Kbuild target can
# "handle" out-of-tree modules, but it does that by not signing them. Plus,
# the modules we've moved aren't actually out-of-tree. We've just shifted
# them to a different location behind Kbuild's back because we are mean.
# This essentially duplicates the 'modules_sign' Kbuild target and runs the
# same commands for those modules.
moddir=$1
modules=`find $moddir -name *.ko`
MODSECKEY="./signing_key.priv"
MODPUBKEY="./signing_key.x509"
for mod in $modules
do
dir=`dirname $mod`
file=`basename $mod`
sh ./scripts/sign-file ${MODSECKEY} ${MODPUBKEY} ${dir}/${file} \
${dir}/${file}.signed
mv ${dir}/${file}.signed ${dir}/${file}
rm -f ${dir}/${file}.{sig,dig}
done

File diff suppressed because it is too large Load Diff

9153
modsign-post-KS-jwb.patch Normal file

File diff suppressed because it is too large Load Diff

View File

@ -1,7 +1,7 @@
From 617309bdd75bbce794ae2d41d44e7b76fb8c6d8b Mon Sep 17 00:00:00 2001
From 57c0dbcbafaa724313c672830ff0087f56a84c47 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Thu, 8 Mar 2012 09:56:33 -0500
Subject: [PATCH 01/13] Secure boot: Add new capability
Date: Thu, 20 Sep 2012 10:40:56 -0400
Subject: [PATCH 01/14] Secure boot: Add new capability
Secure boot adds certain policy requirements, including that root must not
be able to do anything that could cause the kernel to execute arbitrary code.
@ -15,7 +15,7 @@ Signed-off-by: Matthew Garrett <mjg@redhat.com>
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/include/linux/capability.h b/include/linux/capability.h
index d10b7ed..6a39163 100644
index d10b7ed..4345bc8 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -364,7 +364,11 @@ struct cpu_vfs_cap_data {
@ -23,22 +23,22 @@ index d10b7ed..6a39163 100644
#define CAP_BLOCK_SUSPEND 36
-#define CAP_LAST_CAP CAP_BLOCK_SUSPEND
+/* Allow things that are dangerous under secure boot */
+/* Allow things that trivially permit root to modify the running kernel */
+
+#define CAP_SECURE_FIRMWARE 37
+#define CAP_COMPROMISE_KERNEL 37
+
+#define CAP_LAST_CAP CAP_SECURE_FIRMWARE
+#define CAP_LAST_CAP CAP_COMPROMISE_KERNEL
#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
--
1.7.11.2
1.7.11.4
From ac892cb2320872717005736c8ef88208c12e61ee Mon Sep 17 00:00:00 2001
From 95fd8148be46036e20fc64c480104d2a2b454e27 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Thu, 8 Mar 2012 10:10:38 -0500
Subject: [PATCH 02/13] PCI: Lock down BAR access in secure boot environments
Date: Thu, 20 Sep 2012 10:40:57 -0400
Subject: [PATCH 02/14] PCI: Lock down BAR access in secure boot environments
Any hardware that can potentially generate DMA has to be locked down from
userspace in order to avoid it being possible for an attacker to cause
@ -53,14 +53,14 @@ Signed-off-by: Matthew Garrett <mjg@redhat.com>
3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
index 6869009..a1ad0f7 100644
index 6869009..c03fb85 100644
--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -542,6 +542,9 @@ pci_write_config(struct file* filp, struct kobject *kobj,
loff_t init_off = off;
u8 *data = (u8*) buf;
+ if (!capable(CAP_SECURE_FIRMWARE))
+ if (!capable(CAP_COMPROMISE_KERNEL))
+ return -EPERM;
+
if (off > dev->cfg_size)
@ -70,7 +70,7 @@ index 6869009..a1ad0f7 100644
resource_size_t start, end;
int i;
+ if (!capable(CAP_SECURE_FIRMWARE))
+ if (!capable(CAP_COMPROMISE_KERNEL))
+ return -EPERM;
+
for (i = 0; i < PCI_ROM_RESOURCE; i++)
@ -80,21 +80,21 @@ index 6869009..a1ad0f7 100644
struct bin_attribute *attr, char *buf,
loff_t off, size_t count)
{
+ if (!capable(CAP_SECURE_FIRMWARE))
+ if (!capable(CAP_COMPROMISE_KERNEL))
+ return -EPERM;
+
return pci_resource_io(filp, kobj, attr, buf, off, count, true);
}
diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
index 27911b5..01d4753 100644
index 27911b5..ac8c9a5 100644
--- a/drivers/pci/proc.c
+++ b/drivers/pci/proc.c
@@ -135,6 +135,9 @@ proc_bus_pci_write(struct file *file, const char __user *buf, size_t nbytes, lof
int size = dp->size;
int cnt;
+ if (!capable(CAP_SECURE_FIRMWARE))
+ if (!capable(CAP_COMPROMISE_KERNEL))
+ return -EPERM;
+
if (pos >= size)
@ -104,7 +104,7 @@ index 27911b5..01d4753 100644
#endif /* HAVE_PCI_MMAP */
int ret = 0;
+ if (!capable(CAP_SECURE_FIRMWARE))
+ if (!capable(CAP_COMPROMISE_KERNEL))
+ return -EPERM;
+
switch (cmd) {
@ -115,12 +115,12 @@ index 27911b5..01d4753 100644
int i, ret;
- if (!capable(CAP_SYS_RAWIO))
+ if (!capable(CAP_SYS_RAWIO) || !capable(CAP_SECURE_FIRMWARE))
+ if (!capable(CAP_SYS_RAWIO) || !capable(CAP_COMPROMISE_KERNEL))
return -EPERM;
/* Make sure the caller is mapping a real resource for this device */
diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
index e1c1ec5..a778ba9 100644
index e1c1ec5..97e785f 100644
--- a/drivers/pci/syscall.c
+++ b/drivers/pci/syscall.c
@@ -92,7 +92,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
@ -128,18 +128,18 @@ index e1c1ec5..a778ba9 100644
int err = 0;
- if (!capable(CAP_SYS_ADMIN))
+ if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SECURE_FIRMWARE))
+ if (!capable(CAP_SYS_ADMIN) || !capable(CAP_COMPROMISE_KERNEL))
return -EPERM;
dev = pci_get_bus_and_slot(bus, dfn);
--
1.7.11.2
1.7.11.4
From 4c02feefb934d587f03c74cc48e8d58904416c68 Mon Sep 17 00:00:00 2001
From 2d23d2726583d79062e58abcc32c7dd027d312aa Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Thu, 8 Mar 2012 10:35:59 -0500
Subject: [PATCH 03/13] x86: Lock down IO port access in secure boot
Date: Thu, 20 Sep 2012 10:40:58 -0400
Subject: [PATCH 03/14] x86: Lock down IO port access in secure boot
environments
IO port access would permit users to gain access to PCI configuration
@ -154,7 +154,7 @@ Signed-off-by: Matthew Garrett <mjg@redhat.com>
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
index 8c96897..c3a1bb2 100644
index 8c96897..a2578c4 100644
--- a/arch/x86/kernel/ioport.c
+++ b/arch/x86/kernel/ioport.c
@@ -28,7 +28,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
@ -162,7 +162,7 @@ index 8c96897..c3a1bb2 100644
if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
return -EINVAL;
- if (turn_on && !capable(CAP_SYS_RAWIO))
+ if (turn_on && (!capable(CAP_SYS_RAWIO) || !capable(CAP_SECURE_FIRMWARE)))
+ if (turn_on && (!capable(CAP_SYS_RAWIO) || !capable(CAP_COMPROMISE_KERNEL)))
return -EPERM;
/*
@ -171,32 +171,32 @@ index 8c96897..c3a1bb2 100644
/* Trying to gain more privileges? */
if (level > old) {
- if (!capable(CAP_SYS_RAWIO))
+ if (!capable(CAP_SYS_RAWIO) || !capable(CAP_SECURE_FIRMWARE))
+ if (!capable(CAP_SYS_RAWIO) || !capable(CAP_COMPROMISE_KERNEL))
return -EPERM;
}
regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index e5eedfa..8f5f872 100644
index e5eedfa..1e0a660 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -597,6 +597,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
unsigned long i = *ppos;
const char __user * tmp = buf;
+ if (!capable(CAP_SECURE_FIRMWARE))
+ if (!capable(CAP_COMPROMISE_KERNEL))
+ return -EPERM;
+
if (!access_ok(VERIFY_READ, buf, count))
return -EFAULT;
while (count-- > 0 && i < 65536) {
--
1.7.11.2
1.7.11.4
From d379d102316075d51011b81748433530d294a70c Mon Sep 17 00:00:00 2001
From e063cb2f3a667d2540682d4bdbef91fdb23b1a84 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Fri, 9 Mar 2012 08:39:37 -0500
Subject: [PATCH 04/13] ACPI: Limit access to custom_method
Date: Thu, 20 Sep 2012 10:40:59 -0400
Subject: [PATCH 04/14] ACPI: Limit access to custom_method
It must be impossible for even root to get code executed in kernel context
under a secure boot environment. custom_method effectively allows arbitrary
@ -208,27 +208,27 @@ Signed-off-by: Matthew Garrett <mjg@redhat.com>
1 file changed, 3 insertions(+)
diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
index 5d42c24..3e78014 100644
index 5d42c24..247d58b 100644
--- a/drivers/acpi/custom_method.c
+++ b/drivers/acpi/custom_method.c
@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
struct acpi_table_header table;
acpi_status status;
+ if (!capable(CAP_SECURE_FIRMWARE))
+ if (!capable(CAP_COMPROMISE_KERNEL))
+ return -EPERM;
+
if (!(*ppos)) {
/* parse the table header to get the table length */
if (count <= sizeof(struct acpi_table_header))
--
1.7.11.2
1.7.11.4
From afc7c002eb264fc745a38fb6ec322be4928338dd Mon Sep 17 00:00:00 2001
From a1cccbd084c7355dcb2be7ae2934f168ce9ba9d5 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Fri, 9 Mar 2012 08:46:50 -0500
Subject: [PATCH 05/13] asus-wmi: Restrict debugfs interface
Date: Thu, 20 Sep 2012 10:41:00 -0400
Subject: [PATCH 05/14] asus-wmi: Restrict debugfs interface
We have no way of validating what all of the Asus WMI methods do on a
given machine, and there's a risk that some will allow hardware state to
@ -241,47 +241,47 @@ Signed-off-by: Matthew Garrett <mjg@redhat.com>
1 file changed, 9 insertions(+)
diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
index c7a36f6..0fb58bc 100644
index 2eb9fe8..61e055d 100644
--- a/drivers/platform/x86/asus-wmi.c
+++ b/drivers/platform/x86/asus-wmi.c
@@ -1509,6 +1509,9 @@ static int show_dsts(struct seq_file *m, void *data)
@@ -1523,6 +1523,9 @@ static int show_dsts(struct seq_file *m, void *data)
int err;
u32 retval = -1;
+ if (!capable(CAP_SECURE_FIRMWARE))
+ if (!capable(CAP_COMPROMISE_KERNEL))
+ return -EPERM;
+
err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
if (err < 0)
@@ -1525,6 +1528,9 @@ static int show_devs(struct seq_file *m, void *data)
@@ -1539,6 +1542,9 @@ static int show_devs(struct seq_file *m, void *data)
int err;
u32 retval = -1;
+ if (!capable(CAP_SECURE_FIRMWARE))
+ if (!capable(CAP_COMPROMISE_KERNEL))
+ return -EPERM;
+
err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
&retval);
@@ -1549,6 +1555,9 @@ static int show_call(struct seq_file *m, void *data)
@@ -1563,6 +1569,9 @@ static int show_call(struct seq_file *m, void *data)
union acpi_object *obj;
acpi_status status;
+ if (!capable(CAP_SECURE_FIRMWARE))
+ if (!capable(CAP_COMPROMISE_KERNEL))
+ return -EPERM;
+
status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
1, asus->debug.method_id,
&input, &output);
--
1.7.11.2
1.7.11.4
From 21bd1f0da09b40a0ba50636267f7eac8f839a336 Mon Sep 17 00:00:00 2001
From 1c9e53b626268f82509062751eda14e8572717cf Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Fri, 9 Mar 2012 09:28:15 -0500
Subject: [PATCH 06/13] Restrict /dev/mem and /dev/kmem in secure boot setups
Date: Thu, 20 Sep 2012 10:41:01 -0400
Subject: [PATCH 06/14] Restrict /dev/mem and /dev/kmem in secure boot setups
Allowing users to write to address space makes it possible for the kernel
to be subverted. Restrict this when we need to protect the kernel.
@ -292,14 +292,14 @@ Signed-off-by: Matthew Garrett <mjg@redhat.com>
1 file changed, 6 insertions(+)
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index 8f5f872..c1de8e1 100644
index 1e0a660..33eb947 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -158,6 +158,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
unsigned long copied;
void *ptr;
+ if (!capable(CAP_SECURE_FIRMWARE))
+ if (!capable(CAP_COMPROMISE_KERNEL))
+ return -EPERM;
+
if (!valid_phys_addr_range(p, count))
@ -309,96 +309,86 @@ index 8f5f872..c1de8e1 100644
char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
int err = 0;
+ if (!capable(CAP_SECURE_FIRMWARE))
+ if (!capable(CAP_COMPROMISE_KERNEL))
+ return -EPERM;
+
if (p < (unsigned long) high_memory) {
unsigned long to_write = min_t(unsigned long, count,
(unsigned long)high_memory - p);
--
1.7.11.2
1.7.11.4
From 1940a18cd651113f5b46f5a41290065963d6fbad Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Fri, 9 Mar 2012 11:47:56 -0500
Subject: [PATCH 07/13] kexec: Disable in a secure boot environment
kexec could be used as a vector for a malicious user to use a signed kernel
to circumvent the secure boot trust model. In the long run we'll want to
support signed kexec payloads, but for the moment we should just disable
loading entirely in that situation.
Signed-off-by: Matthew Garrett <mjg@redhat.com>
---
kernel/kexec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/kexec.c b/kernel/kexec.c
index 0668d58..48852ec 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -944,7 +944,7 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
int result;
/* We only trust the superuser with rebooting the system. */
- if (!capable(CAP_SYS_BOOT))
+ if (!capable(CAP_SYS_BOOT) || !capable(CAP_SECURE_FIRMWARE))
return -EPERM;
/*
--
1.7.11.2
From c83bad5d60b8f02ebbedf9b4c4b69cdee49a7976 Mon Sep 17 00:00:00 2001
From fbf919bf372b9a7a08bdacac8129d47ced1b1f19 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Mon, 25 Jun 2012 19:45:15 -0400
Subject: [PATCH 08/13] Secure boot: Add a dummy kernel parameter that will
Date: Thu, 20 Sep 2012 10:41:02 -0400
Subject: [PATCH 07/14] Secure boot: Add a dummy kernel parameter that will
switch on Secure Boot mode
This forcibly drops CAP_SECURE_FIRMWARE from both cap_permitted and cap_bset
This forcibly drops CAP_COMPROMISE_KERNEL from both cap_permitted and cap_bset
in the init_cred struct, which everything else inherits from. This works on
any machine and can be used to develop even if the box doesn't have UEFI.
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
---
kernel/cred.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
Documentation/kernel-parameters.txt | 7 +++++++
kernel/cred.c | 17 +++++++++++++++++
2 files changed, 24 insertions(+)
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index 9b2b8d3..93978d5 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -2562,6 +2562,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
Note: increases power consumption, thus should only be
enabled if running jitter sensitive (HPC/RT) workloads.
+ secureboot_enable=
+ [KNL] Enables an emulated UEFI Secure Boot mode. This
+ locks down various aspects of the kernel guarded by the
+ CAP_COMPROMISE_KERNEL capability. This includes things
+ like /dev/mem, IO port access, and other areas. It can
+ be used on non-UEFI machines for testing purposes.
+
security= [SECURITY] Choose a security module to enable at boot.
If this boot parameter is not specified, only the first
security module asking for security registration will be
diff --git a/kernel/cred.c b/kernel/cred.c
index de728ac..0d71d02 100644
index de728ac..7e6e83f 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -623,6 +623,20 @@ void __init cred_init(void)
@@ -623,6 +623,23 @@ void __init cred_init(void)
0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
}
+/* Dummy Secure Boot enable option to fake out UEFI SB=1 */
+static int __init secureboot_enable(char *str)
+void __init secureboot_enable()
+{
+ pr_info("Secure boot enabled\n");
+ cap_lower((&init_cred)->cap_bset, CAP_COMPROMISE_KERNEL);
+ cap_lower((&init_cred)->cap_permitted, CAP_COMPROMISE_KERNEL);
+}
+
+/* Dummy Secure Boot enable option to fake out UEFI SB=1 */
+static int __init secureboot_enable_opt(char *str)
+{
+ int sb_enable = !!simple_strtol(str, NULL, 0);
+ pr_info("Secure Boot mode %s\n", (sb_enable ? "enabled" : "disabled"));
+ if (sb_enable) {
+ cap_lower((&init_cred)->cap_bset, CAP_SECURE_FIRMWARE);
+ cap_lower((&init_cred)->cap_permitted, CAP_SECURE_FIRMWARE);
+ }
+ if (sb_enable)
+ secureboot_enable();
+ return 1;
+}
+__setup("secureboot_enable=", secureboot_enable);
+__setup("secureboot_enable=", secureboot_enable_opt);
+
/**
* prepare_kernel_cred - Prepare a set of credentials for a kernel service
* @daemon: A userspace daemon to be used as a reference
--
1.7.11.2
1.7.11.4
From b70595f1523ecadc4ce9d43e9a0c465436ed1007 Mon Sep 17 00:00:00 2001
From 43ed7865d867ae692e30227d66fa58cdecbd9269 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Wed, 18 Jul 2012 11:28:00 -0400
Subject: [PATCH 09/13] efi: Enable secure boot lockdown automatically when
Date: Thu, 20 Sep 2012 10:41:03 -0400
Subject: [PATCH 08/14] efi: Enable secure boot lockdown automatically when
enabled in firmware
The firmware has a set of flags that indicate whether secure boot is enabled
@ -407,13 +397,26 @@ down.
Signed-off-by: Matthew Garrett <mjg@redhat.com>
---
Documentation/x86/zero-page.txt | 2 ++
arch/x86/boot/compressed/eboot.c | 32 ++++++++++++++++++++++++++++++++
arch/x86/include/asm/bootparam.h | 3 ++-
arch/x86/kernel/setup.c | 3 +++
include/linux/cred.h | 2 ++
kernel/cred.c | 18 +++++++++++-------
5 files changed, 50 insertions(+), 8 deletions(-)
5 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
index cf5437d..7f9ed48 100644
--- a/Documentation/x86/zero-page.txt
+++ b/Documentation/x86/zero-page.txt
@@ -27,6 +27,8 @@ Offset Proto Name Meaning
1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below)
1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer
(below)
+1EB/001 ALL kbd_status Numlock is enabled
+1EC/001 ALL secure_boot Kernel should enable secure boot lockdowns
290/040 ALL edd_mbr_sig_buffer EDD MBR signatures
2D0/A00 ALL e820_map E820 memory map table
(array of struct e820entry)
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
index b3e0227..3789356 100644
--- a/arch/x86/boot/compressed/eboot.c
@ -505,54 +508,19 @@ index ebbed2c..a24faf1 100644
/*
* check for validity of credentials
*/
diff --git a/kernel/cred.c b/kernel/cred.c
index 0d71d02..c43e2b0 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -623,19 +623,23 @@ void __init cred_init(void)
0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
}
+void __init secureboot_enable()
+{
+ pr_info("Secure boot enabled\n");
+ cap_lower((&init_cred)->cap_bset, CAP_SECURE_FIRMWARE);
+ cap_lower((&init_cred)->cap_permitted, CAP_SECURE_FIRMWARE);
+}
+
/* Dummy Secure Boot enable option to fake out UEFI SB=1 */
-static int __init secureboot_enable(char *str)
+static int __init secureboot_enable_opt(char *str)
{
int sb_enable = !!simple_strtol(str, NULL, 0);
- pr_info("Secure Boot mode %s\n", (sb_enable ? "enabled" : "disabled"));
- if (sb_enable) {
- cap_lower((&init_cred)->cap_bset, CAP_SECURE_FIRMWARE);
- cap_lower((&init_cred)->cap_permitted, CAP_SECURE_FIRMWARE);
- }
+ if (sb_enable)
+ secureboot_enable();
return 1;
}
-__setup("secureboot_enable=", secureboot_enable);
+__setup("secureboot_enable=", secureboot_enable_opt);
/**
* prepare_kernel_cred - Prepare a set of credentials for a kernel service
--
1.7.11.2
1.7.11.4
From 411c18c35ccacb1a9e3f3dc67383a6431e110e17 Mon Sep 17 00:00:00 2001
From 3acf1ceb5f6f3be9103c9da16ddc24afc6d8b02a Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Mon, 25 Jun 2012 19:57:30 -0400
Subject: [PATCH 10/13] acpi: Ignore acpi_rsdp kernel parameter in a secure
Date: Thu, 20 Sep 2012 10:41:04 -0400
Subject: [PATCH 09/14] acpi: Ignore acpi_rsdp kernel parameter in a secure
boot environment
This option allows userspace to pass the RSDP address to the kernel. This
could potentially be used to circumvent the secure boot trust model.
We ignore the setting if we don't have the CAP_SECURE_FIRMWARE capability.
We ignore the setting if we don't have the CAP_COMPROMISE_KERNEL capability.
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
---
@ -560,7 +528,7 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
index 9eaf708..50c94e4 100644
index 9eaf708..f94341b 100644
--- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.c
@@ -246,7 +246,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
@ -568,18 +536,83 @@ index 9eaf708..50c94e4 100644
{
#ifdef CONFIG_KEXEC
- if (acpi_rsdp)
+ if (acpi_rsdp && capable(CAP_SECURE_FIRMWARE))
+ if (acpi_rsdp && capable(CAP_COMPROMISE_KERNEL))
return acpi_rsdp;
#endif
--
1.7.11.2
1.7.11.4
From 7bf87e8da8c7b57ba7f9448855c8ec84c684fb65 Mon Sep 17 00:00:00 2001
From 03fb06d272ddc1062e610521c5cfdbe42f251209 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Thu, 20 Sep 2012 10:41:05 -0400
Subject: [PATCH 10/14] SELinux: define mapping for new Secure Boot capability
Add the name of the new Secure Boot capability. This allows SELinux
policies to properly map CAP_COMPROMISE_KERNEL to the appropriate
capability class.
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
---
security/selinux/include/classmap.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index df2de54..70e2834 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -146,8 +146,8 @@ struct security_class_mapping secclass_map[] = {
{ "memprotect", { "mmap_zero", NULL } },
{ "peer", { "recv", NULL } },
{ "capability2",
- { "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend",
- NULL } },
+ { "mac_override", "mac_admin", "syslog", "wake_alarm",
+ "block_suspend", "compromise_kernel", NULL } },
{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
{ "tun_socket",
{ COMMON_SOCK_PERMS, NULL } },
--
1.7.11.4
From 0cfaa5ecf01f8eaaa2a84d88b7258a94ac9a1bfe Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Tue, 4 Sep 2012 11:55:13 -0400
Subject: [PATCH 11/14] kexec: Disable in a secure boot environment
kexec could be used as a vector for a malicious user to use a signed kernel
to circumvent the secure boot trust model. In the long run we'll want to
support signed kexec payloads, but for the moment we should just disable
loading entirely in that situation.
Signed-off-by: Matthew Garrett <mjg@redhat.com>
---
kernel/kexec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/kexec.c b/kernel/kexec.c
index 0668d58..8b976a5 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -944,7 +944,7 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
int result;
/* We only trust the superuser with rebooting the system. */
- if (!capable(CAP_SYS_BOOT))
+ if (!capable(CAP_SYS_BOOT) || !capable(CAP_COMPROMISE_KERNEL))
return -EPERM;
/*
--
1.7.11.4
From 895c46276788b3711aee05a1a1d685eff69d48b9 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Mon, 25 Jun 2012 21:29:46 -0400
Subject: [PATCH 11/13] Documentation: kernel-parameters.txt remove
Subject: [PATCH 12/14] Documentation: kernel-parameters.txt remove
capability.disable
Remove the documentation for capability.disable. The code supporting this
@ -597,7 +630,7 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
1 file changed, 6 deletions(-)
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index ad7e2e5..33c4029 100644
index 93978d5..e3e5f8c 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -446,12 +446,6 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
@ -614,98 +647,13 @@ index ad7e2e5..33c4029 100644
See Documentation/s390/CommonIO for details.
--
1.7.11.2
1.7.11.4
From ec0ca55ba3d1c2a59b0c0b6e38f7ae9966d676aa Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Tue, 26 Jun 2012 14:15:51 -0400
Subject: [PATCH 12/13] SELinux: define mapping for new Secure Boot capability
Add the name of the new Secure Boot capability. This allows SELinux
policies to properly map CAP_SECURE_FIRMWARE to the appropriate
capability class.
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
---
security/selinux/include/classmap.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index df2de54..0a1e348 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -146,8 +146,8 @@ struct security_class_mapping secclass_map[] = {
{ "memprotect", { "mmap_zero", NULL } },
{ "peer", { "recv", NULL } },
{ "capability2",
- { "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend",
- NULL } },
+ { "mac_override", "mac_admin", "syslog", "wake_alarm",
+ "block_suspend", "secure_firmware", NULL } },
{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
{ "tun_socket",
{ COMMON_SOCK_PERMS, NULL } },
--
1.7.11.2
From 0a90e99e45f5c8eddd3b8cfcd63a4c6355c5688d Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Tue, 26 Jun 2012 16:27:26 -0400
Subject: [PATCH 13/13] modsign: Reject unsigned modules in a Secure Boot
environment
If a machine is booted into a Secure Boot environment, we need to
protect the trust model. This requires that all modules be signed
with a key that is in the kernel's _modsign keyring. We add a
capability check and reject modules that are not signed.
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
---
kernel/module-verify.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/kernel/module-verify.c b/kernel/module-verify.c
index 22036d4..f6821b3 100644
--- a/kernel/module-verify.c
+++ b/kernel/module-verify.c
@@ -31,6 +31,7 @@
#include <linux/modsign.h>
#include <linux/moduleparam.h>
#include <linux/fips.h>
+#include <linux/capability.h>
#include <keys/crypto-type.h>
#include "module-verify.h"
#include "module-verify-defs.h"
@@ -699,7 +700,7 @@ int module_verify(const Elf_Ehdr *hdr, size_t size, bool *_gpgsig_ok)
/* The ELF checker found the sig for us if it exists */
if (mvdata.sig_index <= 0) {
/* Deal with an unsigned module */
- if (modsign_signedonly) {
+ if (modsign_signedonly || !capable(CAP_SECURE_FIRMWARE)) {
pr_err("An attempt to load unsigned module was rejected\n");
return -EKEYREJECTED;
} else {
@@ -736,7 +737,7 @@ out:
break;
case -ENOKEY: /* Signed, but we don't have the public key */
pr_err("Module signed with unknown public key\n");
- if (!modsign_signedonly) {
+ if (!modsign_signedonly && capable(CAP_SECURE_FIRMWARE)) {
/* Allow a module to be signed with an unknown public
* key unless we're enforcing.
*/
--
1.7.11.2
From: Matthew Garrett <mjg@redhat.com>
To: matt.fleming@intel.com
Cc: linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org,
x86@kernel.org, Matthew Garrett <mjg@redhat.com>
Date: Thu, 26 Jul 2012 18:00:00 -0400
Message-Id: <1343340000-7587-1-git-send-email-mjg@redhat.com>
Subject: [PATCH] efi: Build EFI stub with EFI-appropriate options
From 294d339c63b0f67a362efaa62713f26d9f496da8 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Thu, 26 Jul 2012 18:00:00 -0400
Subject: [PATCH 13/14] efi: Build EFI stub with EFI-appropriate options
We can't assume the presence of the red zone while we're still in a boot
services environment, so we should build with -fno-red-zone to avoid
@ -714,7 +662,7 @@ simpler.
Signed-off-by: Matthew Garrett <mjg@redhat.com>
---
arch/x86/boot/compressed/Makefile | 3 +++
arch/x86/boot/compressed/Makefile | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
@ -731,4 +679,48 @@ index e398bb5..8a84501 100644
ifeq ($(CONFIG_EFI_STUB), y)
VMLINUX_OBJS += $(obj)/eboot.o $(obj)/efi_stub_$(BITS).o
endif
--
1.7.11.4
From d1a225668878a3339adcd7ce0be256e857360ada Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Tue, 26 Jun 2012 16:27:26 -0400
Subject: [PATCH 14/14] modsign: Reject unsigned modules in a Secure Boot
environment
If a machine is booted into a Secure Boot environment, we need to
protect the trust model. This requires that all modules be signed
with a key that is in the kernel's _modsign keyring. We add a
capability check and reject modules that are not signed.
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
---
kernel/module.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/module.c b/kernel/module.c
index de16959..5af69cc 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -2463,7 +2463,7 @@ static int module_sig_check(struct load_info *info,
}
/* Not having a signature is only an error if we're strict. */
- if (!err && !info->sig_ok && sig_enforce)
+ if (!err && !info->sig_ok && (sig_enforce || !capable(CAP_COMPROMISE_KERNEL)))
err = -EKEYREJECTED;
return err;
@@ -2475,7 +2475,7 @@ found_marker:
if (err < 0 && fips_enabled)
panic("Module verification failed with error %d in FIPS mode\n",
err);
- if (err == -ENOKEY && !sig_enforce)
+ if (err == -ENOKEY && (!sig_enforce && capable(CAP_COMPROMISE_KERNEL)))
err = 0;
return err;
}
--
1.7.11.4

16
x509.genkey Normal file
View File

@ -0,0 +1,16 @@
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = myexts
[ req_distinguished_name ]
O = Fedora
CN = Fedora kernel signing key
emailAddress = kernel-team@fedoraproject.org
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid