* [PATCH v2 0/2] powerpc/pseries: restrict error injection and DT changes when locked down @ 2022-09-26 13:16 Nathan Lynch 2022-09-26 13:16 ` [PATCH v2 1/2] powerpc/pseries: block untrusted device tree " Nathan Lynch ` (2 more replies) 0 siblings, 3 replies; 9+ messages in thread From: Nathan Lynch @ 2022-09-26 13:16 UTC (permalink / raw) To: linuxppc-dev, linux-security-module, linux-kernel Cc: ajd, nayna, jmorris, paul, gcwilson, serge Add two new lockdown reasons for use in powerpc's pseries platform code. The pseries platform allows hardware-level error injection via certain calls to the RTAS (Run Time Abstraction Services) firmware. ACPI-based error injection is already restricted in lockdown; this facility should be restricted for the same reasons. pseries also allows nearly arbitrary device tree changes via /proc/powerpc/ofdt. Just as overriding ACPI tables is not allowed while locked down, so should this facility be restricted. Changes since v1: * Move LOCKDOWN_DEVICE_TREE next to LOCKDOWN_ACPI_TABLES. Nathan Lynch (2): powerpc/pseries: block untrusted device tree changes when locked down powerpc/rtas: block error injection when locked down arch/powerpc/kernel/rtas.c | 25 ++++++++++++++++++++++- arch/powerpc/platforms/pseries/reconfig.c | 5 +++++ include/linux/security.h | 2 ++ security/security.c | 2 ++ 4 files changed, 33 insertions(+), 1 deletion(-) -- 2.37.3 ^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH v2 1/2] powerpc/pseries: block untrusted device tree changes when locked down 2022-09-26 13:16 [PATCH v2 0/2] powerpc/pseries: restrict error injection and DT changes when locked down Nathan Lynch @ 2022-09-26 13:16 ` Nathan Lynch 2022-09-26 22:39 ` Paul Moore 2022-09-28 9:51 ` Andrew Donnellan 2022-09-26 13:16 ` [PATCH v2 2/2] powerpc/rtas: block error injection " Nathan Lynch 2022-10-04 13:25 ` [PATCH v2 0/2] powerpc/pseries: restrict error injection and DT changes " Michael Ellerman 2 siblings, 2 replies; 9+ messages in thread From: Nathan Lynch @ 2022-09-26 13:16 UTC (permalink / raw) To: linuxppc-dev, linux-security-module, linux-kernel Cc: ajd, nayna, jmorris, paul, gcwilson, serge The /proc/powerpc/ofdt interface allows the root user to freely alter the in-kernel device tree, enabling arbitrary physical address writes via drivers that could bind to malicious device nodes, thus making it possible to disable lockdown. Historically this interface has been used on the pseries platform to facilitate the runtime addition and removal of processor, memory, and device resources (aka Dynamic Logical Partitioning or DLPAR). Years ago, the processor and memory use cases were migrated to designs that happen to be lockdown-friendly: device tree updates are communicated directly to the kernel from firmware without passing through untrusted user space. I/O device DLPAR via the "drmgr" command in powerpc-utils remains the sole legitimate user of /proc/powerpc/ofdt, but it is already broken in lockdown since it uses /dev/mem to allocate argument buffers for the rtas syscall. So only illegitimate uses of the interface should see a behavior change when running on a locked down kernel. Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com> --- arch/powerpc/platforms/pseries/reconfig.c | 5 +++++ include/linux/security.h | 1 + security/security.c | 1 + 3 files changed, 7 insertions(+) diff --git a/arch/powerpc/platforms/pseries/reconfig.c b/arch/powerpc/platforms/pseries/reconfig.c index cad7a0c93117..599bd2c78514 100644 --- a/arch/powerpc/platforms/pseries/reconfig.c +++ b/arch/powerpc/platforms/pseries/reconfig.c @@ -10,6 +10,7 @@ #include <linux/kernel.h> #include <linux/notifier.h> #include <linux/proc_fs.h> +#include <linux/security.h> #include <linux/slab.h> #include <linux/of.h> @@ -361,6 +362,10 @@ static ssize_t ofdt_write(struct file *file, const char __user *buf, size_t coun char *kbuf; char *tmp; + rv = security_locked_down(LOCKDOWN_DEVICE_TREE); + if (rv) + return rv; + kbuf = memdup_user_nul(buf, count); if (IS_ERR(kbuf)) return PTR_ERR(kbuf); diff --git a/include/linux/security.h b/include/linux/security.h index 7bd0c490703d..39e7c0e403d9 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -114,6 +114,7 @@ enum lockdown_reason { LOCKDOWN_IOPORT, LOCKDOWN_MSR, LOCKDOWN_ACPI_TABLES, + LOCKDOWN_DEVICE_TREE, LOCKDOWN_PCMCIA_CIS, LOCKDOWN_TIOCSSERIAL, LOCKDOWN_MODULE_PARAMETERS, diff --git a/security/security.c b/security/security.c index 4b95de24bc8d..51bf66d4f472 100644 --- a/security/security.c +++ b/security/security.c @@ -52,6 +52,7 @@ const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_IOPORT] = "raw io port access", [LOCKDOWN_MSR] = "raw MSR access", [LOCKDOWN_ACPI_TABLES] = "modifying ACPI tables", + [LOCKDOWN_DEVICE_TREE] = "modifying device tree contents", [LOCKDOWN_PCMCIA_CIS] = "direct PCMCIA CIS storage", [LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO", [LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters", -- 2.37.3 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH v2 1/2] powerpc/pseries: block untrusted device tree changes when locked down 2022-09-26 13:16 ` [PATCH v2 1/2] powerpc/pseries: block untrusted device tree " Nathan Lynch @ 2022-09-26 22:39 ` Paul Moore 2022-09-28 9:51 ` Andrew Donnellan 1 sibling, 0 replies; 9+ messages in thread From: Paul Moore @ 2022-09-26 22:39 UTC (permalink / raw) To: Nathan Lynch Cc: ajd, nayna, linux-kernel, jmorris, linux-security-module, gcwilson, linuxppc-dev, serge On Mon, Sep 26, 2022 at 9:17 AM Nathan Lynch <nathanl@linux.ibm.com> wrote: > > The /proc/powerpc/ofdt interface allows the root user to freely alter > the in-kernel device tree, enabling arbitrary physical address writes > via drivers that could bind to malicious device nodes, thus making it > possible to disable lockdown. > > Historically this interface has been used on the pseries platform to > facilitate the runtime addition and removal of processor, memory, and > device resources (aka Dynamic Logical Partitioning or DLPAR). Years > ago, the processor and memory use cases were migrated to designs that > happen to be lockdown-friendly: device tree updates are communicated > directly to the kernel from firmware without passing through untrusted > user space. I/O device DLPAR via the "drmgr" command in powerpc-utils > remains the sole legitimate user of /proc/powerpc/ofdt, but it is > already broken in lockdown since it uses /dev/mem to allocate argument > buffers for the rtas syscall. So only illegitimate uses of the > interface should see a behavior change when running on a locked down > kernel. > > Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com> > --- > arch/powerpc/platforms/pseries/reconfig.c | 5 +++++ > include/linux/security.h | 1 + > security/security.c | 1 + > 3 files changed, 7 insertions(+) Thanks for moving the definitions. Acked-by: Paul Moore <paul@paul-moore.com> (LSM) > diff --git a/arch/powerpc/platforms/pseries/reconfig.c b/arch/powerpc/platforms/pseries/reconfig.c > index cad7a0c93117..599bd2c78514 100644 > --- a/arch/powerpc/platforms/pseries/reconfig.c > +++ b/arch/powerpc/platforms/pseries/reconfig.c > @@ -10,6 +10,7 @@ > #include <linux/kernel.h> > #include <linux/notifier.h> > #include <linux/proc_fs.h> > +#include <linux/security.h> > #include <linux/slab.h> > #include <linux/of.h> > > @@ -361,6 +362,10 @@ static ssize_t ofdt_write(struct file *file, const char __user *buf, size_t coun > char *kbuf; > char *tmp; > > + rv = security_locked_down(LOCKDOWN_DEVICE_TREE); > + if (rv) > + return rv; > + > kbuf = memdup_user_nul(buf, count); > if (IS_ERR(kbuf)) > return PTR_ERR(kbuf); > diff --git a/include/linux/security.h b/include/linux/security.h > index 7bd0c490703d..39e7c0e403d9 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -114,6 +114,7 @@ enum lockdown_reason { > LOCKDOWN_IOPORT, > LOCKDOWN_MSR, > LOCKDOWN_ACPI_TABLES, > + LOCKDOWN_DEVICE_TREE, > LOCKDOWN_PCMCIA_CIS, > LOCKDOWN_TIOCSSERIAL, > LOCKDOWN_MODULE_PARAMETERS, > diff --git a/security/security.c b/security/security.c > index 4b95de24bc8d..51bf66d4f472 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -52,6 +52,7 @@ const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { > [LOCKDOWN_IOPORT] = "raw io port access", > [LOCKDOWN_MSR] = "raw MSR access", > [LOCKDOWN_ACPI_TABLES] = "modifying ACPI tables", > + [LOCKDOWN_DEVICE_TREE] = "modifying device tree contents", > [LOCKDOWN_PCMCIA_CIS] = "direct PCMCIA CIS storage", > [LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO", > [LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters", > -- > 2.37.3 > -- paul-moore.com ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v2 1/2] powerpc/pseries: block untrusted device tree changes when locked down 2022-09-26 13:16 ` [PATCH v2 1/2] powerpc/pseries: block untrusted device tree " Nathan Lynch 2022-09-26 22:39 ` Paul Moore @ 2022-09-28 9:51 ` Andrew Donnellan 1 sibling, 0 replies; 9+ messages in thread From: Andrew Donnellan @ 2022-09-28 9:51 UTC (permalink / raw) To: Nathan Lynch, linuxppc-dev, linux-security-module, linux-kernel Cc: paul, nayna, jmorris, gcwilson, serge On Mon, 2022-09-26 at 08:16 -0500, Nathan Lynch wrote: > The /proc/powerpc/ofdt interface allows the root user to freely alter > the in-kernel device tree, enabling arbitrary physical address writes > via drivers that could bind to malicious device nodes, thus making it > possible to disable lockdown. > > Historically this interface has been used on the pseries platform to > facilitate the runtime addition and removal of processor, memory, and > device resources (aka Dynamic Logical Partitioning or DLPAR). Years > ago, the processor and memory use cases were migrated to designs that > happen to be lockdown-friendly: device tree updates are communicated > directly to the kernel from firmware without passing through > untrusted > user space. I/O device DLPAR via the "drmgr" command in powerpc-utils > remains the sole legitimate user of /proc/powerpc/ofdt, but it is > already broken in lockdown since it uses /dev/mem to allocate > argument > buffers for the rtas syscall. So only illegitimate uses of the > interface should see a behavior change when running on a locked down > kernel. > > Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com> Seems sensible to me. Reviewed-by: Andrew Donnellan <ajd@linux.ibm.com> > --- > arch/powerpc/platforms/pseries/reconfig.c | 5 +++++ > include/linux/security.h | 1 + > security/security.c | 1 + > 3 files changed, 7 insertions(+) > > diff --git a/arch/powerpc/platforms/pseries/reconfig.c > b/arch/powerpc/platforms/pseries/reconfig.c > index cad7a0c93117..599bd2c78514 100644 > --- a/arch/powerpc/platforms/pseries/reconfig.c > +++ b/arch/powerpc/platforms/pseries/reconfig.c > @@ -10,6 +10,7 @@ > #include <linux/kernel.h> > #include <linux/notifier.h> > #include <linux/proc_fs.h> > +#include <linux/security.h> > #include <linux/slab.h> > #include <linux/of.h> > > @@ -361,6 +362,10 @@ static ssize_t ofdt_write(struct file *file, > const char __user *buf, size_t coun > char *kbuf; > char *tmp; > > + rv = security_locked_down(LOCKDOWN_DEVICE_TREE); > + if (rv) > + return rv; > + > kbuf = memdup_user_nul(buf, count); > if (IS_ERR(kbuf)) > return PTR_ERR(kbuf); > diff --git a/include/linux/security.h b/include/linux/security.h > index 7bd0c490703d..39e7c0e403d9 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -114,6 +114,7 @@ enum lockdown_reason { > LOCKDOWN_IOPORT, > LOCKDOWN_MSR, > LOCKDOWN_ACPI_TABLES, > + LOCKDOWN_DEVICE_TREE, > LOCKDOWN_PCMCIA_CIS, > LOCKDOWN_TIOCSSERIAL, > LOCKDOWN_MODULE_PARAMETERS, > diff --git a/security/security.c b/security/security.c > index 4b95de24bc8d..51bf66d4f472 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -52,6 +52,7 @@ const char *const > lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { > [LOCKDOWN_IOPORT] = "raw io port access", > [LOCKDOWN_MSR] = "raw MSR access", > [LOCKDOWN_ACPI_TABLES] = "modifying ACPI tables", > + [LOCKDOWN_DEVICE_TREE] = "modifying device tree contents", > [LOCKDOWN_PCMCIA_CIS] = "direct PCMCIA CIS storage", > [LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO", > [LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters", -- Andrew Donnellan OzLabs, ADL Canberra ajd@linux.ibm.com IBM Australia Limited ^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH v2 2/2] powerpc/rtas: block error injection when locked down 2022-09-26 13:16 [PATCH v2 0/2] powerpc/pseries: restrict error injection and DT changes when locked down Nathan Lynch 2022-09-26 13:16 ` [PATCH v2 1/2] powerpc/pseries: block untrusted device tree " Nathan Lynch @ 2022-09-26 13:16 ` Nathan Lynch 2022-09-26 22:41 ` Paul Moore 2022-09-28 10:02 ` Andrew Donnellan 2022-10-04 13:25 ` [PATCH v2 0/2] powerpc/pseries: restrict error injection and DT changes " Michael Ellerman 2 siblings, 2 replies; 9+ messages in thread From: Nathan Lynch @ 2022-09-26 13:16 UTC (permalink / raw) To: linuxppc-dev, linux-security-module, linux-kernel Cc: ajd, nayna, jmorris, paul, gcwilson, serge The error injection facility on pseries VMs allows corruption of arbitrary guest memory, potentially enabling a sufficiently privileged user to disable lockdown or perform other modifications of the running kernel via the rtas syscall. Block the PAPR error injection facility from being opened or called when locked down. Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com> --- arch/powerpc/kernel/rtas.c | 25 ++++++++++++++++++++++++- include/linux/security.h | 1 + security/security.c | 1 + 3 files changed, 26 insertions(+), 1 deletion(-) diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c index 693133972294..c2540d393f1c 100644 --- a/arch/powerpc/kernel/rtas.c +++ b/arch/powerpc/kernel/rtas.c @@ -23,6 +23,7 @@ #include <linux/memblock.h> #include <linux/slab.h> #include <linux/reboot.h> +#include <linux/security.h> #include <linux/syscalls.h> #include <linux/of.h> #include <linux/of_fdt.h> @@ -464,6 +465,9 @@ void rtas_call_unlocked(struct rtas_args *args, int token, int nargs, int nret, va_end(list); } +static int ibm_open_errinjct_token; +static int ibm_errinjct_token; + int rtas_call(int token, int nargs, int nret, int *outputs, ...) { va_list list; @@ -476,6 +480,16 @@ int rtas_call(int token, int nargs, int nret, int *outputs, ...) if (!rtas.entry || token == RTAS_UNKNOWN_SERVICE) return -1; + if (token == ibm_open_errinjct_token || token == ibm_errinjct_token) { + /* + * It would be nicer to not discard the error value + * from security_locked_down(), but callers expect an + * RTAS status, not an errno. + */ + if (security_locked_down(LOCKDOWN_RTAS_ERROR_INJECTION)) + return -1; + } + if ((mfmsr() & (MSR_IR|MSR_DR)) != (MSR_IR|MSR_DR)) { WARN_ON_ONCE(1); return -1; @@ -1227,6 +1241,14 @@ SYSCALL_DEFINE1(rtas, struct rtas_args __user *, uargs) if (block_rtas_call(token, nargs, &args)) return -EINVAL; + if (token == ibm_open_errinjct_token || token == ibm_errinjct_token) { + int err; + + err = security_locked_down(LOCKDOWN_RTAS_ERROR_INJECTION); + if (err) + return err; + } + /* Need to handle ibm,suspend_me call specially */ if (token == rtas_token("ibm,suspend-me")) { @@ -1325,7 +1347,8 @@ void __init rtas_initialize(void) #ifdef CONFIG_RTAS_ERROR_LOGGING rtas_last_error_token = rtas_token("rtas-last-error"); #endif - + ibm_open_errinjct_token = rtas_token("ibm,open-errinjct"); + ibm_errinjct_token = rtas_token("ibm,errinjct"); rtas_syscall_filter_init(); } diff --git a/include/linux/security.h b/include/linux/security.h index 39e7c0e403d9..70f89dc3a712 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -123,6 +123,7 @@ enum lockdown_reason { LOCKDOWN_XMON_WR, LOCKDOWN_BPF_WRITE_USER, LOCKDOWN_DBG_WRITE_KERNEL, + LOCKDOWN_RTAS_ERROR_INJECTION, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_KCORE, LOCKDOWN_KPROBES, diff --git a/security/security.c b/security/security.c index 51bf66d4f472..eabe3ce7e74e 100644 --- a/security/security.c +++ b/security/security.c @@ -61,6 +61,7 @@ const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_XMON_WR] = "xmon write access", [LOCKDOWN_BPF_WRITE_USER] = "use of bpf to write user RAM", [LOCKDOWN_DBG_WRITE_KERNEL] = "use of kgdb/kdb to write kernel RAM", + [LOCKDOWN_RTAS_ERROR_INJECTION] = "RTAS error injection", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_KCORE] = "/proc/kcore access", [LOCKDOWN_KPROBES] = "use of kprobes", -- 2.37.3 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH v2 2/2] powerpc/rtas: block error injection when locked down 2022-09-26 13:16 ` [PATCH v2 2/2] powerpc/rtas: block error injection " Nathan Lynch @ 2022-09-26 22:41 ` Paul Moore 2022-09-28 10:02 ` Andrew Donnellan 1 sibling, 0 replies; 9+ messages in thread From: Paul Moore @ 2022-09-26 22:41 UTC (permalink / raw) To: Nathan Lynch Cc: ajd, nayna, linux-kernel, jmorris, linux-security-module, gcwilson, linuxppc-dev, serge On Mon, Sep 26, 2022 at 9:18 AM Nathan Lynch <nathanl@linux.ibm.com> wrote: > > The error injection facility on pseries VMs allows corruption of > arbitrary guest memory, potentially enabling a sufficiently privileged > user to disable lockdown or perform other modifications of the running > kernel via the rtas syscall. > > Block the PAPR error injection facility from being opened or called > when locked down. > > Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com> > --- > arch/powerpc/kernel/rtas.c | 25 ++++++++++++++++++++++++- > include/linux/security.h | 1 + > security/security.c | 1 + > 3 files changed, 26 insertions(+), 1 deletion(-) The lockdown changes are trivial, but they look fine to me. Acked-by: Paul Moore <paul@paul-moore.com> (LSM) -- paul-moore.com ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v2 2/2] powerpc/rtas: block error injection when locked down 2022-09-26 13:16 ` [PATCH v2 2/2] powerpc/rtas: block error injection " Nathan Lynch 2022-09-26 22:41 ` Paul Moore @ 2022-09-28 10:02 ` Andrew Donnellan 2022-09-28 16:23 ` Nathan Lynch 1 sibling, 1 reply; 9+ messages in thread From: Andrew Donnellan @ 2022-09-28 10:02 UTC (permalink / raw) To: Nathan Lynch, linuxppc-dev, linux-security-module, linux-kernel Cc: paul, nayna, jmorris, gcwilson, serge On Mon, 2022-09-26 at 08:16 -0500, Nathan Lynch wrote: > The error injection facility on pseries VMs allows corruption of > arbitrary guest memory, potentially enabling a sufficiently > privileged > user to disable lockdown or perform other modifications of the > running > kernel via the rtas syscall. > > Block the PAPR error injection facility from being opened or called > when locked down. > > Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com> Is there any circumstance (short of arbitrary code execution etc) where the rtas_call() check will actually trigger rather than the sys_rtas() check? (Not that it matters, defence in depth is good.) Reviewed-by: Andrew Donnellan <ajd@linux.ibm.com> > --- > arch/powerpc/kernel/rtas.c | 25 ++++++++++++++++++++++++- > include/linux/security.h | 1 + > security/security.c | 1 + > 3 files changed, 26 insertions(+), 1 deletion(-) > > diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c > index 693133972294..c2540d393f1c 100644 > --- a/arch/powerpc/kernel/rtas.c > +++ b/arch/powerpc/kernel/rtas.c > @@ -23,6 +23,7 @@ > #include <linux/memblock.h> > #include <linux/slab.h> > #include <linux/reboot.h> > +#include <linux/security.h> > #include <linux/syscalls.h> > #include <linux/of.h> > #include <linux/of_fdt.h> > @@ -464,6 +465,9 @@ void rtas_call_unlocked(struct rtas_args *args, > int token, int nargs, int nret, > va_end(list); > } > > +static int ibm_open_errinjct_token; > +static int ibm_errinjct_token; > + > int rtas_call(int token, int nargs, int nret, int *outputs, ...) > { > va_list list; > @@ -476,6 +480,16 @@ int rtas_call(int token, int nargs, int nret, > int *outputs, ...) > if (!rtas.entry || token == RTAS_UNKNOWN_SERVICE) > return -1; > > + if (token == ibm_open_errinjct_token || token == > ibm_errinjct_token) { > + /* > + * It would be nicer to not discard the error value > + * from security_locked_down(), but callers expect an > + * RTAS status, not an errno. > + */ > + if > (security_locked_down(LOCKDOWN_RTAS_ERROR_INJECTION)) > + return -1; > + } > + > if ((mfmsr() & (MSR_IR|MSR_DR)) != (MSR_IR|MSR_DR)) { > WARN_ON_ONCE(1); > return -1; > @@ -1227,6 +1241,14 @@ SYSCALL_DEFINE1(rtas, struct rtas_args __user > *, uargs) > if (block_rtas_call(token, nargs, &args)) > return -EINVAL; > > + if (token == ibm_open_errinjct_token || token == > ibm_errinjct_token) { > + int err; > + > + err = > security_locked_down(LOCKDOWN_RTAS_ERROR_INJECTION); > + if (err) > + return err; > + } > + > /* Need to handle ibm,suspend_me call specially */ > if (token == rtas_token("ibm,suspend-me")) { > > @@ -1325,7 +1347,8 @@ void __init rtas_initialize(void) > #ifdef CONFIG_RTAS_ERROR_LOGGING > rtas_last_error_token = rtas_token("rtas-last-error"); > #endif > - > + ibm_open_errinjct_token = rtas_token("ibm,open-errinjct"); > + ibm_errinjct_token = rtas_token("ibm,errinjct"); > rtas_syscall_filter_init(); > } > > diff --git a/include/linux/security.h b/include/linux/security.h > index 39e7c0e403d9..70f89dc3a712 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -123,6 +123,7 @@ enum lockdown_reason { > LOCKDOWN_XMON_WR, > LOCKDOWN_BPF_WRITE_USER, > LOCKDOWN_DBG_WRITE_KERNEL, > + LOCKDOWN_RTAS_ERROR_INJECTION, > LOCKDOWN_INTEGRITY_MAX, > LOCKDOWN_KCORE, > LOCKDOWN_KPROBES, > diff --git a/security/security.c b/security/security.c > index 51bf66d4f472..eabe3ce7e74e 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -61,6 +61,7 @@ const char *const > lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { > [LOCKDOWN_XMON_WR] = "xmon write access", > [LOCKDOWN_BPF_WRITE_USER] = "use of bpf to write user RAM", > [LOCKDOWN_DBG_WRITE_KERNEL] = "use of kgdb/kdb to write > kernel RAM", > + [LOCKDOWN_RTAS_ERROR_INJECTION] = "RTAS error injection", > [LOCKDOWN_INTEGRITY_MAX] = "integrity", > [LOCKDOWN_KCORE] = "/proc/kcore access", > [LOCKDOWN_KPROBES] = "use of kprobes", -- Andrew Donnellan OzLabs, ADL Canberra ajd@linux.ibm.com IBM Australia Limited ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v2 2/2] powerpc/rtas: block error injection when locked down 2022-09-28 10:02 ` Andrew Donnellan @ 2022-09-28 16:23 ` Nathan Lynch 0 siblings, 0 replies; 9+ messages in thread From: Nathan Lynch @ 2022-09-28 16:23 UTC (permalink / raw) To: Andrew Donnellan Cc: paul, nayna, jmorris, linux-kernel, linux-security-module, gcwilson, linuxppc-dev, serge Andrew Donnellan <ajd@linux.ibm.com> writes: > On Mon, 2022-09-26 at 08:16 -0500, Nathan Lynch wrote: >> The error injection facility on pseries VMs allows corruption of >> arbitrary guest memory, potentially enabling a sufficiently >> privileged >> user to disable lockdown or perform other modifications of the >> running >> kernel via the rtas syscall. >> >> Block the PAPR error injection facility from being opened or called >> when locked down. >> >> Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com> > > Is there any circumstance (short of arbitrary code execution etc) where > the rtas_call() check will actually trigger rather than the sys_rtas() > check? (Not that it matters, defence in depth is good.) Fair question! There are no in-kernel users of rtas_call() that pass the error injection tokens as far as I could tell. Nor am I aware of any out-of-tree users, for that matter. But rtas_call() is the likely most appropriate place to have the lockdown gate should that situation change (as it might, see https://github.com/ibm-power-utilities/librtas/issues/29). ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v2 0/2] powerpc/pseries: restrict error injection and DT changes when locked down 2022-09-26 13:16 [PATCH v2 0/2] powerpc/pseries: restrict error injection and DT changes when locked down Nathan Lynch 2022-09-26 13:16 ` [PATCH v2 1/2] powerpc/pseries: block untrusted device tree " Nathan Lynch 2022-09-26 13:16 ` [PATCH v2 2/2] powerpc/rtas: block error injection " Nathan Lynch @ 2022-10-04 13:25 ` Michael Ellerman 2 siblings, 0 replies; 9+ messages in thread From: Michael Ellerman @ 2022-10-04 13:25 UTC (permalink / raw) To: Nathan Lynch, linux-kernel, linux-security-module, linuxppc-dev Cc: ajd, nayna, jmorris, paul, gcwilson, serge On Mon, 26 Sep 2022 08:16:41 -0500, Nathan Lynch wrote: > Add two new lockdown reasons for use in powerpc's pseries platform > code. > > The pseries platform allows hardware-level error injection via certain > calls to the RTAS (Run Time Abstraction Services) firmware. ACPI-based > error injection is already restricted in lockdown; this facility > should be restricted for the same reasons. > > [...] Applied to powerpc/next. [1/2] powerpc/pseries: block untrusted device tree changes when locked down https://git.kernel.org/powerpc/c/99df7a2810b6d24651d4887ab61a142e042fb235 [2/2] powerpc/rtas: block error injection when locked down https://git.kernel.org/powerpc/c/b8f3e48834fe8c86b4f21739c6effd160e2c2c19 cheers ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2022-10-04 13:54 UTC | newest] Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2022-09-26 13:16 [PATCH v2 0/2] powerpc/pseries: restrict error injection and DT changes when locked down Nathan Lynch 2022-09-26 13:16 ` [PATCH v2 1/2] powerpc/pseries: block untrusted device tree " Nathan Lynch 2022-09-26 22:39 ` Paul Moore 2022-09-28 9:51 ` Andrew Donnellan 2022-09-26 13:16 ` [PATCH v2 2/2] powerpc/rtas: block error injection " Nathan Lynch 2022-09-26 22:41 ` Paul Moore 2022-09-28 10:02 ` Andrew Donnellan 2022-09-28 16:23 ` Nathan Lynch 2022-10-04 13:25 ` [PATCH v2 0/2] powerpc/pseries: restrict error injection and DT changes " Michael Ellerman
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).