From 6185d54571ad528d95bf6ee297667d5794fd3a98 Mon Sep 17 00:00:00 2001 From: David Abdurachmanov Date: Sat, 21 Mar 2020 17:14:48 +0200 Subject: [PATCH] Remove obsolete patches Signed-off-by: David Abdurachmanov --- ...low-labeling-before-policy-is-loaded.patch | 153 -- ...ng-the-PM-driver-instead-of-firmware.patch | 78 - ...dio-Fix-draining-behavior-regression.patch | 64 - ...k-contents-as-dirty-on-a-write-fault.patch | 54 - dwc3-fix.patch | 80 - efi-lockdown.patch | 2173 ----------------- enforce-CAP_NET_RAW-for-raw-sockets.patch | 171 -- ...s-event--count-when-it-isn-t-mapped..patch | 233 -- ...e-after-successful-event-log-parsing.patch | 190 -- 9 files changed, 3196 deletions(-) delete mode 100644 PATCH-v2-selinux-allow-labeling-before-policy-is-loaded.patch delete mode 100644 Revert-ARM-bcm283x-Switch-V3D-over-to-using-the-PM-driver-instead-of-firmware.patch delete mode 100644 bcm2835-audio-Fix-draining-behavior-regression.patch delete mode 100644 drm-i915-Mark-contents-as-dirty-on-a-write-fault.patch delete mode 100644 dwc3-fix.patch delete mode 100644 efi-lockdown.patch delete mode 100644 enforce-CAP_NET_RAW-for-raw-sockets.patch delete mode 100644 v2-1-2-efi-tpm-Don-t-access-event--count-when-it-isn-t-mapped..patch delete mode 100644 v3-tpm-only-set-efi_tpm_final_log_size-after-successful-event-log-parsing.patch diff --git a/PATCH-v2-selinux-allow-labeling-before-policy-is-loaded.patch b/PATCH-v2-selinux-allow-labeling-before-policy-is-loaded.patch deleted file mode 100644 index 001fa32dc..000000000 --- a/PATCH-v2-selinux-allow-labeling-before-policy-is-loaded.patch +++ /dev/null @@ -1,153 +0,0 @@ -From mboxrd@z Thu Jan 1 00:00:00 1970 -Return-Path: -X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on - aws-us-west-2-korg-lkml-1.web.codeaurora.org -X-Spam-Level: -X-Spam-Status: No, score=-15.0 required=3.0 - tests=HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI, - MENTIONS_GIT_HOSTING,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT - autolearn=ham autolearn_force=no version=3.4.0 -Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) - by smtp.lore.kernel.org (Postfix) with ESMTP id 0CE63C4CEC5 - for ; Thu, 12 Sep 2019 13:30:40 +0000 (UTC) -Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) - by mail.kernel.org (Postfix) with ESMTP id DC0B020CC7 - for ; Thu, 12 Sep 2019 13:30:39 +0000 (UTC) -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1732192AbfILNaj (ORCPT ); - Thu, 12 Sep 2019 09:30:39 -0400 -Received: from mx1.redhat.com ([209.132.183.28]:52278 "EHLO mx1.redhat.com" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1731687AbfILNaj (ORCPT ); - Thu, 12 Sep 2019 09:30:39 -0400 -Received: from mail-qt1-f197.google.com (mail-qt1-f197.google.com [209.85.160.197]) - (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) - (No client certificate requested) - by mx1.redhat.com (Postfix) with ESMTPS id 97CC359465 - for ; Thu, 12 Sep 2019 13:30:38 +0000 (UTC) -Received: by mail-qt1-f197.google.com with SMTP id c8so13609684qtd.20 - for ; Thu, 12 Sep 2019 06:30:38 -0700 (PDT) -X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; - d=1e100.net; s=20161025; - h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version - :content-transfer-encoding; - bh=S/MIBrjCy5DTvfqPzJTJqDQQH1pDu780wgGyHs56w4k=; - b=H7fZr4X/c4ge0SXeHHRXrq3U4J60PWfSRqdCphTWxKjyLvBs8nktbJczT562oH7Hxv - hdvVjKgAzNxIXFdQetnmveDXojtHFrE21PNdo5ONQIyh35oZyrJB4ewZdUrNfbrvDc2y - ElMr/HoKEX5pY+GMJE4nzeBotlfCWU9BoAxJPUhzKA9Oib+AqDzQ0hCGH6pQY9RXRXBV - IMH21FE5dxQGtLHNCJXVxE14edDeRo8qQFWQw6ooogK7JvduuJrWBn3BmCbKz1YLTNZE - 9wRXvaHFVGNhr79JrRcItTp6Sx+tZ3XY46CV+Wi6Rq1fu8MePP9zFdIQXw9wqyd+UgLa - AIlw== -X-Gm-Message-State: APjAAAXpWx500L+bZRH8M7OzuSb0aBlsvvjaBYCGvSkzojpa2nRWjtk0 - cjKEj45ivsUgPW2Bbi6CGEtspqM4wmwb72z+ajR4hy5OjMT3KRh6W71HFbVPrlLYQTvse11Ax2d - wGOma7U/qIGDDYkjh/Q== -X-Received: by 2002:ac8:7b2e:: with SMTP id l14mr8094193qtu.11.1568295037636; - Thu, 12 Sep 2019 06:30:37 -0700 (PDT) -X-Google-Smtp-Source: APXvYqzybFpoaFyGZXafGEdtHCL3XllpHltaXggcIZEb7De49V/kJzm1pU6vpg1gN8HtgnB3cilLuA== -X-Received: by 2002:ac8:7b2e:: with SMTP id l14mr8094176qtu.11.1568295037442; - Thu, 12 Sep 2019 06:30:37 -0700 (PDT) -Received: from localhost.localdomain ([12.133.141.2]) - by smtp.gmail.com with ESMTPSA id h68sm11848865qkd.35.2019.09.12.06.30.35 - (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); - Thu, 12 Sep 2019 06:30:36 -0700 (PDT) -From: Jonathan Lebon -To: selinux@vger.kernel.org -Cc: Jonathan Lebon , - Victor Kamensky -Subject: [PATCH v2] selinux: allow labeling before policy is loaded -Date: Thu, 12 Sep 2019 09:30:07 -0400 -Message-Id: <20190912133007.27545-1-jlebon@redhat.com> -X-Mailer: git-send-email 2.21.0 -MIME-Version: 1.0 -Content-Transfer-Encoding: 8bit -Sender: selinux-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: selinux@vger.kernel.org -Archived-At: -List-Archive: -List-Post: - -Currently, the SELinux LSM prevents one from setting the -`security.selinux` xattr on an inode without a policy first being -loaded. However, this restriction is problematic: it makes it impossible -to have newly created files with the correct label before actually -loading the policy. - -This is relevant in distributions like Fedora, where the policy is -loaded by systemd shortly after pivoting out of the initrd. In such -instances, all files created prior to pivoting will be unlabeled. One -then has to relabel them after pivoting, an operation which inherently -races with other processes trying to access those same files. - -Going further, there are use cases for creating the entire root -filesystem on first boot from the initrd (e.g. Container Linux supports -this today[1], and we'd like to support it in Fedora CoreOS as well[2]). -One can imagine doing this in two ways: at the block device level (e.g. -laying down a disk image), or at the filesystem level. In the former, -labeling can simply be part of the image. But even in the latter -scenario, one still really wants to be able to set the right labels when -populating the new filesystem. - -This patch enables this by changing behaviour in the following two ways: -1. allow `setxattr` if we're not initialized -2. don't try to set the in-core inode SID if we're not initialized; - instead leave it as `LABEL_INVALID` so that revalidation may be - attempted at a later time - -Note the first hunk of this patch is mostly the same as a previously -discussed one[3], though it was part of a larger series which wasn't -accepted. - -Co-developed-by: Victor Kamensky -Signed-off-by: Victor Kamensky -Signed-off-by: Jonathan Lebon - -[1] https://coreos.com/os/docs/latest/root-filesystem-placement.html -[2] https://github.com/coreos/fedora-coreos-tracker/issues/94 -[3] https://www.spinics.net/lists/linux-initramfs/msg04593.html - ---- - -v2: - - return early in selinux_inode_setxattr if policy hasn't been loaded - ---- - - security/selinux/hooks.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index 94de51628..dbe96c707 100644 ---- a/security/selinux/hooks.c -+++ b/security/selinux/hooks.c -@@ -3142,6 +3142,9 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name, - return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); - } - -+ if (!selinux_state.initialized) -+ return (inode_owner_or_capable(inode) ? 0 : -EPERM); -+ - sbsec = inode->i_sb->s_security; - if (!(sbsec->flags & SBLABEL_MNT)) - return -EOPNOTSUPP; -@@ -3225,6 +3228,15 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, - return; - } - -+ if (!selinux_state.initialized) { -+ /* If we haven't even been initialized, then we can't validate -+ * against a policy, so leave the label as invalid. It may -+ * resolve to a valid label on the next revalidation try if -+ * we've since initialized. -+ */ -+ return; -+ } -+ - rc = security_context_to_sid_force(&selinux_state, value, size, - &newsid); - if (rc) { --- -2.21.0 - - diff --git a/Revert-ARM-bcm283x-Switch-V3D-over-to-using-the-PM-driver-instead-of-firmware.patch b/Revert-ARM-bcm283x-Switch-V3D-over-to-using-the-PM-driver-instead-of-firmware.patch deleted file mode 100644 index 8627b6087..000000000 --- a/Revert-ARM-bcm283x-Switch-V3D-over-to-using-the-PM-driver-instead-of-firmware.patch +++ /dev/null @@ -1,78 +0,0 @@ -From 9d1a8ad3c56f4e84a0ec46246b4c08a6d139f638 Mon Sep 17 00:00:00 2001 -From: Peter Robinson -Date: Sun, 13 Oct 2019 14:33:23 +0100 -Subject: [PATCH] Revert "ARM: bcm283x: Switch V3D over to using the PM driver - instead of firmware." - -Since release of the new BCM2835 PM driver there has been several reports -of V3D probing issues. This is caused by timeouts during powering-up the -GRAFX PM domain: - - bcm2835-power: Timeout waiting for grafx power OK - -I was able to reproduce this reliable on my Raspberry Pi 3B+ after setting -force_turbo=1 in the firmware configuration. Since there are no issues -using the firmware PM driver with the same setup, there must be an issue -in the BCM2835 PM driver. - -Unfortunately there hasn't been much progress in identifying the root cause -since June (mostly in the lack of documentation), so i decided to switch -back until the issue in the BCM2835 PM driver is fixed. - -Link: https://github.com/raspberrypi/linux/issues/3046 -Fixes: e1dc2b2e1bef (" ARM: bcm283x: Switch V3D over to using the PM driver instead of firmware.") -Cc: stable@vger.kernel.org -Signed-off-by: Stefan Wahren -Acked-by: Eric Anholt ---- - a/arch/arm/boot/dts/bcm2835-rpi.dtsi | 4 ++++ - b/arch/arm/boot/dts/bcm283x.dtsi | 4 +--- - 2 files changed, 5 insertions(+), 3 deletions(-) - -diff --git a/arch/arm/boot/dts/bcm2835-rpi.dtsi b/arch/arm/boot/dts/bcm2835-rpi.dtsi -index 715d50c64529..d136867c317f 100644 ---- a/arch/arm/boot/dts/bcm2835-rpi.dtsi -+++ b/arch/arm/boot/dts/bcm2835-rpi.dtsi -@@ -90,6 +90,10 @@ - status = "okay"; - }; - -+&v3d { -+ power-domains = <&power RPI_POWER_DOMAIN_V3D>; -+}; -+ - &vec { - power-domains = <&power RPI_POWER_DOMAIN_VEC>; - status = "okay"; -diff --git a/arch/arm/boot/dts/bcm283x.dtsi b/arch/arm/boot/dts/bcm283x.dtsi -index 4b21ddb26aa5..0c6a6611f285 100644 ---- a/arch/arm/boot/dts/bcm283x.dtsi -+++ b/arch/arm/boot/dts/bcm283x.dtsi -@@ -3,7 +3,6 @@ - #include - #include - #include --#include - - /* firmware-provided startup stubs live here, where the secondary CPUs are - * spinning. -@@ -121,7 +120,7 @@ - #interrupt-cells = <2>; - }; - -- pm: watchdog@7e100000 { -+ watchdog@7e100000 { - compatible = "brcm,bcm2835-pm", "brcm,bcm2835-pm-wdt"; - #power-domain-cells = <1>; - #reset-cells = <1>; -@@ -641,7 +640,6 @@ - compatible = "brcm,bcm2835-v3d"; - reg = <0x7ec00000 0x1000>; - interrupts = <1 10>; -- power-domains = <&pm BCM2835_POWER_DOMAIN_GRAFX_V3D>; - }; - - vc4: gpu { --- -2.21.0 - diff --git a/bcm2835-audio-Fix-draining-behavior-regression.patch b/bcm2835-audio-Fix-draining-behavior-regression.patch deleted file mode 100644 index 6d63db3f8..000000000 --- a/bcm2835-audio-Fix-draining-behavior-regression.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 2eed19b99c8e95ff87afe6c140ed895c3fac5937 Mon Sep 17 00:00:00 2001 -From: Takashi Iwai -Date: Sat, 14 Sep 2019 17:24:05 +0200 -Subject: staging: bcm2835-audio: Fix draining behavior regression - -The PCM draining behavior got broken since the recent refactoring, and -this turned out to be the incorrect expectation of the firmware -behavior regarding "draining". While I expected the "drain" flag at -the stop operation would do processing the queued samples, it seems -rather dropping the samples. - -As a quick fix, just drop the SNDRV_PCM_INFO_DRAIN_TRIGGER flag, so -that the driver uses the normal PCM draining procedure. Also, put -some caution comment to the function for future readers not to fall -into the same pitfall. - -Fixes: d7ca3a71545b ("staging: bcm2835-audio: Operate non-atomic PCM ops") -BugLink: https://github.com/raspberrypi/linux/issues/2983 -Cc: stable@vger.kernel.org -Signed-off-by: Takashi Iwai -Acked-by: Stefan Wahren -Link: https://lore.kernel.org/r/20190914152405.7416-1-tiwai@suse.de -Signed-off-by: Greg Kroah-Hartman ---- - drivers/staging/vc04_services/bcm2835-audio/bcm2835-pcm.c | 4 ++-- - drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c | 1 + - 2 files changed, 3 insertions(+), 2 deletions(-) - -diff --git a/drivers/staging/vc04_services/bcm2835-audio/bcm2835-pcm.c b/drivers/staging/vc04_services/bcm2835-audio/bcm2835-pcm.c -index bc1eaa3a0773..826016c3431a 100644 ---- a/drivers/staging/vc04_services/bcm2835-audio/bcm2835-pcm.c -+++ b/drivers/staging/vc04_services/bcm2835-audio/bcm2835-pcm.c -@@ -12,7 +12,7 @@ - static const struct snd_pcm_hardware snd_bcm2835_playback_hw = { - .info = (SNDRV_PCM_INFO_INTERLEAVED | SNDRV_PCM_INFO_BLOCK_TRANSFER | - SNDRV_PCM_INFO_MMAP | SNDRV_PCM_INFO_MMAP_VALID | -- SNDRV_PCM_INFO_DRAIN_TRIGGER | SNDRV_PCM_INFO_SYNC_APPLPTR), -+ SNDRV_PCM_INFO_SYNC_APPLPTR), - .formats = SNDRV_PCM_FMTBIT_U8 | SNDRV_PCM_FMTBIT_S16_LE, - .rates = SNDRV_PCM_RATE_CONTINUOUS | SNDRV_PCM_RATE_8000_48000, - .rate_min = 8000, -@@ -29,7 +29,7 @@ static const struct snd_pcm_hardware snd_bcm2835_playback_hw = { - static const struct snd_pcm_hardware snd_bcm2835_playback_spdif_hw = { - .info = (SNDRV_PCM_INFO_INTERLEAVED | SNDRV_PCM_INFO_BLOCK_TRANSFER | - SNDRV_PCM_INFO_MMAP | SNDRV_PCM_INFO_MMAP_VALID | -- SNDRV_PCM_INFO_DRAIN_TRIGGER | SNDRV_PCM_INFO_SYNC_APPLPTR), -+ SNDRV_PCM_INFO_SYNC_APPLPTR), - .formats = SNDRV_PCM_FMTBIT_S16_LE, - .rates = SNDRV_PCM_RATE_CONTINUOUS | SNDRV_PCM_RATE_44100 | - SNDRV_PCM_RATE_48000, -diff --git a/drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c b/drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c -index 23fba01107b9..c6f9cf1913d2 100644 ---- a/drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c -+++ b/drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c -@@ -289,6 +289,7 @@ int bcm2835_audio_stop(struct bcm2835_alsa_stream *alsa_stream) - VC_AUDIO_MSG_TYPE_STOP, false); - } - -+/* FIXME: this doesn't seem working as expected for "draining" */ - int bcm2835_audio_drain(struct bcm2835_alsa_stream *alsa_stream) - { - struct vc_audio_msg m = { --- -cgit 1.2-0.3.lf.el7 diff --git a/drm-i915-Mark-contents-as-dirty-on-a-write-fault.patch b/drm-i915-Mark-contents-as-dirty-on-a-write-fault.patch deleted file mode 100644 index fd85fd874..000000000 --- a/drm-i915-Mark-contents-as-dirty-on-a-write-fault.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 7a78f4f0497f903756183f8b227f6fddaba8cdb0 Mon Sep 17 00:00:00 2001 -From: Chris Wilson -Date: Fri, 20 Sep 2019 13:18:21 +0100 -Subject: [PATCH] drm/i915: Mark contents as dirty on a write fault -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Since dropping the set-to-gtt-domain in commit a679f58d0510 ("drm/i915: -Flush pages on acquisition"), we no longer mark the contents as dirty on -a write fault. This has the issue of us then not marking the pages as -dirty on releasing the buffer, which means the contents are not written -out to the swap device (should we ever pick that buffer as a victim). -Notably, this is visible in the dumb buffer interface used for cursors. -Having updated the cursor contents via mmap, and swapped away, if the -shrinker should evict the old cursor, upon next reuse, the cursor would -be invisible. - -E.g. echo 80 > /proc/sys/kernel/sysrq ; echo f > /proc/sysrq-trigger - -Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=111541 -Fixes: a679f58d0510 ("drm/i915: Flush pages on acquisition") -Signed-off-by: Chris Wilson -Cc: Matthew Auld -Cc: Ville Syrjälä -Cc: # v5.2+ -Reviewed-by: Matthew Auld -Link: https://patchwork.freedesktop.org/patch/msgid/20190920121821.7223-1-chris@chris-wilson.co.uk -(cherry picked from commit 5028851cdfdf78dc22eacbc44a0ab0b3f599ee4a) -Signed-off-by: Rodrigo Vivi ---- - drivers/gpu/drm/i915/gem/i915_gem_mman.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/drivers/gpu/drm/i915/gem/i915_gem_mman.c b/drivers/gpu/drm/i915/gem/i915_gem_mman.c -index 39a661927d8e..c201289039fe 100644 ---- a/drivers/gpu/drm/i915/gem/i915_gem_mman.c -+++ b/drivers/gpu/drm/i915/gem/i915_gem_mman.c -@@ -317,7 +317,11 @@ vm_fault_t i915_gem_fault(struct vm_fault *vmf) - msecs_to_jiffies_timeout(CONFIG_DRM_I915_USERFAULT_AUTOSUSPEND)); - GEM_BUG_ON(!obj->userfault_count); - -- i915_vma_set_ggtt_write(vma); -+ if (write) { -+ GEM_BUG_ON(!i915_gem_object_has_pinned_pages(obj)); -+ i915_vma_set_ggtt_write(vma); -+ obj->mm.dirty = true; -+ } - - err_fence: - i915_vma_unpin_fence(vma); --- -2.21.0 - diff --git a/dwc3-fix.patch b/dwc3-fix.patch deleted file mode 100644 index d741b9e2e..000000000 --- a/dwc3-fix.patch +++ /dev/null @@ -1,80 +0,0 @@ -From 4749e0e61241cc121de572520a39dab365b9ea1d Mon Sep 17 00:00:00 2001 -From: Thinh Nguyen -Date: Thu, 8 Aug 2019 16:39:42 -0700 -Subject: usb: dwc3: Update soft-reset wait polling rate - -Starting from DWC_usb31 version 1.90a and later, the DCTL.CSFRST bit -will not be cleared until after all the internal clocks are synchronized -during soft-reset. This may take a little more than 50ms. Set the -polling rate at 20ms instead. - -Signed-off-by: Thinh Nguyen -Signed-off-by: Felipe Balbi ---- - drivers/usb/dwc3/core.c | 23 ++++++++++++++++++----- - drivers/usb/dwc3/core.h | 2 ++ - 2 files changed, 20 insertions(+), 5 deletions(-) - -diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c -index 98bce85c29d0..252c397860ef 100644 ---- a/drivers/usb/dwc3/core.c -+++ b/drivers/usb/dwc3/core.c -@@ -252,12 +252,25 @@ static int dwc3_core_soft_reset(struct dwc3 *dwc) - reg |= DWC3_DCTL_CSFTRST; - dwc3_writel(dwc->regs, DWC3_DCTL, reg); - -+ /* -+ * For DWC_usb31 controller 1.90a and later, the DCTL.CSFRST bit -+ * is cleared only after all the clocks are synchronized. This can -+ * take a little more than 50ms. Set the polling rate at 20ms -+ * for 10 times instead. -+ */ -+ if (dwc3_is_usb31(dwc) && dwc->revision >= DWC3_USB31_REVISION_190A) -+ retries = 10; -+ - do { - reg = dwc3_readl(dwc->regs, DWC3_DCTL); - if (!(reg & DWC3_DCTL_CSFTRST)) - goto done; - -- udelay(1); -+ if (dwc3_is_usb31(dwc) && -+ dwc->revision >= DWC3_USB31_REVISION_190A) -+ msleep(20); -+ else -+ udelay(1); - } while (--retries); - - phy_exit(dwc->usb3_generic_phy); -@@ -267,11 +280,11 @@ static int dwc3_core_soft_reset(struct dwc3 *dwc) - - done: - /* -- * For DWC_usb31 controller, once DWC3_DCTL_CSFTRST bit is cleared, -- * we must wait at least 50ms before accessing the PHY domain -- * (synchronization delay). DWC_usb31 programming guide section 1.3.2. -+ * For DWC_usb31 controller 1.80a and prior, once DCTL.CSFRST bit -+ * is cleared, we must wait at least 50ms before accessing the PHY -+ * domain (synchronization delay). - */ -- if (dwc3_is_usb31(dwc)) -+ if (dwc3_is_usb31(dwc) && dwc->revision <= DWC3_USB31_REVISION_180A) - msleep(50); - - return 0; -diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h -index 3dd783b889cb..1c8b349379af 100644 ---- a/drivers/usb/dwc3/core.h -+++ b/drivers/usb/dwc3/core.h -@@ -1137,6 +1137,8 @@ struct dwc3 { - #define DWC3_USB31_REVISION_120A (0x3132302a | DWC3_REVISION_IS_DWC31) - #define DWC3_USB31_REVISION_160A (0x3136302a | DWC3_REVISION_IS_DWC31) - #define DWC3_USB31_REVISION_170A (0x3137302a | DWC3_REVISION_IS_DWC31) -+#define DWC3_USB31_REVISION_180A (0x3138302a | DWC3_REVISION_IS_DWC31) -+#define DWC3_USB31_REVISION_190A (0x3139302a | DWC3_REVISION_IS_DWC31) - - u32 version_type; - --- -cgit 1.2-0.3.lf.el7 - diff --git a/efi-lockdown.patch b/efi-lockdown.patch deleted file mode 100644 index 75d4b7ed7..000000000 --- a/efi-lockdown.patch +++ /dev/null @@ -1,2173 +0,0 @@ -From 4f426f922e12f0ffaed373536f68531e18d68495 Mon Sep 17 00:00:00 2001 -From: David Howells -Date: Mon, 18 Feb 2019 12:44:57 +0000 -Subject: [PATCH 01/29] Add the ability to lock down access to the running - kernel image - -Provide a single call to allow kernel code to determine whether the system -should be locked down, thereby disallowing various accesses that might -allow the running kernel image to be changed including the loading of -modules that aren't validly signed with a key we recognise, fiddling with -MSR registers and disallowing hibernation. - -Signed-off-by: David Howells -Acked-by: James Morris -Signed-off-by: Matthew Garrett ---- - include/linux/kernel.h | 17 ++++++++++++ - include/linux/security.h | 9 +++++- - security/Kconfig | 15 ++++++++++ - security/Makefile | 3 ++ - security/lock_down.c | 60 ++++++++++++++++++++++++++++++++++++++++ - 5 files changed, 103 insertions(+), 1 deletion(-) - create mode 100644 security/lock_down.c - -diff --git a/include/linux/kernel.h b/include/linux/kernel.h -index 0c9bc231107f..f71008b0a641 100644 ---- a/include/linux/kernel.h -+++ b/include/linux/kernel.h -@@ -312,6 +312,23 @@ static inline void refcount_error_report(struct pt_regs *regs, const char *err) - { } - #endif - -+#ifdef CONFIG_LOCK_DOWN_KERNEL -+extern bool __kernel_is_locked_down(const char *what, bool first); -+#else -+static inline bool __kernel_is_locked_down(const char *what, bool first) -+{ -+ return false; -+} -+#endif -+ -+#define kernel_is_locked_down(what) \ -+ ({ \ -+ static bool message_given; \ -+ bool locked_down = __kernel_is_locked_down(what, !message_given); \ -+ message_given = true; \ -+ locked_down; \ -+ }) -+ - /* Internal, do not use. */ - int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res); - int __must_check _kstrtol(const char *s, unsigned int base, long *res); -diff --git a/include/linux/security.h b/include/linux/security.h -index 5f7441abbf42..fd7579c879a6 100644 ---- a/include/linux/security.h -+++ b/include/linux/security.h -@@ -1829,5 +1829,12 @@ static inline void security_bpf_prog_free(struct bpf_prog_aux *aux) - #endif /* CONFIG_SECURITY */ - #endif /* CONFIG_BPF_SYSCALL */ - --#endif /* ! __LINUX_SECURITY_H */ -+#ifdef CONFIG_LOCK_DOWN_KERNEL -+extern void __init init_lockdown(void); -+#else -+static inline void __init init_lockdown(void) -+{ -+} -+#endif - -+#endif /* ! __LINUX_SECURITY_H */ -diff --git a/security/Kconfig b/security/Kconfig -index 06a30851511a..720cf9dee2b4 100644 ---- a/security/Kconfig -+++ b/security/Kconfig -@@ -230,6 +230,21 @@ config STATIC_USERMODEHELPER_PATH - If you wish for all usermode helper programs to be disabled, - specify an empty string here (i.e. ""). - -+config LOCK_DOWN_KERNEL -+ bool "Allow the kernel to be 'locked down'" -+ help -+ Allow the kernel to be locked down. If lockdown support is enabled -+ and activated, the kernel will impose additional restrictions -+ intended to prevent uid 0 from being able to modify the running -+ kernel. This may break userland applications that rely on low-level -+ access to hardware. -+ -+config LOCK_DOWN_KERNEL_FORCE -+ bool "Enable kernel lockdown mode automatically" -+ depends on LOCK_DOWN_KERNEL -+ help -+ Enable the kernel lock down functionality automatically at boot. -+ - source "security/selinux/Kconfig" - source "security/smack/Kconfig" - source "security/tomoyo/Kconfig" -diff --git a/security/Makefile b/security/Makefile -index c598b904938f..5ff090149c88 100644 ---- a/security/Makefile -+++ b/security/Makefile -@@ -32,3 +32,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o - # Object integrity file lists - subdir-$(CONFIG_INTEGRITY) += integrity - obj-$(CONFIG_INTEGRITY) += integrity/ -+ -+# Allow the kernel to be locked down -+obj-$(CONFIG_LOCK_DOWN_KERNEL) += lock_down.o -diff --git a/security/lock_down.c b/security/lock_down.c -new file mode 100644 -index 000000000000..18d8776a4d02 ---- /dev/null -+++ b/security/lock_down.c -@@ -0,0 +1,60 @@ -+// SPDX-License-Identifier: GPL-2.0 -+/* Lock down the kernel -+ * -+ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved. -+ * Written by David Howells (dhowells@redhat.com) -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public Licence -+ * as published by the Free Software Foundation; either version -+ * 2 of the Licence, or (at your option) any later version. -+ */ -+ -+#include -+#include -+ -+static __ro_after_init bool kernel_locked_down; -+ -+/* -+ * Put the kernel into lock-down mode. -+ */ -+static void __init lock_kernel_down(const char *where) -+{ -+ if (!kernel_locked_down) { -+ kernel_locked_down = true; -+ pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n", -+ where); -+ } -+} -+ -+static int __init lockdown_param(char *ignored) -+{ -+ lock_kernel_down("command line"); -+ return 0; -+} -+ -+early_param("lockdown", lockdown_param); -+ -+/* -+ * Lock the kernel down from very early in the arch setup. This must happen -+ * prior to things like ACPI being initialised. -+ */ -+void __init init_lockdown(void) -+{ -+#ifdef CONFIG_LOCK_DOWN_FORCE -+ lock_kernel_down("Kernel configuration"); -+#endif -+} -+ -+/** -+ * kernel_is_locked_down - Find out if the kernel is locked down -+ * @what: Tag to use in notice generated if lockdown is in effect -+ */ -+bool __kernel_is_locked_down(const char *what, bool first) -+{ -+ if (what && first && kernel_locked_down) -+ pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", -+ what); -+ return kernel_locked_down; -+} -+EXPORT_SYMBOL(__kernel_is_locked_down); --- -2.21.0 - - -From 7b3d34ce99e1db6152f3f350f7512ed67712d2bb Mon Sep 17 00:00:00 2001 -From: David Howells -Date: Mon, 18 Feb 2019 12:44:58 +0000 -Subject: [PATCH 02/29] Enforce module signatures if the kernel is locked down - -If the kernel is locked down, require that all modules have valid -signatures that we can verify. - -I have adjusted the errors generated: - - (1) If there's no signature (ENODATA) or we can't check it (ENOPKG, - ENOKEY), then: - - (a) If signatures are enforced then EKEYREJECTED is returned. - - (b) If there's no signature or we can't check it, but the kernel is - locked down then EPERM is returned (this is then consistent with - other lockdown cases). - - (2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails - the check (EKEYREJECTED) or a system error occurs (eg. ENOMEM), we - return the error we got. - -Note that the X.509 code doesn't check for key expiry as the RTC might not -be valid or might not have been transferred to the kernel's clock yet. - - [Modified by Matthew Garrett to remove the IMA integration. This will - be replaced with integration with the IMA architecture policy - patchset.] - -Signed-off-by: David Howells -Reviewed-by: Jiri Bohac -Signed-off-by: Matthew Garrett -Cc: Jessica Yu ---- - kernel/module.c | 39 ++++++++++++++++++++++++++++++++------- - 1 file changed, 32 insertions(+), 7 deletions(-) - -diff --git a/kernel/module.c b/kernel/module.c -index a2cee14a83f3..c771a183b741 100644 ---- a/kernel/module.c -+++ b/kernel/module.c -@@ -2753,8 +2753,9 @@ static inline void kmemleak_load_module(const struct module *mod, - #ifdef CONFIG_MODULE_SIG - static int module_sig_check(struct load_info *info, int flags) - { -- int err = -ENOKEY; -+ int err = -ENODATA; - const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; -+ const char *reason; - const void *mod = info->hdr; - - /* -@@ -2769,16 +2770,40 @@ static int module_sig_check(struct load_info *info, int flags) - err = mod_verify_sig(mod, info); - } - -- if (!err) { -+ switch (err) { -+ case 0: - info->sig_ok = true; - return 0; -- } - -- /* Not having a signature is only an error if we're strict. */ -- if (err == -ENOKEY && !is_module_sig_enforced()) -- err = 0; -+ /* We don't permit modules to be loaded into trusted kernels -+ * without a valid signature on them, but if we're not -+ * enforcing, certain errors are non-fatal. -+ */ -+ case -ENODATA: -+ reason = "Loading of unsigned module"; -+ goto decide; -+ case -ENOPKG: -+ reason = "Loading of module with unsupported crypto"; -+ goto decide; -+ case -ENOKEY: -+ reason = "Loading of module with unavailable key"; -+ decide: -+ if (is_module_sig_enforced()) { -+ pr_notice("%s is rejected\n", reason); -+ return -EKEYREJECTED; -+ } - -- return err; -+ if (kernel_is_locked_down(reason)) -+ return -EPERM; -+ return 0; -+ -+ /* All other errors are fatal, including nomem, unparseable -+ * signatures and signature check failures - even if signatures -+ * aren't required. -+ */ -+ default: -+ return err; -+ } - } - #else /* !CONFIG_MODULE_SIG */ - static int module_sig_check(struct load_info *info, int flags) --- -2.21.0 - - -From e6cee3fcc560211fbc3d1efaf048ad4b987a4b73 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett -Date: Mon, 18 Feb 2019 12:44:58 +0000 -Subject: [PATCH 03/29] Restrict /dev/{mem,kmem,port} when the kernel is locked - down - -Allowing users to read and write to core kernel memory makes it possible -for the kernel to be subverted, avoiding module loading restrictions, and -also to steal cryptographic information. - -Disallow /dev/mem and /dev/kmem from being opened this when the kernel has -been locked down to prevent this. - -Also disallow /dev/port from being opened to prevent raw ioport access and -thus DMA from being used to accomplish the same thing. - -Signed-off-by: Matthew Garrett -Signed-off-by: David Howells -Signed-off-by: Matthew Garrett -Cc: x86@kernel.org ---- - drivers/char/mem.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/char/mem.c b/drivers/char/mem.c -index b08dc50f9f26..0a2f2e75d5f4 100644 ---- a/drivers/char/mem.c -+++ b/drivers/char/mem.c -@@ -786,6 +786,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) - - static int open_port(struct inode *inode, struct file *filp) - { -+ if (kernel_is_locked_down("/dev/mem,kmem,port")) -+ return -EPERM; - return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; - } - --- -2.21.0 - - -From 1fe9d9809a7bedff1c0a043f5bcaf128d479fe24 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett -Date: Mon, 18 Feb 2019 12:44:58 +0000 -Subject: [PATCH 04/29] kexec_load: Disable at runtime if the kernel is locked - down - -The kexec_load() syscall permits the loading and execution of arbitrary -code in ring 0, which is something that lock-down is meant to prevent. It -makes sense to disable kexec_load() in this situation. - -This does not affect kexec_file_load() syscall which can check for a -signature on the image to be booted. - -Signed-off-by: Matthew Garrett -Signed-off-by: David Howells -Acked-by: Dave Young -cc: kexec@lists.infradead.org -Signed-off-by: Matthew Garrett ---- - kernel/kexec.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/kernel/kexec.c b/kernel/kexec.c -index 1b018f1a6e0d..fc87f152c229 100644 ---- a/kernel/kexec.c -+++ b/kernel/kexec.c -@@ -205,6 +205,13 @@ static inline int kexec_load_check(unsigned long nr_segments, - if (result < 0) - return result; - -+ /* -+ * kexec can be used to circumvent module loading restrictions, so -+ * prevent loading in that case -+ */ -+ if (kernel_is_locked_down("kexec of unsigned images")) -+ return -EPERM; -+ - /* - * Verify we have a legal set of flags - * This leaves us room for future extensions. --- -2.21.0 - - -From b1dbde991ca218ddc1b25e293e94e72907b2b2dc Mon Sep 17 00:00:00 2001 -From: Dave Young -Date: Mon, 18 Feb 2019 12:44:58 +0000 -Subject: [PATCH 05/29] Copy secure_boot flag in boot params across kexec - reboot - -Kexec reboot in case secure boot being enabled does not keep the secure -boot mode in new kernel, so later one can load unsigned kernel via legacy -kexec_load. In this state, the system is missing the protections provided -by secure boot. - -Adding a patch to fix this by retain the secure_boot flag in original -kernel. - -secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the -stub. Fixing this issue by copying secure_boot flag across kexec reboot. - -Signed-off-by: Dave Young -Signed-off-by: David Howells -cc: kexec@lists.infradead.org -Signed-off-by: Matthew Garrett ---- - arch/x86/kernel/kexec-bzimage64.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c -index 5ebcd02cbca7..d2f4e706a428 100644 ---- a/arch/x86/kernel/kexec-bzimage64.c -+++ b/arch/x86/kernel/kexec-bzimage64.c -@@ -180,6 +180,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr, - if (efi_enabled(EFI_OLD_MEMMAP)) - return 0; - -+ params->secure_boot = boot_params.secure_boot; - ei->efi_loader_signature = current_ei->efi_loader_signature; - ei->efi_systab = current_ei->efi_systab; - ei->efi_systab_hi = current_ei->efi_systab_hi; --- -2.21.0 - - -From 054c9d4879b81dcf7c49c5815c30db59ad9356ea Mon Sep 17 00:00:00 2001 -From: Jiri Bohac -Date: Mon, 18 Feb 2019 12:44:58 +0000 -Subject: [PATCH 06/29] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and - KEXEC_SIG_FORCE - -This is a preparatory patch for kexec_file_load() lockdown. A locked down -kernel needs to prevent unsigned kernel images from being loaded with -kexec_file_load(). Currently, the only way to force the signature -verification is compiling with KEXEC_VERIFY_SIG. This prevents loading -usigned images even when the kernel is not locked down at runtime. - -This patch splits KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE. -Analogous to the MODULE_SIG and MODULE_SIG_FORCE for modules, KEXEC_SIG -turns on the signature verification but allows unsigned images to be -loaded. KEXEC_SIG_FORCE disallows images without a valid signature. - -[Modified by David Howells such that: - - (1) verify_pefile_signature() differentiates between no-signature and - sig-didn't-match in its returned errors. - - (2) kexec fails with EKEYREJECTED and logs an appropriate message if - signature checking is enforced and an signature is not found, uses - unsupported crypto or has no matching key. - - (3) kexec fails with EKEYREJECTED if there is a signature for which we - have a key, but signature doesn't match - even if in non-forcing mode. - - (4) kexec fails with EBADMSG or some other error if there is a signature - which cannot be parsed - even if in non-forcing mode. - - (5) kexec fails with ELIBBAD if the PE file cannot be parsed to extract - the signature - even if in non-forcing mode. - -] - -Signed-off-by: Jiri Bohac -Signed-off-by: David Howells -Reviewed-by: Jiri Bohac -cc: kexec@lists.infradead.org -Signed-off-by: Matthew Garrett ---- - arch/x86/Kconfig | 20 ++++++++--- - crypto/asymmetric_keys/verify_pefile.c | 4 ++- - include/linux/kexec.h | 4 +-- - kernel/kexec_file.c | 48 ++++++++++++++++++++++---- - 4 files changed, 61 insertions(+), 15 deletions(-) - -diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 879741336771..df9592ce8503 100644 ---- a/arch/x86/Kconfig -+++ b/arch/x86/Kconfig -@@ -2026,20 +2026,30 @@ config KEXEC_FILE - config ARCH_HAS_KEXEC_PURGATORY - def_bool KEXEC_FILE - --config KEXEC_VERIFY_SIG -+config KEXEC_SIG - bool "Verify kernel signature during kexec_file_load() syscall" - depends on KEXEC_FILE - ---help--- -- This option makes kernel signature verification mandatory for -- the kexec_file_load() syscall. - -- In addition to that option, you need to enable signature -+ This option makes the kexec_file_load() syscall check for a valid -+ signature of the kernel image. The image can still be loaded without -+ a valid signature unless you also enable KEXEC_SIG_FORCE, though if -+ there's a signature that we can check, then it must be valid. -+ -+ In addition to this option, you need to enable signature - verification for the corresponding kernel image type being - loaded in order for this to work. - -+config KEXEC_SIG_FORCE -+ bool "Require a valid signature in kexec_file_load() syscall" -+ depends on KEXEC_SIG -+ ---help--- -+ This option makes kernel signature verification mandatory for -+ the kexec_file_load() syscall. -+ - config KEXEC_BZIMAGE_VERIFY_SIG - bool "Enable bzImage signature verification support" -- depends on KEXEC_VERIFY_SIG -+ depends on KEXEC_SIG - depends on SIGNED_PE_FILE_VERIFICATION - select SYSTEM_TRUSTED_KEYRING - ---help--- -diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c -index 3b303fe2f061..cc9dbcecaaca 100644 ---- a/crypto/asymmetric_keys/verify_pefile.c -+++ b/crypto/asymmetric_keys/verify_pefile.c -@@ -96,7 +96,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen, - - if (!ddir->certs.virtual_address || !ddir->certs.size) { - pr_debug("Unsigned PE binary\n"); -- return -EKEYREJECTED; -+ return -ENODATA; - } - - chkaddr(ctx->header_size, ddir->certs.virtual_address, -@@ -403,6 +403,8 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen, - * (*) 0 if at least one signature chain intersects with the keys in the trust - * keyring, or: - * -+ * (*) -ENODATA if there is no signature present. -+ * - * (*) -ENOPKG if a suitable crypto module couldn't be found for a check on a - * chain. - * -diff --git a/include/linux/kexec.h b/include/linux/kexec.h -index b9b1bc5f9669..58b27c7bdc2b 100644 ---- a/include/linux/kexec.h -+++ b/include/linux/kexec.h -@@ -125,7 +125,7 @@ typedef void *(kexec_load_t)(struct kimage *image, char *kernel_buf, - unsigned long cmdline_len); - typedef int (kexec_cleanup_t)(void *loader_data); - --#ifdef CONFIG_KEXEC_VERIFY_SIG -+#ifdef CONFIG_KEXEC_SIG - typedef int (kexec_verify_sig_t)(const char *kernel_buf, - unsigned long kernel_len); - #endif -@@ -134,7 +134,7 @@ struct kexec_file_ops { - kexec_probe_t *probe; - kexec_load_t *load; - kexec_cleanup_t *cleanup; --#ifdef CONFIG_KEXEC_VERIFY_SIG -+#ifdef CONFIG_KEXEC_SIG - kexec_verify_sig_t *verify_sig; - #endif - }; -diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c -index b8cc032d5620..5036bde1e5b3 100644 ---- a/kernel/kexec_file.c -+++ b/kernel/kexec_file.c -@@ -88,7 +88,7 @@ int __weak arch_kimage_file_post_load_cleanup(struct kimage *image) - return kexec_image_post_load_cleanup_default(image); - } - --#ifdef CONFIG_KEXEC_VERIFY_SIG -+#ifdef CONFIG_KEXEC_SIG - static int kexec_image_verify_sig_default(struct kimage *image, void *buf, - unsigned long buf_len) - { -@@ -186,7 +186,8 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, - const char __user *cmdline_ptr, - unsigned long cmdline_len, unsigned flags) - { -- int ret = 0; -+ const char *reason; -+ int ret; - void *ldata; - loff_t size; - -@@ -202,15 +203,48 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, - if (ret) - goto out; - --#ifdef CONFIG_KEXEC_VERIFY_SIG -+#ifdef CONFIG_KEXEC_SIG - ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf, - image->kernel_buf_len); -- if (ret) { -- pr_debug("kernel signature verification failed.\n"); -+#else -+ ret = -ENODATA; -+#endif -+ -+ switch (ret) { -+ case 0: -+ break; -+ -+ /* Certain verification errors are non-fatal if we're not -+ * checking errors, provided we aren't mandating that there -+ * must be a valid signature. -+ */ -+ case -ENODATA: -+ reason = "kexec of unsigned image"; -+ goto decide; -+ case -ENOPKG: -+ reason = "kexec of image with unsupported crypto"; -+ goto decide; -+ case -ENOKEY: -+ reason = "kexec of image with unavailable key"; -+ decide: -+ if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) { -+ pr_notice("%s rejected\n", reason); -+ ret = -EKEYREJECTED; -+ goto out; -+ } -+ -+ ret = 0; -+ break; -+ -+ /* All other errors are fatal, including nomem, unparseable -+ * signatures and signature check failures - even if signatures -+ * aren't required. -+ */ -+ default: -+ pr_notice("kernel signature verification failed (%d).\n", ret); - goto out; - } -- pr_debug("kernel signature verification successful.\n"); --#endif -+ - /* It is possible that there no initramfs is being loaded */ - if (!(flags & KEXEC_FILE_NO_INITRAMFS)) { - ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf, --- -2.21.0 - - -From d0ca8a6c26bfd6c8de7ed1d83326aae9b4bdfbf4 Mon Sep 17 00:00:00 2001 -From: Jiri Bohac -Date: Mon, 18 Feb 2019 12:44:58 +0000 -Subject: [PATCH 07/29] kexec_file: Restrict at runtime if the kernel is locked - down - -When KEXEC_SIG is not enabled, kernel should not load images through -kexec_file systemcall if the kernel is locked down. - -[Modified by David Howells to fit with modifications to the previous patch - and to return -EPERM if the kernel is locked down for consistency with - other lockdowns. Modified by Matthew Garrett to remove the IMA - integration, which will be replaced by integrating with the IMA - architecture policy patches.] - -Signed-off-by: Jiri Bohac -Signed-off-by: David Howells -Reviewed-by: Jiri Bohac -cc: kexec@lists.infradead.org -Signed-off-by: Matthew Garrett ---- - kernel/kexec_file.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c -index 5036bde1e5b3..0668c29d2eaf 100644 ---- a/kernel/kexec_file.c -+++ b/kernel/kexec_file.c -@@ -234,6 +234,12 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, - } - - ret = 0; -+ -+ if (kernel_is_locked_down(reason)) { -+ ret = -EPERM; -+ goto out; -+ } -+ - break; - - /* All other errors are fatal, including nomem, unparseable --- -2.21.0 - - -From 3754ff197e10abd8ef88875e069741025ea0dd84 Mon Sep 17 00:00:00 2001 -From: Josh Boyer -Date: Mon, 18 Feb 2019 12:44:59 +0000 -Subject: [PATCH 08/29] hibernate: Disable when the kernel is locked down - -There is currently no way to verify the resume image when returning -from hibernate. This might compromise the signed modules trust model, -so until we can work with signed hibernate images we disable it when the -kernel is locked down. - -Signed-off-by: Josh Boyer -Signed-off-by: David Howells -Cc: rjw@rjwysocki.net -Cc: pavel@ucw.cz -cc: linux-pm@vger.kernel.org -Signed-off-by: Matthew Garrett ---- - kernel/power/hibernate.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c -index cd7434e6000d..0f30de4a712a 100644 ---- a/kernel/power/hibernate.c -+++ b/kernel/power/hibernate.c -@@ -68,7 +68,7 @@ static const struct platform_hibernation_ops *hibernation_ops; - - bool hibernation_available(void) - { -- return (nohibernate == 0); -+ return nohibernate == 0 && !kernel_is_locked_down("Hibernation"); - } - - /** --- -2.21.0 - - -From a144fd3bcc7fcbf55b608c89b8cf64abec72130c Mon Sep 17 00:00:00 2001 -From: Matthew Garrett -Date: Mon, 18 Feb 2019 12:44:59 +0000 -Subject: [PATCH 09/29] uswsusp: Disable when the kernel is locked down - -uswsusp allows a user process to dump and then restore kernel state, which -makes it possible to modify the running kernel. Disable this if the kernel -is locked down. - -Signed-off-by: Matthew Garrett -Signed-off-by: David Howells -Reviewed-by: James Morris -cc: linux-pm@vger.kernel.org -Cc: pavel@ucw.cz -Cc: rjw@rjwysocki.net -Signed-off-by: Matthew Garrett ---- - kernel/power/user.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/kernel/power/user.c b/kernel/power/user.c -index 77438954cc2b..0caff429eb55 100644 ---- a/kernel/power/user.c -+++ b/kernel/power/user.c -@@ -49,6 +49,9 @@ static int snapshot_open(struct inode *inode, struct file *filp) - if (!hibernation_available()) - return -EPERM; - -+ if (kernel_is_locked_down("/dev/snapshot")) -+ return -EPERM; -+ - lock_system_sleep(); - - if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { --- -2.21.0 - - -From 069af594117ee566597173886950d3577c523983 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett -Date: Mon, 18 Feb 2019 12:44:59 +0000 -Subject: [PATCH 10/29] PCI: Lock down BAR access when the kernel is locked - down - -Any hardware that can potentially generate DMA has to be locked down in -order to avoid it being possible for an attacker to modify kernel code, -allowing them to circumvent disabled module loading or module signing. -Default to paranoid - in future we can potentially relax this for -sufficiently IOMMU-isolated devices. - -Signed-off-by: Matthew Garrett -Signed-off-by: David Howells -Acked-by: Bjorn Helgaas -cc: linux-pci@vger.kernel.org -Signed-off-by: Matthew Garrett ---- - drivers/pci/pci-sysfs.c | 9 +++++++++ - drivers/pci/proc.c | 9 ++++++++- - drivers/pci/syscall.c | 3 ++- - 3 files changed, 19 insertions(+), 2 deletions(-) - -diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c -index 965c72104150..f8cef3e348a3 100644 ---- a/drivers/pci/pci-sysfs.c -+++ b/drivers/pci/pci-sysfs.c -@@ -907,6 +907,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, - loff_t init_off = off; - u8 *data = (u8 *) buf; - -+ if (kernel_is_locked_down("Direct PCI access")) -+ return -EPERM; -+ - if (off > dev->cfg_size) - return 0; - if (off + count > dev->cfg_size) { -@@ -1168,6 +1171,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, - enum pci_mmap_state mmap_type; - struct resource *res = &pdev->resource[bar]; - -+ if (kernel_is_locked_down("Direct PCI access")) -+ return -EPERM; -+ - if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start)) - return -EINVAL; - -@@ -1243,6 +1249,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, - struct bin_attribute *attr, char *buf, - loff_t off, size_t count) - { -+ if (kernel_is_locked_down("Direct PCI access")) -+ return -EPERM; -+ - return pci_resource_io(filp, kobj, attr, buf, off, count, true); - } - -diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c -index fe7fe678965b..23c9b5979f5d 100644 ---- a/drivers/pci/proc.c -+++ b/drivers/pci/proc.c -@@ -117,6 +117,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, - int size = dev->cfg_size; - int cnt; - -+ if (kernel_is_locked_down("Direct PCI access")) -+ return -EPERM; -+ - if (pos >= size) - return 0; - if (nbytes >= size) -@@ -196,6 +199,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd, - #endif /* HAVE_PCI_MMAP */ - int ret = 0; - -+ if (kernel_is_locked_down("Direct PCI access")) -+ return -EPERM; -+ - switch (cmd) { - case PCIIOC_CONTROLLER: - ret = pci_domain_nr(dev->bus); -@@ -238,7 +244,8 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma) - struct pci_filp_private *fpriv = file->private_data; - int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM; - -- if (!capable(CAP_SYS_RAWIO)) -+ if (!capable(CAP_SYS_RAWIO) || -+ kernel_is_locked_down("Direct PCI access")) - return -EPERM; - - if (fpriv->mmap_state == pci_mmap_io) { -diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c -index d96626c614f5..b8a08d3166a1 100644 ---- a/drivers/pci/syscall.c -+++ b/drivers/pci/syscall.c -@@ -90,7 +90,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, - u32 dword; - int err = 0; - -- if (!capable(CAP_SYS_ADMIN)) -+ if (!capable(CAP_SYS_ADMIN) || -+ kernel_is_locked_down("Direct PCI access")) - return -EPERM; - - dev = pci_get_domain_bus_and_slot(0, bus, dfn); --- -2.21.0 - - -From 97f7b0338b58afd67817ca886de78ce9bba67f29 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett -Date: Mon, 18 Feb 2019 12:44:59 +0000 -Subject: [PATCH 11/29] x86: Lock down IO port access when the kernel is locked - down - -IO port access would permit users to gain access to PCI configuration -registers, which in turn (on a lot of hardware) give access to MMIO -register space. This would potentially permit root to trigger arbitrary -DMA, so lock it down by default. - -This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and -KDDISABIO console ioctls. - -Signed-off-by: Matthew Garrett -Signed-off-by: David Howells -Reviewed-by: Thomas Gleixner -cc: x86@kernel.org -Signed-off-by: Matthew Garrett ---- - arch/x86/kernel/ioport.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c -index 0fe1c8782208..abc702a6ae9c 100644 ---- a/arch/x86/kernel/ioport.c -+++ b/arch/x86/kernel/ioport.c -@@ -31,7 +31,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on) - - if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) - return -EINVAL; -- if (turn_on && !capable(CAP_SYS_RAWIO)) -+ if (turn_on && (!capable(CAP_SYS_RAWIO) || -+ kernel_is_locked_down("ioperm"))) - return -EPERM; - - /* -@@ -126,7 +127,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) - return -EINVAL; - /* Trying to gain more privileges? */ - if (level > old) { -- if (!capable(CAP_SYS_RAWIO)) -+ if (!capable(CAP_SYS_RAWIO) || -+ kernel_is_locked_down("iopl")) - return -EPERM; - } - regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | --- -2.21.0 - - -From 65029f8df39eb1d0a48cbcb6686b21e844ff9b3c Mon Sep 17 00:00:00 2001 -From: Matthew Garrett -Date: Mon, 18 Feb 2019 12:44:59 +0000 -Subject: [PATCH 12/29] x86/msr: Restrict MSR access when the kernel is locked - down - -Writing to MSRs should not be allowed if the kernel is locked down, since -it could lead to execution of arbitrary code in kernel mode. Based on a -patch by Kees Cook. - -MSR accesses are logged for the purposes of building up a whitelist as per -Alan Cox's suggestion. - -Signed-off-by: Matthew Garrett -Signed-off-by: David Howells -Acked-by: Kees Cook -Reviewed-by: Thomas Gleixner -cc: x86@kernel.org -Signed-off-by: Matthew Garrett ---- - arch/x86/kernel/msr.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c -index 3db2252b958d..5eed6530c223 100644 ---- a/arch/x86/kernel/msr.c -+++ b/arch/x86/kernel/msr.c -@@ -79,6 +79,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf, - int err = 0; - ssize_t bytes = 0; - -+ if (kernel_is_locked_down("Direct MSR access")) { -+ pr_info("Direct access to MSR %x\n", reg); -+ return -EPERM; -+ } -+ - if (count % 8) - return -EINVAL; /* Invalid chunk size */ - -@@ -130,6 +135,11 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg) - err = -EFAULT; - break; - } -+ if (kernel_is_locked_down("Direct MSR access")) { -+ pr_info("Direct access to MSR %x\n", regs[1]); /* Display %ecx */ -+ err = -EPERM; -+ break; -+ } - err = wrmsr_safe_regs_on_cpu(cpu, regs); - if (err) - break; --- -2.21.0 - - -From 0a0ad07ecc667dae61d7a1073559830184022be7 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett -Date: Mon, 18 Feb 2019 12:44:59 +0000 -Subject: [PATCH 13/29] ACPI: Limit access to custom_method when the kernel is - locked down - -custom_method effectively allows arbitrary access to system memory, making -it possible for an attacker to circumvent restrictions on module loading. -Disable it if the kernel is locked down. - -Signed-off-by: Matthew Garrett -Signed-off-by: David Howells -cc: linux-acpi@vger.kernel.org -Signed-off-by: Matthew Garrett ---- - drivers/acpi/custom_method.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c -index b2ef4c2ec955..33b821be0600 100644 ---- a/drivers/acpi/custom_method.c -+++ b/drivers/acpi/custom_method.c -@@ -30,6 +30,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, - struct acpi_table_header table; - acpi_status status; - -+ if (kernel_is_locked_down("ACPI custom methods")) -+ return -EPERM; -+ - if (!(*ppos)) { - /* parse the table header to get the table length */ - if (count <= sizeof(struct acpi_table_header)) --- -2.21.0 - - -From ad843f3ba6d525cc47eb2c866de74a324d3a960c Mon Sep 17 00:00:00 2001 -From: Josh Boyer -Date: Mon, 18 Feb 2019 12:44:59 +0000 -Subject: [PATCH 14/29] acpi: Ignore acpi_rsdp kernel param when the kernel has - been locked down - -This option allows userspace to pass the RSDP address to the kernel, which -makes it possible for a user to modify the workings of hardware . Reject -the option when the kernel is locked down. - -Signed-off-by: Josh Boyer -Signed-off-by: David Howells -cc: Dave Young -cc: linux-acpi@vger.kernel.org -Signed-off-by: Matthew Garrett ---- - drivers/acpi/osl.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c -index 9c0edf2fc0dd..0c5c7b51fb72 100644 ---- a/drivers/acpi/osl.c -+++ b/drivers/acpi/osl.c -@@ -180,7 +180,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void) - acpi_physical_address pa; - - #ifdef CONFIG_KEXEC -- if (acpi_rsdp) -+ if (acpi_rsdp && !kernel_is_locked_down("ACPI RSDP specification")) - return acpi_rsdp; - #endif - pa = acpi_arch_get_root_pointer(); --- -2.21.0 - - -From 146618cd3ae3556184f3ca94ca82809f4e7090b9 Mon Sep 17 00:00:00 2001 -From: Linn Crosetto -Date: Mon, 18 Feb 2019 12:45:00 +0000 -Subject: [PATCH 15/29] acpi: Disable ACPI table override if the kernel is - locked down - -From the kernel documentation (initrd_table_override.txt): - - If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible - to override nearly any ACPI table provided by the BIOS with an - instrumented, modified one. - -When securelevel is set, the kernel should disallow any unauthenticated -changes to kernel space. ACPI tables contain code invoked by the kernel, -so do not allow ACPI tables to be overridden if the kernel is locked down. - -Signed-off-by: Linn Crosetto -Signed-off-by: David Howells -cc: linux-acpi@vger.kernel.org -Signed-off-by: Matthew Garrett ---- - drivers/acpi/tables.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c -index b32327759380..6fd5c8328427 100644 ---- a/drivers/acpi/tables.c -+++ b/drivers/acpi/tables.c -@@ -578,6 +578,11 @@ void __init acpi_table_upgrade(void) - if (table_nr == 0) - return; - -+ if (kernel_is_locked_down("ACPI table override")) { -+ pr_notice("kernel is locked down, ignoring table override\n"); -+ return; -+ } -+ - acpi_tables_addr = - memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, - all_tables_size, PAGE_SIZE); --- -2.21.0 - - -From e183b69655b6069c7007ad911252dd681fb0083f Mon Sep 17 00:00:00 2001 -From: Linn Crosetto -Date: Mon, 18 Feb 2019 12:45:00 +0000 -Subject: [PATCH 16/29] acpi: Disable APEI error injection if the kernel is - locked down - -ACPI provides an error injection mechanism, EINJ, for debugging and testing -the ACPI Platform Error Interface (APEI) and other RAS features. If -supported by the firmware, ACPI specification 5.0 and later provide for a -way to specify a physical memory address to which to inject the error. - -Injecting errors through EINJ can produce errors which to the platform are -indistinguishable from real hardware errors. This can have undesirable -side-effects, such as causing the platform to mark hardware as needing -replacement. - -While it does not provide a method to load unauthenticated privileged code, -the effect of these errors may persist across reboots and affect trust in -the underlying hardware, so disable error injection through EINJ if -the kernel is locked down. - -Signed-off-by: Linn Crosetto -Signed-off-by: David Howells -cc: linux-acpi@vger.kernel.org -Signed-off-by: Matthew Garrett ---- - drivers/acpi/apei/einj.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c -index e430cf4caec2..dde995f871d6 100644 ---- a/drivers/acpi/apei/einj.c -+++ b/drivers/acpi/apei/einj.c -@@ -510,6 +510,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2, - int rc; - u64 base_addr, size; - -+ if (kernel_is_locked_down("ACPI error injection")) -+ return -EPERM; -+ - /* If user manually set "flags", make sure it is legal */ - if (flags && (flags & - ~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF))) --- -2.21.0 - - -From 2c469f9240f58dce6049eae000d70dcef8025cfa Mon Sep 17 00:00:00 2001 -From: David Howells -Date: Mon, 18 Feb 2019 12:45:00 +0000 -Subject: [PATCH 17/29] Prohibit PCMCIA CIS storage when the kernel is locked - down - -Prohibit replacement of the PCMCIA Card Information Structure when the -kernel is locked down. - -Suggested-by: Dominik Brodowski -Signed-off-by: David Howells -cc: linux-pcmcia@lists.infradead.org -Signed-off-by: Matthew Garrett ---- - drivers/pcmcia/cistpl.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c -index abd029945cc8..77919fa3fb4a 100644 ---- a/drivers/pcmcia/cistpl.c -+++ b/drivers/pcmcia/cistpl.c -@@ -1575,6 +1575,9 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj, - struct pcmcia_socket *s; - int error; - -+ if (kernel_is_locked_down("Direct PCMCIA CIS storage")) -+ return -EPERM; -+ - s = to_socket(container_of(kobj, struct device, kobj)); - - if (off) --- -2.21.0 - - -From 5f1bdf370484979c291e37cd6905480a12083b18 Mon Sep 17 00:00:00 2001 -From: David Howells -Date: Mon, 18 Feb 2019 12:45:00 +0000 -Subject: [PATCH 18/29] Lock down TIOCSSERIAL - -Lock down TIOCSSERIAL as that can be used to change the ioport and irq -settings on a serial port. This only appears to be an issue for the serial -drivers that use the core serial code. All other drivers seem to either -ignore attempts to change port/irq or give an error. - -Reported-by: Greg Kroah-Hartman -Signed-off-by: David Howells -cc: Jiri Slaby -Cc: linux-serial@vger.kernel.org -Signed-off-by: Matthew Garrett ---- - drivers/tty/serial/serial_core.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c -index 4223cb496764..4f3cd7bc1713 100644 ---- a/drivers/tty/serial/serial_core.c -+++ b/drivers/tty/serial/serial_core.c -@@ -846,6 +846,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port, - new_flags = (__force upf_t)new_info->flags; - old_custom_divisor = uport->custom_divisor; - -+ if ((change_port || change_irq) && -+ kernel_is_locked_down("Using TIOCSSERIAL to change device addresses, irqs and dma channels")) { -+ retval = -EPERM; -+ goto exit; -+ } -+ - if (!capable(CAP_SYS_ADMIN)) { - retval = -EPERM; - if (change_irq || change_port || --- -2.21.0 - - -From b07159ff6bc3345b49db17a82fa31013f398d4e5 Mon Sep 17 00:00:00 2001 -From: David Howells -Date: Mon, 18 Feb 2019 12:45:01 +0000 -Subject: [PATCH 19/29] Lock down module params that specify hardware - parameters (eg. ioport) - -Provided an annotation for module parameters that specify hardware -parameters (such as io ports, iomem addresses, irqs, dma channels, fixed -dma buffers and other types). - -Suggested-by: Alan Cox -Signed-off-by: David Howells -Signed-off-by: Matthew Garrett ---- - kernel/params.c | 26 +++++++++++++++++++++----- - 1 file changed, 21 insertions(+), 5 deletions(-) - -diff --git a/kernel/params.c b/kernel/params.c -index cf448785d058..61a08a5da208 100644 ---- a/kernel/params.c -+++ b/kernel/params.c -@@ -96,13 +96,19 @@ bool parameq(const char *a, const char *b) - return parameqn(a, b, strlen(a)+1); - } - --static void param_check_unsafe(const struct kernel_param *kp) -+static bool param_check_unsafe(const struct kernel_param *kp, -+ const char *doing) - { - if (kp->flags & KERNEL_PARAM_FL_UNSAFE) { - pr_notice("Setting dangerous option %s - tainting kernel\n", - kp->name); - add_taint(TAINT_USER, LOCKDEP_STILL_OK); - } -+ -+ if (kp->flags & KERNEL_PARAM_FL_HWPARAM && -+ kernel_is_locked_down("Command line-specified device addresses, irqs and dma channels")) -+ return false; -+ return true; - } - - static int parse_one(char *param, -@@ -132,8 +138,10 @@ static int parse_one(char *param, - pr_debug("handling %s with %p\n", param, - params[i].ops->set); - kernel_param_lock(params[i].mod); -- param_check_unsafe(¶ms[i]); -- err = params[i].ops->set(val, ¶ms[i]); -+ if (param_check_unsafe(¶ms[i], doing)) -+ err = params[i].ops->set(val, ¶ms[i]); -+ else -+ err = -EPERM; - kernel_param_unlock(params[i].mod); - return err; - } -@@ -541,6 +549,12 @@ static ssize_t param_attr_show(struct module_attribute *mattr, - return count; - } - -+#ifdef CONFIG_MODULES -+#define mod_name(mod) (mod)->name -+#else -+#define mod_name(mod) "unknown" -+#endif -+ - /* sysfs always hands a nul-terminated string in buf. We rely on that. */ - static ssize_t param_attr_store(struct module_attribute *mattr, - struct module_kobject *mk, -@@ -553,8 +567,10 @@ static ssize_t param_attr_store(struct module_attribute *mattr, - return -EPERM; - - kernel_param_lock(mk->mod); -- param_check_unsafe(attribute->param); -- err = attribute->param->ops->set(buf, attribute->param); -+ if (param_check_unsafe(attribute->param, mod_name(mk->mod))) -+ err = attribute->param->ops->set(buf, attribute->param); -+ else -+ err = -EPERM; - kernel_param_unlock(mk->mod); - if (!err) - return len; --- -2.21.0 - - -From 3e7fdce10f144b2a947f020bd0eeeb536c77153e Mon Sep 17 00:00:00 2001 -From: David Howells -Date: Mon, 18 Feb 2019 12:45:01 +0000 -Subject: [PATCH 20/29] x86/mmiotrace: Lock down the testmmiotrace module - -The testmmiotrace module shouldn't be permitted when the kernel is locked -down as it can be used to arbitrarily read and write MMIO space. - -Suggested-by: Thomas Gleixner -Signed-off-by: David Howells -cc: Steven Rostedt -cc: Ingo Molnar -cc: "H. Peter Anvin" -cc: x86@kernel.org -Signed-off-by: Matthew Garrett ---- - arch/x86/mm/testmmiotrace.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c -index 0881e1ff1e58..13f1da99ee5e 100644 ---- a/arch/x86/mm/testmmiotrace.c -+++ b/arch/x86/mm/testmmiotrace.c -@@ -116,6 +116,9 @@ static int __init init(void) - { - unsigned long size = (read_far) ? (8 << 20) : (16 << 10); - -+ if (kernel_is_locked_down("MMIO trace testing")) -+ return -EPERM; -+ - if (mmio_address == 0) { - pr_err("you have to use the module argument mmio_address.\n"); - pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n"); --- -2.21.0 - - -From 1e81a8fd6ed139113011e3b7d70aa8b5c59a97cb Mon Sep 17 00:00:00 2001 -From: David Howells -Date: Mon, 18 Feb 2019 12:45:02 +0000 -Subject: [PATCH 21/29] Lock down /proc/kcore - -Disallow access to /proc/kcore when the kernel is locked down to prevent -access to cryptographic data. - -Signed-off-by: David Howells -Reviewed-by: James Morris -Signed-off-by: Matthew Garrett ---- - fs/proc/kcore.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c -index f5834488b67d..0639228c4904 100644 ---- a/fs/proc/kcore.c -+++ b/fs/proc/kcore.c -@@ -545,6 +545,8 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos) - - static int open_kcore(struct inode *inode, struct file *filp) - { -+ if (kernel_is_locked_down("/proc/kcore")) -+ return -EPERM; - if (!capable(CAP_SYS_RAWIO)) - return -EPERM; - --- -2.21.0 - - -From 03a1ba6091a421ae40a17dc67f61a96733c8f0d2 Mon Sep 17 00:00:00 2001 -From: David Howells -Date: Mon, 18 Feb 2019 12:45:02 +0000 -Subject: [PATCH 22/29] Lock down kprobes - -Disallow the creation of kprobes when the kernel is locked down by -preventing their registration. This prevents kprobes from being used to -access kernel memory, either to make modifications or to steal crypto data. - -Reported-by: Alexei Starovoitov -Signed-off-by: David Howells -Signed-off-by: Matthew Garrett -Cc: Naveen N. Rao -Cc: Anil S Keshavamurthy -Cc: davem@davemloft.net -Cc: Masami Hiramatsu ---- - kernel/kprobes.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/kernel/kprobes.c b/kernel/kprobes.c -index 9f5433a52488..e54c7b70298a 100644 ---- a/kernel/kprobes.c -+++ b/kernel/kprobes.c -@@ -1556,6 +1556,9 @@ int register_kprobe(struct kprobe *p) - struct module *probed_mod; - kprobe_opcode_t *addr; - -+ if (kernel_is_locked_down("Use of kprobes")) -+ return -EPERM; -+ - /* Adjust probe address from symbol */ - addr = kprobe_addr(p); - if (IS_ERR(addr)) --- -2.21.0 - - -From d743cdf3a9508b9d9293acb3170b1d76f5556d1a Mon Sep 17 00:00:00 2001 -From: David Howells -Date: Mon, 18 Feb 2019 12:45:02 +0000 -Subject: [PATCH 23/29] bpf: Restrict kernel image access functions when the - kernel is locked down - -There are some bpf functions can be used to read kernel memory: -bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow -private keys in kernel memory (e.g. the hibernation image signing key) to -be read by an eBPF program and kernel memory to be altered without -restriction. - -Completely prohibit the use of BPF when the kernel is locked down. - -Suggested-by: Alexei Starovoitov -Signed-off-by: David Howells -cc: netdev@vger.kernel.org -cc: Chun-Yi Lee -cc: Alexei Starovoitov -Cc: Daniel Borkmann -Signed-off-by: Matthew Garrett ---- - kernel/bpf/syscall.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c -index 5d141f16f6fa..cf9f0d069a2a 100644 ---- a/kernel/bpf/syscall.c -+++ b/kernel/bpf/syscall.c -@@ -2813,6 +2813,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz - if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN)) - return -EPERM; - -+ if (kernel_is_locked_down("BPF")) -+ return -EPERM; -+ - err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size); - if (err) - return err; --- -2.21.0 - - -From 7ec8d8a7bc177bc54e627b04a6aa4520174965cd Mon Sep 17 00:00:00 2001 -From: David Howells -Date: Mon, 18 Feb 2019 12:45:02 +0000 -Subject: [PATCH 24/29] Lock down perf - -Disallow the use of certain perf facilities that might allow userspace to -access kernel data. - -Signed-off-by: David Howells -Signed-off-by: Matthew Garrett -Cc: Peter Zijlstra -Cc: Ingo Molnar -Cc: Arnaldo Carvalho de Melo ---- - kernel/events/core.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/kernel/events/core.c b/kernel/events/core.c -index eea9d52b010c..08f51f91d959 100644 ---- a/kernel/events/core.c -+++ b/kernel/events/core.c -@@ -10824,6 +10824,11 @@ SYSCALL_DEFINE5(perf_event_open, - return -EINVAL; - } - -+ if ((attr.sample_type & PERF_SAMPLE_REGS_INTR) && -+ kernel_is_locked_down("PERF_SAMPLE_REGS_INTR")) -+ /* REGS_INTR can leak data, lockdown must prevent this */ -+ return -EPERM; -+ - /* Only privileged users can get physical addresses */ - if ((attr.sample_type & PERF_SAMPLE_PHYS_ADDR) && - perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN)) --- -2.21.0 - - -From 98fa6aca64b1723db15cb1791b734aebb105433e Mon Sep 17 00:00:00 2001 -From: David Howells -Date: Mon, 18 Feb 2019 12:45:02 +0000 -Subject: [PATCH 25/29] debugfs: Restrict debugfs when the kernel is locked - down - -Disallow opening of debugfs files that might be used to muck around when -the kernel is locked down as various drivers give raw access to hardware -through debugfs. Given the effort of auditing all 2000 or so files and -manually fixing each one as necessary, I've chosen to apply a heuristic -instead. The following changes are made: - - (1) chmod and chown are disallowed on debugfs objects (though the root dir - can be modified by mount and remount, but I'm not worried about that). - - (2) When the kernel is locked down, only files with the following criteria - are permitted to be opened: - - - The file must have mode 00444 - - The file must not have ioctl methods - - The file must not have mmap - - (3) When the kernel is locked down, files may only be opened for reading. - -Normal device interaction should be done through configfs, sysfs or a -miscdev, not debugfs. - -Note that this makes it unnecessary to specifically lock down show_dsts(), -show_devs() and show_call() in the asus-wmi driver. - -I would actually prefer to lock down all files by default and have the -the files unlocked by the creator. This is tricky to manage correctly, -though, as there are 19 creation functions and ~1600 call sites (some of -them in loops scanning tables). - -Signed-off-by: David Howells -cc: Andy Shevchenko -cc: acpi4asus-user@lists.sourceforge.net -cc: platform-driver-x86@vger.kernel.org -cc: Matthew Garrett -cc: Thomas Gleixner -Cc: Greg Kroah-Hartman -Signed-off-by: Matthew Garrett ---- - fs/debugfs/file.c | 28 ++++++++++++++++++++++++++++ - fs/debugfs/inode.c | 30 ++++++++++++++++++++++++++++-- - 2 files changed, 56 insertions(+), 2 deletions(-) - -diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c -index 93e4ca6b2ad7..8eeff9068228 100644 ---- a/fs/debugfs/file.c -+++ b/fs/debugfs/file.c -@@ -136,6 +136,25 @@ void debugfs_file_put(struct dentry *dentry) - } - EXPORT_SYMBOL_GPL(debugfs_file_put); - -+/* -+ * Only permit access to world-readable files when the kernel is locked down. -+ * We also need to exclude any file that has ways to write or alter it as root -+ * can bypass the permissions check. -+ */ -+static bool debugfs_is_locked_down(struct inode *inode, -+ struct file *filp, -+ const struct file_operations *real_fops) -+{ -+ if ((inode->i_mode & 07777) == 0444 && -+ !(filp->f_mode & FMODE_WRITE) && -+ !real_fops->unlocked_ioctl && -+ !real_fops->compat_ioctl && -+ !real_fops->mmap) -+ return false; -+ -+ return kernel_is_locked_down("debugfs"); -+} -+ - static int open_proxy_open(struct inode *inode, struct file *filp) - { - struct dentry *dentry = F_DENTRY(filp); -@@ -147,6 +166,11 @@ static int open_proxy_open(struct inode *inode, struct file *filp) - return r == -EIO ? -ENOENT : r; - - real_fops = debugfs_real_fops(filp); -+ -+ r = -EPERM; -+ if (debugfs_is_locked_down(inode, filp, real_fops)) -+ goto out; -+ - real_fops = fops_get(real_fops); - if (!real_fops) { - /* Huh? Module did not clean up after itself at exit? */ -@@ -272,6 +296,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp) - return r == -EIO ? -ENOENT : r; - - real_fops = debugfs_real_fops(filp); -+ r = -EPERM; -+ if (debugfs_is_locked_down(inode, filp, real_fops)) -+ goto out; -+ - real_fops = fops_get(real_fops); - if (!real_fops) { - /* Huh? Module did not cleanup after itself at exit? */ -diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c -index 042b688ed124..cc0486ca1a11 100644 ---- a/fs/debugfs/inode.c -+++ b/fs/debugfs/inode.c -@@ -35,6 +35,31 @@ static struct vfsmount *debugfs_mount; - static int debugfs_mount_count; - static bool debugfs_registered; - -+/* -+ * Don't allow access attributes to be changed whilst the kernel is locked down -+ * so that we can use the file mode as part of a heuristic to determine whether -+ * to lock down individual files. -+ */ -+static int debugfs_setattr(struct dentry *dentry, struct iattr *ia) -+{ -+ if ((ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) && -+ kernel_is_locked_down("debugfs")) -+ return -EPERM; -+ return simple_setattr(dentry, ia); -+} -+ -+static const struct inode_operations debugfs_file_inode_operations = { -+ .setattr = debugfs_setattr, -+}; -+static const struct inode_operations debugfs_dir_inode_operations = { -+ .lookup = simple_lookup, -+ .setattr = debugfs_setattr, -+}; -+static const struct inode_operations debugfs_symlink_inode_operations = { -+ .get_link = simple_get_link, -+ .setattr = debugfs_setattr, -+}; -+ - static struct inode *debugfs_get_inode(struct super_block *sb) - { - struct inode *inode = new_inode(sb); -@@ -369,6 +394,7 @@ static struct dentry *__debugfs_create_file(const char *name, umode_t mode, - inode->i_mode = mode; - inode->i_private = data; - -+ inode->i_op = &debugfs_file_inode_operations; - inode->i_fop = proxy_fops; - dentry->d_fsdata = (void *)((unsigned long)real_fops | - DEBUGFS_FSDATA_IS_REAL_FOPS_BIT); -@@ -532,7 +558,7 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent) - } - - inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO; -- inode->i_op = &simple_dir_inode_operations; -+ inode->i_op = &debugfs_dir_inode_operations; - inode->i_fop = &simple_dir_operations; - - /* directory inodes start off with i_nlink == 2 (for "." entry) */ -@@ -632,7 +658,7 @@ struct dentry *debugfs_create_symlink(const char *name, struct dentry *parent, - return failed_creating(dentry); - } - inode->i_mode = S_IFLNK | S_IRWXUGO; -- inode->i_op = &simple_symlink_inode_operations; -+ inode->i_op = &debugfs_symlink_inode_operations; - inode->i_link = link; - d_instantiate(dentry, inode); - return end_creating(dentry); --- -2.21.0 - - -From 39ffa9315f46123f0f1f66fb6fd0597211b43b1d Mon Sep 17 00:00:00 2001 -From: David Howells -Date: Wed, 28 Feb 2018 14:43:03 +0000 -Subject: [PATCH 26/29] lockdown: Print current->comm in restriction messages - -Print the content of current->comm in messages generated by lockdown to -indicate a restriction that was hit. This makes it a bit easier to find -out what caused the message. - -The message now patterned something like: - - Lockdown: : is restricted; see man kernel_lockdown.7 - -Signed-off-by: David Howells -Signed-off-by: Matthew Garrett ---- - security/lock_down.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/security/lock_down.c b/security/lock_down.c -index 18d8776a4d02..ee00ca2677e7 100644 ---- a/security/lock_down.c -+++ b/security/lock_down.c -@@ -53,8 +53,8 @@ void __init init_lockdown(void) - bool __kernel_is_locked_down(const char *what, bool first) - { - if (what && first && kernel_locked_down) -- pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", -- what); -+ pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n", -+ current->comm, what); - return kernel_locked_down; - } - EXPORT_SYMBOL(__kernel_is_locked_down); --- -2.21.0 - - -From 0086dbfaa88118636bc5d77f25bd578034a84075 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett -Date: Tue, 12 Mar 2019 12:50:30 -0700 -Subject: [PATCH 27/29] kexec: Allow kexec_file() with appropriate IMA policy - when locked down - -Systems in lockdown mode should block the kexec of untrusted kernels. -For x86 and ARM we can ensure that a kernel is trustworthy by validating -a PE signature, but this isn't possible on other architectures. On those -platforms we can use IMA digital signatures instead. Add a function to -determine whether IMA has or will verify signatures for a given event type, -and if so permit kexec_file() even if the kernel is otherwise locked down. -This is restricted to cases where CONFIG_INTEGRITY_TRUSTED_KEYRING is set -in order to prevent an attacker from loading additional keys at runtime. - -Signed-off-by: Matthew Garrett -Acked-by: Mimi Zohar -Cc: Dmitry Kasatkin -Cc: linux-integrity@vger.kernel.org ---- - include/linux/ima.h | 9 ++++++ - kernel/kexec_file.c | 7 +++- - security/integrity/ima/ima.h | 2 ++ - security/integrity/ima/ima_main.c | 2 +- - security/integrity/ima/ima_policy.c | 50 +++++++++++++++++++++++++++++ - 5 files changed, 68 insertions(+), 2 deletions(-) - -diff --git a/include/linux/ima.h b/include/linux/ima.h -index a20ad398d260..1c37f17f7203 100644 ---- a/include/linux/ima.h -+++ b/include/linux/ima.h -@@ -131,4 +131,13 @@ static inline int ima_inode_removexattr(struct dentry *dentry, - return 0; - } - #endif /* CONFIG_IMA_APPRAISE */ -+ -+#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) -+extern bool ima_appraise_signature(enum kernel_read_file_id func); -+#else -+static inline bool ima_appraise_signature(enum kernel_read_file_id func) -+{ -+ return false; -+} -+#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ - #endif /* _LINUX_IMA_H */ -diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c -index 0668c29d2eaf..78728a0f16a7 100644 ---- a/kernel/kexec_file.c -+++ b/kernel/kexec_file.c -@@ -235,7 +235,12 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, - - ret = 0; - -- if (kernel_is_locked_down(reason)) { -+ /* If IMA is guaranteed to appraise a signature on the kexec -+ * image, permit it even if the kernel is otherwise locked -+ * down. -+ */ -+ if (!ima_appraise_signature(READING_KEXEC_IMAGE) && -+ kernel_is_locked_down(reason)) { - ret = -EPERM; - goto out; - } -diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h -index 011b91c79351..64dcb11cf444 100644 ---- a/security/integrity/ima/ima.h -+++ b/security/integrity/ima/ima.h -@@ -113,6 +113,8 @@ struct ima_kexec_hdr { - u64 count; - }; - -+extern const int read_idmap[]; -+ - #ifdef CONFIG_HAVE_IMA_KEXEC - void ima_load_kexec_buffer(void); - #else -diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c -index 584019728660..b9f57503af2c 100644 ---- a/security/integrity/ima/ima_main.c -+++ b/security/integrity/ima/ima_main.c -@@ -502,7 +502,7 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) - return 0; - } - --static const int read_idmap[READING_MAX_ID] = { -+const int read_idmap[READING_MAX_ID] = { - [READING_FIRMWARE] = FIRMWARE_CHECK, - [READING_FIRMWARE_PREALLOC_BUFFER] = FIRMWARE_CHECK, - [READING_MODULE] = MODULE_CHECK, -diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c -index 6df7f641ff66..827f1e33fe86 100644 ---- a/security/integrity/ima/ima_policy.c -+++ b/security/integrity/ima/ima_policy.c -@@ -1456,3 +1456,53 @@ int ima_policy_show(struct seq_file *m, void *v) - return 0; - } - #endif /* CONFIG_IMA_READ_POLICY */ -+ -+#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) -+/* -+ * ima_appraise_signature: whether IMA will appraise a given function using -+ * an IMA digital signature. This is restricted to cases where the kernel -+ * has a set of built-in trusted keys in order to avoid an attacker simply -+ * loading additional keys. -+ */ -+bool ima_appraise_signature(enum kernel_read_file_id id) -+{ -+ struct ima_rule_entry *entry; -+ bool found = false; -+ enum ima_hooks func; -+ -+ if (id >= READING_MAX_ID) -+ return false; -+ -+ func = read_idmap[id] ?: FILE_CHECK; -+ -+ rcu_read_lock(); -+ list_for_each_entry_rcu(entry, ima_rules, list) { -+ if (entry->action != APPRAISE) -+ continue; -+ -+ /* -+ * A generic entry will match, but otherwise require that it -+ * match the func we're looking for -+ */ -+ if (entry->func && entry->func != func) -+ continue; -+ -+ /* -+ * We require this to be a digital signature, not a raw IMA -+ * hash. -+ */ -+ if (entry->flags & IMA_DIGSIG_REQUIRED) -+ found = true; -+ -+ /* -+ * We've found a rule that matches, so break now even if it -+ * didn't require a digital signature - a later rule that does -+ * won't override it, so would be a false positive. -+ */ -+ break; -+ } -+ -+ rcu_read_unlock(); -+ return found; -+} -+#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ --- -2.21.0 - - -From 4a84d19a10c31a363aa7d1f325bd212012263a98 Mon Sep 17 00:00:00 2001 -From: Kyle McMartin -Date: Mon, 9 Apr 2018 09:52:45 +0100 -Subject: [PATCH 28/29] Add a SysRq option to lift kernel lockdown - -Make an option to provide a sysrq key that will lift the kernel lockdown, -thereby allowing the running kernel image to be accessed and modified. - -On x86 this is triggered with SysRq+x, but this key may not be available on -all arches, so it is set by setting LOCKDOWN_LIFT_KEY in asm/setup.h. -Since this macro must be defined in an arch to be able to use this facility -for that arch, the Kconfig option is restricted to arches that support it. - -Signed-off-by: Kyle McMartin -Signed-off-by: David Howells -cc: x86@kernel.org ---- - arch/x86/include/asm/setup.h | 2 ++ - drivers/input/misc/uinput.c | 1 + - drivers/tty/sysrq.c | 19 ++++++++++----- - include/linux/input.h | 5 ++++ - include/linux/sysrq.h | 8 +++++- - kernel/debug/kdb/kdb_main.c | 2 +- - security/Kconfig | 10 ++++++++ - security/lock_down.c | 47 ++++++++++++++++++++++++++++++++++++ - 8 files changed, 86 insertions(+), 8 deletions(-) - -diff --git a/arch/x86/include/asm/setup.h b/arch/x86/include/asm/setup.h -index ed8ec011a9fd..8daf633a5347 100644 ---- a/arch/x86/include/asm/setup.h -+++ b/arch/x86/include/asm/setup.h -@@ -9,6 +9,8 @@ - #include - #include - -+#define LOCKDOWN_LIFT_KEY 'x' -+ - #ifdef __i386__ - - #include -diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c -index 84051f20b18a..583ab2bc1916 100644 ---- a/drivers/input/misc/uinput.c -+++ b/drivers/input/misc/uinput.c -@@ -353,6 +353,7 @@ static int uinput_create_device(struct uinput_device *udev) - dev->flush = uinput_dev_flush; - } - -+ dev->flags |= INPUTDEV_FLAGS_SYNTHETIC; - dev->event = uinput_dev_event; - - input_set_drvdata(udev->dev, udev); -diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c -index 573b2055173c..7cc95a8bdf8d 100644 ---- a/drivers/tty/sysrq.c -+++ b/drivers/tty/sysrq.c -@@ -480,6 +480,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = { - /* x: May be registered on mips for TLB dump */ - /* x: May be registered on ppc/powerpc for xmon */ - /* x: May be registered on sparc64 for global PMU dump */ -+ /* x: May be registered on x86_64 for disabling secure boot */ - NULL, /* x */ - /* y: May be registered on sparc64 for global register dump */ - NULL, /* y */ -@@ -523,7 +524,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p) - sysrq_key_table[i] = op_p; - } - --void __handle_sysrq(int key, bool check_mask) -+void __handle_sysrq(int key, unsigned int from) - { - struct sysrq_key_op *op_p; - int orig_log_level; -@@ -546,11 +547,15 @@ void __handle_sysrq(int key, bool check_mask) - - op_p = __sysrq_get_key_op(key); - if (op_p) { -- /* -- * Should we check for enabled operations (/proc/sysrq-trigger -- * should not) and is the invoked operation enabled? -- */ -- if (!check_mask || sysrq_on_mask(op_p->enable_mask)) { -+ /* Ban synthetic events from some sysrq functionality */ -+ if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) && -+ op_p->enable_mask & SYSRQ_DISABLE_USERSPACE) { -+ printk("This sysrq operation is disabled from userspace.\n"); -+ } else if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) { -+ /* -+ * Should we check for enabled operations (/proc/sysrq-trigger -+ * should not) and is the invoked operation enabled? -+ */ - pr_info("%s\n", op_p->action_msg); - console_loglevel = orig_log_level; - op_p->handler(key); -@@ -585,7 +590,7 @@ void __handle_sysrq(int key, bool check_mask) - void handle_sysrq(int key) - { - if (sysrq_on()) -- __handle_sysrq(key, true); -+ __handle_sysrq(key, SYSRQ_FROM_KERNEL); - } - EXPORT_SYMBOL(handle_sysrq); - -@@ -665,7 +670,7 @@ static void sysrq_do_reset(struct timer_list *t) - static void sysrq_handle_reset_request(struct sysrq_state *state) - { - if (state->reset_requested) -- __handle_sysrq(sysrq_xlate[KEY_B], false); -+ __handle_sysrq(sysrq_xlate[KEY_B], SYSRQ_FROM_KERNEL); - - if (sysrq_reset_downtime_ms) - mod_timer(&state->keyreset_timer, -@@ -818,8 +823,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq, - - default: - if (sysrq->active && value && value != 2) { -+ int from = sysrq->handle.dev->flags & INPUTDEV_FLAGS_SYNTHETIC ? -+ SYSRQ_FROM_SYNTHETIC : 0; - sysrq->need_reinject = false; -- __handle_sysrq(sysrq_xlate[code], true); -+ __handle_sysrq(sysrq_xlate[code], from); - } - break; - } -@@ -1102,7 +1109,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf, - - if (get_user(c, buf)) - return -EFAULT; -- __handle_sysrq(c, false); -+ __handle_sysrq(c, SYSRQ_FROM_PROC); - } - - return count; -diff --git a/include/linux/input.h b/include/linux/input.h -index 510e78558c10..7e7065b2f58a 100644 ---- a/include/linux/input.h -+++ b/include/linux/input.h -@@ -39,6 +39,7 @@ struct input_value { - * @phys: physical path to the device in the system hierarchy - * @uniq: unique identification code for the device (if device has it) - * @id: id of the device (struct input_id) -+ * @flags: input device flags (SYNTHETIC, etc.) - * @propbit: bitmap of device properties and quirks - * @evbit: bitmap of types of events supported by the device (EV_KEY, - * EV_REL, etc.) -@@ -121,6 +122,8 @@ struct input_dev { - const char *uniq; - struct input_id id; - -+ unsigned int flags; -+ - unsigned long propbit[BITS_TO_LONGS(INPUT_PROP_CNT)]; - - unsigned long evbit[BITS_TO_LONGS(EV_CNT)]; -@@ -187,6 +190,8 @@ struct input_dev { - }; - #define to_input_dev(d) container_of(d, struct input_dev, dev) - -+#define INPUTDEV_FLAGS_SYNTHETIC 0x000000001 -+ - /* - * Verify that we are in sync with input_device_id mod_devicetable.h #defines - */ -diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h -index 8c71874e8485..7de1f08b60a9 100644 ---- a/include/linux/sysrq.h -+++ b/include/linux/sysrq.h -@@ -29,6 +29,8 @@ - #define SYSRQ_ENABLE_BOOT 0x0080 - #define SYSRQ_ENABLE_RTNICE 0x0100 - -+#define SYSRQ_DISABLE_USERSPACE 0x00010000 -+ - struct sysrq_key_op { - void (*handler)(int); - char *help_msg; -@@ -43,8 +45,12 @@ struct sysrq_key_op { - * are available -- else NULL's). - */ - -+#define SYSRQ_FROM_KERNEL 0x0001 -+#define SYSRQ_FROM_PROC 0x0002 -+#define SYSRQ_FROM_SYNTHETIC 0x0004 -+ - void handle_sysrq(int key); --void __handle_sysrq(int key, bool check_mask); -+void __handle_sysrq(int key, unsigned int from); - int register_sysrq_key(int key, struct sysrq_key_op *op); - int unregister_sysrq_key(int key, struct sysrq_key_op *op); - struct sysrq_key_op *__sysrq_get_key_op(int key); -diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c -index 9ecfa37c7fbf..902b7785d7dc 100644 ---- a/kernel/debug/kdb/kdb_main.c -+++ b/kernel/debug/kdb/kdb_main.c -@@ -1981,7 +1981,7 @@ static int kdb_sr(int argc, const char **argv) - return KDB_ARGCOUNT; - - kdb_trap_printk++; -- __handle_sysrq(*argv[1], check_mask); -+ __handle_sysrq(*argv[1], check_mask ? SYSRQ_FROM_KERNEL : 0); - kdb_trap_printk--; - - return 0; -diff --git a/security/Kconfig b/security/Kconfig -index 720cf9dee2b4..fe08b674bfce 100644 ---- a/security/Kconfig -+++ b/security/Kconfig -@@ -245,6 +245,16 @@ config LOCK_DOWN_KERNEL_FORCE - help - Enable the kernel lock down functionality automatically at boot. - -+config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ -+ bool "Allow the kernel lockdown to be lifted by SysRq" -+ depends on LOCK_DOWN_KERNEL -+ depends on !LOCK_DOWN_KERNEL_FORCE -+ depends on MAGIC_SYSRQ -+ depends on X86 -+ help -+ Allow the lockdown on a kernel to be lifted, by pressing a SysRq key -+ combination on a wired keyboard. On x86, this is SysRq+x. -+ - source "security/selinux/Kconfig" - source "security/smack/Kconfig" - source "security/tomoyo/Kconfig" -diff --git a/security/lock_down.c b/security/lock_down.c -index ee00ca2677e7..d68dff872ced 100644 ---- a/security/lock_down.c -+++ b/security/lock_down.c -@@ -12,8 +12,14 @@ - - #include - #include -+#include -+#include - -+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ -+static __read_mostly bool kernel_locked_down; -+#else - static __ro_after_init bool kernel_locked_down; -+#endif - - /* - * Put the kernel into lock-down mode. -@@ -58,3 +64,44 @@ bool __kernel_is_locked_down(const char *what, bool first) - return kernel_locked_down; - } - EXPORT_SYMBOL(__kernel_is_locked_down); -+ -+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ -+ -+/* -+ * Take the kernel out of lockdown mode. -+ */ -+static void lift_kernel_lockdown(void) -+{ -+ pr_notice("Lifting lockdown\n"); -+ kernel_locked_down = false; -+} -+ -+/* -+ * Allow lockdown to be lifted by pressing something like SysRq+x (and not by -+ * echoing the appropriate letter into the sysrq-trigger file). -+ */ -+static void sysrq_handle_lockdown_lift(int key) -+{ -+ if (kernel_locked_down) -+ lift_kernel_lockdown(); -+} -+ -+static struct sysrq_key_op lockdown_lift_sysrq_op = { -+ .handler = sysrq_handle_lockdown_lift, -+ .help_msg = "unSB(x)", -+ .action_msg = "Disabling Secure Boot restrictions", -+ .enable_mask = SYSRQ_DISABLE_USERSPACE, -+}; -+ -+static int __init lockdown_lift_sysrq(void) -+{ -+ if (kernel_locked_down) { -+ lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY; -+ register_sysrq_key(LOCKDOWN_LIFT_KEY, &lockdown_lift_sysrq_op); -+ } -+ return 0; -+} -+ -+late_initcall(lockdown_lift_sysrq); -+ -+#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */ --- -2.21.0 - - -From c3e9fb754f7603ae10a750f685f0174c5ae51ffa Mon Sep 17 00:00:00 2001 -From: Vasily Gorbik -Date: Wed, 21 Nov 2018 13:05:10 +0100 -Subject: [PATCH 29/29] debugfs: avoid EPERM when no open file operation - defined - -With "debugfs: Restrict debugfs when the kernel is locked down" -return code "r" is unconditionally set to -EPERM, which stays like that -until function return if no "open" file operation defined, effectivelly -resulting in "Operation not permitted" for all such files despite kernel -lock down status or CONFIG_LOCK_DOWN_KERNEL being enabled. - -In particular this breaks 2 debugfs files on s390: -/sys/kernel/debug/s390_hypfs/diag_304 -/sys/kernel/debug/s390_hypfs/diag_204 - -To address that set EPERM return code only when debugfs_is_locked_down -returns true. - -Fixes: 3fc322605158 ("debugfs: Restrict debugfs when the kernel is locked down") -Signed-off-by: Vasily Gorbik ---- - fs/debugfs/file.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c -index 8eeff9068228..9c56e1aa1f29 100644 ---- a/fs/debugfs/file.c -+++ b/fs/debugfs/file.c -@@ -167,9 +167,10 @@ static int open_proxy_open(struct inode *inode, struct file *filp) - - real_fops = debugfs_real_fops(filp); - -- r = -EPERM; -- if (debugfs_is_locked_down(inode, filp, real_fops)) -+ if (debugfs_is_locked_down(inode, filp, real_fops)) { -+ r = -EPERM; - goto out; -+ } - - real_fops = fops_get(real_fops); - if (!real_fops) { -@@ -296,9 +297,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp) - return r == -EIO ? -ENOENT : r; - - real_fops = debugfs_real_fops(filp); -- r = -EPERM; -- if (debugfs_is_locked_down(inode, filp, real_fops)) -+ if (debugfs_is_locked_down(inode, filp, real_fops)) { -+ r = -EPERM; - goto out; -+ } - - real_fops = fops_get(real_fops); - if (!real_fops) { --- -2.21.0 - diff --git a/enforce-CAP_NET_RAW-for-raw-sockets.patch b/enforce-CAP_NET_RAW-for-raw-sockets.patch deleted file mode 100644 index f253a35af..000000000 --- a/enforce-CAP_NET_RAW-for-raw-sockets.patch +++ /dev/null @@ -1,171 +0,0 @@ -From b91ee4aa2a2199ba4d4650706c272985a5a32d80 Mon Sep 17 00:00:00 2001 -From: Ori Nimron -Date: Fri, 20 Sep 2019 09:35:45 +0200 -Subject: mISDN: enforce CAP_NET_RAW for raw sockets - -When creating a raw AF_ISDN socket, CAP_NET_RAW needs to be checked -first. - -Signed-off-by: Ori Nimron -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: David S. Miller ---- - drivers/isdn/mISDN/socket.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/isdn/mISDN/socket.c b/drivers/isdn/mISDN/socket.c -index c6ba37df4b9d..dff4132b3702 100644 ---- a/drivers/isdn/mISDN/socket.c -+++ b/drivers/isdn/mISDN/socket.c -@@ -754,6 +754,8 @@ base_sock_create(struct net *net, struct socket *sock, int protocol, int kern) - - if (sock->type != SOCK_RAW) - return -ESOCKTNOSUPPORT; -+ if (!capable(CAP_NET_RAW)) -+ return -EPERM; - - sk = sk_alloc(net, PF_ISDN, GFP_KERNEL, &mISDN_proto, kern); - if (!sk) --- -cgit 1.2-0.3.lf.el7 - - -From 6cc03e8aa36c51f3b26a0d21a3c4ce2809c842ac Mon Sep 17 00:00:00 2001 -From: Ori Nimron -Date: Fri, 20 Sep 2019 09:35:46 +0200 -Subject: appletalk: enforce CAP_NET_RAW for raw sockets - -When creating a raw AF_APPLETALK socket, CAP_NET_RAW needs to be checked -first. - -Signed-off-by: Ori Nimron -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: David S. Miller ---- - net/appletalk/ddp.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c -index 4072e9d394d6..b41375d4d295 100644 ---- a/net/appletalk/ddp.c -+++ b/net/appletalk/ddp.c -@@ -1023,6 +1023,11 @@ static int atalk_create(struct net *net, struct socket *sock, int protocol, - */ - if (sock->type != SOCK_RAW && sock->type != SOCK_DGRAM) - goto out; -+ -+ rc = -EPERM; -+ if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW)) -+ goto out; -+ - rc = -ENOMEM; - sk = sk_alloc(net, PF_APPLETALK, GFP_KERNEL, &ddp_proto, kern); - if (!sk) --- -cgit 1.2-0.3.lf.el7 - - -From 0614e2b73768b502fc32a75349823356d98aae2c Mon Sep 17 00:00:00 2001 -From: Ori Nimron -Date: Fri, 20 Sep 2019 09:35:47 +0200 -Subject: ax25: enforce CAP_NET_RAW for raw sockets - -When creating a raw AF_AX25 socket, CAP_NET_RAW needs to be checked -first. - -Signed-off-by: Ori Nimron -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: David S. Miller ---- - net/ax25/af_ax25.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c -index ca5207767dc2..bb222b882b67 100644 ---- a/net/ax25/af_ax25.c -+++ b/net/ax25/af_ax25.c -@@ -855,6 +855,8 @@ static int ax25_create(struct net *net, struct socket *sock, int protocol, - break; - - case SOCK_RAW: -+ if (!capable(CAP_NET_RAW)) -+ return -EPERM; - break; - default: - return -ESOCKTNOSUPPORT; --- -cgit 1.2-0.3.lf.el7 - - -From e69dbd4619e7674c1679cba49afd9dd9ac347eef Mon Sep 17 00:00:00 2001 -From: Ori Nimron -Date: Fri, 20 Sep 2019 09:35:48 +0200 -Subject: ieee802154: enforce CAP_NET_RAW for raw sockets - -When creating a raw AF_IEEE802154 socket, CAP_NET_RAW needs to be -checked first. - -Signed-off-by: Ori Nimron -Signed-off-by: Greg Kroah-Hartman -Acked-by: Stefan Schmidt -Signed-off-by: David S. Miller ---- - net/ieee802154/socket.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c -index badc5cfe4dc6..d93d4531aa9b 100644 ---- a/net/ieee802154/socket.c -+++ b/net/ieee802154/socket.c -@@ -1008,6 +1008,9 @@ static int ieee802154_create(struct net *net, struct socket *sock, - - switch (sock->type) { - case SOCK_RAW: -+ rc = -EPERM; -+ if (!capable(CAP_NET_RAW)) -+ goto out; - proto = &ieee802154_raw_prot; - ops = &ieee802154_raw_ops; - break; --- -cgit 1.2-0.3.lf.el7 - - -From 3a359798b176183ef09efb7a3dc59abad1cc7104 Mon Sep 17 00:00:00 2001 -From: Ori Nimron -Date: Fri, 20 Sep 2019 09:35:49 +0200 -Subject: nfc: enforce CAP_NET_RAW for raw sockets - -When creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked -first. - -Signed-off-by: Ori Nimron -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: David S. Miller ---- - net/nfc/llcp_sock.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c -index 9b8742947aff..8dfea26536c9 100644 ---- a/net/nfc/llcp_sock.c -+++ b/net/nfc/llcp_sock.c -@@ -1004,10 +1004,13 @@ static int llcp_sock_create(struct net *net, struct socket *sock, - sock->type != SOCK_RAW) - return -ESOCKTNOSUPPORT; - -- if (sock->type == SOCK_RAW) -+ if (sock->type == SOCK_RAW) { -+ if (!capable(CAP_NET_RAW)) -+ return -EPERM; - sock->ops = &llcp_rawsock_ops; -- else -+ } else { - sock->ops = &llcp_sock_ops; -+ } - - sk = nfc_llcp_sock_alloc(sock, sock->type, GFP_ATOMIC, kern); - if (sk == NULL) --- -cgit 1.2-0.3.lf.el7 - diff --git a/v2-1-2-efi-tpm-Don-t-access-event--count-when-it-isn-t-mapped..patch b/v2-1-2-efi-tpm-Don-t-access-event--count-when-it-isn-t-mapped..patch deleted file mode 100644 index d0ec73a2a..000000000 --- a/v2-1-2-efi-tpm-Don-t-access-event--count-when-it-isn-t-mapped..patch +++ /dev/null @@ -1,233 +0,0 @@ -From patchwork Wed Sep 25 10:16:18 2019 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -X-Patchwork-Submitter: Jarkko Sakkinen -X-Patchwork-Id: 11160381 -Return-Path: -Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org - [172.30.200.123]) - by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 43E0E112B - for ; - Wed, 25 Sep 2019 10:16:35 +0000 (UTC) -Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) - by mail.kernel.org (Postfix) with ESMTP id 2BB5521D7A - for ; - Wed, 25 Sep 2019 10:16:35 +0000 (UTC) -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S2389040AbfIYKQe (ORCPT - ); - Wed, 25 Sep 2019 06:16:34 -0400 -Received: from mga06.intel.com ([134.134.136.31]:40402 "EHLO mga06.intel.com" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1727141AbfIYKQe (ORCPT ); - Wed, 25 Sep 2019 06:16:34 -0400 -X-Amp-Result: SKIPPED(no attachment in message) -X-Amp-File-Uploaded: False -Received: from orsmga006.jf.intel.com ([10.7.209.51]) - by orsmga104.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; - 25 Sep 2019 03:16:33 -0700 -X-ExtLoop1: 1 -X-IronPort-AV: E=Sophos;i="5.64,547,1559545200"; - d="scan'208";a="193723106" -Received: from dariusvo-mobl.ger.corp.intel.com (HELO localhost) - ([10.249.39.150]) - by orsmga006.jf.intel.com with ESMTP; 25 Sep 2019 03:16:27 -0700 -From: Jarkko Sakkinen -To: linux-integrity@vger.kernel.org -Cc: Peter Jones , linux-efi@vger.kernel.org, - stable@vger.kernel.org, Lyude Paul , - Jarkko Sakkinen , - Matthew Garrett , - Ard Biesheuvel , - Roberto Sassu , - Bartosz Szczepanek , - linux-kernel@vger.kernel.org (open list) -Subject: [PATCH v2 1/2] efi+tpm: Don't access event->count when it isn't - mapped. -Date: Wed, 25 Sep 2019 13:16:18 +0300 -Message-Id: <20190925101622.31457-1-jarkko.sakkinen@linux.intel.com> -X-Mailer: git-send-email 2.20.1 -MIME-Version: 1.0 -Sender: linux-integrity-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-integrity@vger.kernel.org - -From: Peter Jones - -Some machines generate a lot of event log entries. When we're -iterating over them, the code removes the old mapping and adds a -new one, so once we cross the page boundary we're unmapping the page -with the count on it. Hilarity ensues. - -This patch keeps the info from the header in local variables so we don't -need to access that page again or keep track of if it's mapped. - -Fixes: 44038bc514a2 ("tpm: Abstract crypto agile event size calculations") -Cc: linux-efi@vger.kernel.org -Cc: linux-integrity@vger.kernel.org -Cc: stable@vger.kernel.org -Signed-off-by: Peter Jones -Tested-by: Lyude Paul -Reviewed-by: Jarkko Sakkinen -Acked-by: Matthew Garrett -Acked-by: Ard Biesheuvel -Signed-off-by: Jarkko Sakkinen ---- - include/linux/tpm_eventlog.h | 14 +++++++++++--- - 1 file changed, 11 insertions(+), 3 deletions(-) - -diff --git a/include/linux/tpm_eventlog.h b/include/linux/tpm_eventlog.h -index 63238c84dc0b..12584b69a3f3 100644 ---- a/include/linux/tpm_eventlog.h -+++ b/include/linux/tpm_eventlog.h -@@ -170,6 +170,7 @@ static inline int __calc_tpm2_event_size(struct tcg_pcr_event2_head *event, - u16 halg; - int i; - int j; -+ u32 count, event_type; - - marker = event; - marker_start = marker; -@@ -190,16 +191,22 @@ static inline int __calc_tpm2_event_size(struct tcg_pcr_event2_head *event, - } - - event = (struct tcg_pcr_event2_head *)mapping; -+ /* -+ * the loop below will unmap these fields if the log is larger than -+ * one page, so save them here for reference. -+ */ -+ count = READ_ONCE(event->count); -+ event_type = READ_ONCE(event->event_type); - - efispecid = (struct tcg_efi_specid_event_head *)event_header->event; - - /* Check if event is malformed. */ -- if (event->count > efispecid->num_algs) { -+ if (count > efispecid->num_algs) { - size = 0; - goto out; - } - -- for (i = 0; i < event->count; i++) { -+ for (i = 0; i < count; i++) { - halg_size = sizeof(event->digests[i].alg_id); - - /* Map the digest's algorithm identifier */ -@@ -256,8 +263,9 @@ static inline int __calc_tpm2_event_size(struct tcg_pcr_event2_head *event, - + event_field->event_size; - size = marker - marker_start; - -- if ((event->event_type == 0) && (event_field->event_size == 0)) -+ if (event_type == 0 && event_field->event_size == 0) - size = 0; -+ - out: - if (do_mapping) - TPM_MEMUNMAP(mapping, mapping_size); - -From patchwork Wed Sep 25 10:16:19 2019 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -X-Patchwork-Submitter: Jarkko Sakkinen -X-Patchwork-Id: 11160383 -Return-Path: -Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org - [172.30.200.123]) - by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 363B114DB - for ; - Wed, 25 Sep 2019 10:16:40 +0000 (UTC) -Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) - by mail.kernel.org (Postfix) with ESMTP id 1DCE921D7C - for ; - Wed, 25 Sep 2019 10:16:40 +0000 (UTC) -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S2389138AbfIYKQj (ORCPT - ); - Wed, 25 Sep 2019 06:16:39 -0400 -Received: from mga18.intel.com ([134.134.136.126]:21948 "EHLO mga18.intel.com" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1727141AbfIYKQj (ORCPT ); - Wed, 25 Sep 2019 06:16:39 -0400 -X-Amp-Result: SKIPPED(no attachment in message) -X-Amp-File-Uploaded: False -Received: from orsmga004.jf.intel.com ([10.7.209.38]) - by orsmga106.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; - 25 Sep 2019 03:16:38 -0700 -X-ExtLoop1: 1 -X-IronPort-AV: E=Sophos;i="5.64,547,1559545200"; - d="scan'208";a="340366339" -Received: from dariusvo-mobl.ger.corp.intel.com (HELO localhost) - ([10.249.39.150]) - by orsmga004.jf.intel.com with ESMTP; 25 Sep 2019 03:16:35 -0700 -From: Jarkko Sakkinen -To: linux-integrity@vger.kernel.org -Cc: Peter Jones , linux-efi@vger.kernel.org, - stable@vger.kernel.org, Lyude Paul , - Jarkko Sakkinen , - Matthew Garrett , - Ard Biesheuvel , - linux-kernel@vger.kernel.org (open list) -Subject: [PATCH v2 2/2] efi+tpm: don't traverse an event log with no events -Date: Wed, 25 Sep 2019 13:16:19 +0300 -Message-Id: <20190925101622.31457-2-jarkko.sakkinen@linux.intel.com> -X-Mailer: git-send-email 2.20.1 -In-Reply-To: <20190925101622.31457-1-jarkko.sakkinen@linux.intel.com> -References: <20190925101622.31457-1-jarkko.sakkinen@linux.intel.com> -MIME-Version: 1.0 -Sender: linux-integrity-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-integrity@vger.kernel.org - -From: Peter Jones - -When there are no entries to put into the final event log, some machines -will return the template they would have populated anyway. In this case -the nr_events field is 0, but the rest of the log is just garbage. - -This patch stops us from trying to iterate the table with -__calc_tpm2_event_size() when the number of events in the table is 0. - -Fixes: c46f3405692d ("tpm: Reserve the TPM final events table") -Cc: linux-efi@vger.kernel.org -Cc: linux-integrity@vger.kernel.org -Cc: stable@vger.kernel.org -Signed-off-by: Peter Jones -Tested-by: Lyude Paul -Reviewed-by: Jarkko Sakkinen -Acked-by: Matthew Garrett -Acked-by: Ard Biesheuvel -Signed-off-by: Jarkko Sakkinen ---- - drivers/firmware/efi/tpm.c | 15 ++++++++++----- - 1 file changed, 10 insertions(+), 5 deletions(-) - -diff --git a/drivers/firmware/efi/tpm.c b/drivers/firmware/efi/tpm.c -index 1d3f5ca3eaaf..b9ae5c6f9b9c 100644 ---- a/drivers/firmware/efi/tpm.c -+++ b/drivers/firmware/efi/tpm.c -@@ -75,11 +75,16 @@ int __init efi_tpm_eventlog_init(void) - goto out; - } - -- tbl_size = tpm2_calc_event_log_size((void *)efi.tpm_final_log -- + sizeof(final_tbl->version) -- + sizeof(final_tbl->nr_events), -- final_tbl->nr_events, -- log_tbl->log); -+ tbl_size = 0; -+ if (final_tbl->nr_events != 0) { -+ void *events = (void *)efi.tpm_final_log -+ + sizeof(final_tbl->version) -+ + sizeof(final_tbl->nr_events); -+ -+ tbl_size = tpm2_calc_event_log_size(events, -+ final_tbl->nr_events, -+ log_tbl->log); -+ } - memblock_reserve((unsigned long)final_tbl, - tbl_size + sizeof(*final_tbl)); - early_memunmap(final_tbl, sizeof(*final_tbl)); diff --git a/v3-tpm-only-set-efi_tpm_final_log_size-after-successful-event-log-parsing.patch b/v3-tpm-only-set-efi_tpm_final_log_size-after-successful-event-log-parsing.patch deleted file mode 100644 index a828cb294..000000000 --- a/v3-tpm-only-set-efi_tpm_final_log_size-after-successful-event-log-parsing.patch +++ /dev/null @@ -1,190 +0,0 @@ -From patchwork Wed Sep 25 17:27:05 2019 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -X-Patchwork-Submitter: Jerry Snitselaar -X-Patchwork-Id: 11161161 -Return-Path: -Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org - [172.30.200.123]) - by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 88B8A1747 - for ; - Wed, 25 Sep 2019 17:27:13 +0000 (UTC) -Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) - by mail.kernel.org (Postfix) with ESMTP id 66F4F217F4 - for ; - Wed, 25 Sep 2019 17:27:13 +0000 (UTC) -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S2505171AbfIYR1J (ORCPT - ); - Wed, 25 Sep 2019 13:27:09 -0400 -Received: from mx1.redhat.com ([209.132.183.28]:41496 "EHLO mx1.redhat.com" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S2505170AbfIYR1J (ORCPT ); - Wed, 25 Sep 2019 13:27:09 -0400 -Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com - [10.5.11.22]) - (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) - (No client certificate requested) - by mx1.redhat.com (Postfix) with ESMTPS id 4CE7C1056FB1; - Wed, 25 Sep 2019 17:27:08 +0000 (UTC) -Received: from cantor.redhat.com (ovpn-117-191.phx2.redhat.com [10.3.117.191]) - by smtp.corp.redhat.com (Postfix) with ESMTP id D081B1001B12; - Wed, 25 Sep 2019 17:27:07 +0000 (UTC) -From: Jerry Snitselaar -To: linux-efi@vger.kernel.org -Cc: linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, - stable@vger.kernel.org, Matthew Garrett , - Ard Biesheuvel , - Jarkko Sakkinen -Subject: [PATCH v3] tpm: only set efi_tpm_final_log_size after successful - event log parsing -Date: Wed, 25 Sep 2019 10:27:05 -0700 -Message-Id: <20190925172705.17358-1-jsnitsel@redhat.com> -MIME-Version: 1.0 -X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 -X-Greylist: Sender IP whitelisted, - not delayed by milter-greylist-4.6.2 (mx1.redhat.com [10.5.110.64]); - Wed, 25 Sep 2019 17:27:08 +0000 (UTC) -Sender: linux-integrity-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-integrity@vger.kernel.org - -If __calc_tpm2_event_size fails to parse an event it will return 0, -resulting tpm2_calc_event_log_size returning -1. Currently there is -no check of this return value, and efi_tpm_final_log_size can end up -being set to this negative value resulting in a panic like the -the one given below. - -Also __calc_tpm2_event_size returns a size of 0 when it fails -to parse an event, so update function documentation to reflect this. - -[ 0.774340] BUG: unable to handle page fault for address: ffffbc8fc00866ad -[ 0.774788] #PF: supervisor read access in kernel mode -[ 0.774788] #PF: error_code(0x0000) - not-present page -[ 0.774788] PGD 107d36067 P4D 107d36067 PUD 107d37067 PMD 107d38067 PTE 0 -[ 0.774788] Oops: 0000 [#1] SMP PTI -[ 0.774788] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.3.0-0.rc2.1.elrdy.x86_64 #1 -[ 0.774788] Hardware name: LENOVO 20HGS22D0W/20HGS22D0W, BIOS N1WET51W (1.30 ) 09/14/2018 -[ 0.774788] RIP: 0010:memcpy_erms+0x6/0x10 -[ 0.774788] Code: 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe -[ 0.774788] RSP: 0000:ffffbc8fc0073b30 EFLAGS: 00010286 -[ 0.774788] RAX: ffff9b1fc7c5b367 RBX: ffff9b1fc8390000 RCX: ffffffffffffe962 -[ 0.774788] RDX: ffffffffffffe962 RSI: ffffbc8fc00866ad RDI: ffff9b1fc7c5b367 -[ 0.774788] RBP: ffff9b1c10ca7018 R08: ffffbc8fc0085fff R09: 8000000000000063 -[ 0.774788] R10: 0000000000001000 R11: 000fffffffe00000 R12: 0000000000003367 -[ 0.774788] R13: ffff9b1fcc47c010 R14: ffffbc8fc0085000 R15: 0000000000000002 -[ 0.774788] FS: 0000000000000000(0000) GS:ffff9b1fce200000(0000) knlGS:0000000000000000 -[ 0.774788] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[ 0.774788] CR2: ffffbc8fc00866ad CR3: 000000029f60a001 CR4: 00000000003606f0 -[ 0.774788] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -[ 0.774788] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 -[ 0.774788] Call Trace: -[ 0.774788] tpm_read_log_efi+0x156/0x1a0 -[ 0.774788] tpm_bios_log_setup+0xc8/0x190 -[ 0.774788] tpm_chip_register+0x50/0x1c0 -[ 0.774788] tpm_tis_core_init.cold.9+0x28c/0x466 -[ 0.774788] tpm_tis_plat_probe+0xcc/0xea -[ 0.774788] platform_drv_probe+0x35/0x80 -[ 0.774788] really_probe+0xef/0x390 -[ 0.774788] driver_probe_device+0xb4/0x100 -[ 0.774788] device_driver_attach+0x4f/0x60 -[ 0.774788] __driver_attach+0x86/0x140 -[ 0.774788] ? device_driver_attach+0x60/0x60 -[ 0.774788] bus_for_each_dev+0x76/0xc0 -[ 0.774788] ? klist_add_tail+0x3b/0x70 -[ 0.774788] bus_add_driver+0x14a/0x1e0 -[ 0.774788] ? tpm_init+0xea/0xea -[ 0.774788] ? do_early_param+0x8e/0x8e -[ 0.774788] driver_register+0x6b/0xb0 -[ 0.774788] ? tpm_init+0xea/0xea -[ 0.774788] init_tis+0x86/0xd8 -[ 0.774788] ? do_early_param+0x8e/0x8e -[ 0.774788] ? driver_register+0x94/0xb0 -[ 0.774788] do_one_initcall+0x46/0x1e4 -[ 0.774788] ? do_early_param+0x8e/0x8e -[ 0.774788] kernel_init_freeable+0x199/0x242 -[ 0.774788] ? rest_init+0xaa/0xaa -[ 0.774788] kernel_init+0xa/0x106 -[ 0.774788] ret_from_fork+0x35/0x40 -[ 0.774788] Modules linked in: -[ 0.774788] CR2: ffffbc8fc00866ad -[ 0.774788] ---[ end trace 42930799f8d6eaea ]--- -[ 0.774788] RIP: 0010:memcpy_erms+0x6/0x10 -[ 0.774788] Code: 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe -[ 0.774788] RSP: 0000:ffffbc8fc0073b30 EFLAGS: 00010286 -[ 0.774788] RAX: ffff9b1fc7c5b367 RBX: ffff9b1fc8390000 RCX: ffffffffffffe962 -[ 0.774788] RDX: ffffffffffffe962 RSI: ffffbc8fc00866ad RDI: ffff9b1fc7c5b367 -[ 0.774788] RBP: ffff9b1c10ca7018 R08: ffffbc8fc0085fff R09: 8000000000000063 -[ 0.774788] R10: 0000000000001000 R11: 000fffffffe00000 R12: 0000000000003367 -[ 0.774788] R13: ffff9b1fcc47c010 R14: ffffbc8fc0085000 R15: 0000000000000002 -[ 0.774788] FS: 0000000000000000(0000) GS:ffff9b1fce200000(0000) knlGS:0000000000000000 -[ 0.774788] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[ 0.774788] CR2: ffffbc8fc00866ad CR3: 000000029f60a001 CR4: 00000000003606f0 -[ 0.774788] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -[ 0.774788] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 -[ 0.774788] Kernel panic - not syncing: Fatal exception -[ 0.774788] Kernel Offset: 0x1d000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) -[ 0.774788] ---[ end Kernel panic - not syncing: Fatal exception ]--- - -The root cause of the issue that caused the failure of event parsing -in this case is resolved by Peter Jone's patchset dealing with large -event logs where crossing over a page boundary causes the page with -the event count to be unmapped. - -Fixes: c46f3405692de ("tpm: Reserve the TPM final events table") -Cc: linux-efi@vger.kernel.org -Cc: linux-integrity@vger.kernel.org -Cc: stable@vger.kernel.org -Cc: Matthew Garrett -Cc: Ard Biesheuvel -Cc: Jarkko Sakkinen -Signed-off-by: Jerry Snitselaar -Reviewed-by: ---- -v3: rebase on top of Peter Jone's patchset -v2: added FW_BUG to pr_err, and renamed label to out_calc. - Updated doc comment for __calc_tpm2_event_size. - - drivers/firmware/efi/tpm.c | 9 ++++++++- - include/linux/tpm_eventlog.h | 2 +- - 2 files changed, 9 insertions(+), 2 deletions(-) - -diff --git a/drivers/firmware/efi/tpm.c b/drivers/firmware/efi/tpm.c -index b9ae5c6f9b9c..703469c1ab8e 100644 ---- a/drivers/firmware/efi/tpm.c -+++ b/drivers/firmware/efi/tpm.c -@@ -85,11 +85,18 @@ int __init efi_tpm_eventlog_init(void) - final_tbl->nr_events, - log_tbl->log); - } -+ -+ if (tbl_size < 0) { -+ pr_err(FW_BUG "Failed to parse event in TPM Final Events Log\n"); -+ goto out_calc; -+ } -+ - memblock_reserve((unsigned long)final_tbl, - tbl_size + sizeof(*final_tbl)); -- early_memunmap(final_tbl, sizeof(*final_tbl)); - efi_tpm_final_log_size = tbl_size; - -+out_calc: -+ early_memunmap(final_tbl, sizeof(*final_tbl)); - out: - early_memunmap(log_tbl, sizeof(*log_tbl)); - return ret; -diff --git a/include/linux/tpm_eventlog.h b/include/linux/tpm_eventlog.h -index 12584b69a3f3..2dfdd63ac034 100644 ---- a/include/linux/tpm_eventlog.h -+++ b/include/linux/tpm_eventlog.h -@@ -152,7 +152,7 @@ struct tcg_algorithm_info { - * total. Once we've done this we know the offset of the data length field, - * and can calculate the total size of the event. - * -- * Return: size of the event on success, <0 on failure -+ * Return: size of the event on success, 0 on failure - */ - - static inline int __calc_tpm2_event_size(struct tcg_pcr_event2_head *event,