Re: [PATCH 02/24] Add a SysRq option to lift kernel lockdown

[PATCH 00/24] security: Add kernel lockdown · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 01/24] Add the ability to lock down access to the running kernel image · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Jann Horn <jannh@google.com> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Randy Dunlap <hidden> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Miguel Ojeda <hidden> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Greg KH <gregkh@linuxfoundation.org> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Justin Forbes <hidden> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Jordan Glover <hidden> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Justin Forbes <hidden> · 2018-04-12
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-12
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Andy Lutomirski <luto@amacapital.net> · 2018-04-12
[PATCH 02/24] Add a SysRq option to lift kernel lockdown · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 02/24] Add a SysRq option to lift kernel lockdown · Jann Horn <jannh@google.com> · 2018-04-11
Re: [PATCH 02/24] Add a SysRq option to lift kernel lockdown · Pavel Machek <hidden> · 2018-04-13
[PATCH 03/24] ima: require secure_boot rules in lockdown mode · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 04/24] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 05/24] Restrict /dev/{mem, kmem, port} when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 06/24] kexec_load: Disable at runtime if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 07/24] hibernate: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · Pavel Machek <hidden> · 2018-04-13
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-19
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · Andy Lutomirski <luto@kernel.org> · 2018-04-22
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · Pavel Machek <hidden> · 2018-04-26
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · Rafael J. Wysocki <hidden> · 2018-04-26
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · Jiri Kosina <jikos@kernel.org> · 2018-04-26
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · joeyli <jlee@suse.com> · 2018-05-23
[PATCH 08/24] uswsusp: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 09/24] PCI: Lock down BAR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 10/24] x86: Lock down IO port access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 11/24] x86/msr: Restrict MSR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 12/24] ACPI: Limit access to custom_method when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 13/24] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 14/24] acpi: Disable ACPI table override if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 15/24] acpi: Disable APEI error injection if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 16/24] Prohibit PCMCIA CIS storage when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 17/24] Lock down TIOCSSERIAL · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 18/24] Lock down module params that specify hardware parameters (eg. ioport) · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 18/24] Lock down module params that specify hardware parameters (eg. ioport) · Randy Dunlap <hidden> · 2018-04-11
[PATCH 19/24] x86/mmiotrace: Lock down the testmmiotrace module · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 20/24] Lock down /proc/kcore · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 21/24] Lock down kprobes · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 22/24] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 23/24] Lock down perf · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Randy Dunlap <hidden> · 2018-04-11
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Greg KH <hidden> · 2018-04-11
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Greg KH <hidden> · 2018-04-11
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Andy Lutomirski <luto@kernel.org> · 2018-04-12
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Greg KH <hidden> · 2018-04-12
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Andy Lutomirski <luto@kernel.org> · 2018-04-12
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Pavel Machek <hidden> · 2018-04-13
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-19
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Pavel Machek <hidden> · 2018-05-10

From: Jann Horn <jannh@google.com>
Date: 2018-04-11 17:06:19
Also in: linux-man, linux-security-module, lkml

On Wed, Apr 11, 2018 at 6:24 PM, David Howells [off-list ref] wrote:

From: Kyle McMartin <redacted>

Make an option to provide a sysrq key that will lift the kernel lockdown,
thereby allowing the running kernel image to be accessed and modified.

On x86 this is triggered with SysRq+x, but this key may not be available on
all arches, so it is set by setting LOCKDOWN_LIFT_KEY in asm/setup.h.
Since this macro must be defined in an arch to be able to use this facility
for that arch, the Kconfig option is restricted to arches that support it.

In the current form, this is probably incompatible with USB/IP (which
Debian seems to be shipping as a module by default), right? And
perhaps also with dummy_hcd (if I understand correctly what it's
doing)?

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help