linux-efi.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: David Howells <dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: keyrings-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Cc: dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
	matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org,
	linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: [PATCH 00/16] Kernel lockdown
Date: Wed, 16 Nov 2016 21:47:16 +0000	[thread overview]
Message-ID: <147933283664.19316.12454053022687659937.stgit@warthog.procyon.org.uk> (raw)


These patches provide a facility by which a variety of avenues by which
userspace can feasibly modify the running kernel image can be locked down.
These include:

 (*) No unsigned modules and no modules for which can't validate the
     signature.

 (*) No use of ioperm(), iopl() and no writing to /dev/port.

 (*) No writing to /dev/mem or /dev/kmem.

 (*) No hibernation.

 (*) Restrict PCI BAR access.

 (*) Restrict MSR access.

 (*) No kexec_load().

 (*) Certain ACPI restrictions.

 (*) Restrict debugfs interface to ASUS WMI.

The lock-down can be configured to be triggered by the EFI secure boot
status, provided the shim isn't insecure.  The lock-down can be lifted by
typing SysRq+x on a keyboard attached to the system.


The patches can be found here also:

	http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-lockdown

They are dependent for some EFI definitions on the keys-uefi branch.

David
---
Dave Young (1):
      Copy secure_boot flag in boot params across kexec reboot

David Howells (3):
      Add the ability to lock down access to the running kernel image
      efi: Get the secure boot status
      efi: Lock down the kernel if booted in secure boot mode

Josh Boyer (4):
      efi: Disable secure boot if shim is in insecure mode
      efi: Add EFI_SECURE_BOOT bit
      hibernate: Disable when the kernel is locked down
      acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down

Kyle McMartin (1):
      Add a sysrq option to exit secure boot mode

Matthew Garrett (7):
      kexec: Disable at runtime if the kernel is locked down
      PCI: Lock down BAR access when the kernel is locked down
      x86: Lock down IO port access when the kernel is locked down
      ACPI: Limit access to custom_method when the kernel is locked down
      asus-wmi: Restrict debugfs interface when the kernel is locked down
      Restrict /dev/mem and /dev/kmem when the kernel is locked down
      x86: Restrict MSR access when the kernel is locked down


 Documentation/x86/zero-page.txt       |    2 +
 arch/x86/Kconfig                      |   22 ++++++++++++++
 arch/x86/boot/compressed/eboot.c      |   53 +++++++++++++++++++++++++++++++++
 arch/x86/include/uapi/asm/bootparam.h |    3 +-
 arch/x86/kernel/ioport.c              |    5 ++-
 arch/x86/kernel/kexec-bzimage64.c     |    1 +
 arch/x86/kernel/msr.c                 |    8 +++++
 arch/x86/kernel/setup.c               |   39 ++++++++++++++++++++++++
 drivers/acpi/custom_method.c          |    3 ++
 drivers/acpi/osl.c                    |    3 +-
 drivers/char/mem.c                    |   10 ++++++
 drivers/input/misc/uinput.c           |    1 +
 drivers/pci/pci-sysfs.c               |   10 ++++++
 drivers/pci/proc.c                    |    9 +++++-
 drivers/pci/syscall.c                 |    3 +-
 drivers/platform/x86/asus-wmi.c       |    9 ++++++
 drivers/tty/sysrq.c                   |   19 ++++++++----
 include/linux/efi.h                   |    1 +
 include/linux/input.h                 |    5 +++
 include/linux/security.h              |   16 ++++++++++
 include/linux/sysrq.h                 |    8 ++++-
 kernel/debug/kdb/kdb_main.c           |    2 +
 kernel/kexec.c                        |    8 +++++
 kernel/module.c                       |    2 +
 kernel/power/hibernate.c              |    3 +-
 security/Kconfig                      |   16 +++++++++-
 security/Makefile                     |    3 ++
 security/lock_down.c                  |   40 +++++++++++++++++++++++++
 28 files changed, 287 insertions(+), 17 deletions(-)
 create mode 100644 security/lock_down.c

             reply	other threads:[~2016-11-16 21:47 UTC|newest]

Thread overview: 76+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-11-16 21:47 David Howells [this message]
2016-11-16 21:47 ` [PATCH 01/16] Add the ability to lock down access to the running kernel image David Howells
     [not found]   ` <147933284407.19316.17886320817060158597.stgit-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-11-16 22:20     ` Borislav Petkov
2016-11-16 22:40   ` David Howells
2016-12-25 21:20   ` Pavel Machek
2016-12-25 21:44   ` David Howells
2016-11-16 21:47 ` [PATCH 02/16] efi: Get the secure boot status David Howells
2016-11-17 12:37   ` Lukas Wunner
2016-11-22  0:31     ` [PATCH 2/6] arm/efi: Allow invocation of arbitrary runtime services David Howells
2016-11-22  0:31     ` [PATCH 3/6] efi: Add SHIM and image security database GUID definitions David Howells
2016-11-22  0:32     ` [PATCH 4/6] efi: Get the secure boot status David Howells
2016-11-22 10:44       ` Lukas Wunner
     [not found]         ` <20161122104401.GC1552-JFq808J9C/izQB+pC5nmwQ@public.gmane.org>
2016-11-22 10:49           ` Ard Biesheuvel
2016-11-22 14:52           ` David Howells
     [not found]             ` <25371.1479826321-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-11-22 20:36               ` Lukas Wunner
2016-11-22 14:47       ` David Howells
2016-11-22 20:30         ` Lukas Wunner
2016-11-23  0:02         ` David Howells
     [not found]       ` <7199.1479826047-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-11-22 14:57         ` David Howells
2016-11-22  0:32     ` [PATCH 5/6] efi: Disable secure boot if shim is in insecure mode David Howells
2016-11-22 13:03       ` Lukas Wunner
2016-11-22  0:32     ` [PATCH 6/6] efi: Add EFI_SECURE_BOOT bit David Howells
2016-11-22 13:04       ` Lukas Wunner
2016-11-21 11:46   ` [PATCH 02/16] efi: Get the secure boot status David Howells
2016-11-21 19:58     ` Lukas Wunner
     [not found]   ` <20161117123731.GA11573-JFq808J9C/izQB+pC5nmwQ@public.gmane.org>
2016-11-21 11:42     ` David Howells
     [not found]       ` <29779.1479728545-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-11-21 11:52         ` Ard Biesheuvel
     [not found]       ` <CAKv+Gu-frVDhzORDRZ6XT+FxewsTgrxhXmM=DqaS6Ns4mJhQ9g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-11-21 12:41         ` David Howells
2016-11-21 13:14           ` Ard Biesheuvel
     [not found]             ` <CAKv+Gu8Lhm=u97hY1y+Y+Ladk=y7pSVNrow8ML1hQUJ9+74B-w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-11-21 15:17               ` Lukas Wunner
2016-11-21 15:25                 ` Ard Biesheuvel
2016-11-22  0:31     ` [PATCH 1/6] x86/efi: Allow invocation of arbitrary runtime services David Howells
     [not found]       ` <147977469914.6360.17194649697208113702.stgit-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-11-22 10:20         ` Lukas Wunner
2016-11-22 14:17       ` David Howells
2016-11-22 14:58         ` Joe Perches
     [not found]         ` <1479826691.1942.11.camel-6d6DIl74uiNBDgjK7y7TUQ@public.gmane.org>
2016-11-22 15:52           ` David Howells
     [not found]             ` <24973.1479829961-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-11-22 16:25               ` Joe Perches
2016-11-22 16:40             ` David Howells
2016-11-22 16:51               ` Joe Perches
2016-11-16 21:47 ` [PATCH 03/16] efi: Disable secure boot if shim is in insecure mode David Howells
2016-11-16 21:47 ` [PATCH 04/16] efi: Lock down the kernel if booted in secure boot mode David Howells
2016-11-16 21:47 ` [PATCH 05/16] efi: Add EFI_SECURE_BOOT bit David Howells
2016-11-17 21:58   ` Ard Biesheuvel
2016-11-18 11:58     ` Josh Boyer
     [not found]       ` <CA+5PVA6F5qEnuL2UaXS9_fJ217J93cEZDDsz9Y2BPwHXcMdX-A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-11-18 12:10         ` Ard Biesheuvel
     [not found]   ` <CAKv+Gu_8r3oM-jvvuSiXTzxp0YMEVgc5KkScJ2UhGTaXm28L6w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-11-18 17:28     ` David Howells
2016-11-16 21:48 ` [PATCH 06/16] Add a sysrq option to exit secure boot mode David Howells
2016-11-16 21:48 ` [PATCH 07/16] kexec: Disable at runtime if the kernel is locked down David Howells
2016-11-16 21:48 ` [PATCH 08/16] Copy secure_boot flag in boot params across kexec reboot David Howells
2016-11-16 21:48 ` [PATCH 09/16] hibernate: Disable when the kernel is locked down David Howells
2016-11-16 21:48 ` [PATCH 10/16] PCI: Lock down BAR access " David Howells
     [not found] ` <147933283664.19316.12454053022687659937.stgit-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-11-16 21:48   ` [PATCH 11/16] x86: Lock down IO port " David Howells
2016-11-16 21:49   ` [PATCH 16/16] x86: Restrict MSR " David Howells
2016-11-16 22:27   ` [PATCH 00/16] Kernel lockdown One Thousand Gnomes
2016-11-21 19:53     ` Ard Biesheuvel
2016-11-30 14:27       ` One Thousand Gnomes
2016-11-16 21:48 ` [PATCH 12/16] ACPI: Limit access to custom_method when the kernel is locked down David Howells
2016-11-16 21:48 ` [PATCH 13/16] asus-wmi: Restrict debugfs interface " David Howells
2016-11-16 21:48 ` [PATCH 14/16] Restrict /dev/mem and /dev/kmem " David Howells
2016-11-16 21:49 ` [PATCH 15/16] acpi: Ignore acpi_rsdp kernel param when the kernel has been " David Howells
2016-11-16 22:28 ` [PATCH 00/16] Kernel lockdown Justin Forbes
2016-11-21 23:10 ` [PATCH] Lock down drivers that can have io ports, io mem, irqs and dma changed David Howells
2016-11-22  6:12   ` Dominik Brodowski
2016-11-23 12:58   ` David Howells
2016-11-23 19:21     ` Dominik Brodowski
     [not found]     ` <20161123192143.GA482-SGhQLRGLuNwb6pqDj42GsMgv3T4z79SOrE5yTffgRl4@public.gmane.org>
2016-11-24 17:34       ` David Howells
2016-11-24 20:19         ` Dominik Brodowski
2016-11-25 14:49         ` David Howells
     [not found]   ` <26173.1479769852-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-11-28 22:32     ` Corey Minyard
2016-11-29  0:11   ` David Howells
2016-11-29  0:23     ` Corey Minyard
2016-11-29 14:03     ` David Howells
     [not found]       ` <6973.1480428211-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-11-29 14:35         ` Corey Minyard
2016-11-30 14:41         ` One Thousand Gnomes
     [not found]       ` <20161130144105.2b6be4fe-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org>
2016-11-30 16:25         ` David Howells
2016-11-29 10:40   ` David Howells

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=147933283664.19316.12454053022687659937.stgit@warthog.procyon.org.uk \
    --to=dhowells-h+wxahxf7alqt0dzr+alfa@public.gmane.org \
    --cc=keyrings-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    --cc=linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    --cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    --cc=linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    --cc=matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).