[PATCH 05/27] kexec: Disable at runtime if the kernel is locked down

[PATCH 00/27] security, efi: Add kernel lockdown · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 01/27] Add the ability to lock down access to the running kernel image · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 01/27] Add the ability to lock down access to the running kernel image · James Morris <hidden> · 2017-10-20
[PATCH 02/27] Add a SysRq option to lift kernel lockdown · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 02/27] Add a SysRq option to lift kernel lockdown · Randy Dunlap <hidden> · 2017-10-19
Re: [PATCH 02/27] Add a SysRq option to lift kernel lockdown · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 02/27] Add a SysRq option to lift kernel lockdown · Thiago Jung Bauermann <hidden> · 2017-11-07
Re: [PATCH 02/27] Add a SysRq option to lift kernel lockdown · David Howells <dhowells@redhat.com> · 2017-11-07
[PATCH 03/27] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · James Morris <hidden> · 2017-10-20
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · Mimi Zohar <hidden> · 2017-10-27
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-30
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · Mimi Zohar <hidden> · 2017-10-30
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-02
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · Mimi Zohar <hidden> · 2017-11-02
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-02
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · Mimi Zohar <hidden> · 2017-11-02
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-02
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · Mimi Zohar <hidden> · 2017-11-02
[PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
Re: [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down · James Morris <hidden> · 2017-10-20
Re: [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-23
Re: [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down · Ethan Zhao <hidden> · 2017-10-24
Re: [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-24
[PATCH 05/27] kexec: Disable at runtime if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 05/27] kexec: Disable at runtime if the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
Re: [PATCH 05/27] kexec: Disable at runtime if the kernel is locked down · James Morris <hidden> · 2017-10-20
[PATCH 06/27] Copy secure_boot flag in boot params across kexec reboot · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 06/27] Copy secure_boot flag in boot params across kexec reboot · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · James Morris <hidden> · 2017-10-20
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-23
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · joeyli <jlee@suse.com> · 2017-10-26
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-26
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-27
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · joeyli <jlee@suse.com> · 2017-10-28
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-29
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-28
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-10-30
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-30
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-10-26
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-26
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-10-30
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-30
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-11-02
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-10-26
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-11-02
[PATCH 08/27] hibernate: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 08/27] hibernate: Disable when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 09/27] uswsusp: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 09/27] uswsusp: Disable when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
Re: [PATCH 09/27] uswsusp: Disable when the kernel is locked down · James Morris <hidden> · 2017-10-20
[PATCH 10/27] PCI: Lock down BAR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 10/27] PCI: Lock down BAR access when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 11/27] x86: Lock down IO port access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 11/27] x86: Lock down IO port access when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · Alan Cox <hidden> · 2017-10-20
Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-20
Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-21
Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-23
Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-25
[PATCH 13/27] asus-wmi: Restrict debugfs interface when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 13/27] asus-wmi: Restrict debugfs interface when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 14/27] ACPI: Limit access to custom_method when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 14/27] ACPI: Limit access to custom_method when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 15/27] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 15/27] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 16/27] acpi: Disable ACPI table override if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 16/27] acpi: Disable ACPI table override if the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 17/27] acpi: Disable APEI error injection if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 17/27] acpi: Disable APEI error injection if the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · Alexei Starovoitov <hidden> · 2017-10-19
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · Alexei Starovoitov <hidden> · 2017-10-19
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-20
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · jlee@suse.com · 2017-10-20
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-20
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · jlee@suse.com · 2017-10-20
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-23
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-25
[PATCH 19/27] scsi: Lock down the eata driver · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 20/27] Prohibit PCMCIA CIS storage when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 21/27] Lock down TIOCSSERIAL · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 22/27] Lock down module params that specify hardware parameters (eg. ioport) · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 23/27] x86/mmiotrace: Lock down the testmmiotrace module · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 24/27] debugfs: Disallow use of debugfs files when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 25/27] Lock down /proc/kcore · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 25/27] Lock down /proc/kcore · James Morris <hidden> · 2017-10-21
Re: [PATCH 25/27] Lock down /proc/kcore · David Howells <dhowells@redhat.com> · 2017-10-23
[PATCH 26/27] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 26/27] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode · James Morris <hidden> · 2017-10-21
Re: [PATCH 26/27] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode · David Howells <dhowells@redhat.com> · 2017-10-23
[PATCH 27/27] efi: Lock down the kernel if booted in secure boot mode · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 00/27] security, efi: Add kernel lockdown · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-02
Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · David Howells <dhowells@redhat.com> · 2017-11-02
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-02
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-07
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · AKASHI, Takahiro <hidden> · 2017-11-08
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-08
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · AKASHI, Takahiro <hidden> · 2017-11-09
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-09
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · AKASHI, Takahiro <hidden> · 2017-11-09
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-10
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Alan Cox <hidden> · 2017-11-11
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Alan Cox <hidden> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · David Howells <dhowells@redhat.com> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Linus Torvalds <torvalds@linux-foundation.org> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Alan Cox <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Linus Torvalds <torvalds@linux-foundation.org> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Matthew Garrett <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Linus Torvalds <torvalds@linux-foundation.org> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Matthew Garrett <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Linus Torvalds <torvalds@linux-foundation.org> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Matthew Garrett <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Matthew Garrett <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · James Bottomley <James.Bottomley@HansenPartnership.com> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Matthew Garrett <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · James Bottomley <James.Bottomley@HansenPartnership.com> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Matthew Garrett <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-15
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-15
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-15
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-15
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-16
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-12-04
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Alan Cox <hidden> · 2017-12-07
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-10
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-10
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-08
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-08

From: jlee@suse.com (joeyli)
Date: 2017-10-20 06:38:51
Also in: linux-efi, lkml

On Thu, Oct 19, 2017 at 03:51:09PM +0100, David Howells wrote:

From: Matthew Garrett <redacted>

kexec permits the loading and execution of arbitrary code in ring 0, which
is something that lock-down is meant to prevent. It makes sense to disable
kexec in this situation.

This does not affect kexec_file_load() which can check for a signature on the
image to be booted.

Signed-off-by: Matthew Garrett <redacted>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Dave Young <redacted>

I have reviewed and tested this patch. Please feel free to add:

Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>

Thanks a lot!
Joey Lee

quoted hunk ↗ jump to hunk

cc: kexec at lists.infradead.org
---

 kernel/kexec.c |    7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/kernel/kexec.c b/kernel/kexec.c
index e62ec4dc6620..7dadfed9b676 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c

@@ -202,6 +202,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
 		return -EPERM;
 
 	/*
+	 * kexec can be used to circumvent module loading restrictions, so
+	 * prevent loading in that case
+	 */
+	if (kernel_is_locked_down("kexec of unsigned images"))
+		return -EPERM;
+
+	/*
 	 * Verify we have a legal set of flags
 	 * This leaves us room for future extensions.
 	 */

--

To unsubscribe from this list: send the line "unsubscribe linux-efi" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help