Message ID | 20200116014808.15756-7-mpe@ellerman.id.au (mailing list archive) |
---|---|
State | Superseded |
Series | [1/9] powerpc/configs: Drop CONFIG_QLGE which moved to staging |
Context | Check | Description |
---|---|---|
snowpatch_ozlabs/apply_patch | success | Successfully applied on branch powerpc/merge (20862247a368dbb75d6e97d82345999adaacf3cc) |
snowpatch_ozlabs/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 23 lines checked |
snowpatch_ozlabs/needsstable | success | Patch has no Fixes tags |
Michael Ellerman <mpe@ellerman.id.au> writes:

> From: Joel Stanley <joel@jms.id.au>
>
> This turns on HARDENED_USERCOPY with HARDENED_USERCOPY_PAGESPAN, and
> FORTIFY_SOURCE.
>
> It also enables SECURITY_LOCKDOWN_LSM with _EARLY and
> LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY options enabled.
>

As I said before, this will disable xmon entirely. If we want to set
this, we should compile out xmon. But if we want xmon in read-only mode
to be an option, we should pick integrity mode.

I don't really mind, because I don't work with skiroot very
much. Oliver, Joel, Nayna, you all do stuff around this sort of level -
is this a problem for any of you?

Regards,
Daniel

> MODULE_SIG is selected by lockdown, so it is still enabled.
>
> Signed-off-by: Joel Stanley <joel@jms.id.au>
> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
> ---
>  arch/powerpc/configs/skiroot_defconfig | 11 ++++++++++-
>  1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/arch/powerpc/configs/skiroot_defconfig b/arch/powerpc/configs/skiroot_defconfig
> index 24a210fe0049..bd661a9a9410 100644
> --- a/arch/powerpc/configs/skiroot_defconfig
> +++ b/arch/powerpc/configs/skiroot_defconfig
> @@ -49,7 +49,6 @@ CONFIG_JUMP_LABEL=y
>  CONFIG_STRICT_KERNEL_RWX=y
>  CONFIG_MODULES=y
>  CONFIG_MODULE_UNLOAD=y
> -CONFIG_MODULE_SIG=y
>  CONFIG_MODULE_SIG_FORCE=y
>  CONFIG_MODULE_SIG_SHA512=y
>  CONFIG_PARTITION_ADVANCED=y
> @@ -272,6 +271,16 @@ CONFIG_NLS_ASCII=y
>  CONFIG_NLS_ISO8859_1=y
>  CONFIG_NLS_UTF8=y
>  CONFIG_ENCRYPTED_KEYS=y
> +CONFIG_SECURITY=y
> +CONFIG_HARDENED_USERCOPY=y
> +# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
> +CONFIG_HARDENED_USERCOPY_PAGESPAN=y
> +CONFIG_FORTIFY_SOURCE=y
> +CONFIG_SECURITY_LOCKDOWN_LSM=y
> +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
> +CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
> +# CONFIG_INTEGRITY is not set
> +CONFIG_LSM="yama,loadpin,safesetid,integrity"
>  # CONFIG_CRYPTO_HW is not set
>  CONFIG_CRC16=y
>  CONFIG_CRC_ITU_T=y
> --
> 2.21.1
On Thu, Jan 16, 2020 at 4:00 PM Daniel Axtens <dja@axtens.net> wrote:
>
> Michael Ellerman <mpe@ellerman.id.au> writes:
>
> > From: Joel Stanley <joel@jms.id.au>
> >
> > This turns on HARDENED_USERCOPY with HARDENED_USERCOPY_PAGESPAN, and
> > FORTIFY_SOURCE.
> >
> > It also enables SECURITY_LOCKDOWN_LSM with _EARLY and
> > LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY options enabled.
> >
>
> As I said before, this will disable xmon entirely. If we want to set
> this, we should compile out xmon. But if we want xmon in read-only mode
> to be an option, we should pick integrity mode.
>
> I don't really mind, because I don't work with skiroot very
> much. Oliver, Joel, Nayna, you all do stuff around this sort of level -
> is this a problem for any of you?

Keep it enabled and force INTEGRITY mode. There are some cases where
xmon is the only method for debugging a crashing skiroot (hello SMC
BMCs) so I'd rather it remained available. If there's some actual
security benefit to disabling it entirely then someone should
articulate that.

Oliver
On Thu, 16 Jan 2020 at 07:10, Oliver O'Halloran <oohall@gmail.com> wrote:
>
> On Thu, Jan 16, 2020 at 4:00 PM Daniel Axtens <dja@axtens.net> wrote:
> >
> > Michael Ellerman <mpe@ellerman.id.au> writes:
> >
> > > From: Joel Stanley <joel@jms.id.au>
> > >
> > > This turns on HARDENED_USERCOPY with HARDENED_USERCOPY_PAGESPAN, and
> > > FORTIFY_SOURCE.
> > >
> > > It also enables SECURITY_LOCKDOWN_LSM with _EARLY and
> > > LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY options enabled.
> > >
> >
> > As I said before, this will disable xmon entirely. If we want to set
> > this, we should compile out xmon. But if we want xmon in read-only mode
> > to be an option, we should pick integrity mode.
> >
> > I don't really mind, because I don't work with skiroot very
> > much. Oliver, Joel, Nayna, you all do stuff around this sort of level -
> > is this a problem for any of you?
>
> Keep it enabled and force INTEGRITY mode. There are some cases where
> xmon is the only method for debugging a crashing skiroot (hello SMC
> BMCs) so I'd rather it remained available. If there's some actual
> security benefit to disabling it entirely then someone should
> articulate that.

Ack.
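A build-side check for the two points the replies raise, written as an added example rather than anything from the patch or the thread: it lints a generated .config for the hardening options the series turns on, confirms that MODULE_SIG is still present now that the defconfig relies on lockdown selecting it, and flags the confidentiality-mode/xmon combination the thread objects to. CONFIG_XMON and CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY are existing powerpc and lockdown Kconfig symbols that do not appear on the page; the sample .config fragment is constructed.

```shell
#!/bin/sh
# Added example (not the patch's or the thread's code): lint a generated
# .config for the skiroot hardening options and the two review points
# (MODULE_SIG relying on lockdown's select; xmon unusable under
# FORCE_CONFIDENTIALITY, per the thread). CONFIG_XMON and
# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY are real symbols not on the page.

has_opt() { grep -qx "$2=y" "$1"; }   # has_opt FILE CONFIG_FOO

# check_hardening FILE: prints findings, returns the number of FAILs
check_hardening() {
    cfg=$1; fails=0
    for opt in CONFIG_HARDENED_USERCOPY CONFIG_HARDENED_USERCOPY_PAGESPAN \
               CONFIG_FORTIFY_SOURCE CONFIG_SECURITY_LOCKDOWN_LSM \
               CONFIG_SECURITY_LOCKDOWN_LSM_EARLY; do
        has_opt "$cfg" "$opt" || { echo "FAIL: $opt not enabled"; fails=$((fails+1)); }
    done
    # The defconfig dropped the explicit MODULE_SIG=y; the generated .config
    # must still carry it, or MODULE_SIG_FORCE enforces nothing.
    if has_opt "$cfg" CONFIG_MODULE_SIG_FORCE && ! has_opt "$cfg" CONFIG_MODULE_SIG; then
        echo "FAIL: MODULE_SIG_FORCE=y without MODULE_SIG=y"; fails=$((fails+1))
    fi
    # Lockdown mode: confidentiality leaves xmon unusable; integrity keeps
    # it available read-only, which is what the replies ask for.
    if has_opt "$cfg" CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY && has_opt "$cfg" CONFIG_XMON; then
        echo "WARN: FORCE_CONFIDENTIALITY with XMON=y: xmon will be unusable"
    elif ! has_opt "$cfg" CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY &&
         ! has_opt "$cfg" CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY; then
        echo "FAIL: no lockdown mode forced at build time"; fails=$((fails+1))
    fi
    return "$fails"
}

# Constructed sample .config fragment mirroring what the patch produces;
# MODULE_SIG is present because lockdown selects it when .config is generated.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
CONFIG_XMON=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_HARDENED_USERCOPY_PAGESPAN=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
EOF
check_hardening "$SAMPLE"; echo "failed checks: $?"
```

Run it against the real output of `make skiroot_defconfig` instead of the sample to see whether the WARN line fires on your tree.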
diff --git a/arch/powerpc/configs/skiroot_defconfig b/arch/powerpc/configs/skiroot_defconfig
index 24a210fe0049..bd661a9a9410 100644
--- a/arch/powerpc/configs/skiroot_defconfig
+++ b/arch/powerpc/configs/skiroot_defconfig
@@ -49,7 +49,6 @@ CONFIG_JUMP_LABEL=y
 CONFIG_STRICT_KERNEL_RWX=y
 CONFIG_MODULES=y
 CONFIG_MODULE_UNLOAD=y
-CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_PARTITION_ADVANCED=y
@@ -272,6 +271,16 @@ CONFIG_NLS_ASCII=y
 CONFIG_NLS_ISO8859_1=y
 CONFIG_NLS_UTF8=y
 CONFIG_ENCRYPTED_KEYS=y
+CONFIG_SECURITY=y
+CONFIG_HARDENED_USERCOPY=y
+# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
+CONFIG_HARDENED_USERCOPY_PAGESPAN=y
+CONFIG_FORTIFY_SOURCE=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
+# CONFIG_INTEGRITY is not set
+CONFIG_LSM="yama,loadpin,safesetid,integrity"
 # CONFIG_CRYPTO_HW is not set
 CONFIG_CRC16=y
 CONFIG_CRC_ITU_T=y
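Review bot: in the first hunk (@@ -49,7 +49,6 @@), removing the explicit CONFIG_MODULE_SIG=y while keeping CONFIG_MODULE_SIG_FORCE=y and CONFIG_MODULE_SIG_SHA512=y makes signature enforcement depend on SECURITY_LOCKDOWN_LSM selecting MODULE_SIG, as the commit message says. That is the normal savedefconfig result, but it means a later change that drops the lockdown LSM from this defconfig would silently turn MODULE_SIG_FORCE into a no-op, so whatever validates skiroot builds should assert that the generated .config still contains CONFIG_MODULE_SIG=y rather than trusting the select.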
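Review bot: in the second hunk (@@ -272,6 +271,16 @@), CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y is the line the replies object to, since it makes xmon unusable; the thread's consensus is to force integrity mode so xmon stays available read-only, which in Kconfig terms means replacing that line with CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y. Two smaller points: CONFIG_LSM="yama,loadpin,safesetid,integrity" names integrity while "# CONFIG_INTEGRITY is not set" two lines above disables it, which is harmless but inconsistent, and lockdown is absent from the CONFIG_LSM ordering, which only works because CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y registers it as an early LSM that is initialised independently of that string; if _EARLY were ever dropped, lockdown would need adding to CONFIG_LSM.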