On Thu, Apr 25, 2019 at 3:49 AM Vasily Gorbik wrote:
> I would appreciate if you consider that change, possibly just
> squashing into yours.
Thanks, I've squashed that in.
On Thu, Apr 25, 2019 at 5:44 AM Vlastimil Babka wrote:
>
> On 4/25/19 2:14 PM, Michal Hocko wrote:
> > Please cc linux-api for user visible API proposals (now done). Keep the
> > rest of the email intact for reference.
> >
> > On Wed 24-04-19 14:10:39, Matthew Gar
On Thu, Apr 25, 2019 at 5:43 AM Jann Horn wrote:
> An interesting effect of this is that it will be possible to set this
> on a CoW anon VMA in a fork() child, and then the semantics in the
> parent will be subtly different - e.g. if the parent vmsplice()d a
> CoWed page into a pipe, then forked
On Thu, Apr 25, 2019 at 5:37 AM Michal Hocko wrote:
> Besides that you inherently assume that the user would do mlock because
> you do not try to wipe the swap content. Is this intentional?
Yes, given MADV_DONTDUMP doesn't imply mlock I thought it'd be more
consistent to keep those independent.
On Thu, Apr 25, 2019 at 8:32 AM Christopher Lameter wrote:
>
> On Wed, 24 Apr 2019, Matthew Garrett wrote:
>
> > Applications that hold secrets and wish to avoid them leaking can use
> > mlock() to prevent the page from being pushed out to swap and
> > MADV_DONTDU
From: Matthew Garrett
Applications that hold secrets and wish to avoid them leaking can use
mlock() to prevent the page from being pushed out to swap and
MADV_DONTDUMP to prevent it from being included in core dumps. Applications
can also use atexit() handlers to overwrite secrets on application
On Wed, Apr 24, 2019 at 1:20 PM Matthew Wilcox wrote:
> It depends on the semantics you want. There's no legacy code to
> worry about here. I was seeing this as the equivalent of an atexit()
> handler; userspace is saying "When this page is unmapped, zero it".
> So it doesn't matter that
On Wed, Apr 24, 2019 at 12:28 PM Matthew Wilcox wrote:
>
> On Wed, Apr 24, 2019 at 12:14:40PM -0700, Matthew Garrett wrote:
> > Unfortunately, if an application exits uncleanly, its secrets may still be
> > present in RAM. This can't be easily fixed in userland (eg, if the OOM
From: Matthew Garrett
Applications that hold secrets and wish to avoid them leaking can use
mlock() to prevent the page from being pushed out to swap and
MADV_DONTDUMP to prevent it from being included in core dumps. Applications
can also use atexit() handlers to overwrite secrets on application
On Tue, Apr 16, 2019 at 8:36 AM Jarkko Sakkinen wrote:
> Matthew, looking at the code I guess the includes are in wrong order
> i.e. early_ioremap.h should be included before tpm_eventlog.h. Do you
> agree that this is the correct conclusion? I can do the update.
Yes, I believe that that's the
On Thu, Apr 4, 2019 at 6:39 AM Steven Rostedt wrote:
>
> On Wed, 3 Apr 2019 17:32:49 -0700
> Matthew Garrett wrote:
>
>
> > +static void tracefs_destroy_inode(struct inode *inode)
> > +{
> > + if S_ISREG(inode->i_mode)
>
> Can we please pu
From: Matthew Garrett
uswsusp allows a user process to dump and then restore kernel state, which
makes it possible to modify the running kernel. Disable this if the kernel
is locked down.
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
cc: linux...@vger.kernel.org
Cc: pa
From: Matthew Garrett
Any hardware that can potentially generate DMA has to be locked down in
order to avoid it being possible for an attacker to modify kernel code,
allowing them to circumvent disabled module loading or module signing.
Default to paranoid - in future we can potentially relax
From: Josh Boyer
This option allows userspace to pass the RSDP address to the kernel, which
makes it possible for a user to modify the workings of hardware. Reject
the option when the kernel is locked down.
Signed-off-by: Josh Boyer
Signed-off-by: David Howells
Signed-off-by: Matthew
.
Reported-by: Greg Kroah-Hartman
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
cc: Jiri Slaby
Cc: linux-ser...@vger.kernel.org
---
drivers/tty/serial/serial_core.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial
off-by: David Howells
Signed-off-by: Matthew Garrett
---
security/lock_down.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/lock_down.c b/security/lock_down.c
index 9913fff09ad0..2659722784cc 100644
--- a/security/lock_down.c
+++ b/security/lock_down.c
@@ -70,8 +7
-by: Matthew Garrett
Acked-by: Mimi Zohar
Cc: Dmitry Kasatkin
Cc: linux-integr...@vger.kernel.org
---
include/linux/ima.h | 9 ++
kernel/kexec_file.c | 7 +++-
security/integrity/ima/ima.h| 2 ++
security/integrity/ima/ima_main.c | 2 +-
security
modules.
Reported-by: Alexei Starovoitov
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Cc: Naveen N. Rao
Cc: Anil S Keshavamurthy
Cc: da...@davemloft.net
Cc: Masami Hiramatsu
---
kernel/trace/trace_kprobe.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/trace
From: David Howells
Disallow access to /proc/kcore when the kernel is locked down to prevent
access to cryptographic data. This is limited to lockdown
confidentiality mode and is still permitted in integrity mode.
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
---
fs/proc
, as there are 19 creation functions and ~1600 call sites (some of
them in loops scanning tables).
Signed-off-by: David Howells
cc: Andy Shevchenko
cc: acpi4asus-u...@lists.sourceforge.net
cc: platform-driver-...@vger.kernel.org
cc: Matthew Garrett
cc: Thomas Gleixner
Signed-off-by: Matthew Garrett
Tracefs may release more information about the kernel than desirable, so
restrict it when the kernel is locked down in confidentiality mode by
preventing open().
Signed-off-by: Matthew Garrett
Cc: Steven Rostedt
---
fs/tracefs/inode.c | 40 +++-
1 file
From: David Howells
Disallow the use of certain perf facilities that might allow userspace to
access kernel data.
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Cc: Peter Zijlstra
Cc: Ingo Molnar
Cc: Arnaldo Carvalho de Melo
---
kernel/events/core.c | 6 ++
1 file changed
uld disallow any unauthenticated
changes to kernel space. ACPI tables contain code invoked by the kernel,
so do not allow ACPI tables to be overridden if the kernel is locked down.
Signed-off-by: Linn Crosetto
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
cc: li
From: Matthew Garrett
custom_method effectively allows arbitrary access to system memory, making
it possible for an attacker to circumvent restrictions on module loading.
Disable it if the kernel is locked down.
Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
cc: linux
From: Matthew Garrett
Writing to MSRs should not be allowed if the kernel is locked down, since
it could lead to execution of arbitrary code in kernel mode. Based on a
patch by Kees Cook.
Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
Acked-by: Kees Cook
Reviewed-by: Thomas
From: David Howells
Provided an annotation for module parameters that specify hardware
parameters (such as io ports, iomem addresses, irqs, dma channels, fixed
dma buffers and other types).
Suggested-by: Alan Cox
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
---
kernel
From: David Howells
Prohibit replacement of the PCMCIA Card Information Structure when the
kernel is locked down.
Suggested-by: Dominik Brodowski
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
---
drivers/pcmcia/cistpl.c | 4
1 file changed, 4 insertions(+)
diff --git
From: David Howells
The testmmiotrace module shouldn't be permitted when the kernel is locked
down as it can be used to arbitrarily read and write MMIO space. This is
a runtime check rather than buildtime in order to allow configurations
where the same kernel may be run in both locked down or
-by: David Howells
Signed-off-by: Matthew Garrett
Cc: r...@rjwysocki.net
Cc: pa...@ucw.cz
cc: linux...@vger.kernel.org
---
kernel/power/hibernate.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
index abef759de7c8..928b198cfa26
error if there is a signature
which cannot be parsed - even if in non-forcing mode.
(5) kexec fails with ELIBBAD if the PE file cannot be parsed to extract
the signature - even if in non-forcing mode.
]
Signed-off-by: Jiri Bohac
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Fairly minimal changes since the last set: tracefs is restricted at
Steven's suggestion (but could do with a once-over, I'm very much not a
vfs person), debugfs is back to Dave's original implementation. I've
also fixed up a malformed patch that resulted from me getting confused
during rebase, and
From: Matthew Garrett
IO port access would permit users to gain access to PCI configuration
registers, which in turn (on a lot of hardware) give access to MMIO
register space. This would potentially permit root to trigger arbitrary
DMA, so lock it down by default.
This also implicitly locks
, fiddling with
MSR registers and disallowing hibernation.
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
---
Documentation/ABI/testing/lockdown| 19 +++
.../admin-guide/kernel-parameters.txt | 9 ++
Documentation/admin-guide/lockdown.rst| 60
(EKEYREJECTED) or a system error occurs (eg. ENOMEM), we
return the error we got.
Note that the X.509 code doesn't check for key expiry as the RTC might not
be valid or might not have been transferred to the kernel's clock yet.
[Modified by Matthew Garrett to remove the IMA integration
From: Matthew Garrett
Allowing users to read and write to core kernel memory makes it possible
for the kernel to be subverted, avoiding module loading restrictions, and
also to steal cryptographic information.
Disallow /dev/mem and /dev/kmem from being opened when the kernel has
been
On Wed, Mar 27, 2019 at 10:40 AM Andy Lutomirski wrote:
> As far as I'm concerned, preventing root from crashing the system
> should not be a design goal of lockdown at all. And I think that the
> "integrity" mode should be as non-annoying as possible, so I think we
> should allow reading from
On Wed, Mar 27, 2019 at 8:57 AM Steven Rostedt wrote:
>
> On Tue, 26 Mar 2019 11:27:35 -0700
> Matthew Garrett wrote:
>
> > From: David Howells
> >
> > The testmmiotrace module shouldn't be permitted when the kernel is locked
> > down as it can be used to a
On Tue, Mar 26, 2019 at 5:31 PM Greg KH wrote:
> On Tue, Mar 26, 2019 at 11:27:41AM -0700, Matthew Garrett wrote:
> > From: Matthew Garrett
> >
> > debugfs has not been meaningfully audited in terms of ensuring that
> > userland cannot trample over the kernel.
On Tue, Mar 26, 2019 at 12:20 PM Andy Lutomirski wrote:
> Ugh. Some of those files are very useful. Could this perhaps still
> allow O_RDONLY if we're in INTEGRITY mode?
The previous implementation did, but Greg wanted it to go away entirely.
From: Matthew Garrett
Allowing users to read and write to core kernel memory makes it possible
for the kernel to be subverted, avoiding module loading restrictions, and
also to steal cryptographic information.
Disallow /dev/mem and /dev/kmem from being opened when the kernel has
been
-by: David Howells
Signed-off-by: Matthew Garrett
Cc: r...@rjwysocki.net
Cc: pa...@ucw.cz
cc: linux...@vger.kernel.org
---
kernel/power/hibernate.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
index abef759de7c8..928b198cfa26
From: Matthew Garrett
custom_method effectively allows arbitrary access to system memory, making
it possible for an attacker to circumvent restrictions on module loading.
Disable it if the kernel is locked down.
Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
cc: linux
uld disallow any unauthenticated
changes to kernel space. ACPI tables contain code invoked by the kernel,
so do not allow ACPI tables to be overridden if the kernel is locked down.
Signed-off-by: Linn Crosetto
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
cc: li
From: Matthew Garrett
Any hardware that can potentially generate DMA has to be locked down in
order to avoid it being possible for an attacker to modify kernel code,
allowing them to circumvent disabled module loading or module signing.
Default to paranoid - in future we can potentially relax
Signed-off-by: Matthew Garrett
Cc: Naveen N. Rao
Cc: Anil S Keshavamurthy
Cc: da...@davemloft.net
Cc: Masami Hiramatsu
---
kernel/kprobes.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index f4ddfdd2d07e..b9781bd2db8c 100644
--- a/kernel/kprobes.c
+++ b
From: David Howells
Prohibit replacement of the PCMCIA Card Information Structure when the
kernel is locked down.
Suggested-by: Dominik Brodowski
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
---
drivers/pcmcia/cistpl.c | 4
1 file changed, 4 insertions(+)
diff --git
From: David Howells
The testmmiotrace module shouldn't be permitted when the kernel is locked
down as it can be used to arbitrarily read and write MMIO space. This is
a runtime check rather than buildtime in order to allow configurations
where the same kernel may be run in both locked down or
restriction. Disable them if the kernel has been locked down in
confidentiality mode.
Suggested-by: Alexei Starovoitov
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
cc: net...@vger.kernel.org
cc: Chun-Yi Lee
cc: Alexei Starovoitov
Cc: Daniel Borkmann
---
kernel/trace
From: Matthew Garrett
debugfs has not been meaningfully audited in terms of ensuring that
userland cannot trample over the kernel. At Greg's request, disable
access to it entirely when the kernel is locked down. This is done at
open() time rather than init time as the kernel lockdown status may
From: Matthew Garrett
IO port access would permit users to gain access to PCI configuration
registers, which in turn (on a lot of hardware) give access to MMIO
register space. This would potentially permit root to trigger arbitrary
DMA, so lock it down by default.
This also implicitly locks
man kernel_lockdown.7
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
---
include/linux/ima.h | 9 ++
kernel/kexec_file.c | 7 +++-
security/integrity/ima/ima.h| 2 ++
security/integrity/ima/ima_main.c | 2 +-
security/integrity/ima/ima_policy.c |
From: David Howells
Disallow the use of certain perf facilities that might allow userspace to
access kernel data.
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Cc: Peter Zijlstra
Cc: Ingo Molnar
Cc: Arnaldo Carvalho de Melo
---
kernel/events/core.c | 6 ++
1 file changed
From: David Howells
Provided an annotation for module parameters that specify hardware
parameters (such as io ports, iomem addresses, irqs, dma channels, fixed
dma buffers and other types).
Suggested-by: Alan Cox
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
---
kernel
From: David Howells
Disallow access to /proc/kcore when the kernel is locked down to prevent
access to cryptographic data. This is limited to lockdown
confidentiality mode and is still permitted in integrity mode.
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
---
fs/proc
.
Reported-by: Greg Kroah-Hartman
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
cc: Jiri Slaby
Cc: linux-ser...@vger.kernel.org
---
drivers/tty/serial/serial_core.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial
From: Josh Boyer
This option allows userspace to pass the RSDP address to the kernel, which
makes it possible for a user to modify the workings of hardware. Reject
the option when the kernel is locked down.
Signed-off-by: Josh Boyer
Signed-off-by: David Howells
Signed-off-by: Matthew
From: Matthew Garrett
Writing to MSRs should not be allowed if the kernel is locked down, since
it could lead to execution of arbitrary code in kernel mode. Based on a
patch by Kees Cook.
Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
Acked-by: Kees Cook
Reviewed-by: Thomas
From: Matthew Garrett
uswsusp allows a user process to dump and then restore kernel state, which
makes it possible to modify the running kernel. Disable this if the kernel
is locked down.
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
cc: linux...@vger.kernel.org
Cc: pa
error if there is a signature
which cannot be parsed - even if in non-forcing mode.
(5) kexec fails with ELIBBAD if the PE file cannot be parsed to extract
the signature - even if in non-forcing mode.
]
Signed-off-by: Jiri Bohac
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
(EKEYREJECTED) or a system error occurs (eg. ENOMEM), we
return the error we got.
Note that the X.509 code doesn't check for key expiry as the RTC might not
be valid or might not have been transferred to the kernel's clock yet.
[Modified by Matthew Garrett to remove the IMA integration
Updates: Based on Andy's feedback, lockdown is now a tristate and can be
made stricter at runtime. The states are "none", "integrity" and
"confidentiality". "none" results in no behavioural change, "integrity"
enables features that prevent untrusted code from being run in ring 0,
and
, fiddling with
MSR registers and disallowing hibernation.
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
---
Documentation/ABI/testing/lockdown| 19 +++
.../admin-guide/kernel-parameters.txt | 9 ++
include/linux/kernel.h| 28
On Tue, Mar 26, 2019 at 5:30 AM Masami Hiramatsu wrote:
>
> On Mon, 25 Mar 2019 15:09:49 -0700
> Matthew Garrett wrote:
>
> > From: David Howells
> >
> > Disallow the creation of kprobes when the kernel is locked down by
> > preventing their registration. T
Based on Andy's feedback, I'm going to rework this slightly and
re-send tomorrow.
On Mon, Mar 25, 2019 at 5:35 PM Greg Kroah-Hartman wrote:
> On Mon, Mar 25, 2019 at 03:09:52PM -0700, Matthew Garrett wrote:
> > Normal device interaction should be done through configfs, sysfs or a
> > miscdev, not debugfs.
>
> Then why not just not allow debugfs at all
, fiddling with
MSR registers and disallowing hibernation.
Signed-off-by: David Howells
Acked-by: James Morris
Signed-off-by: Matthew Garrett
---
include/linux/kernel.h | 17
include/linux/security.h | 9 +-
security/Kconfig | 15 ++
security/Makefile
: ke...@lists.infradead.org
Signed-off-by: Matthew Garrett
---
arch/x86/Kconfig | 20 ---
crypto/asymmetric_keys/verify_pefile.c | 4 ++-
include/linux/kexec.h | 4 +--
kernel/kexec_file.c| 48 ++
4 files
From: Matthew Garrett
IO port access would permit users to gain access to PCI configuration
registers, which in turn (on a lot of hardware) give access to MMIO
register space. This would potentially permit root to trigger arbitrary
DMA, so lock it down by default.
This also implicitly locks
From: Matthew Garrett
Any hardware that can potentially generate DMA has to be locked down in
order to avoid it being possible for an attacker to modify kernel code,
allowing them to circumvent disabled module loading or module signing.
Default to paranoid - in future we can potentially relax
From: Matthew Garrett
uswsusp allows a user process to dump and then restore kernel state, which
makes it possible to modify the running kernel. Disable this if the kernel
is locked down.
Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
Reviewed-by: James Morris
cc: linux
Howells
Signed-off-by: Matthew Garrett
Cc: Naveen N. Rao
Cc: Anil S Keshavamurthy
Cc: da...@davemloft.net
Cc: Masami Hiramatsu
---
kernel/kprobes.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index f4ddfdd2d07e..6f66cca8e2c6 100644
--- a/kernel
-a...@vger.kernel.org
Signed-off-by: Matthew Garrett
---
drivers/acpi/osl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
index f29e427d0d1d..3e44cef7a0cd 100644
--- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.c
@@ -194,7 +194,7
From: David Howells
Provided an annotation for module parameters that specify hardware
parameters (such as io ports, iomem addresses, irqs, dma channels, fixed
dma buffers and other types).
Suggested-by: Alan Cox
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
---
kernel
.
Reported-by: Greg Kroah-Hartman
Signed-off-by: David Howells
cc: Jiri Slaby
Cc: linux-ser...@vger.kernel.org
Signed-off-by: Matthew Garrett
---
drivers/tty/serial/serial_core.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial
From: Matthew Garrett
custom_method effectively allows arbitrary access to system memory, making
it possible for an attacker to circumvent restrictions on module loading.
Disable it if the kernel is locked down.
Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
cc: linux
, as there are 19 creation functions and ~1600 call sites (some of
them in loops scanning tables).
Signed-off-by: David Howells
cc: Andy Shevchenko
cc: acpi4asus-u...@lists.sourceforge.net
cc: platform-driver-...@vger.kernel.org
cc: Matthew Garrett
cc: Thomas Gleixner
Cc: Greg Kroah-Hartman
Signed-off
ot;
cc: x...@kernel.org
Signed-off-by: Matthew Garrett
---
arch/x86/mm/testmmiotrace.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c
index f6ae6830b341..bbaad357f5d7 100644
--- a/arch/x86/mm/testmmiotrace.c
+++ b/arch/x86/mm/testmmiotrace.c
man kernel_lockdown.7
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
---
security/lock_down.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/lock_down.c b/security/lock_down.c
index 18d8776a4d02..ee00ca2677e7 100644
--- a/security/lock_down.c
+++ b/secur
From: David Howells
Disallow the use of certain perf facilities that might allow userspace to
access kernel data.
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Cc: Peter Zijlstra
Cc: Ingo Molnar
Cc: Arnaldo Carvalho de Melo
---
kernel/events/core.c | 5 +
1 file changed
restriction.
Completely prohibit the use of BPF when the kernel is locked down.
Suggested-by: Alexei Starovoitov
Signed-off-by: David Howells
cc: net...@vger.kernel.org
cc: Chun-Yi Lee
cc: Alexei Starovoitov
Cc: Daniel Borkmann
Signed-off-by: Matthew Garrett
---
kernel/bpf/syscall.c | 3
-by: Matthew Garrett
---
drivers/acpi/apei/einj.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c
index fcccbfdbdd1a..9fe6bbab2e7d 100644
--- a/drivers/acpi/apei/einj.c
+++ b/drivers/acpi/apei/einj.c
@@ -518,6 +518,9 @@ static int
From: David Howells
Prohibit replacement of the PCMCIA Card Information Structure when the
kernel is locked down.
Suggested-by: Dominik Brodowski
Signed-off-by: David Howells
cc: linux-pcm...@lists.infradead.org
Signed-off-by: Matthew Garrett
---
drivers/pcmcia/cistpl.c | 3 +++
1 file
From: David Howells
Disallow access to /proc/kcore when the kernel is locked down to prevent
access to cryptographic data.
Signed-off-by: David Howells
Reviewed-by: James Morris
Signed-off-by: Matthew Garrett
---
fs/proc/kcore.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/proc
From: Matthew Garrett
Writing to MSRs should not be allowed if the kernel is locked down, since
it could lead to execution of arbitrary code in kernel mode. Based on a
patch by Kees Cook.
MSR accesses are logged for the purposes of building up a whitelist as per
Alan Cox's suggestion.
Signed
uld disallow any unauthenticated
changes to kernel space. ACPI tables contain code invoked by the kernel,
so do not allow ACPI tables to be overridden if the kernel is locked down.
Signed-off-by: Linn Crosetto
Signed-off-by: David Howells
cc: linux-a...@vger.kernel.org
Signed-off-by: Matthew Garr
-by: David Howells
Cc: r...@rjwysocki.net
Cc: pa...@ucw.cz
cc: linux...@vger.kernel.org
Signed-off-by: Matthew Garrett
---
kernel/power/hibernate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
index abef759de7c8..802795becb88
-by: Matthew Garrett
Cc: Mimi Zohar
Cc: Dmitry Kasatkin
Cc: linux-integr...@vger.kernel.org
---
include/linux/ima.h | 9 ++
kernel/kexec_file.c | 7 +++-
security/integrity/ima/ima.h| 2 ++
security/integrity/ima/ima_main.c | 2 +-
security
From: Matthew Garrett
Allowing users to read and write to core kernel memory makes it possible
for the kernel to be subverted, avoiding module loading restrictions, and
also to steal cryptographic information.
Disallow /dev/mem and /dev/kmem from being opened when the kernel has
been
inn Crosetto (2):
acpi: Disable ACPI table override if the kernel is locked down
acpi: Disable APEI error injection if the kernel is locked down
Matthew Garrett (8):
Restrict /dev/{mem,kmem,port} when the kernel is locked down
kexec_load: Disable at runtime if the kernel is loc
-verity backed filesystems. If lockdown is enabled, loading unsigned
modules from an integrity-assured filesystem will fail.
[Modified by Matthew Garrett to remove the IMA integration. This will
be replaced with integration with the IMA architecture policy
patchset.]
Signed-off-by: David Howells
On Wed, Mar 6, 2019 at 8:24 PM Matthew Garrett wrote:
>
> On Wed, Mar 6, 2019 at 7:56 PM Mimi Zohar wrote:
> > The kexec and kernel modules patches in this patch set continues to
> > ignore IMA. This patch set should up front either provide an
> > alternativ
On Fri, Mar 8, 2019 at 3:00 PM James Morris wrote:
>
> On Wed, 6 Mar 2019, Matthew Garrett wrote:
>
> > From: David Howells
> >
> > If the kernel is locked down, require that all modules have valid
> > signatures that we can verify.
>
> Perhaps note th
On Fri, Mar 8, 2019 at 10:43 AM Mimi Zohar wrote:
> FYI, efi_printk() works before exit_boot(), but not afterwards. The
> system hangs.
efi_printk() uses boot services to print, so that's not unexpected :)
It would probably be sensible to return an error rather than crash,
though…
On Fri, Mar 8, 2019 at 5:40 AM Mimi Zohar wrote:
>
> On Thu, 2019-03-07 at 14:50 -0800, Matthew Garrett wrote:
> > Is the issue that it gives incorrect results on the first read, or is
> > the issue that it gives incorrect results before ExitBootServices() is
> > calle
On Thu, Mar 7, 2019 at 2:48 PM Mimi Zohar wrote:
> I added this last attempt because I'm seeing this on my laptop, with
> some older, buggy firmware.
Is the issue that it gives incorrect results on the first read, or is
the issue that it gives incorrect results before ExitBootServices() is
On Thu, Mar 7, 2019 at 2:41 PM Mimi Zohar wrote:
> On Thu, 2019-03-07 at 14:36 -0800, Matthew Garrett wrote:
> > Right, but how is this different to what Linus was objecting to?
>
> Both Andy Lutomirski and Linus objected to limiting the "lockdown"
> patch set to
On Thu, Mar 7, 2019 at 2:38 PM Justin Forbes wrote:
> On Thu, Mar 7, 2019 at 4:29 PM Matthew Garrett wrote:
>>
>> On Mon, Nov 19, 2018 at 11:57 AM Mimi Zohar wrote:
>> >
>> > The secure boot mode may not be detected on boot for some reason (eg.
>> >
On Thu, Mar 7, 2019 at 2:34 PM Mimi Zohar wrote:
>
> On Thu, 2019-03-07 at 14:27 -0800, Matthew Garrett wrote:
> > On Wed, Feb 13, 2019 at 4:18 AM Mimi Zohar wrote:
> > > - if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) &&
> > > arch_ima_get_secu
On Mon, Nov 19, 2018 at 11:57 AM Mimi Zohar wrote:
>
> The secure boot mode may not be detected on boot for some reason (eg.
> buggy firmware). This patch attempts one more time to detect the
> secure boot mode.
Do we have cases where this has actually been seen? I'm not sure what
the
On Wed, Feb 13, 2019 at 4:18 AM Mimi Zohar wrote:
> - if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot())
> + if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
> + if (IS_ENABLED(CONFIG_MODULE_SIG))
> +