From: Matthew Garrett <matthewgarrett@google.com> To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Dave Young <dyoung@redhat.com>, David Howells <dhowells@redhat.com>, Matthew Garrett <mjg59@google.com>, Kees Cook <keescook@chromium.org>, kexec@lists.infradead.org Subject: [PATCH V36 07/29] Copy secure_boot flag in boot params across kexec reboot Date: Thu, 18 Jul 2019 12:43:53 -0700 [thread overview] Message-ID: <20190718194415.108476-8-matthewgarrett@google.com> (raw) In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com> From: Dave Young <dyoung@redhat.com> Kexec reboot in case secure boot being enabled does not keep the secure boot mode in new kernel, so later one can load unsigned kernel via legacy kexec_load. In this state, the system is missing the protections provided by secure boot. Adding a patch to fix this by retain the secure_boot flag in original kernel. secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the stub. Fixing this issue by copying secure_boot flag across kexec reboot. Signed-off-by: Dave Young <dyoung@redhat.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Matthew Garrett <mjg59@google.com> Reviewed-by: Kees Cook <keescook@chromium.org> cc: kexec@lists.infradead.org --- arch/x86/kernel/kexec-bzimage64.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c index 5ebcd02cbca7..d2f4e706a428 100644 --- a/arch/x86/kernel/kexec-bzimage64.c +++ b/arch/x86/kernel/kexec-bzimage64.c @@ -180,6 +180,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr, if (efi_enabled(EFI_OLD_MEMMAP)) return 0; + params->secure_boot = boot_params.secure_boot; ei->efi_loader_signature = current_ei->efi_loader_signature; ei->efi_systab = current_ei->efi_systab; ei->efi_systab_hi = current_ei->efi_systab_hi; -- 2.22.0.510.g264f2c817a-goog
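Review bot: the added `params->secure_boot = boot_params.secure_boot;` sits below the `if (efi_enabled(EFI_OLD_MEMMAP)) return 0;` early return in setup_efi_state(), so on that path the function returns before the flag is copied and the kexec'd kernel's boot params do not carry the secure boot state the commit message says must be retained. Consider moving the assignment above the EFI_OLD_MEMMAP check, or explain in the commit message why leaving the flag uncopied on that path is acceptable. A short comment on the new line noting that the EFI stub normally sets this field and that kexec bypasses the stub would also make the reason for the copy clear to later readers.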