Draft manpage explaining kernel lockdown

Draft manpage explaining kernel lockdown

[David Howells]

Hi Ard, Michael,

Attached is a draft for a manual page (kernel_lockdown.7) that I intend to
point at from messages emitted when the kernel prohibits something because the
kernel is in 'lockdown' mode, typically triggered by EFI secure boot.

Let me know what you think.

David
---
.\"
.\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
.\" Written by David Howells (dhowells@redhat.com)
.\"
.\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
.\" This program is free software; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public License
.\" as published by the Free Software Foundation; either version
.\" 2 of the License, or (at your option) any later version.
.\" %%%LICENSE_END
.\"
.TH "KERNEL LOCKDOWN" 7 2017-10-05 Linux "Linux Programmer's Manual"
.SH NAME
Kernel Lockdown \- Kernel image access prevention feature
.SH DESCRIPTION
The Kernel Lockdown feature is designed to prevent both direct and indirect
access to a running kernel image, attempting to protect against unauthorised
modification of the kernel image and to prevent access to security and
cryptographic data located in kernel memory, whilst still permitting driver
modules to be loaded.
.P
Lockdown is typically enabled during boot and may be terminated, if configured,
by typing a special key combination on a directly attached physical keyboard.
.P
If a prohibited or restricted feature is accessed or used, the kernel will emit
a message that looks like:
.P
.RS
	Lockdown: X is restricted, see man kernel_lockdown(7)
.RE
.P
where X indicates what is restricted.
.P
On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
if the system boots in EFI Secure Boot mode.
.P
If the kernel is appropriately configured, lockdown may be lifted by typing the
appropriate sequence on a directly attached physical keyboard.  For x86
machines, this is
.IR SysRq+x .
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH COVERAGE
When lockdown is in effect, a number of things are disabled or restricted in
use.  This includes special device files and kernel services that allow direct
access of the kernel image:
.P
.RS
/dev/mem
.br
/dev/kmem
.br
/dev/kcore
.br
/dev/ioports
.br
BPF memory access functions
.RE
.P
and the ability to directly configure and control devices, so as to prevent the
use of a device to access or modify a kernel image:
.P
.RS
The use of module parameters that directly specify hardware parameters to
drivers through the kernel command line or when loading a module.
.P
The use of direct PCI BAR access.
.P
The use of the ioperm and iopl instructions on x86.
.P
The use of the KD*IO console ioctls.
.P
The use of the TIOCSSERIAL serial ioctl.
.P
The alteration of MSR registers on x86.
.P
The replacement of the PCMCIA CIS.
.P
The overriding of ACPI tables.
.P
The use of ACPI error injection.
.P
The specification of the ACPI RDSP address.
.P
The use of ACPI custom methods.
.RE
.P
The following facilities are restricted:
.P
.RS
Only validly signed modules may be loaded.
.P
Only validly signed binaries may be kexec'd.
.P
Only validly signed device firmware may be loaded.
.P
Only validly signed wifi databases may be use.
.P
Unencrypted hibernation/suspend to swap are disallowed as the kernel image is
saved to a medium that can then be accessed.
.P
Use of debugfs is not permitted as this allows a whole range of actions
including direct configuration of, access to and driving of hardware.
.RE
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH SEE ALSO
.ad l
.nh

Draft manpage explaining kernel lockdown

[David Howells]

Hi Ard, Michael,

Attached is a draft for a manual page (kernel_lockdown.7) that I intend to
point at from messages emitted when the kernel prohibits something because the
kernel is in 'lockdown' mode, typically triggered by EFI secure boot.

Let me know what you think.

David
---
.\"
.\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
.\" Written by David Howells (dhowells@redhat.com)
.\"
.\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
.\" This program is free software; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public License
.\" as published by the Free Software Foundation; either version
.\" 2 of the License, or (at your option) any later version.
.\" %%%LICENSE_END
.\"
.TH "KERNEL LOCKDOWN" 7 2017-10-05 Linux "Linux Programmer's Manual"
.SH NAME
Kernel Lockdown \- Kernel image access prevention feature
.SH DESCRIPTION
The Kernel Lockdown feature is designed to prevent both direct and indirect
access to a running kernel image, attempting to protect against unauthorised
modification of the kernel image and to prevent access to security and
cryptographic data located in kernel memory, whilst still permitting driver
modules to be loaded.
.P
Lockdown is typically enabled during boot and may be terminated, if configured,
by typing a special key combination on a directly attached physical keyboard.
.P
If a prohibited or restricted feature is accessed or used, the kernel will emit
a message that looks like:
.P
.RS
	Lockdown: X is restricted, see man kernel_lockdown(7)
.RE
.P
where X indicates what is restricted.
.P
On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
if the system boots in EFI Secure Boot mode.
.P
If the kernel is appropriately configured, lockdown may be lifted by typing the
appropriate sequence on a directly attached physical keyboard.  For x86
machines, this is
.IR SysRq+x .
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH COVERAGE
When lockdown is in effect, a number of things are disabled or restricted in
use.  This includes special device files and kernel services that allow direct
access of the kernel image:
.P
.RS
/dev/mem
.br
/dev/kmem
.br
/dev/kcore
.br
/dev/ioports
.br
BPF memory access functions
.RE
.P
and the ability to directly configure and control devices, so as to prevent the
use of a device to access or modify a kernel image:
.P
.RS
The use of module parameters that directly specify hardware parameters to
drivers through the kernel command line or when loading a module.
.P
The use of direct PCI BAR access.
.P
The use of the ioperm and iopl instructions on x86.
.P
The use of the KD*IO console ioctls.
.P
The use of the TIOCSSERIAL serial ioctl.
.P
The alteration of MSR registers on x86.
.P
The replacement of the PCMCIA CIS.
.P
The overriding of ACPI tables.
.P
The use of ACPI error injection.
.P
The specification of the ACPI RDSP address.
.P
The use of ACPI custom methods.
.RE
.P
The following facilities are restricted:
.P
.RS
Only validly signed modules may be loaded.
.P
Only validly signed binaries may be kexec'd.
.P
Only validly signed device firmware may be loaded.
.P
Only validly signed wifi databases may be use.
.P
Unencrypted hibernation/suspend to swap are disallowed as the kernel image is
saved to a medium that can then be accessed.
.P
Use of debugfs is not permitted as this allows a whole range of actions
including direct configuration of, access to and driving of hardware.
.RE
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH SEE ALSO
.ad l
.nh

Draft manpage explaining kernel lockdown

[David Howells]

Hi Ard, Michael,

Attached is a draft for a manual page (kernel_lockdown.7) that I intend to
point at from messages emitted when the kernel prohibits something because the
kernel is in 'lockdown' mode, typically triggered by EFI secure boot.

Let me know what you think.

David
---
.\"
.\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
.\" Written by David Howells (dhowells at redhat.com)
.\"
.\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
.\" This program is free software; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public License
.\" as published by the Free Software Foundation; either version
.\" 2 of the License, or (at your option) any later version.
.\" %%%LICENSE_END
.\"
.TH "KERNEL LOCKDOWN" 7 2017-10-05 Linux "Linux Programmer's Manual"
.SH NAME
Kernel Lockdown \- Kernel image access prevention feature
.SH DESCRIPTION
The Kernel Lockdown feature is designed to prevent both direct and indirect
access to a running kernel image, attempting to protect against unauthorised
modification of the kernel image and to prevent access to security and
cryptographic data located in kernel memory, whilst still permitting driver
modules to be loaded.
.P
Lockdown is typically enabled during boot and may be terminated, if configured,
by typing a special key combination on a directly attached physical keyboard.
.P
If a prohibited or restricted feature is accessed or used, the kernel will emit
a message that looks like:
.P
.RS
	Lockdown: X is restricted, see man kernel_lockdown(7)
.RE
.P
where X indicates what is restricted.
.P
On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
if the system boots in EFI Secure Boot mode.
.P
If the kernel is appropriately configured, lockdown may be lifted by typing the
appropriate sequence on a directly attached physical keyboard.  For x86
machines, this is
.IR SysRq+x .
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH COVERAGE
When lockdown is in effect, a number of things are disabled or restricted in
use.  This includes special device files and kernel services that allow direct
access of the kernel image:
.P
.RS
/dev/mem
.br
/dev/kmem
.br
/dev/kcore
.br
/dev/ioports
.br
BPF memory access functions
.RE
.P
and the ability to directly configure and control devices, so as to prevent the
use of a device to access or modify a kernel image:
.P
.RS
The use of module parameters that directly specify hardware parameters to
drivers through the kernel command line or when loading a module.
.P
The use of direct PCI BAR access.
.P
The use of the ioperm and iopl instructions on x86.
.P
The use of the KD*IO console ioctls.
.P
The use of the TIOCSSERIAL serial ioctl.
.P
The alteration of MSR registers on x86.
.P
The replacement of the PCMCIA CIS.
.P
The overriding of ACPI tables.
.P
The use of ACPI error injection.
.P
The specification of the ACPI RDSP address.
.P
The use of ACPI custom methods.
.RE
.P
The following facilities are restricted:
.P
.RS
Only validly signed modules may be loaded.
.P
Only validly signed binaries may be kexec'd.
.P
Only validly signed device firmware may be loaded.
.P
Only validly signed wifi databases may be use.
.P
Unencrypted hibernation/suspend to swap are disallowed as the kernel image is
saved to a medium that can then be accessed.
.P
Use of debugfs is not permitted as this allows a whole range of actions
including direct configuration of, access to and driving of hardware.
.RE
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH SEE ALSO
.ad l
.nh

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Draft manpage explaining kernel lockdown

[Johannes Berg]

On Thu, 2017-10-05 at 12:00 +0100, David Howells wrote:
> 
> Only validly signed wifi databases may be use.

We don't even have this yet, and when we do, we want this to be the
case for typical configurations regardless of lockdown.

johannes

Re: Draft manpage explaining kernel lockdown

[Johannes Berg]

On Thu, 2017-10-05 at 12:00 +0100, David Howells wrote:
> 
> Only validly signed wifi databases may be use.

We don't even have this yet, and when we do, we want this to be the
case for typical configurations regardless of lockdown.

johannes

Draft manpage explaining kernel lockdown

[Johannes Berg]

On Thu, 2017-10-05 at 12:00 +0100, David Howells wrote:
> 
> Only validly signed wifi databases may be use.

We don't even have this yet, and when we do, we want this to be the
case for typical configurations regardless of lockdown.

johannes
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Draft manpage explaining kernel lockdown

[Florian Weimer]

On 10/05/2017 01:00 PM, David Howells wrote:
> Lockdown is typically enabled during boot and may be terminated, if configured,
> by typing a special key combination on a directly attached physical keyboard.

Does this include a Bluetooth keyboard (which might not actually exist 
and might in reality be another server in the same rack, of course).

Thanks,
Florian

Re: Draft manpage explaining kernel lockdown

[Florian Weimer]

On 10/05/2017 01:00 PM, David Howells wrote:
> Lockdown is typically enabled during boot and may be terminated, if configured,
> by typing a special key combination on a directly attached physical keyboard.

Does this include a Bluetooth keyboard (which might not actually exist 
and might in reality be another server in the same rack, of course).

Thanks,
Florian

Re: Draft manpage explaining kernel lockdown

[Florian Weimer]

On 10/05/2017 01:00 PM, David Howells wrote:
> Lockdown is typically enabled during boot and may be terminated, if configured,
> by typing a special key combination on a directly attached physical keyboard.

Does this include a Bluetooth keyboard (which might not actually exist 
and might in reality be another server in the same rack, of course).

Thanks,
Florian

Draft manpage explaining kernel lockdown

[Florian Weimer]

On 10/05/2017 01:00 PM, David Howells wrote:
> Lockdown is typically enabled during boot and may be terminated, if configured,
> by typing a special key combination on a directly attached physical keyboard.

Does this include a Bluetooth keyboard (which might not actually exist 
and might in reality be another server in the same rack, of course).

Thanks,
Florian
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Draft manpage explaining kernel lockdown

[David Howells]

Johannes Berg <johannes@sipsolutions.net> wrote:

> > Only validly signed wifi databases may be use.
> 
> We don't even have this yet, and when we do, we want this to be the
> case for typical configurations regardless of lockdown.

Okay.

David

Re: Draft manpage explaining kernel lockdown

[David Howells]

Johannes Berg <johannes@sipsolutions.net> wrote:

> > Only validly signed wifi databases may be use.
> 
> We don't even have this yet, and when we do, we want this to be the
> case for typical configurations regardless of lockdown.

Okay.

David

Draft manpage explaining kernel lockdown

[David Howells]

Johannes Berg <johannes@sipsolutions.net> wrote:

> > Only validly signed wifi databases may be use.
> 
> We don't even have this yet, and when we do, we want this to be the
> case for typical configurations regardless of lockdown.

Okay.

David
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Draft manpage explaining kernel lockdown

[David Howells]

Florian Weimer <fweimer@redhat.com> wrote:

> > Lockdown is typically enabled during boot and may be terminated, if
> > configured, by typing a special key combination on a directly attached
> > physical keyboard.
> 
> Does this include a Bluetooth keyboard (which might not actually exist and
> might in reality be another server in the same rack, of course).

Ummm...  Interesting question.  I'm not sure how to tell.  I think it
shouldn't include a Bluetooth keyboard, and not even a serial console.

David

Re: Draft manpage explaining kernel lockdown

[David Howells]

Florian Weimer <fweimer@redhat.com> wrote:

> > Lockdown is typically enabled during boot and may be terminated, if
> > configured, by typing a special key combination on a directly attached
> > physical keyboard.
> 
> Does this include a Bluetooth keyboard (which might not actually exist and
> might in reality be another server in the same rack, of course).

Ummm...  Interesting question.  I'm not sure how to tell.  I think it
shouldn't include a Bluetooth keyboard, and not even a serial console.

David

Draft manpage explaining kernel lockdown

[David Howells]

Florian Weimer <fweimer@redhat.com> wrote:

> > Lockdown is typically enabled during boot and may be terminated, if
> > configured, by typing a special key combination on a directly attached
> > physical keyboard.
> 
> Does this include a Bluetooth keyboard (which might not actually exist and
> might in reality be another server in the same rack, of course).

Ummm...  Interesting question.  I'm not sure how to tell.  I think it
shouldn't include a Bluetooth keyboard, and not even a serial console.

David
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Draft manpage explaining kernel lockdown

[Ard Biesheuvel]

On 5 October 2017 at 12:00, David Howells <dhowells@redhat.com> wrote:
> Hi Ard, Michael,
>
> Attached is a draft for a manual page (kernel_lockdown.7) that I intend to
> point at from messages emitted when the kernel prohibits something because the
> kernel is in 'lockdown' mode, typically triggered by EFI secure boot.
>
> Let me know what you think.
>

> David
> ---
> .\"
> .\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
> .\" Written by David Howells (dhowells@redhat.com)
> .\"
> .\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
> .\" This program is free software; you can redistribute it and/or
> .\" modify it under the terms of the GNU General Public License
> .\" as published by the Free Software Foundation; either version
> .\" 2 of the License, or (at your option) any later version.
> .\" %%%LICENSE_END
> .\"
> .TH "KERNEL LOCKDOWN" 7 2017-10-05 Linux "Linux Programmer's Manual"
> .SH NAME
> Kernel Lockdown \- Kernel image access prevention feature
> .SH DESCRIPTION
> The Kernel Lockdown feature is designed to prevent both direct and indirect
> access to a running kernel image, attempting to protect against unauthorised
> modification of the kernel image and to prevent access to security and
> cryptographic data located in kernel memory, whilst still permitting driver
> modules to be loaded.
> .P
> Lockdown is typically enabled during boot and may be terminated, if configured,
> by typing a special key combination on a directly attached physical keyboard.
> .P
> If a prohibited or restricted feature is accessed or used, the kernel will emit
> a message that looks like:
> .P
> .RS
>         Lockdown: X is restricted, see man kernel_lockdown(7)
> .RE
> .P
> where X indicates what is restricted.
> .P
> On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
> if the system boots in EFI Secure Boot mode.
> .P
> If the kernel is appropriately configured, lockdown may be lifted by typing the
> appropriate sequence on a directly attached physical keyboard.  For x86
> machines, this is
> .IR SysRq+x .
> .\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
> .SH COVERAGE
> When lockdown is in effect, a number of things are disabled or restricted in
> use.  This includes special device files and kernel services that allow direct
> access of the kernel image:
> .P
> .RS
> /dev/mem
> .br
> /dev/kmem
> .br
> /dev/kcore
> .br
> /dev/ioports
> .br
> BPF memory access functions
> .RE
> .P
> and the ability to directly configure and control devices, so as to prevent the
> use of a device to access or modify a kernel image:
> .P
> .RS
> The use of module parameters that directly specify hardware parameters to
> drivers through the kernel command line or when loading a module.
> .P
> The use of direct PCI BAR access.
> .P
> The use of the ioperm and iopl instructions on x86.
> .P
> The use of the KD*IO console ioctls.
> .P
> The use of the TIOCSSERIAL serial ioctl.
> .P
> The alteration of MSR registers on x86.
> .P
> The replacement of the PCMCIA CIS.
> .P
> The overriding of ACPI tables.
> .P
> The use of ACPI error injection.
> .P
> The specification of the ACPI RDSP address.
> .P
> The use of ACPI custom methods.
> .RE
> .P
> The following facilities are restricted:
> .P
> .RS
> Only validly signed modules may be loaded.
> .P
> Only validly signed binaries may be kexec'd.
> .P
> Only validly signed device firmware may be loaded.
> .P
> Only validly signed wifi databases may be use.
> .P
> Unencrypted hibernation/suspend to swap are disallowed as the kernel image is
> saved to a medium that can then be accessed.
> .P
> Use of debugfs is not permitted as this allows a whole range of actions
> including direct configuration of, access to and driving of hardware.
> .RE
> .\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
> .SH SEE ALSO
> .ad l
> .nh
>

Hello David,

Thanks for putting this together. I will let others comment on the
details, but in general, this fully addresses my concern regarding the
unrealistic expectations one might create when printing 'your kernel
is in lockdown mode' into the kernel log without any clarification
what this might mean for your particular system.

Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

Re: Draft manpage explaining kernel lockdown

[Ard Biesheuvel]

On 5 October 2017 at 12:00, David Howells <dhowells@redhat.com> wrote:
> Hi Ard, Michael,
>
> Attached is a draft for a manual page (kernel_lockdown.7) that I intend to
> point at from messages emitted when the kernel prohibits something because the
> kernel is in 'lockdown' mode, typically triggered by EFI secure boot.
>
> Let me know what you think.
>

> David
> ---
> .\"
> .\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
> .\" Written by David Howells (dhowells@redhat.com)
> .\"
> .\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
> .\" This program is free software; you can redistribute it and/or
> .\" modify it under the terms of the GNU General Public License
> .\" as published by the Free Software Foundation; either version
> .\" 2 of the License, or (at your option) any later version.
> .\" %%%LICENSE_END
> .\"
> .TH "KERNEL LOCKDOWN" 7 2017-10-05 Linux "Linux Programmer's Manual"
> .SH NAME
> Kernel Lockdown \- Kernel image access prevention feature
> .SH DESCRIPTION
> The Kernel Lockdown feature is designed to prevent both direct and indirect
> access to a running kernel image, attempting to protect against unauthorised
> modification of the kernel image and to prevent access to security and
> cryptographic data located in kernel memory, whilst still permitting driver
> modules to be loaded.
> .P
> Lockdown is typically enabled during boot and may be terminated, if configured,
> by typing a special key combination on a directly attached physical keyboard.
> .P
> If a prohibited or restricted feature is accessed or used, the kernel will emit
> a message that looks like:
> .P
> .RS
>         Lockdown: X is restricted, see man kernel_lockdown(7)
> .RE
> .P
> where X indicates what is restricted.
> .P
> On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
> if the system boots in EFI Secure Boot mode.
> .P
> If the kernel is appropriately configured, lockdown may be lifted by typing the
> appropriate sequence on a directly attached physical keyboard.  For x86
> machines, this is
> .IR SysRq+x .
> .\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
> .SH COVERAGE
> When lockdown is in effect, a number of things are disabled or restricted in
> use.  This includes special device files and kernel services that allow direct
> access of the kernel image:
> .P
> .RS
> /dev/mem
> .br
> /dev/kmem
> .br
> /dev/kcore
> .br
> /dev/ioports
> .br
> BPF memory access functions
> .RE
> .P
> and the ability to directly configure and control devices, so as to prevent the
> use of a device to access or modify a kernel image:
> .P
> .RS
> The use of module parameters that directly specify hardware parameters to
> drivers through the kernel command line or when loading a module.
> .P
> The use of direct PCI BAR access.
> .P
> The use of the ioperm and iopl instructions on x86.
> .P
> The use of the KD*IO console ioctls.
> .P
> The use of the TIOCSSERIAL serial ioctl.
> .P
> The alteration of MSR registers on x86.
> .P
> The replacement of the PCMCIA CIS.
> .P
> The overriding of ACPI tables.
> .P
> The use of ACPI error injection.
> .P
> The specification of the ACPI RDSP address.
> .P
> The use of ACPI custom methods.
> .RE
> .P
> The following facilities are restricted:
> .P
> .RS
> Only validly signed modules may be loaded.
> .P
> Only validly signed binaries may be kexec'd.
> .P
> Only validly signed device firmware may be loaded.
> .P
> Only validly signed wifi databases may be use.
> .P
> Unencrypted hibernation/suspend to swap are disallowed as the kernel image is
> saved to a medium that can then be accessed.
> .P
> Use of debugfs is not permitted as this allows a whole range of actions
> including direct configuration of, access to and driving of hardware.
> .RE
> .\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
> .SH SEE ALSO
> .ad l
> .nh
>

Hello David,

Thanks for putting this together. I will let others comment on the
details, but in general, this fully addresses my concern regarding the
unrealistic expectations one might create when printing 'your kernel
is in lockdown mode' into the kernel log without any clarification
what this might mean for your particular system.

Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

Draft manpage explaining kernel lockdown

[Ard Biesheuvel]

On 5 October 2017 at 12:00, David Howells <dhowells@redhat.com> wrote:
> Hi Ard, Michael,
>
> Attached is a draft for a manual page (kernel_lockdown.7) that I intend to
> point at from messages emitted when the kernel prohibits something because the
> kernel is in 'lockdown' mode, typically triggered by EFI secure boot.
>
> Let me know what you think.
>

> David
> ---
> .\"
> .\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
> .\" Written by David Howells (dhowells at redhat.com)
> .\"
> .\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
> .\" This program is free software; you can redistribute it and/or
> .\" modify it under the terms of the GNU General Public License
> .\" as published by the Free Software Foundation; either version
> .\" 2 of the License, or (at your option) any later version.
> .\" %%%LICENSE_END
> .\"
> .TH "KERNEL LOCKDOWN" 7 2017-10-05 Linux "Linux Programmer's Manual"
> .SH NAME
> Kernel Lockdown \- Kernel image access prevention feature
> .SH DESCRIPTION
> The Kernel Lockdown feature is designed to prevent both direct and indirect
> access to a running kernel image, attempting to protect against unauthorised
> modification of the kernel image and to prevent access to security and
> cryptographic data located in kernel memory, whilst still permitting driver
> modules to be loaded.
> .P
> Lockdown is typically enabled during boot and may be terminated, if configured,
> by typing a special key combination on a directly attached physical keyboard.
> .P
> If a prohibited or restricted feature is accessed or used, the kernel will emit
> a message that looks like:
> .P
> .RS
>         Lockdown: X is restricted, see man kernel_lockdown(7)
> .RE
> .P
> where X indicates what is restricted.
> .P
> On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
> if the system boots in EFI Secure Boot mode.
> .P
> If the kernel is appropriately configured, lockdown may be lifted by typing the
> appropriate sequence on a directly attached physical keyboard.  For x86
> machines, this is
> .IR SysRq+x .
> .\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
> .SH COVERAGE
> When lockdown is in effect, a number of things are disabled or restricted in
> use.  This includes special device files and kernel services that allow direct
> access of the kernel image:
> .P
> .RS
> /dev/mem
> .br
> /dev/kmem
> .br
> /dev/kcore
> .br
> /dev/ioports
> .br
> BPF memory access functions
> .RE
> .P
> and the ability to directly configure and control devices, so as to prevent the
> use of a device to access or modify a kernel image:
> .P
> .RS
> The use of module parameters that directly specify hardware parameters to
> drivers through the kernel command line or when loading a module.
> .P
> The use of direct PCI BAR access.
> .P
> The use of the ioperm and iopl instructions on x86.
> .P
> The use of the KD*IO console ioctls.
> .P
> The use of the TIOCSSERIAL serial ioctl.
> .P
> The alteration of MSR registers on x86.
> .P
> The replacement of the PCMCIA CIS.
> .P
> The overriding of ACPI tables.
> .P
> The use of ACPI error injection.
> .P
> The specification of the ACPI RDSP address.
> .P
> The use of ACPI custom methods.
> .RE
> .P
> The following facilities are restricted:
> .P
> .RS
> Only validly signed modules may be loaded.
> .P
> Only validly signed binaries may be kexec'd.
> .P
> Only validly signed device firmware may be loaded.
> .P
> Only validly signed wifi databases may be use.
> .P
> Unencrypted hibernation/suspend to swap are disallowed as the kernel image is
> saved to a medium that can then be accessed.
> .P
> Use of debugfs is not permitted as this allows a whole range of actions
> including direct configuration of, access to and driving of hardware.
> .RE
> .\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
> .SH SEE ALSO
> .ad l
> .nh
>

Hello David,

Thanks for putting this together. I will let others comment on the
details, but in general, this fully addresses my concern regarding the
unrealistic expectations one might create when printing 'your kernel
is in lockdown mode' into the kernel log without any clarification
what this might mean for your particular system.

Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Draft manpage explaining kernel lockdown

[Randy Dunlap]

On 10/05/17 04:07, Johannes Berg wrote:
> On Thu, 2017-10-05 at 12:00 +0100, David Howells wrote:
>>
>> Only validly signed wifi databases may be use.

s/use/used/

> We don't even have this yet, and when we do, we want this to be the
> case for typical configurations regardless of lockdown.


-- 
~Randy

Re: Draft manpage explaining kernel lockdown

[Randy Dunlap]

On 10/05/17 04:07, Johannes Berg wrote:
> On Thu, 2017-10-05 at 12:00 +0100, David Howells wrote:
>>
>> Only validly signed wifi databases may be use.

s/use/used/

> We don't even have this yet, and when we do, we want this to be the
> case for typical configurations regardless of lockdown.


-- 
~Randy

Draft manpage explaining kernel lockdown

[Randy Dunlap]

On 10/05/17 04:07, Johannes Berg wrote:
> On Thu, 2017-10-05 at 12:00 +0100, David Howells wrote:
>>
>> Only validly signed wifi databases may be use.

s/use/used/

> We don't even have this yet, and when we do, we want this to be the
> case for typical configurations regardless of lockdown.


-- 
~Randy
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Draft manpage explaining kernel lockdown

[joeyli]

Hi David,

On Thu, Oct 05, 2017 at 12:00:24PM +0100, David Howells wrote:
> Hi Ard, Michael,
> 
> Attached is a draft for a manual page (kernel_lockdown.7) that I intend to
> point at from messages emitted when the kernel prohibits something because the
> kernel is in 'lockdown' mode, typically triggered by EFI secure boot.
> 
> Let me know what you think.
> 
> David
> ---
[...snip]
> When lockdown is in effect, a number of things are disabled or restricted in
> use.  This includes special device files and kernel services that allow direct
> access of the kernel image:
> .P
> .RS
> /dev/mem
> .br
> /dev/kmem
> .br
> /dev/kcore
> .br
> /dev/ioports
> .br
> BPF memory access functions

Some information for note...

The BPF functions bpf_probe_read(), bpf_trace_printk() and
bpf_probe_write_user() need to be lockdown to avoid accessing
arbitrary addess.

Our original idea is trying to filter out senstivie data address
at runtime by eBPF verifier. But it can not be success. Gary Lin has
investigated and comment:

  Although eBPF verifier can stop the reading from the hard-coded address, 
  it's not able to stop reading arguments in the probed functions. So if 
  the malicious user attaches a eBPF program to a function that is used to 
  process the sensitive data, the eBPF program can print those arguments 
  easily and this might leak the passwords or private keys.

If we readlly want to allow eBPF code to access memory, then I think that the
bpf bytecode should be signed by trused key in system keyring.

> .RE
> .P

Another function may needs to be restrictred:

- The perf_event_open() with PERF_SAMPLE_REGS_INTR

  Jann Horn raised this concern. The tool can be used to grab register
  to peep sensitive data. We may need to block this tracing function.

Regards
Joey Lee

Re: Draft manpage explaining kernel lockdown

[joeyli]

Hi David,

On Thu, Oct 05, 2017 at 12:00:24PM +0100, David Howells wrote:
> Hi Ard, Michael,
> 
> Attached is a draft for a manual page (kernel_lockdown.7) that I intend to
> point at from messages emitted when the kernel prohibits something because the
> kernel is in 'lockdown' mode, typically triggered by EFI secure boot.
> 
> Let me know what you think.
> 
> David
> ---
[...snip]
> When lockdown is in effect, a number of things are disabled or restricted in
> use.  This includes special device files and kernel services that allow direct
> access of the kernel image:
> .P
> .RS
> /dev/mem
> .br
> /dev/kmem
> .br
> /dev/kcore
> .br
> /dev/ioports
> .br
> BPF memory access functions

Some information for note...

The BPF functions bpf_probe_read(), bpf_trace_printk() and
bpf_probe_write_user() need to be lockdown to avoid accessing
arbitrary addess.

Our original idea is trying to filter out senstivie data address
at runtime by eBPF verifier. But it can not be success. Gary Lin has
investigated and comment:

  Although eBPF verifier can stop the reading from the hard-coded address, 
  it's not able to stop reading arguments in the probed functions. So if 
  the malicious user attaches a eBPF program to a function that is used to 
  process the sensitive data, the eBPF program can print those arguments 
  easily and this might leak the passwords or private keys.

If we readlly want to allow eBPF code to access memory, then I think that the
bpf bytecode should be signed by trused key in system keyring.

> .RE
> .P

Another function may needs to be restrictred:

- The perf_event_open() with PERF_SAMPLE_REGS_INTR

  Jann Horn raised this concern. The tool can be used to grab register
  to peep sensitive data. We may need to block this tracing function.

Regards
Joey Lee

Re: Draft manpage explaining kernel lockdown

[joeyli]

Hi David,

On Thu, Oct 05, 2017 at 12:00:24PM +0100, David Howells wrote:
> Hi Ard, Michael,
> 
> Attached is a draft for a manual page (kernel_lockdown.7) that I intend to
> point at from messages emitted when the kernel prohibits something because the
> kernel is in 'lockdown' mode, typically triggered by EFI secure boot.
> 
> Let me know what you think.
> 
> David
> ---
[...snip]
> When lockdown is in effect, a number of things are disabled or restricted in
> use.  This includes special device files and kernel services that allow direct
> access of the kernel image:
> .P
> .RS
> /dev/mem
> .br
> /dev/kmem
> .br
> /dev/kcore
> .br
> /dev/ioports
> .br
> BPF memory access functions

Some information for note...

The BPF functions bpf_probe_read(), bpf_trace_printk() and
bpf_probe_write_user() need to be lockdown to avoid accessing
arbitrary addess.

Our original idea is trying to filter out senstivie data address
at runtime by eBPF verifier. But it can not be success. Gary Lin has
investigated and comment:

  Although eBPF verifier can stop the reading from the hard-coded address, 
  it's not able to stop reading arguments in the probed functions. So if 
  the malicious user attaches a eBPF program to a function that is used to 
  process the sensitive data, the eBPF program can print those arguments 
  easily and this might leak the passwords or private keys.

If we readlly want to allow eBPF code to access memory, then I think that the
bpf bytecode should be signed by trused key in system keyring.

> .RE
> .P

Another function may needs to be restrictred:

- The perf_event_open() with PERF_SAMPLE_REGS_INTR

  Jann Horn raised this concern. The tool can be used to grab register
  to peep sensitive data. We may need to block this tracing function.

Regards
Joey Lee
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Draft manpage explaining kernel lockdown

[joeyli]

Hi David,

On Thu, Oct 05, 2017 at 12:00:24PM +0100, David Howells wrote:
> Hi Ard, Michael,
> 
> Attached is a draft for a manual page (kernel_lockdown.7) that I intend to
> point at from messages emitted when the kernel prohibits something because the
> kernel is in 'lockdown' mode, typically triggered by EFI secure boot.
> 
> Let me know what you think.
> 
> David
> ---
[...snip]
> When lockdown is in effect, a number of things are disabled or restricted in
> use.  This includes special device files and kernel services that allow direct
> access of the kernel image:
> .P
> .RS
> /dev/mem
> .br
> /dev/kmem
> .br
> /dev/kcore
> .br
> /dev/ioports
> .br
> BPF memory access functions

Some information for note...

The BPF functions bpf_probe_read(), bpf_trace_printk() and
bpf_probe_write_user() need to be lockdown to avoid accessing
arbitrary addess.

Our original idea is trying to filter out senstivie data address
at runtime by eBPF verifier. But it can not be success. Gary Lin has
investigated and comment:

  Although eBPF verifier can stop the reading from the hard-coded address, 
  it's not able to stop reading arguments in the probed functions. So if 
  the malicious user attaches a eBPF program to a function that is used to 
  process the sensitive data, the eBPF program can print those arguments 
  easily and this might leak the passwords or private keys.

If we readlly want to allow eBPF code to access memory, then I think that the
bpf bytecode should be signed by trused key in system keyring.

> .RE
> .P

Another function may needs to be restrictred:

- The perf_event_open() with PERF_SAMPLE_REGS_INTR

  Jann Horn raised this concern. The tool can be used to grab register
  to peep sensitive data. We may need to block this tracing function.

Regards
Joey Lee
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Draft manpage explaining kernel lockdown

[Michael Kerrisk (man-pages)]

Hi David,

On 10/05/2017 01:00 PM, David Howells wrote:
> Hi Ard, Michael,
> 
> Attached is a draft for a manual page (kernel_lockdown.7) that I intend to
> point at from messages emitted when the kernel prohibits something because the
> kernel is in 'lockdown' mode, typically triggered by EFI secure boot.
> 
> Let me know what you think.

Thanks for the page proposal. Several people sent feedback. Will you
revise the draft?

Thanks,

Michael


> David
> ---
> .\"
> .\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
> .\" Written by David Howells (dhowells@redhat.com)
> .\"
> .\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
> .\" This program is free software; you can redistribute it and/or
> .\" modify it under the terms of the GNU General Public License
> .\" as published by the Free Software Foundation; either version
> .\" 2 of the License, or (at your option) any later version.
> .\" %%%LICENSE_END
> .\"
> .TH "KERNEL LOCKDOWN" 7 2017-10-05 Linux "Linux Programmer's Manual"
> .SH NAME
> Kernel Lockdown \- Kernel image access prevention feature
> .SH DESCRIPTION
> The Kernel Lockdown feature is designed to prevent both direct and indirect
> access to a running kernel image, attempting to protect against unauthorised
> modification of the kernel image and to prevent access to security and
> cryptographic data located in kernel memory, whilst still permitting driver
> modules to be loaded.
> .P
> Lockdown is typically enabled during boot and may be terminated, if configured,
> by typing a special key combination on a directly attached physical keyboard.
> .P
> If a prohibited or restricted feature is accessed or used, the kernel will emit
> a message that looks like:
> .P
> .RS
> 	Lockdown: X is restricted, see man kernel_lockdown(7)
> .RE
> .P
> where X indicates what is restricted.
> .P
> On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
> if the system boots in EFI Secure Boot mode.
> .P
> If the kernel is appropriately configured, lockdown may be lifted by typing the
> appropriate sequence on a directly attached physical keyboard.  For x86
> machines, this is
> .IR SysRq+x .
> .\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
> .SH COVERAGE
> When lockdown is in effect, a number of things are disabled or restricted in
> use.  This includes special device files and kernel services that allow direct
> access of the kernel image:
> .P
> .RS
> /dev/mem
> .br
> /dev/kmem
> .br
> /dev/kcore
> .br
> /dev/ioports
> .br
> BPF memory access functions
> .RE
> .P
> and the ability to directly configure and control devices, so as to prevent the
> use of a device to access or modify a kernel image:
> .P
> .RS
> The use of module parameters that directly specify hardware parameters to
> drivers through the kernel command line or when loading a module.
> .P
> The use of direct PCI BAR access.
> .P
> The use of the ioperm and iopl instructions on x86.
> .P
> The use of the KD*IO console ioctls.
> .P
> The use of the TIOCSSERIAL serial ioctl.
> .P
> The alteration of MSR registers on x86.
> .P
> The replacement of the PCMCIA CIS.
> .P
> The overriding of ACPI tables.
> .P
> The use of ACPI error injection.
> .P
> The specification of the ACPI RDSP address.
> .P
> The use of ACPI custom methods.
> .RE
> .P
> The following facilities are restricted:
> .P
> .RS
> Only validly signed modules may be loaded.
> .P
> Only validly signed binaries may be kexec'd.
> .P
> Only validly signed device firmware may be loaded.
> .P
> Only validly signed wifi databases may be use.
> .P
> Unencrypted hibernation/suspend to swap are disallowed as the kernel image is
> saved to a medium that can then be accessed.
> .P
> Use of debugfs is not permitted as this allows a whole range of actions
> including direct configuration of, access to and driving of hardware.
> .RE
> .\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
> .SH SEE ALSO
> .ad l
> .nh
> 
> 


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/

Re: Draft manpage explaining kernel lockdown

[Michael Kerrisk (man-pages)]

Hi David,

On 10/05/2017 01:00 PM, David Howells wrote:
> Hi Ard, Michael,
> 
> Attached is a draft for a manual page (kernel_lockdown.7) that I intend to
> point at from messages emitted when the kernel prohibits something because the
> kernel is in 'lockdown' mode, typically triggered by EFI secure boot.
> 
> Let me know what you think.

Thanks for the page proposal. Several people sent feedback. Will you
revise the draft?

Thanks,

Michael


> David
> ---
> .\"
> .\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
> .\" Written by David Howells (dhowells@redhat.com)
> .\"
> .\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
> .\" This program is free software; you can redistribute it and/or
> .\" modify it under the terms of the GNU General Public License
> .\" as published by the Free Software Foundation; either version
> .\" 2 of the License, or (at your option) any later version.
> .\" %%%LICENSE_END
> .\"
> .TH "KERNEL LOCKDOWN" 7 2017-10-05 Linux "Linux Programmer's Manual"
> .SH NAME
> Kernel Lockdown \- Kernel image access prevention feature
> .SH DESCRIPTION
> The Kernel Lockdown feature is designed to prevent both direct and indirect
> access to a running kernel image, attempting to protect against unauthorised
> modification of the kernel image and to prevent access to security and
> cryptographic data located in kernel memory, whilst still permitting driver
> modules to be loaded.
> .P
> Lockdown is typically enabled during boot and may be terminated, if configured,
> by typing a special key combination on a directly attached physical keyboard.
> .P
> If a prohibited or restricted feature is accessed or used, the kernel will emit
> a message that looks like:
> .P
> .RS
> 	Lockdown: X is restricted, see man kernel_lockdown(7)
> .RE
> .P
> where X indicates what is restricted.
> .P
> On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
> if the system boots in EFI Secure Boot mode.
> .P
> If the kernel is appropriately configured, lockdown may be lifted by typing the
> appropriate sequence on a directly attached physical keyboard.  For x86
> machines, this is
> .IR SysRq+x .
> .\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
> .SH COVERAGE
> When lockdown is in effect, a number of things are disabled or restricted in
> use.  This includes special device files and kernel services that allow direct
> access of the kernel image:
> .P
> .RS
> /dev/mem
> .br
> /dev/kmem
> .br
> /dev/kcore
> .br
> /dev/ioports
> .br
> BPF memory access functions
> .RE
> .P
> and the ability to directly configure and control devices, so as to prevent the
> use of a device to access or modify a kernel image:
> .P
> .RS
> The use of module parameters that directly specify hardware parameters to
> drivers through the kernel command line or when loading a module.
> .P
> The use of direct PCI BAR access.
> .P
> The use of the ioperm and iopl instructions on x86.
> .P
> The use of the KD*IO console ioctls.
> .P
> The use of the TIOCSSERIAL serial ioctl.
> .P
> The alteration of MSR registers on x86.
> .P
> The replacement of the PCMCIA CIS.
> .P
> The overriding of ACPI tables.
> .P
> The use of ACPI error injection.
> .P
> The specification of the ACPI RDSP address.
> .P
> The use of ACPI custom methods.
> .RE
> .P
> The following facilities are restricted:
> .P
> .RS
> Only validly signed modules may be loaded.
> .P
> Only validly signed binaries may be kexec'd.
> .P
> Only validly signed device firmware may be loaded.
> .P
> Only validly signed wifi databases may be use.
> .P
> Unencrypted hibernation/suspend to swap are disallowed as the kernel image is
> saved to a medium that can then be accessed.
> .P
> Use of debugfs is not permitted as this allows a whole range of actions
> including direct configuration of, access to and driving of hardware.
> .RE
> .\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
> .SH SEE ALSO
> .ad l
> .nh
> 
> 


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/

Draft manpage explaining kernel lockdown

[Michael Kerrisk (man-pages)]

Hi David,

On 10/05/2017 01:00 PM, David Howells wrote:
> Hi Ard, Michael,
> 
> Attached is a draft for a manual page (kernel_lockdown.7) that I intend to
> point at from messages emitted when the kernel prohibits something because the
> kernel is in 'lockdown' mode, typically triggered by EFI secure boot.
> 
> Let me know what you think.

Thanks for the page proposal. Several people sent feedback. Will you
revise the draft?

Thanks,

Michael


> David
> ---
> .\"
> .\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
> .\" Written by David Howells (dhowells at redhat.com)
> .\"
> .\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
> .\" This program is free software; you can redistribute it and/or
> .\" modify it under the terms of the GNU General Public License
> .\" as published by the Free Software Foundation; either version
> .\" 2 of the License, or (at your option) any later version.
> .\" %%%LICENSE_END
> .\"
> .TH "KERNEL LOCKDOWN" 7 2017-10-05 Linux "Linux Programmer's Manual"
> .SH NAME
> Kernel Lockdown \- Kernel image access prevention feature
> .SH DESCRIPTION
> The Kernel Lockdown feature is designed to prevent both direct and indirect
> access to a running kernel image, attempting to protect against unauthorised
> modification of the kernel image and to prevent access to security and
> cryptographic data located in kernel memory, whilst still permitting driver
> modules to be loaded.
> .P
> Lockdown is typically enabled during boot and may be terminated, if configured,
> by typing a special key combination on a directly attached physical keyboard.
> .P
> If a prohibited or restricted feature is accessed or used, the kernel will emit
> a message that looks like:
> .P
> .RS
> 	Lockdown: X is restricted, see man kernel_lockdown(7)
> .RE
> .P
> where X indicates what is restricted.
> .P
> On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
> if the system boots in EFI Secure Boot mode.
> .P
> If the kernel is appropriately configured, lockdown may be lifted by typing the
> appropriate sequence on a directly attached physical keyboard.  For x86
> machines, this is
> .IR SysRq+x .
> .\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
> .SH COVERAGE
> When lockdown is in effect, a number of things are disabled or restricted in
> use.  This includes special device files and kernel services that allow direct
> access of the kernel image:
> .P
> .RS
> /dev/mem
> .br
> /dev/kmem
> .br
> /dev/kcore
> .br
> /dev/ioports
> .br
> BPF memory access functions
> .RE
> .P
> and the ability to directly configure and control devices, so as to prevent the
> use of a device to access or modify a kernel image:
> .P
> .RS
> The use of module parameters that directly specify hardware parameters to
> drivers through the kernel command line or when loading a module.
> .P
> The use of direct PCI BAR access.
> .P
> The use of the ioperm and iopl instructions on x86.
> .P
> The use of the KD*IO console ioctls.
> .P
> The use of the TIOCSSERIAL serial ioctl.
> .P
> The alteration of MSR registers on x86.
> .P
> The replacement of the PCMCIA CIS.
> .P
> The overriding of ACPI tables.
> .P
> The use of ACPI error injection.
> .P
> The specification of the ACPI RDSP address.
> .P
> The use of ACPI custom methods.
> .RE
> .P
> The following facilities are restricted:
> .P
> .RS
> Only validly signed modules may be loaded.
> .P
> Only validly signed binaries may be kexec'd.
> .P
> Only validly signed device firmware may be loaded.
> .P
> Only validly signed wifi databases may be use.
> .P
> Unencrypted hibernation/suspend to swap are disallowed as the kernel image is
> saved to a medium that can then be accessed.
> .P
> Use of debugfs is not permitted as this allows a whole range of actions
> including direct configuration of, access to and driving of hardware.
> .RE
> .\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
> .SH SEE ALSO
> .ad l
> .nh
> 
> 


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Draft manpage explaining kernel lockdown

[Pavel Machek]

[-- Attachment #1: Type: text/plain, Size: 550 bytes --]

Hi!

> Attached is a draft for a manual page (kernel_lockdown.7) that I intend to
> point at from messages emitted when the kernel prohibits something because the
> kernel is in 'lockdown' mode, typically triggered by EFI secure
> boot.

What about livepatching? It allows kernel modifications.. and it has
some interestlingly insecure /sys controls being merged just now...

								Pavel
								
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

Re: Draft manpage explaining kernel lockdown

[Pavel Machek]

[-- Attachment #1: Type: text/plain, Size: 550 bytes --]

Hi!

> Attached is a draft for a manual page (kernel_lockdown.7) that I intend to
> point at from messages emitted when the kernel prohibits something because the
> kernel is in 'lockdown' mode, typically triggered by EFI secure
> boot.

What about livepatching? It allows kernel modifications.. and it has
some interestlingly insecure /sys controls being merged just now...

								Pavel
								
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

Re: Draft manpage explaining kernel lockdown

[Pavel Machek]

[-- Attachment #1: Type: text/plain, Size: 550 bytes --]

Hi!

> Attached is a draft for a manual page (kernel_lockdown.7) that I intend to
> point at from messages emitted when the kernel prohibits something because the
> kernel is in 'lockdown' mode, typically triggered by EFI secure
> boot.

What about livepatching? It allows kernel modifications.. and it has
some interestlingly insecure /sys controls being merged just now...

								Pavel
								
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]