e21e52b608
This is a first pass at getting the secureboot patches working with the upstream lockdown patches that got merged. The final patch from our lockdown set is the sysrq patch which also needs work. For the present it is not applied.
287 lines
9.2 KiB
Diff
287 lines
9.2 KiB
Diff
From 4a84d19a10c31a363aa7d1f325bd212012263a98 Mon Sep 17 00:00:00 2001
|
|
From: Kyle McMartin <kyle@redhat.com>
|
|
Date: Mon, 9 Apr 2018 09:52:45 +0100
|
|
Subject: [PATCH 28/29] Add a SysRq option to lift kernel lockdown
|
|
|
|
Make an option to provide a sysrq key that will lift the kernel lockdown,
|
|
thereby allowing the running kernel image to be accessed and modified.
|
|
|
|
On x86 this is triggered with SysRq+x, but this key may not be available on
|
|
all arches, so it is set by setting LOCKDOWN_LIFT_KEY in asm/setup.h.
|
|
Since this macro must be defined in an arch to be able to use this facility
|
|
for that arch, the Kconfig option is restricted to arches that support it.
|
|
|
|
Signed-off-by: Kyle McMartin <kyle@redhat.com>
|
|
Signed-off-by: David Howells <dhowells@redhat.com>
|
|
cc: x86@kernel.org
|
|
---
|
|
arch/x86/include/asm/setup.h | 2 ++
|
|
drivers/input/misc/uinput.c | 1 +
|
|
drivers/tty/sysrq.c | 19 ++++++++++-----
|
|
include/linux/input.h | 5 ++++
|
|
include/linux/sysrq.h | 8 +++++-
|
|
kernel/debug/kdb/kdb_main.c | 2 +-
|
|
security/Kconfig | 10 ++++++++
|
|
security/lock_down.c | 47 ++++++++++++++++++++++++++++++++++++
|
|
8 files changed, 86 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/arch/x86/include/asm/setup.h b/arch/x86/include/asm/setup.h
|
|
index ed8ec011a9fd..8daf633a5347 100644
|
|
--- a/arch/x86/include/asm/setup.h
|
|
+++ b/arch/x86/include/asm/setup.h
|
|
@@ -9,6 +9,8 @@
|
|
#include <linux/linkage.h>
|
|
#include <asm/page_types.h>
|
|
|
|
+#define LOCKDOWN_LIFT_KEY 'x'
|
|
+
|
|
#ifdef __i386__
|
|
|
|
#include <linux/pfn.h>
|
|
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
|
|
index 84051f20b18a..583ab2bc1916 100644
|
|
--- a/drivers/input/misc/uinput.c
|
|
+++ b/drivers/input/misc/uinput.c
|
|
@@ -353,6 +353,7 @@ static int uinput_create_device(struct uinput_device *udev)
|
|
dev->flush = uinput_dev_flush;
|
|
}
|
|
|
|
+ dev->flags |= INPUTDEV_FLAGS_SYNTHETIC;
|
|
dev->event = uinput_dev_event;
|
|
|
|
input_set_drvdata(udev->dev, udev);
|
|
diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
|
|
index 573b2055173c..7cc95a8bdf8d 100644
|
|
--- a/drivers/tty/sysrq.c
|
|
+++ b/drivers/tty/sysrq.c
|
|
@@ -480,6 +480,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
|
|
/* x: May be registered on mips for TLB dump */
|
|
/* x: May be registered on ppc/powerpc for xmon */
|
|
/* x: May be registered on sparc64 for global PMU dump */
|
|
+ /* x: May be registered on x86_64 for disabling secure boot */
|
|
NULL, /* x */
|
|
/* y: May be registered on sparc64 for global register dump */
|
|
NULL, /* y */
|
|
@@ -523,7 +524,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
|
|
sysrq_key_table[i] = op_p;
|
|
}
|
|
|
|
-void __handle_sysrq(int key, bool check_mask)
|
|
+void __handle_sysrq(int key, unsigned int from)
|
|
{
|
|
struct sysrq_key_op *op_p;
|
|
int orig_log_level;
|
|
@@ -546,11 +547,15 @@ void __handle_sysrq(int key, bool check_mask)
|
|
|
|
op_p = __sysrq_get_key_op(key);
|
|
if (op_p) {
|
|
+ /* Ban synthetic events from some sysrq functionality */
|
|
+ if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) &&
|
|
+ op_p->enable_mask & SYSRQ_DISABLE_USERSPACE)
|
|
+ printk("This sysrq operation is disabled from userspace.\n");
|
|
/*
|
|
* Should we check for enabled operations (/proc/sysrq-trigger
|
|
* should not) and is the invoked operation enabled?
|
|
*/
|
|
- if (!check_mask || sysrq_on_mask(op_p->enable_mask)) {
|
|
+ if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {
|
|
pr_info("%s\n", op_p->action_msg);
|
|
console_loglevel = orig_log_level;
|
|
op_p->handler(key);
|
|
@@ -585,7 +590,7 @@ void __handle_sysrq(int key, bool check_mask)
|
|
void handle_sysrq(int key)
|
|
{
|
|
if (sysrq_on())
|
|
- __handle_sysrq(key, true);
|
|
+ __handle_sysrq(key, SYSRQ_FROM_KERNEL);
|
|
}
|
|
EXPORT_SYMBOL(handle_sysrq);
|
|
|
|
@@ -665,7 +670,7 @@ static void sysrq_do_reset(struct timer_list *t)
|
|
static void sysrq_handle_reset_request(struct sysrq_state *state)
|
|
{
|
|
if (state->reset_requested)
|
|
- __handle_sysrq(sysrq_xlate[KEY_B], false);
|
|
+ __handle_sysrq(sysrq_xlate[KEY_B], SYSRQ_FROM_KERNEL);
|
|
|
|
if (sysrq_reset_downtime_ms)
|
|
mod_timer(&state->keyreset_timer,
|
|
@@ -818,8 +823,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
|
|
|
|
default:
|
|
if (sysrq->active && value && value != 2) {
|
|
+ int from = sysrq->handle.dev->flags & INPUTDEV_FLAGS_SYNTHETIC ?
|
|
+ SYSRQ_FROM_SYNTHETIC : 0;
|
|
sysrq->need_reinject = false;
|
|
- __handle_sysrq(sysrq_xlate[code], true);
|
|
+ __handle_sysrq(sysrq_xlate[code], from);
|
|
}
|
|
break;
|
|
}
|
|
@@ -1102,7 +1109,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
|
|
|
|
if (get_user(c, buf))
|
|
return -EFAULT;
|
|
- __handle_sysrq(c, false);
|
|
+ __handle_sysrq(c, SYSRQ_FROM_PROC);
|
|
}
|
|
|
|
return count;
|
|
diff --git a/include/linux/input.h b/include/linux/input.h
|
|
index 510e78558c10..7e7065b2f58a 100644
|
|
--- a/include/linux/input.h
|
|
+++ b/include/linux/input.h
|
|
@@ -39,6 +39,7 @@ struct input_value {
|
|
* @phys: physical path to the device in the system hierarchy
|
|
* @uniq: unique identification code for the device (if device has it)
|
|
* @id: id of the device (struct input_id)
|
|
+ * @flags: input device flags (SYNTHETIC, etc.)
|
|
* @propbit: bitmap of device properties and quirks
|
|
* @evbit: bitmap of types of events supported by the device (EV_KEY,
|
|
* EV_REL, etc.)
|
|
@@ -121,6 +122,8 @@ struct input_dev {
|
|
const char *uniq;
|
|
struct input_id id;
|
|
|
|
+ unsigned int flags;
|
|
+
|
|
unsigned long propbit[BITS_TO_LONGS(INPUT_PROP_CNT)];
|
|
|
|
unsigned long evbit[BITS_TO_LONGS(EV_CNT)];
|
|
@@ -187,6 +190,8 @@ struct input_dev {
|
|
};
|
|
#define to_input_dev(d) container_of(d, struct input_dev, dev)
|
|
|
|
+#define INPUTDEV_FLAGS_SYNTHETIC 0x000000001
|
|
+
|
|
/*
|
|
* Verify that we are in sync with input_device_id mod_devicetable.h #defines
|
|
*/
|
|
diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h
|
|
index 8c71874e8485..7de1f08b60a9 100644
|
|
--- a/include/linux/sysrq.h
|
|
+++ b/include/linux/sysrq.h
|
|
@@ -29,6 +29,8 @@
|
|
#define SYSRQ_ENABLE_BOOT 0x0080
|
|
#define SYSRQ_ENABLE_RTNICE 0x0100
|
|
|
|
+#define SYSRQ_DISABLE_USERSPACE 0x00010000
|
|
+
|
|
struct sysrq_key_op {
|
|
void (*handler)(int);
|
|
char *help_msg;
|
|
@@ -43,8 +45,12 @@ struct sysrq_key_op {
|
|
* are available -- else NULL's).
|
|
*/
|
|
|
|
+#define SYSRQ_FROM_KERNEL 0x0001
|
|
+#define SYSRQ_FROM_PROC 0x0002
|
|
+#define SYSRQ_FROM_SYNTHETIC 0x0004
|
|
+
|
|
void handle_sysrq(int key);
|
|
-void __handle_sysrq(int key, bool check_mask);
|
|
+void __handle_sysrq(int key, unsigned int from);
|
|
int register_sysrq_key(int key, struct sysrq_key_op *op);
|
|
int unregister_sysrq_key(int key, struct sysrq_key_op *op);
|
|
struct sysrq_key_op *__sysrq_get_key_op(int key);
|
|
diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
|
|
index 9ecfa37c7fbf..902b7785d7dc 100644
|
|
--- a/kernel/debug/kdb/kdb_main.c
|
|
+++ b/kernel/debug/kdb/kdb_main.c
|
|
@@ -1981,7 +1981,7 @@ static int kdb_sr(int argc, const char **argv)
|
|
return KDB_ARGCOUNT;
|
|
|
|
kdb_trap_printk++;
|
|
- __handle_sysrq(*argv[1], check_mask);
|
|
+ __handle_sysrq(*argv[1], check_mask ? SYSRQ_FROM_KERNEL : 0);
|
|
kdb_trap_printk--;
|
|
|
|
return 0;
|
|
diff --git a/security/Kconfig b/security/Kconfig
|
|
index 720cf9dee2b4..fe08b674bfce 100644
|
|
--- a/security/Kconfig
|
|
+++ b/security/Kconfig
|
|
@@ -245,6 +245,16 @@ config LOCK_DOWN_KERNEL_FORCE
|
|
help
|
|
Enable the kernel lock down functionality automatically at boot.
|
|
|
|
+config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
|
|
+ bool "Allow the kernel lockdown to be lifted by SysRq"
|
|
+ depends on LOCK_DOWN_KERNEL
|
|
+ depends on !LOCK_DOWN_KERNEL_FORCE
|
|
+ depends on MAGIC_SYSRQ
|
|
+ depends on X86
|
|
+ help
|
|
+ Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
|
|
+ combination on a wired keyboard. On x86, this is SysRq+x.
|
|
+
|
|
source "security/selinux/Kconfig"
|
|
source "security/smack/Kconfig"
|
|
source "security/tomoyo/Kconfig"
|
|
diff --git a/security/lock_down.c b/security/lock_down.c
|
|
index ee00ca2677e7..d68dff872ced 100644
|
|
--- a/security/lock_down.c
|
|
+++ b/security/lock_down.c
|
|
@@ -12,8 +12,14 @@
|
|
|
|
#include <linux/security.h>
|
|
#include <linux/export.h>
|
|
+#include <linux/sysrq.h>
|
|
+#include <asm/setup.h>
|
|
|
|
+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
|
|
+static __read_mostly bool kernel_locked_down;
|
|
+#else
|
|
static __ro_after_init bool kernel_locked_down;
|
|
+#endif
|
|
|
|
/*
|
|
* Put the kernel into lock-down mode.
|
|
@@ -58,3 +64,44 @@ bool __kernel_is_locked_down(const char *what, bool first)
|
|
return kernel_locked_down;
|
|
}
|
|
EXPORT_SYMBOL(__kernel_is_locked_down);
|
|
+
|
|
+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
|
|
+
|
|
+/*
|
|
+ * Take the kernel out of lockdown mode.
|
|
+ */
|
|
+static void lift_kernel_lockdown(void)
|
|
+{
|
|
+ pr_notice("Lifting lockdown\n");
|
|
+ kernel_locked_down = false;
|
|
+}
|
|
+
|
|
+/*
|
|
+ * Allow lockdown to be lifted by pressing something like SysRq+x (and not by
|
|
+ * echoing the appropriate letter into the sysrq-trigger file).
|
|
+ */
|
|
+static void sysrq_handle_lockdown_lift(int key)
|
|
+{
|
|
+ if (kernel_locked_down)
|
|
+ lift_kernel_lockdown();
|
|
+}
|
|
+
|
|
+static struct sysrq_key_op lockdown_lift_sysrq_op = {
|
|
+ .handler = sysrq_handle_lockdown_lift,
|
|
+ .help_msg = "unSB(x)",
|
|
+ .action_msg = "Disabling Secure Boot restrictions",
|
|
+ .enable_mask = SYSRQ_DISABLE_USERSPACE,
|
|
+};
|
|
+
|
|
+static int __init lockdown_lift_sysrq(void)
|
|
+{
|
|
+ if (kernel_locked_down) {
|
|
+ lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY;
|
|
+ register_sysrq_key(LOCKDOWN_LIFT_KEY, &lockdown_lift_sysrq_op);
|
|
+ }
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+late_initcall(lockdown_lift_sysrq);
|
|
+
|
|
+#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */
|
|
--
|
|
2.21.0
|