[PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

[PATCH 00/24] Kernel lockdown · David Howells <dhowells@redhat.com> · 2017-04-05
[PATCH 01/24] efi: Add EFI_SECURE_BOOT bit · David Howells <dhowells@redhat.com> · 2017-04-05
Re: [PATCH 01/24] efi: Add EFI_SECURE_BOOT bit · Ard Biesheuvel <hidden> · 2017-04-06
Re: [PATCH 01/24] efi: Add EFI_SECURE_BOOT bit · David Howells <dhowells@redhat.com> · 2017-04-06
[PATCH 02/24] Add the ability to lock down access to the running kernel image · David Howells <dhowells@redhat.com> · 2017-04-05
[PATCH 03/24] efi: Lock down the kernel if booted in secure boot mode · David Howells <dhowells@redhat.com> · 2017-04-05
[PATCH 05/24] Restrict /dev/mem and /dev/kmem when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-05
[PATCH 06/24] Add a sysrq option to exit secure boot mode · David Howells <dhowells@redhat.com> · 2017-04-05
Re: [PATCH 06/24] Add a sysrq option to exit secure boot mode · Thomas Gleixner <hidden> · 2017-04-14
Re: [PATCH 06/24] Add a sysrq option to exit secure boot mode · Ard Biesheuvel <hidden> · 2017-04-14
Re: [PATCH 06/24] Add a sysrq option to exit secure boot mode · David Howells <dhowells@redhat.com> · 2017-04-14
Re: [PATCH 06/24] Add a sysrq option to exit secure boot mode · Matt Fleming <hidden> · 2017-04-16
[PATCH 08/24] Copy secure_boot flag in boot params across kexec reboot · David Howells <dhowells@redhat.com> · 2017-04-05
[PATCH 07/24] kexec: Disable at runtime if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-05
Re: [PATCH 07/24] kexec: Disable at runtime if the kernel is locked down · Dave Young <hidden> · 2017-04-07
[PATCH 10/24] hibernate: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-05
[PATCH 11/24] uswsusp: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-05
Re: [PATCH 11/24] uswsusp: Disable when the kernel is locked down · "Rafael J. Wysocki" <rafael@kernel.org> · 2017-04-05
Re: [PATCH 11/24] uswsusp: Disable when the kernel is locked down · Oliver Neukum <oneukum@suse.com> · 2017-04-06
Re: [PATCH 11/24] uswsusp: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-06
Re: [PATCH 11/24] uswsusp: Disable when the kernel is locked down · "Rafael J. Wysocki" <rafael@kernel.org> · 2017-04-06
Re: [PATCH 11/24] uswsusp: Disable when the kernel is locked down · "Rafael J. Wysocki" <rafael@kernel.org> · 2017-04-06
Re: [PATCH 11/24] uswsusp: Disable when the kernel is locked down · Jiri Kosina <jikos@kernel.org> · 2017-04-06
Re: [PATCH 11/24] uswsusp: Disable when the kernel is locked down · poma <hidden> · 2017-04-08
Re: [PATCH 11/24] uswsusp: Disable when the kernel is locked down · joeyli <jlee@suse.com> · 2017-04-12
Re: [PATCH 11/24] uswsusp: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-06
Re: [PATCH 11/24] uswsusp: Disable when the kernel is locked down · "Rafael J. Wysocki" <rafael@kernel.org> · 2017-04-06
[PATCH 13/24] x86: Lock down IO port access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-05
Re: [PATCH 13/24] x86: Lock down IO port access when the kernel is locked down · Thomas Gleixner <hidden> · 2017-04-14
[PATCH 12/24] PCI: Lock down BAR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-05
Re: [PATCH 12/24] PCI: Lock down BAR access when the kernel is locked down · Bjorn Helgaas <helgaas@kernel.org> · 2017-04-18
[PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-05
Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down · Andy Shevchenko <hidden> · 2017-04-07
Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-07
Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down · Andy Shevchenko <hidden> · 2017-04-09
Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-10
Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down · Andy Shevchenko <hidden> · 2017-04-18
Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down · Ben Hutchings <hidden> · 2017-04-18
Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-18
Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down · Ben Hutchings <hidden> · 2017-04-18
Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-18
Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-18
Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down · Ben Hutchings <hidden> · 2017-04-18
[PATCH 16/24] ACPI: Limit access to custom_method when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-05
[PATCH 19/24] acpi: Disable APEI error injection if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-05
[PATCH 20/24] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-05
Re: [PATCH 20/24] bpf: Restrict kernel image access functions when the kernel is locked down · Alexei Starovoitov <hidden> · 2017-04-06
Re: [PATCH 20/24] bpf: Restrict kernel image access functions when the kernel is locked down · Ard Biesheuvel <hidden> · 2017-04-06
Re: [PATCH 20/24] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-13
Re: [PATCH 20/24] bpf: Restrict kernel image access functions when the kernel is locked down · joeyli <jlee@suse.com> · 2017-04-12
[PATCH 21/24] scsi: Lock down the eata driver · David Howells <dhowells@redhat.com> · 2017-04-05
[PATCH 23/24] Lock down TIOCSSERIAL · David Howells <dhowells@redhat.com> · 2017-04-05
[PATCH 22/24] Prohibit PCMCIA CIS storage when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-05
[PATCH 24/24] Lock down module params that specify hardware parameters (eg. ioport) · David Howells <dhowells@redhat.com> · 2017-04-05
[PATCH 18/24] acpi: Disable ACPI table override if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-05
[PATCH 17/24] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · David Howells <dhowells@redhat.com> · 2017-04-05
Re: [PATCH 17/24] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · "Rafael J. Wysocki" <rafael@kernel.org> · 2017-04-06
Re: [PATCH 17/24] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · Dave Young <hidden> · 2017-04-07
Re: [PATCH 17/24] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · David Howells <dhowells@redhat.com> · 2017-04-07
Re: [PATCH 17/24] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · Dave Young <hidden> · 2017-04-07
[PATCH 14/24] x86: Restrict MSR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-05
Re: [PATCH 14/24] x86: Restrict MSR access when the kernel is locked down · Thomas Gleixner <hidden> · 2017-04-14
[PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-04-05
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · Dave Young <hidden> · 2017-04-07
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-04-07
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · Dave Young <hidden> · 2017-04-07
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-04-07
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · Dave Young <hidden> · 2017-04-07
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-04-07
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · Dave Young <hidden> · 2017-04-07
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-04-07
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · Dave Young <hidden> · 2017-04-07
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-04-07
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-04-07
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-04-07
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-04-07
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-04-10
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-05-02
[PATCH 04/24] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-05
Re: [PATCH 00/24] Kernel lockdown · Austin S. Hemmelgarn <hidden> · 2017-04-07
Re: [PATCH 00/24] Kernel lockdown · Justin Forbes <hidden> · 2017-04-07
Why kernel lockdown? · David Howells <dhowells@redhat.com> · 2017-04-10

From: Mimi Zohar <hidden>
Date: 2017-04-07 03:49:33
Also in: kexec, linux-efi, lkml

On Fri, 2017-04-07 at 11:05 +0800, Dave Young wrote:

On 04/05/17 at 09:15pm, David Howells wrote:

quoted

From: Chun-Yi Lee <redacted>

When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
through kexec_file systemcall if securelevel has been set.

This code was showed in Matthew's patch but not in git:
https://lkml.org/lkml/2015/3/13/778

Cc: Matthew Garrett <mjg59@srcf.ucam.org>
Signed-off-by: Chun-Yi Lee <jlee@suse.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: kexec at lists.infradead.org
---

 kernel/kexec_file.c |    6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index b118735fea9d..f6937eecd1eb 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c

@@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
 	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
 		return -EPERM;
 
+	/* Don't permit images to be loaded into trusted kernels if we're not
+	 * going to verify the signature on them
+	 */
+	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
+		return -EPERM;
+

IMA can be used to verify file signatures too, based on the LSM hooks
in ?kernel_read_file_from_fd(). ?CONFIG_KEXEC_VERIFY_SIG should not be
required.

Mimi

	/* Make sure we have a legal set of flags */

quoted

 	if (flags != (flags & KEXEC_FILE_FLAGS))
 		return -EINVAL;


_______________________________________________
kexec mailing list
kexec at lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec

Acked-by: Dave Young <redacted>

Thanks
Dave
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help