man kernel_lockdown.7

man kernel_lockdown.7

[Heinrich Schuchardt]

Hello Matthew,

With commit 000d388ed3bbed ("security: Add a static lockdown policy
LSM") you added the following line to security/lockdown/lockdown.c:

pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n"

The manpage is not available on

https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git.

I found a rather outdated draft by David here:

https://lwn.net/Articles/735564/

Is anybody working on it?

Best regards

Heinrich

Re: man kernel_lockdown.7

[Michael Kerrisk (man-pages)]

Hi Heinrich!

On 10/14/20 6:51 PM, Heinrich Schuchardt wrote:
> Hello Matthew,
> 
> With commit 000d388ed3bbed ("security: Add a static lockdown policy
> LSM") you added the following line to security/lockdown/lockdown.c:
> 
> pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n"

This feature was in limbo for a very long time, but now I see that
it was finally merged last year:

  commit 000d388ed3bbed745f366ce71b2bb7c2ee70f449
  Author: Matthew Garrett <matthewgarrett@google.com>
  Date:   Mon Aug 19 17:17:39 2019 -0700

      security: Add a static lockdown policy LSM

I missed that that had been merged.

> The manpage is not available on
> 
> https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git.
> 
> I found a rather outdated draft by David here:
> 
> https://lwn.net/Articles/735564/

I see that my Fedora system has a slightly different version
of that page (obviously added a Fedora patch). I'm not sure
which is more up to date; probably the Fedora page.

> Is anybody working on it?

Not so far. I suppose the simple thing would be to just merge
the page that exists on Fedora. But I've no idea how much it
needs tobe updated to reflect reality. Perhaps someone in CC
can comment. Do you have any time to drive this along?

Thanks,

Michael


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/

[PATCH 1/1] kernel_lockdown.7: new file

[Heinrich Schuchardt]

Provide a man-page for kernel_lockdown. The content is taken from a patch
for the Fedora 34 man-pages available at

https://kojipkgs.fedoraproject.org//packages/man-pages/5.08/1.fc34/src/man-pages-5.08-1.fc34.src.rpm

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
---
 man7/kernel_lockdown.7 | 107 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 107 insertions(+)
 create mode 100644 man7/kernel_lockdown.7

diff --git a/man7/kernel_lockdown.7 b/man7/kernel_lockdown.7
new file mode 100644
index 000000000..5ec4289be
--- /dev/null
+++ b/man7/kernel_lockdown.7
@@ -0,0 +1,107 @@
+.\"
+.\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\" %%%LICENSE_END
+.\"
+.TH "KERNEL LOCKDOWN" 7 2017-10-05 Linux "Linux Programmer's Manual"
+.SH NAME
+Kernel Lockdown \- Kernel image access prevention feature
+.SH DESCRIPTION
+The Kernel Lockdown feature is designed to prevent both direct and indirect
+access to a running kernel image, attempting to protect against unauthorised
+modification of the kernel image and to prevent access to security and
+cryptographic data located in kernel memory, whilst still permitting driver
+modules to be loaded.
+.P
+Lockdown is typically enabled during boot and may be terminated, if configured,
+by typing a special key combination on a directly attached physical keyboard.
+.P
+If a prohibited or restricted feature is accessed or used, the kernel will emit
+a message that looks like:
+.P
+.RS
+ Lockdown: X: Y is restricted, see man kernel_lockdown.7
+.RE
+.P
+where X indicates the process name and Y indicates what is restricted.
+.P
+On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
+if the system boots in EFI Secure Boot mode.
+.P
+If the kernel is appropriately configured, lockdown may be lifted by typing the
+appropriate sequence on a directly attached physical keyboard.  For x86
+machines, this is
+.IR SysRq+x .
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH COVERAGE
+When lockdown is in effect, a number of features are disabled or have their use
+restricted.  This includes special device files and kernel services that allow
+direct access of the kernel image:
+.P
+.RS
+/dev/mem
+.br
+/dev/kmem
+.br
+/dev/kcore
+.br
+/dev/ioports
+.br
+BPF
+.br
+kprobes
+.RE
+.P
+and the ability to directly configure and control devices, so as to prevent the
+use of a device to access or modify a kernel image:
+.P
+.RS
+The use of module parameters that directly specify hardware parameters to
+drivers through the kernel command line or when loading a module.
+.P
+The use of direct PCI BAR access.
+.P
+The use of the ioperm and iopl instructions on x86.
+.P
+The use of the KD*IO console ioctls.
+.P
+The use of the TIOCSSERIAL serial ioctl.
+.P
+The alteration of MSR registers on x86.
+.P
+The replacement of the PCMCIA CIS.
+.P
+The overriding of ACPI tables.
+.P
+The use of ACPI error injection.
+.P
+The specification of the ACPI RDSP address.
+.P
+The use of ACPI custom methods.
+.RE
+.P
+Certain facilities are restricted:
+.P
+.RS
+Only validly signed modules may be loaded (waived if the module file being
+loaded is vouched for by IMA appraisal).
+.P
+Only validly signed binaries may be kexec'd (waived if the binary image file to
+be executed is vouched for by IMA appraisal).
+.P
+Unencrypted hibernation/suspend to swap are disallowed as the kernel image is
+saved to a medium that can then be accessed.
+.P
+Use of debugfs is not permitted as this allows a whole range of actions
+including direct configuration of, access to and driving of hardware.
+.P
+IMA requires the addition of the "secure_boot" rules to the policy, whether or
+not they are specified on the command line, for both the builtin and custom
+policies in secure boot lockdown mode.
+.RE
--
2.28.0

Re: [PATCH 1/1] kernel_lockdown.7: new file

[Heinrich Schuchardt]

On 16.10.20 13:28, Heinrich Schuchardt wrote:
> Provide a man-page for kernel_lockdown. The content is taken from a patch
> for the Fedora 34 man-pages available at
>
> https://kojipkgs.fedoraproject.org//packages/man-pages/5.08/1.fc34/src/man-pages-5.08-1.fc34.src.rpm
>
> Signed-off-by: David Howells <dhowells@redhat.com>
> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
> ---
>  man7/kernel_lockdown.7 | 107 +++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 107 insertions(+)
>  create mode 100644 man7/kernel_lockdown.7
>
> diff --git a/man7/kernel_lockdown.7 b/man7/kernel_lockdown.7
> new file mode 100644
> index 000000000..5ec4289be
> --- /dev/null
> +++ b/man7/kernel_lockdown.7
> @@ -0,0 +1,107 @@
> +.\"
> +.\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
> +.\" Written by David Howells (dhowells@redhat.com)
> +.\"
> +.\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
> +.\" This program is free software; you can redistribute it and/or
> +.\" modify it under the terms of the GNU General Public License
> +.\" as published by the Free Software Foundation; either version
> +.\" 2 of the License, or (at your option) any later version.
> +.\" %%%LICENSE_END
> +.\"
> +.TH "KERNEL LOCKDOWN" 7 2017-10-05 Linux "Linux Programmer's Manual"
> +.SH NAME
> +Kernel Lockdown \- Kernel image access prevention feature
> +.SH DESCRIPTION
> +The Kernel Lockdown feature is designed to prevent both direct and indirect
> +access to a running kernel image, attempting to protect against unauthorised
> +modification of the kernel image and to prevent access to security and
> +cryptographic data located in kernel memory, whilst still permitting driver
> +modules to be loaded.
> +.P
> +Lockdown is typically enabled during boot and may be terminated, if configured,
> +by typing a special key combination on a directly attached physical keyboard.
> +.P
> +If a prohibited or restricted feature is accessed or used, the kernel will emit
> +a message that looks like:
> +.P
> +.RS
> + Lockdown: X: Y is restricted, see man kernel_lockdown.7
> +.RE
> +.P
> +where X indicates the process name and Y indicates what is restricted.
> +.P
> +On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
> +if the system boots in EFI Secure Boot mode.
> +.P
> +If the kernel is appropriately configured, lockdown may be lifted by typing the
> +appropriate sequence on a directly attached physical keyboard.  For x86
> +machines, this is
> +.IR SysRq+x .
> +.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
> +.SH COVERAGE
> +When lockdown is in effect, a number of features are disabled or have their use
> +restricted.  This includes special device files and kernel services that allow
> +direct access of the kernel image:
> +.P
> +.RS
> +/dev/mem
> +.br
> +/dev/kmem
> +.br
> +/dev/kcore
> +.br
> +/dev/ioports
> +.br
> +BPF
> +.br
> +kprobes
> +.RE
> +.P
> +and the ability to directly configure and control devices, so as to prevent the
> +use of a device to access or modify a kernel image:
> +.P
> +.RS
> +The use of module parameters that directly specify hardware parameters to
> +drivers through the kernel command line or when loading a module.
> +.P
> +The use of direct PCI BAR access.
> +.P
> +The use of the ioperm and iopl instructions on x86.
> +.P
> +The use of the KD*IO console ioctls.
> +.P
> +The use of the TIOCSSERIAL serial ioctl.
> +.P
> +The alteration of MSR registers on x86.
> +.P
> +The replacement of the PCMCIA CIS.
> +.P
> +The overriding of ACPI tables.
> +.P
> +The use of ACPI error injection.
> +.P
> +The specification of the ACPI RDSP address.
> +.P
> +The use of ACPI custom methods.
> +.RE
> +.P
> +Certain facilities are restricted:
> +.P
> +.RS
> +Only validly signed modules may be loaded (waived if the module file being
> +loaded is vouched for by IMA appraisal).
> +.P
> +Only validly signed binaries may be kexec'd (waived if the binary image file to
> +be executed is vouched for by IMA appraisal).
> +.P
> +Unencrypted hibernation/suspend to swap are disallowed as the kernel image is
> +saved to a medium that can then be accessed.
> +.P
> +Use of debugfs is not permitted as this allows a whole range of actions
> +including direct configuration of, access to and driving of hardware.
> +.P
> +IMA requires the addition of the "secure_boot" rules to the policy, whether or
> +not they are specified on the command line, for both the builtin and custom
> +policies in secure boot lockdown mode.
> +.RE
> --
> 2.28.0
>

We should explain in this context:

* string "lockdown" in CONFIG_LSM
* CONFIG_SECURITY_LOCKDOWN_LSM
* CONFIG_SECURITY_LOCKDOWN_LSM_EARLY
* CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE
* CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY
* CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY

The relationship between CONFIG_LSM and CONFIG_SECURITY_LOCKDOWN_LSM is
not obvious in the Kconfig menu as CONFIG_LSM does not mention which
modules are available and CONFIG_SECURITY_LOCKDOWN_LSM does not mention
that it depends on CONFIG_LSM.

Best regards

Heinrich

Re: [PATCH 1/1] kernel_lockdown.7: new file

[Michael Kerrisk (man-pages)]

Hello Heinrich,

On 10/16/20 1:28 PM, Heinrich Schuchardt wrote:
> Provide a man-page for kernel_lockdown. The content is taken from a patch
> for the Fedora 34 man-pages available at
> 
> https://kojipkgs.fedoraproject.org//packages/man-pages/5.08/1.fc34/src/man-pages-5.08-1.fc34.src.rpm
> 
> Signed-off-by: David Howells <dhowells@redhat.com>
> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>

Thanks. I've applied this, done a few light edits, and pushed.

Cheers,

Michael

> ---
>  man7/kernel_lockdown.7 | 107 +++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 107 insertions(+)
>  create mode 100644 man7/kernel_lockdown.7
> 
> diff --git a/man7/kernel_lockdown.7 b/man7/kernel_lockdown.7
> new file mode 100644
> index 000000000..5ec4289be
> --- /dev/null
> +++ b/man7/kernel_lockdown.7
> @@ -0,0 +1,107 @@
> +.\"
> +.\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
> +.\" Written by David Howells (dhowells@redhat.com)
> +.\"
> +.\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
> +.\" This program is free software; you can redistribute it and/or
> +.\" modify it under the terms of the GNU General Public License
> +.\" as published by the Free Software Foundation; either version
> +.\" 2 of the License, or (at your option) any later version.
> +.\" %%%LICENSE_END
> +.\"
> +.TH "KERNEL LOCKDOWN" 7 2017-10-05 Linux "Linux Programmer's Manual"
> +.SH NAME
> +Kernel Lockdown \- Kernel image access prevention feature
> +.SH DESCRIPTION
> +The Kernel Lockdown feature is designed to prevent both direct and indirect
> +access to a running kernel image, attempting to protect against unauthorised
> +modification of the kernel image and to prevent access to security and
> +cryptographic data located in kernel memory, whilst still permitting driver
> +modules to be loaded.
> +.P
> +Lockdown is typically enabled during boot and may be terminated, if configured,
> +by typing a special key combination on a directly attached physical keyboard.
> +.P
> +If a prohibited or restricted feature is accessed or used, the kernel will emit
> +a message that looks like:
> +.P
> +.RS
> + Lockdown: X: Y is restricted, see man kernel_lockdown.7
> +.RE
> +.P
> +where X indicates the process name and Y indicates what is restricted.
> +.P
> +On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
> +if the system boots in EFI Secure Boot mode.
> +.P
> +If the kernel is appropriately configured, lockdown may be lifted by typing the
> +appropriate sequence on a directly attached physical keyboard.  For x86
> +machines, this is
> +.IR SysRq+x .
> +.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
> +.SH COVERAGE
> +When lockdown is in effect, a number of features are disabled or have their use
> +restricted.  This includes special device files and kernel services that allow
> +direct access of the kernel image:
> +.P
> +.RS
> +/dev/mem
> +.br
> +/dev/kmem
> +.br
> +/dev/kcore
> +.br
> +/dev/ioports
> +.br
> +BPF
> +.br
> +kprobes
> +.RE
> +.P
> +and the ability to directly configure and control devices, so as to prevent the
> +use of a device to access or modify a kernel image:
> +.P
> +.RS
> +The use of module parameters that directly specify hardware parameters to
> +drivers through the kernel command line or when loading a module.
> +.P
> +The use of direct PCI BAR access.
> +.P
> +The use of the ioperm and iopl instructions on x86.
> +.P
> +The use of the KD*IO console ioctls.
> +.P
> +The use of the TIOCSSERIAL serial ioctl.
> +.P
> +The alteration of MSR registers on x86.
> +.P
> +The replacement of the PCMCIA CIS.
> +.P
> +The overriding of ACPI tables.
> +.P
> +The use of ACPI error injection.
> +.P
> +The specification of the ACPI RDSP address.
> +.P
> +The use of ACPI custom methods.
> +.RE
> +.P
> +Certain facilities are restricted:
> +.P
> +.RS
> +Only validly signed modules may be loaded (waived if the module file being
> +loaded is vouched for by IMA appraisal).
> +.P
> +Only validly signed binaries may be kexec'd (waived if the binary image file to
> +be executed is vouched for by IMA appraisal).
> +.P
> +Unencrypted hibernation/suspend to swap are disallowed as the kernel image is
> +saved to a medium that can then be accessed.
> +.P
> +Use of debugfs is not permitted as this allows a whole range of actions
> +including direct configuration of, access to and driving of hardware.
> +.P
> +IMA requires the addition of the "secure_boot" rules to the policy, whether or
> +not they are specified on the command line, for both the builtin and custom
> +policies in secure boot lockdown mode.
> +.RE
> --
> 2.28.0
> 
> .
> 


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/

Re: [PATCH 1/1] kernel_lockdown.7: new file

[Michael Kerrisk (man-pages)]

> We should explain in this context:
> 
> * string "lockdown" in CONFIG_LSM
> * CONFIG_SECURITY_LOCKDOWN_LSM
> * CONFIG_SECURITY_LOCKDOWN_LSM_EARLY
> * CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE
> * CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY
> * CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
> 
> The relationship between CONFIG_LSM and CONFIG_SECURITY_LOCKDOWN_LSM is
> not obvious in the Kconfig menu as CONFIG_LSM does not mention which
> modules are available and CONFIG_SECURITY_LOCKDOWN_LSM does not mention
> that it depends on CONFIG_LSM.

I'm kind of hoping that you might make a chance to work
on this. What are the chances?

Thanks,

Michaek

-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/