From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757377AbdDFMuS (ORCPT ); Thu, 6 Apr 2017 08:50:18 -0400
Received: from mx1.redhat.com ([209.132.183.28]:57422 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1757012AbdDFMuB (ORCPT ); Thu, 6 Apr 2017 08:50:01 -0400
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com EF0D6624BE
Authentication-Results: ext-mx10.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx10.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=dhowells@redhat.com
DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com EF0D6624BE
Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903
Subject: [PATCH 1/5] efi: Move the x86 secure boot switch to generic code
From: David Howells
To: ard.biesheuvel@linaro.org
Cc: dhowells@redhat.com, matthew.garrett@nebula.com, linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Thu, 06 Apr 2017 13:49:57 +0100
Message-ID: <149148299794.3427.549144000807596903.stgit@warthog.procyon.org.uk>
User-Agent: StGit/0.17.1-dirty
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Thu, 06 Apr 2017 12:50:00 +0000 (UTC)
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

Move the switch-statement in x86's setup_arch() that interprets the secure_boot boot parameter to generic code.

Suggested-by: Ard Biesheuvel
Signed-off-by: David Howells --- arch/x86/kernel/setup.c | 14 +------------- drivers/firmware/efi/Kconfig | 23 +++++++++++++++++++++++ drivers/firmware/efi/Makefile | 3 ++- drivers/firmware/efi/secure_boot.c | 34 ++++++++++++++++++++++++++++++++++ include/linux/efi.h | 6 ++++++ 5 files changed, 66 insertions(+), 14 deletions(-) create mode 100644 drivers/firmware/efi/secure_boot.c diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c index 4bf0c8926a1c..b89979ffa6e5 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -1178,19 +1178,7 @@ void __init setup_arch(char **cmdline_p) /* Allocate bigger log buffer */ setup_log_buf(1); - if (efi_enabled(EFI_BOOT)) { - switch (boot_params.secure_boot) { - case efi_secureboot_mode_disabled: - pr_info("Secure boot disabled\n"); - break; - case efi_secureboot_mode_enabled: - pr_info("Secure boot enabled\n"); - break; - default: - pr_info("Secure boot could not be determined\n"); - break; - } - } + efi_set_secure_boot(boot_params.secure_boot); reserve_initrd(); diff --git a/drivers/firmware/efi/Kconfig b/drivers/firmware/efi/Kconfig index 2e78b0b96d74..4b902ffbfcf4 100644 --- a/drivers/firmware/efi/Kconfig +++ b/drivers/firmware/efi/Kconfig 
@@ -84,6 +84,29 @@ config EFI_PARAMS_FROM_FDT config EFI_RUNTIME_WRAPPERS bool +config EFI_SECURE_BOOT + bool "Support UEFI Secure Boot and lock down the kernel in secure boot mode" + default n + help + UEFI Secure Boot provides a mechanism for ensuring that the firmware + will only load signed bootloaders and kernels. Secure boot mode may + be determined from EFI variables provided by the BIOS if not + indicated by the boot parameters. + + Enabling this option turns on support for UEFI secure boot in the + kernel. This will result in various kernel facilities being locked + away from userspace if the kernel detects that it has been booted in + secure boot mode. If it hasn't been booted in secure boot mode, or + this cannot be determined, the lock down doesn't occur. + + The kernel facilities that get locked down include: + - Viewing or changing the kernel's memory + - Directly accessing ioports + - Directly specifying ioports and other hardware parameters to drivers + - Storing the kernel image unencrypted for hibernation + - Loading unsigned modules + - Kexec'ing unsigned images + config EFI_ARMSTUB bool diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile index ad67342313ed..65969f840685 100644 --- a/drivers/firmware/efi/Makefile +++ b/drivers/firmware/efi/Makefile @@ -22,7 +22,8 @@ obj-$(CONFIG_EFI_FAKE_MEMMAP) += fake_mem.o obj-$(CONFIG_EFI_BOOTLOADER_CONTROL) += efibc.o obj-$(CONFIG_EFI_TEST) += test/ obj-$(CONFIG_EFI_DEV_PATH_PARSER) += dev-path-parser.o -obj-$(CONFIG_APPLE_PROPERTIES) += apple-properties.o +obj-$(CONFIG_EFI_SECURE_BOOT) += secure_boot.o +obj-$(CONFIG_APPLE_PROPERTIES) += apple-properties.oo arm-obj-$(CONFIG_EFI) := arm-init.o arm-runtime.o obj-$(CONFIG_ARM) += $(arm-obj-y) diff --git a/drivers/firmware/efi/secure_boot.c b/drivers/firmware/efi/secure_boot.c new file mode 100644 index 000000000000..cf5bccae15e8 --- /dev/null +++ b/drivers/firmware/efi/secure_boot.c 
@@ -0,0 +1,34 @@ +/* Core kernel secure boot support. + * + * Copyright (C) 2017 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public Licence + * as published by the Free Software Foundation; either version + * 2 of the Licence, or (at your option) any later version. + */ + +#include +#include +#include + +/* + * Decide what to do when UEFI secure boot mode is enabled. + */ +void __init efi_set_secure_boot(enum efi_secureboot_mode mode) +{ + if (efi_enabled(EFI_BOOT)) { + switch (mode) { + case efi_secureboot_mode_disabled: + pr_info("Secure boot disabled\n"); + break; + case efi_secureboot_mode_enabled: + pr_info("Secure boot enabled\n"); + break; + default: + pr_info("Secure boot could not be determined\n"); + break; + } + } +} diff --git a/include/linux/efi.h b/include/linux/efi.h index 94d34e0be24f..d8938a780290 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -1488,6 +1488,12 @@ enum efi_secureboot_mode { }; enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table); +#ifdef CONFIG_EFI_SECURE_BOOT +void __init efi_set_secure_boot(enum efi_secureboot_mode mode); +#else +static inline void efi_set_secure_boot(enum efi_secureboot_mode mode) {} +#endif + /* * Arch code can implement the following three template macros, avoiding * reptition for the void/non-void return cases of {__,}efi_call_virt():
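Review bot: in the arch/x86/kernel/setup.c hunk, the replacement call efi_set_secure_boot(boot_params.secure_boot) is now made unconditionally and relies on the callee's efi_enabled(EFI_BOOT) guard, which preserves the previous x86 behaviour; but boot_params.secure_boot is x86-specific and, going by the diffstat, no other architecture gains a caller even though the new helper lives in drivers/firmware/efi/. The commit message ("move ... to generic code") should say whether non-x86 EFI init paths are expected to call efi_set_secure_boot() themselves in a later patch.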
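Review bot: the EFI_SECURE_BOOT help text in the drivers/firmware/efi/Kconfig hunk promises that kernel memory access, ioports, unencrypted hibernation images, unsigned modules and unsigned kexec images will be locked down, but nothing in this patch implements any of that: secure_boot.c only logs the mode. Either trim the help text to what this patch does or state that the lockdown hooks arrive in the remaining patches of the series, so a reader enabling the option in this state is not misled about what it protects. Two minor points: `default n` is already the implicit default for a bool symbol and can be dropped, and "EFI variables provided by the BIOS" should read "firmware", since these are UEFI variables.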
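Review bot: in the drivers/firmware/efi/Makefile hunk, the re-added line reads `+obj-$(CONFIG_APPLE_PROPERTIES) += apple-properties.oo`, with a doubled `o`; as shown, kbuild would have no rule to produce apple-properties.oo and any configuration with APPLE_PROPERTIES enabled would fail to link. If this is not an artifact of the archive rendering, restore `apple-properties.o`; better still, insert the `secure_boot.o` line without touching the unrelated APPLE_PROPERTIES entry at all, which also keeps the hunk a pure one-line addition.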
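Review bot: efi_set_secure_boot() in the new drivers/firmware/efi/secure_boot.c only prints the mode and then discards it, so nothing outside this function can later ask whether the machine booted in secure boot mode, which is exactly the state the Kconfig text says will drive the lockdown. Consider recording the mode in a file-scope variable (or invoking a lockdown hook) here so that the later patches have something to query, and reword the comment "Decide what to do when UEFI secure boot mode is enabled", which overstates what the function currently decides. Also, the three `#include` lines are empty in this archive rendering (the header names have been lost), so the original message should be checked before the patch is applied.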
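Review bot: the include/linux/efi.h hunk turns efi_set_secure_boot() into an empty static inline when CONFIG_EFI_SECURE_BOOT is unset, and the new option defaults to n, so the "Secure boot enabled/disabled/could not be determined" message that setup_arch() used to print on every EFI boot silently disappears from the default x86 configuration. That is a user-visible change that the commit message does not mention; either keep the informational message unconditional (for example by building secure_boot.o whenever CONFIG_EFI is set and gating only the lockdown behaviour on the new option) or state the change explicitly in the commit message.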