* LockDown that allows read of /dev/mem ?
@ 2021-06-19 23:55 David F.
  2021-06-21 10:27 ` Enrico Weigelt, metux IT consult
  0 siblings, 1 reply; 4+ messages in thread
From: David F. @ 2021-06-19 23:55 UTC (permalink / raw)
  To: linux-kernel

I'm finding that LockDown Integrity blocks things like mdadm,
Xvesa, and a couple of my specialized tools. There should be an
option to allow /dev/mem read access. Is there? There are no secrets
in the boot-disk-booted environment; it's all root.

?


* Re: LockDown that allows read of /dev/mem ?
  2021-06-19 23:55 LockDown that allows read of /dev/mem ? David F.
@ 2021-06-21 10:27 ` Enrico Weigelt, metux IT consult
  2021-06-21 15:29   ` David F.
  0 siblings, 1 reply; 4+ messages in thread
From: Enrico Weigelt, metux IT consult @ 2021-06-21 10:27 UTC (permalink / raw)
  To: David F., linux-kernel

On 20.06.21 01:55, David F. wrote:

> I'm finding that LockDown Integrity blocks things like mdadm,
> Xvesa, and a couple of my specialized tools. There should be an
> option to allow /dev/mem read access. Is there? There are no secrets
> in the boot-disk-booted environment; it's all root.

Looks like a conflict of goals. Lockdown is used in scenarios where one
really doesn't take any chance that code running w/ root privileges can
do such things (there's a lot of security-critical information one can
learn from reading raw memory).

I wonder what your actual use case is.

* why are you using lockdown and also running everything as root?
* why are you still using the old Xvesa instead of using KMS or the
  framebuffer device?
* why does mdadm want to access /dev/mem?



--mtx

-- 
---
Note: unencrypted e-mails can easily be intercepted and manipulated!
For confidential communication, please send your GPG/PGP key.
---
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
info@metux.net -- +49-151-27565287


* Re: LockDown that allows read of /dev/mem ?
  2021-06-21 10:27 ` Enrico Weigelt, metux IT consult
@ 2021-06-21 15:29   ` David F.
  2021-07-02  7:42     ` Enrico Weigelt, metux IT consult
  0 siblings, 1 reply; 4+ messages in thread
From: David F. @ 2021-06-21 15:29 UTC (permalink / raw)
  To: Enrico Weigelt, metux IT consult; +Cc: linux-kernel

Lockdown is required by secure boot and shim signing (to prevent ACPI
patching); root because its main use is a utility boot disk. If
lockdown could be forced when secure boot is active but not when it is
not active, that would be best, but I'm not seeing that option. The other
option may be to modify open_port in mem.c to do the secure boot check.
However, searching shows EFI_SECURE_BOOT doesn't exist in 5.10.x, as in
efi_enabled(EFI_SECURE_BOOT); it appears that is some other patch
that is not applied to the base. I do see struct boot_params has a
secure_boot field set, but can I access that from mem.c? If not, is
the efi_get_secureboot() function available when /drivers/char/mem.c may
be used?

On Mon, Jun 21, 2021 at 3:27 AM Enrico Weigelt, metux IT consult
<lkml@metux.net> wrote:
>
> On 20.06.21 01:55, David F. wrote:
>
> > I'm finding that LockDown Integrity blocks things like mdadm,
> > Xvesa, and a couple of my specialized tools. There should be an
> > option to allow /dev/mem read access. Is there? There are no secrets
> > in the boot-disk-booted environment; it's all root.
>
> Looks like a conflict of goals. Lockdown is used in scenarios where one
> really doesn't take any chance that code running w/ root privileges can
> do such things (there's a lot of security-critical information one can
> learn from reading raw memory).
>
> I wonder what your actual use case is.
>
> * why are you using lockdown and also running everything as root?
> * why are you still using the old Xvesa instead of using KMS or the
>   framebuffer device?
> * why does mdadm want to access /dev/mem?
>
>
>
> --mtx
>
> --
> ---
> Note: unencrypted e-mails can easily be intercepted and manipulated!
> For confidential communication, please send your GPG/PGP key.
> ---
> Enrico Weigelt, metux IT consult
> Free software and Linux embedded engineering
> info@metux.net -- +49-151-27565287

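The message above asks whether lockdown is what stands between the utility disk's tools and /dev/mem. The following userspace probe is an added example, not code from this thread or from the kernel tree: it reads the lockdown LSM's securityfs file (assumed mounted at the usual /sys/kernel/security/lockdown, whose format is "none [integrity] confidentiality" with the active mode in brackets), attempts the same open() that mdadm or Xvesa would, and tells the two EPERM sources apart, since open_port() in drivers/char/mem.c returns EPERM both for a missing CAP_SYS_RAWIO and for a LOCKDOWN_DEV_MEM denial. The helper names and the classification strings are this example's own.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* securityfs file exposed by the lockdown LSM (assumed mount point) */
#define LOCKDOWN_PATH "/sys/kernel/security/lockdown"

/* Parse a line such as "none [integrity] confidentiality\n" and copy the
 * bracketed (active) mode into out. Returns 1 on success, 0 if no bracketed
 * token is present or it does not fit. */
static int parse_lockdown_mode(const char *line, char *out, size_t outlen)
{
    const char *lb = strchr(line, '[');
    const char *rb = lb ? strchr(lb, ']') : NULL;
    size_t n;

    if (!lb || !rb || rb <= lb + 1)
        return 0;
    n = (size_t)(rb - lb - 1);
    if (n >= outlen)
        return 0;
    memcpy(out, lb + 1, n);
    out[n] = '\0';
    return 1;
}

/* LOCKDOWN_DEV_MEM is an integrity-level restriction, so both "integrity"
 * and "confidentiality" gate open() of /dev/mem; "none" leaves access to
 * CAP_SYS_RAWIO and, for RAM pages, CONFIG_STRICT_DEVMEM. */
static int lockdown_blocks_devmem(const char *mode)
{
    return strcmp(mode, "integrity") == 0 ||
           strcmp(mode, "confidentiality") == 0;
}

/* Read the live mode. Returns 1 and fills out on success, 0 when the file
 * is absent (lockdown LSM not built in, or securityfs not mounted). */
static int read_lockdown_mode(char *out, size_t outlen)
{
    char buf[128];
    ssize_t n;
    int fd = open(LOCKDOWN_PATH, O_RDONLY);

    if (fd < 0)
        return 0;
    n = read(fd, buf, sizeof(buf) - 1);
    close(fd);
    if (n <= 0)
        return 0;
    buf[n] = '\0';
    return parse_lockdown_mode(buf, out, outlen);
}

/* Map the errno from open("/dev/mem") to a cause. open_port() checks
 * CAP_SYS_RAWIO first and then security_locked_down(LOCKDOWN_DEV_MEM);
 * both yield EPERM, so the lockdown mode is needed to disambiguate. */
static const char *explain_devmem_open(int err, const char *lockdown_mode)
{
    switch (err) {
    case 0:
        return "open succeeded (reads of RAM may still fail under CONFIG_STRICT_DEVMEM)";
    case ENOENT:
        return "/dev/mem node absent (CONFIG_DEVMEM=n or no device node)";
    case EACCES:
        return "denied by file permissions (not root?)";
    case EPERM:
        if (lockdown_mode && lockdown_blocks_devmem(lockdown_mode))
            return "denied by kernel lockdown (LOCKDOWN_DEV_MEM)";
        return "denied: missing CAP_SYS_RAWIO";
    default:
        return "unexpected error";
    }
}

int main(void)
{
    char mode[32];
    int have_mode = read_lockdown_mode(mode, sizeof(mode));
    int fd = open("/dev/mem", O_RDONLY);
    int err = fd < 0 ? errno : 0;

    if (fd >= 0)
        close(fd);
    printf("lockdown: %s\n", have_mode ? mode : "(unavailable)");
    printf("/dev/mem: %s\n", explain_devmem_open(err, have_mode ? mode : NULL));
    return 0;
}
```

Run it as root on the utility disk: if it reports "denied by kernel lockdown", the tool is hitting exactly the open_port() check discussed above, and no amount of capability juggling will help; if it reports "open succeeded" but the tool still fails on read(), CONFIG_STRICT_DEVMEM is refusing RAM-backed pages rather than lockdown.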

* Re: LockDown that allows read of /dev/mem ?
  2021-06-21 15:29   ` David F.
@ 2021-07-02  7:42     ` Enrico Weigelt, metux IT consult
  0 siblings, 0 replies; 4+ messages in thread
From: Enrico Weigelt, metux IT consult @ 2021-07-02  7:42 UTC (permalink / raw)
  To: David F.; +Cc: linux-kernel

On 21.06.21 17:29, David F. wrote:

Hi,

> Lockdown is required by secure boot and shim signing (to prevent ACPI
> patching); root because its main use is a utility boot disk. If
> lockdown could be forced when secure boot is active but not when it is
> not active, that would be best, but I'm not seeing that option. The other
> option may be to modify open_port in mem.c to do the secure boot check.
> However, searching shows EFI_SECURE_BOOT doesn't exist in 5.10.x, as in
> efi_enabled(EFI_SECURE_BOOT); it appears that is some other patch
> that is not applied to the base. I do see struct boot_params has a
> secure_boot field set, but can I access that from mem.c? If not, is
> the efi_get_secureboot() function available when /drivers/char/mem.c may
> be used?

I'd rather try not using /dev/mem at all.

What exactly do you really need it for, in that specific case?


--mtx

-- 
---
Note: unencrypted e-mails can easily be intercepted and manipulated!
For confidential communication, please send your GPG/PGP key.
---
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
info@metux.net -- +49-151-27565287

