49fcf732bd
If the kernel is locked down, require that all modules have valid signatures that we can verify.

I have adjusted the errors generated:

 (1) If there's no signature (ENODATA) or we can't check it (ENOPKG, ENOKEY), then:

     (a) If signatures are enforced then EKEYREJECTED is returned.

     (b) If there's no signature or we can't check it, but the kernel is locked down then EPERM is returned (this is then consistent with other lockdown cases).

 (2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails the check (EKEYREJECTED) or a system error occurs (e.g. ENOMEM), we return the error we got.

Note that the X.509 code doesn't check for key expiry as the RTC might not be valid or might not have been transferred to the kernel's clock yet.

[Modified by Matthew Garrett to remove the IMA integration. This will be replaced with integration with the IMA architecture policy patchset.]

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: Jessica Yu <jeyu@kernel.org>
Signed-off-by: James Morris <jmorris@namei.org>
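The error mapping the message describes, as an added userspace C model; it is not the kernel's module_sig_check() and not part of this commit. The module_policy struct and decide_module_load() are hypothetical names, and the errno values assumed are Linux's.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Linux-specific errno values, defined here only so the model builds elsewhere. */
#ifndef ENOPKG
#define ENOPKG 65
#endif
#ifndef ENOKEY
#define ENOKEY 126
#endif
#ifndef EKEYREJECTED
#define EKEYREJECTED 129
#endif

/* Hypothetical policy inputs (not a kernel type): CONFIG_MODULE_SIG_FORCE /
 * module.sig_enforce state, and whether the kernel is locked down. */
typedef struct {
	bool sig_enforced;
	bool locked_down;
} module_policy;

/* Map the verifier's result (0 or a negative errno, kernel style) to what
 * module loading returns; 0 means the module may be loaded. */
static int decide_module_load(int verify_err, module_policy p)
{
	switch (verify_err) {
	case 0:
		return 0;                     /* valid, verifiable signature */
	case -ENODATA:                    /* no signature present */
	case -ENOPKG:                     /* unsupported crypto, cannot check */
	case -ENOKEY:                     /* signing key not available */
		if (p.sig_enforced)
			return -EKEYREJECTED; /* (1a) signatures are enforced */
		if (p.locked_down)
			return -EPERM;        /* (1b) same error as other lockdown denials */
		return 0;                     /* neither policy set: module is tolerated */
	default:
		/* (2) EBADMSG/EINVAL, EKEYREJECTED, ENOMEM, ...: returned unchanged */
		return verify_err;
	}
}

int main(void)
{
	/* Constructed case: one unsigned module (ENODATA) under three policies. */
	printf("enforced: %d\n", decide_module_load(-ENODATA, (module_policy){ true, false }));
	printf("locked down: %d\n", decide_module_load(-ENODATA, (module_policy){ false, true }));
	printf("neither: %d\n", decide_module_load(-ENODATA, (module_policy){ false, false }));
	return 0;
}
```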
48 lines
1.5 KiB
Plaintext
config SECURITY_LOCKDOWN_LSM
	bool "Basic module for enforcing kernel lockdown"
	depends on SECURITY
	select MODULE_SIG if MODULES
	help
	  Build support for an LSM that enforces a coarse kernel lockdown
	  behaviour.

config SECURITY_LOCKDOWN_LSM_EARLY
	bool "Enable lockdown LSM early in init"
	depends on SECURITY_LOCKDOWN_LSM
	help
	  Enable the lockdown LSM early in boot. This is necessary in order
	  to ensure that lockdown enforcement can be carried out on kernel
	  boot parameters that are otherwise parsed before the security
	  subsystem is fully initialised. If enabled, lockdown will
	  unconditionally be called before any other LSMs.

choice
	prompt "Kernel default lockdown mode"
	default LOCK_DOWN_KERNEL_FORCE_NONE
	depends on SECURITY_LOCKDOWN_LSM
	help
	  The kernel can be configured to default to differing levels of
	  lockdown.

config LOCK_DOWN_KERNEL_FORCE_NONE
	bool "None"
	help
	  No lockdown functionality is enabled by default. Lockdown may be
	  enabled via the kernel commandline or /sys/kernel/security/lockdown.

config LOCK_DOWN_KERNEL_FORCE_INTEGRITY
	bool "Integrity"
	help
	  The kernel runs in integrity mode by default. Features that allow
	  the kernel to be modified at runtime are disabled.

config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
	bool "Confidentiality"
	help
	  The kernel runs in confidentiality mode by default. Features that
	  allow the kernel to be modified at runtime or that permit userland
	  code to read confidential material held inside the kernel are
	  disabled.

endchoice