Re: [PATCH V31 19/25] x86/mmiotrace: Lock down the testmmiotrace module

[PATCH V31 00/25] Add support for kernel lockdown · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 01/25] Add the ability to lock down access to the running kernel image · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 02/25] Enforce module signatures if the kernel is locked down · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 03/25] Restrict /dev/{mem,kmem,port} when the kernel is locked down · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 05/25] Copy secure_boot flag in boot params across kexec reboot · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 06/25] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · Matthew Garrett <hidden> · 2019-03-26
Re: [PATCH V31 06/25] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · Dave Young <hidden> · 2019-06-21
Re: [PATCH V31 06/25] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · Matthew Garrett <hidden> · 2019-06-21
Re: [PATCH V31 06/25] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · Matthew Garrett <hidden> · 2019-06-21
[PATCH V31 07/25] kexec_file: Restrict at runtime if the kernel is locked down · Matthew Garrett <hidden> · 2019-03-26
Re: [PATCH V31 07/25] kexec_file: Restrict at runtime if the kernel is locked down · Dave Young <hidden> · 2019-06-21
Re: [PATCH V31 07/25] kexec_file: Restrict at runtime if the kernel is locked down · Matthew Garrett <hidden> · 2019-06-21
Re: [PATCH V31 07/25] kexec_file: Restrict at runtime if the kernel is locked down · Dave Young <hidden> · 2019-06-24
Re: [PATCH V31 07/25] kexec_file: Restrict at runtime if the kernel is locked down · Matthew Garrett <hidden> · 2019-06-24
Re: [PATCH V31 07/25] kexec_file: Restrict at runtime if the kernel is locked down · Mimi Zohar <zohar@linux.ibm.com> · 2019-06-24
Re: [PATCH V31 07/25] kexec_file: Restrict at runtime if the kernel is locked down · Matthew Garrett <hidden> · 2019-06-25
Re: [PATCH V31 07/25] kexec_file: Restrict at runtime if the kernel is locked down · Mimi Zohar <zohar@linux.ibm.com> · 2019-06-25
Re: [PATCH V31 07/25] kexec_file: Restrict at runtime if the kernel is locked down · Dave Young <hidden> · 2019-06-25
[PATCH V31 09/25] uswsusp: Disable when the kernel is locked down · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 11/25] x86: Lock down IO port access when the kernel is locked down · Matthew Garrett <hidden> · 2019-03-26
Re: [PATCH V31 11/25] x86: Lock down IO port access when the kernel is locked down · Andy Lutomirski <luto@kernel.org> · 2019-03-26
[PATCH V31 12/25] x86/msr: Restrict MSR access when the kernel is locked down · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 14/25] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 16/25] Prohibit PCMCIA CIS storage when the kernel is locked down · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 17/25] Lock down TIOCSSERIAL · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 18/25] Lock down module params that specify hardware parameters (eg. ioport) · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 20/25] Lock down /proc/kcore · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 22/25] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Matthew Garrett <hidden> · 2019-03-26
Re: [PATCH V31 22/25] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Andy Lutomirski <luto@kernel.org> · 2019-03-26
[PATCH V31 23/25] Lock down perf when in confidentiality mode · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 24/25] lockdown: Print current->comm in restriction messages · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · Matthew Garrett <hidden> · 2019-03-26
Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · Andy Lutomirski <luto@kernel.org> · 2019-03-26
Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · Matthew Garrett <hidden> · 2019-03-26
Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · Greg KH <gregkh@linuxfoundation.org> · 2019-03-27
Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · Andy Lutomirski <luto@kernel.org> · 2019-03-27
Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · Greg KH <gregkh@linuxfoundation.org> · 2019-03-27
Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · Andy Lutomirski <luto@amacapital.net> · 2019-03-27
Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · Greg KH <gregkh@linuxfoundation.org> · 2019-03-27
Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · James Morris <jmorris@namei.org> · 2019-03-27
Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · Andy Lutomirski <luto@kernel.org> · 2019-03-27
Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · Matthew Garrett <hidden> · 2019-03-27
Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · Greg KH <gregkh@linuxfoundation.org> · 2019-03-27
Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · Greg KH <gregkh@linuxfoundation.org> · 2019-03-27
Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · Greg KH <gregkh@linuxfoundation.org> · 2019-03-27
Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · Matthew Garrett <hidden> · 2019-03-27
Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · Greg KH <gregkh@linuxfoundation.org> · 2019-03-27
[PATCH V31 21/25] Lock down kprobes when in confidentiality mode · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 19/25] x86/mmiotrace: Lock down the testmmiotrace module · Matthew Garrett <hidden> · 2019-03-26
Re: [PATCH V31 19/25] x86/mmiotrace: Lock down the testmmiotrace module · Steven Rostedt <rostedt@goodmis.org> · 2019-03-27
Re: [PATCH V31 19/25] x86/mmiotrace: Lock down the testmmiotrace module · Matthew Garrett <hidden> · 2019-03-27
[PATCH V31 15/25] acpi: Disable ACPI table override if the kernel is locked down · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 13/25] ACPI: Limit access to custom_method when the kernel is locked down · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 10/25] PCI: Lock down BAR access when the kernel is locked down · Matthew Garrett <hidden> · 2019-03-26
Re: [PATCH V31 10/25] PCI: Lock down BAR access when the kernel is locked down · Andy Lutomirski <luto@kernel.org> · 2019-03-26
Re: [PATCH V31 10/25] PCI: Lock down BAR access when the kernel is locked down · Alex Williamson <hidden> · 2019-03-26
[PATCH V31 08/25] hibernate: Disable when the kernel is locked down · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 04/25] kexec_load: Disable at runtime if the kernel is locked down · Matthew Garrett <hidden> · 2019-03-26

From: Steven Rostedt <rostedt@goodmis.org>
Date: 2019-03-27 15:57:54
Also in: linux-security-module, lkml

On Tue, 26 Mar 2019 11:27:35 -0700
Matthew Garrett [off-list ref] wrote:

From: David Howells <dhowells@redhat.com>

The testmmiotrace module shouldn't be permitted when the kernel is locked
down as it can be used to arbitrarily read and write MMIO space. This is
a runtime check rather than buildtime in order to allow configurations
where the same kernel may be run in both locked down or permissive modes
depending on local policy.

Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>

I'm curious. Should there be a mode to lockdown the tracefs directory
too? As that can expose addresses.

-- Steve

quoted hunk ↗ jump to hunk

Suggested-by: Thomas Gleixner <redacted>
Signed-off-by: David Howells <dhowells@redhat.com
Signed-off-by: Matthew Garrett <redacted>
cc: Thomas Gleixner <redacted>
cc: Steven Rostedt <rostedt@goodmis.org>
cc: Ingo Molnar <mingo@kernel.org>
cc: "H. Peter Anvin" <hpa@zytor.com>
cc: x86@kernel.org
---
 arch/x86/mm/testmmiotrace.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c
index f6ae6830b341..9e8ad665f354 100644
--- a/arch/x86/mm/testmmiotrace.c
+++ b/arch/x86/mm/testmmiotrace.c

@@ -115,6 +115,9 @@ static int __init init(void)
 {
 	unsigned long size = (read_far) ? (8 << 20) : (16 << 10);
 
+	if (kernel_is_locked_down("MMIO trace testing", LOCKDOWN_INTEGRITY))
+		return -EPERM;
+
 	if (mmio_address == 0) {
 		pr_err("you have to use the module argument mmio_address.\n");
 		pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n");

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help