lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <150842483945.7923.12778302394414653081.stgit@warthog.procyon.org.uk>
Date:   Thu, 19 Oct 2017 15:53:59 +0100
From:   David Howells <dhowells@...hat.com>
To:     linux-security-module@...r.kernel.org
Cc:     gnomes@...rguk.ukuu.org.uk, linux-efi@...r.kernel.org,
        matthew.garrett@...ula.com, gregkh@...uxfoundation.org,
        linux-kernel@...r.kernel.org, dhowells@...hat.com,
        jforbes@...hat.com
Subject: [PATCH 27/27] efi: Lock down the kernel if booted in secure boot
 mode

UEFI Secure Boot provides a mechanism for ensuring that the firmware will
only load signed bootloaders and kernels.  Certain use cases may also
require that all kernel modules also be signed.  Add a configuration option
that to lock down the kernel - which includes requiring validly signed
modules - if the kernel is secure-booted.

Signed-off-by: David Howells <dhowells@...hat.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@...aro.org>
cc: linux-efi@...r.kernel.org
---

 arch/x86/kernel/setup.c |    6 ++++--
 security/Kconfig        |   14 ++++++++++++++
 security/lock_down.c    |    1 +
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index 7c2162f9e769..4e38327efb2e 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -64,6 +64,7 @@
 #include <linux/dma-mapping.h>
 #include <linux/ctype.h>
 #include <linux/uaccess.h>
+#include <linux/security.h>
 
 #include <linux/percpu.h>
 #include <linux/crash_dump.h>
@@ -1039,6 +1040,9 @@ void __init setup_arch(char **cmdline_p)
 	if (efi_enabled(EFI_BOOT))
 		efi_init();
 
+	efi_set_secure_boot(boot_params.secure_boot);
+	init_lockdown();
+
 	dmi_scan_machine();
 	dmi_memdev_walk();
 	dmi_set_dump_stack_arch_desc();
@@ -1197,8 +1201,6 @@ void __init setup_arch(char **cmdline_p)
 	/* Allocate bigger log buffer */
 	setup_log_buf(1);
 
-	efi_set_secure_boot(boot_params.secure_boot);
-
 	reserve_initrd();
 
 	acpi_table_upgrade();
diff --git a/security/Kconfig b/security/Kconfig
index 4be6be71e075..e1756039dc0a 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -227,6 +227,20 @@ config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
 	  Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
 	  combination on a wired keyboard.
 
+config LOCK_DOWN_IN_EFI_SECURE_BOOT
+	bool "Lock down the kernel in EFI Secure Boot mode"
+	default n
+	select LOCK_DOWN_KERNEL
+	depends on EFI
+	help
+	  UEFI Secure Boot provides a mechanism for ensuring that the firmware
+	  will only load signed bootloaders and kernels.  Secure boot mode may
+	  be determined from EFI variables provided by the system firmware if
+	  not indicated by the boot parameters.
+
+	  Enabling this option turns on results in kernel lockdown being
+	  triggered if EFI Secure Boot is set.
+
 
 source security/selinux/Kconfig
 source security/smack/Kconfig
diff --git a/security/lock_down.c b/security/lock_down.c
index f71118c340d2..12c3bc204c4e 100644
--- a/security/lock_down.c
+++ b/security/lock_down.c
@@ -12,6 +12,7 @@
 #include <linux/security.h>
 #include <linux/export.h>
 #include <linux/sysrq.h>
+#include <linux/efi.h>
 
 #ifdef CONFIG_ALLOW_LOCKDOWN_LIFT
 static __read_mostly bool kernel_locked_down;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ