lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <149142326734.5101.4596394505987813763.stgit@warthog.procyon.org.uk>
Date:   Wed, 05 Apr 2017 21:14:27 +0100
From:   David Howells <dhowells@...hat.com>
To:     linux-kernel@...r.kernel.org
Cc:     gnomes@...rguk.ukuu.org.uk, linux-efi@...r.kernel.org,
        matthew.garrett@...ula.com, gregkh@...uxfoundation.org,
        dhowells@...hat.com, linux-security-module@...r.kernel.org,
        keyrings@...r.kernel.org
Subject: [PATCH 00/24] Kernel lockdown


These patches provide a facility by which a variety of avenues by which
userspace can feasibly modify the running kernel image can be locked down.
These include:

 (*) No unsigned modules and no modules for which can't validate the
     signature.

 (*) No use of ioperm(), iopl() and no writing to /dev/port.

 (*) No writing to /dev/mem or /dev/kmem.

 (*) No hibernation.

 (*) Restrict PCI BAR access.

 (*) Restrict MSR access.

 (*) No kexec_load().

 (*) Certain ACPI restrictions.

 (*) Restrict debugfs interface to ASUS WMI.

The lock-down can be configured to be triggered by the EFI secure boot
status, provided the shim isn't insecure.  The lock-down can be lifted by
typing SysRq+x on a keyboard attached to the system.


The patches can be found here also:

	http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=efi-lockdown

They are dependent on the hwparam branch, which I posted separately.

David
---
Chun-Yi Lee (2):
      kexec_file: Disable at runtime if securelevel has been set
      bpf: Restrict kernel image access functions when the kernel is locked down

Dave Young (1):
      Copy secure_boot flag in boot params across kexec reboot

David Howells (7):
      Add the ability to lock down access to the running kernel image
      efi: Lock down the kernel if booted in secure boot mode
      Enforce module signatures if the kernel is locked down
      scsi: Lock down the eata driver
      Prohibit PCMCIA CIS storage when the kernel is locked down
      Lock down TIOCSSERIAL
      Lock down module params that specify hardware parameters (eg. ioport)

Josh Boyer (3):
      efi: Add EFI_SECURE_BOOT bit
      hibernate: Disable when the kernel is locked down
      acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down

Kyle McMartin (1):
      Add a sysrq option to exit secure boot mode

Linn Crosetto (2):
      acpi: Disable ACPI table override if the kernel is locked down
      acpi: Disable APEI error injection if the kernel is locked down

Matthew Garrett (8):
      Restrict /dev/mem and /dev/kmem when the kernel is locked down
      kexec: Disable at runtime if the kernel is locked down
      uswsusp: Disable when the kernel is locked down
      PCI: Lock down BAR access when the kernel is locked down
      x86: Lock down IO port access when the kernel is locked down
      x86: Restrict MSR access when the kernel is locked down
      asus-wmi: Restrict debugfs interface when the kernel is locked down
      ACPI: Limit access to custom_method when the kernel is locked down


 arch/x86/Kconfig                  |   22 ++++++++++++++++++++
 arch/x86/kernel/ioport.c          |    4 ++--
 arch/x86/kernel/kexec-bzimage64.c |    1 +
 arch/x86/kernel/msr.c             |    7 ++++++
 arch/x86/kernel/setup.c           |   40 ++++++++++++++++++++++++++++++++++++-
 drivers/acpi/apei/einj.c          |    3 +++
 drivers/acpi/custom_method.c      |    3 +++
 drivers/acpi/osl.c                |    2 +-
 drivers/acpi/tables.c             |    5 +++++
 drivers/char/mem.c                |    8 +++++++
 drivers/input/misc/uinput.c       |    1 +
 drivers/pci/pci-sysfs.c           |    9 ++++++++
 drivers/pci/proc.c                |    8 ++++++-
 drivers/pci/syscall.c             |    2 +-
 drivers/pcmcia/cistpl.c           |    5 +++++
 drivers/platform/x86/asus-wmi.c   |    9 ++++++++
 drivers/scsi/eata.c               |    7 ++++++
 drivers/tty/serial/serial_core.c  |    6 ++++++
 drivers/tty/sysrq.c               |   19 ++++++++++++------
 include/linux/efi.h               |    1 +
 include/linux/input.h             |    5 +++++
 include/linux/kernel.h            |    9 ++++++++
 include/linux/security.h          |   11 ++++++++++
 include/linux/sysrq.h             |    8 ++++++-
 kernel/debug/kdb/kdb_main.c       |    2 +-
 kernel/kexec.c                    |    7 ++++++
 kernel/kexec_file.c               |    6 ++++++
 kernel/module.c                   |    2 +-
 kernel/params.c                   |   27 ++++++++++++++++++++-----
 kernel/power/hibernate.c          |    2 +-
 kernel/power/user.c               |    3 +++
 kernel/trace/bpf_trace.c          |   11 ++++++++++
 security/Kconfig                  |   15 ++++++++++++++
 security/Makefile                 |    3 +++
 security/lock_down.c              |   40 +++++++++++++++++++++++++++++++++++++
 35 files changed, 291 insertions(+), 22 deletions(-)
 create mode 100644 security/lock_down.c

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ