From patchwork Thu Jun 18 23:14:58 2020
From: Seth Forshee
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 1/4][E] efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN
Date: Thu, 18 Jun 2020 18:14:58 -0500
Message-Id: <20200618231501.630852-2-seth.forshee@canonical.com>
In-Reply-To: <20200618231501.630852-1-seth.forshee@canonical.com>
References: <20200618231501.630852-1-seth.forshee@canonical.com>
X-Patchwork-Id: 1312503
List-Id: Kernel team discussions
From: Javier Martinez Canillas

BugLink: https://bugs.launchpad.net/bugs/1884159

The driver exposes EFI runtime services to user-space through an IOCTL interface, calling the EFI services function pointers directly without using the efivar API.

Disallow access to the /dev/efi_test character device when the kernel is locked down to prevent arbitrary user-space from calling EFI runtime services.

Also require CAP_SYS_ADMIN to open the chardev to prevent unprivileged users from calling the EFI runtime services, instead of just relying on the chardev file mode bits for this.

The main user of this driver is the fwts [0] tool that already checks if the effective user ID is 0 and fails otherwise. So this change shouldn't cause any regression to this tool.

[0]: https://wiki.ubuntu.com/FirmwareTestSuite/Reference/uefivarinfo

Signed-off-by: Javier Martinez Canillas
Signed-off-by: Ard Biesheuvel
Acked-by: Laszlo Ersek
Acked-by: Matthew Garrett
Cc: Linus Torvalds
Cc: Peter Zijlstra
Cc: Thomas Gleixner
Cc: linux-efi@vger.kernel.org
Link: https://lkml.kernel.org/r/20191029173755.27149-7-ardb@kernel.org
Signed-off-by: Ingo Molnar
(backported from commit 359efcc2c910117d2faf704ce154e91fc976d37f)
Signed-off-by: Seth Forshee
---
 drivers/firmware/efi/test/efi_test.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/firmware/efi/test/efi_test.c b/drivers/firmware/efi/test/efi_test.c
index 877745c3aaf2..2dc726e00a65 100644
--- a/drivers/firmware/efi/test/efi_test.c
+++ b/drivers/firmware/efi/test/efi_test.c
@@ -717,6 +717,13 @@ static long efi_test_ioctl(struct file *file, unsigned int cmd, static int efi_test_open(struct inode *inode, struct file *file) { + bool locked_down = kernel_is_locked_down("/dev/efi_test access"); + + if (locked_down) + return -EPERM; + + if (!capable(CAP_SYS_ADMIN)) + return -EACCES; /* * nothing special to do here * We do accept multiple open files at the same time as we
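Review bot: in efi_test_open() the lockdown query runs before the capable(CAP_SYS_ADMIN) test, so on a locked-down kernel an unprivileged opener reaches kernel_is_locked_down("/dev/efi_test access") (and whatever that call logs) and gets -EPERM before its privilege is ever checked. Putting `if (!capable(CAP_SYS_ADMIN)) return -EACCES;` first keeps the privilege gate in front of the policy gate, so unprivileged callers are rejected identically on locked and unlocked kernels and only CAP_SYS_ADMIN callers ever trigger the lockdown path. The `locked_down` temporary is also unnecessary; `if (kernel_is_locked_down("/dev/efi_test access")) return -EPERM;` reads the same.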

From: Seth Forshee
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 2/4][E] efi: Restrict efivar_ssdt_load when the kernel is locked down
Date: Thu, 18 Jun 2020 18:14:59 -0500
Message-Id: <20200618231501.630852-3-seth.forshee@canonical.com>
In-Reply-To: <20200618231501.630852-1-seth.forshee@canonical.com>
References: <20200618231501.630852-1-seth.forshee@canonical.com>
X-Patchwork-Id: 1312504

From: Matthew Garrett

BugLink: https://bugs.launchpad.net/bugs/1884159

efivar_ssdt_load allows the kernel to import arbitrary ACPI code from an EFI variable, which gives arbitrary code execution in ring 0. Prevent that when the kernel is locked down.

Signed-off-by: Matthew Garrett
Acked-by: Ard Biesheuvel
Reviewed-by: Kees Cook
Cc: Ard Biesheuvel
Cc: linux-efi@vger.kernel.org
Signed-off-by: James Morris
(backported from commit 1957a85b0032a81e6482ca4aab883643b8dae06e)
Reported-by: Jason A. Donenfeld
Signed-off-by: Seth Forshee
---
 drivers/firmware/efi/efi.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
index 1f03cf568bd2..446188f50f8f 100644
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -243,6 +243,11 @@ static void generic_ops_unregister(void) static char efivar_ssdt[EFIVAR_SSDT_NAME_MAX] __initdata; static int __init efivar_ssdt_setup(char *str) { + bool locked_down = kernel_is_locked_down("modifying ACPI tables"); + + if (locked_down) + return -EPERM; + if (strlen(str) < sizeof(efivar_ssdt)) memcpy(efivar_ssdt, str, strlen(str)); else
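Review bot: the check sits in the boot-parameter handler efivar_ssdt_setup(), not in efivar_ssdt_load() which the subject line names, so it only works if kernel_is_locked_down() already reflects the final lockdown state when the `efivar_ssdt=` option is parsed; if lockdown is switched on later in boot, the variable name has already been recorded in efivar_ssdt[] and the table is still loaded. Please confirm that ordering on this kernel, or repeat the check where the table is actually installed so it does not depend on it. Also, this is an __init option handler, and if it is registered with __setup() its return value is not delivered to anyone as an errno: returning -EPERM just marks the option as consumed, so a pr_warn() that `efivar_ssdt=` was ignored because of lockdown would save an admin from wondering why the table never appeared.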

From: Seth Forshee
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 3/4][E] powerpc/xmon: Restrict when kernel is locked down
Date: Thu, 18 Jun 2020 18:15:00 -0500
Message-Id: <20200618231501.630852-4-seth.forshee@canonical.com>
In-Reply-To: <20200618231501.630852-1-seth.forshee@canonical.com>
References: <20200618231501.630852-1-seth.forshee@canonical.com>
X-Patchwork-Id: 1312505

From: "Christopher M. Riedl"

BugLink: https://bugs.launchpad.net/bugs/1884159

Xmon should be either fully or partially disabled depending on the kernel lockdown state. Put xmon into read-only mode for lockdown=integrity and prevent user entry into xmon when lockdown=confidentiality.

Xmon checks the lockdown state on every attempted entry:
(1) during early xmon'ing
(2) when triggered via sysrq
(3) when toggled via debugfs
(4) when triggered via a previously enabled breakpoint

The following lockdown state transitions are handled:
(1) lockdown=none -> lockdown=integrity
    set xmon read-only mode
(2) lockdown=none -> lockdown=confidentiality
    clear all breakpoints, set xmon read-only mode, prevent user re-entry into xmon
(3) lockdown=integrity -> lockdown=confidentiality
    clear all breakpoints, set xmon read-only mode, prevent user re-entry into xmon

Suggested-by: Andrew Donnellan
Signed-off-by: Christopher M. Riedl
Signed-off-by: Michael Ellerman
Link: https://lore.kernel.org/r/20190907061124.1947-3-cmr@informatik.wtf
(backported from commit 69393cb03ccdf29f3b452d3482ef918469d1c098)
Signed-off-by: Seth Forshee
---
 arch/powerpc/xmon/xmon.c | 90 ++++++++++++++++++++++++++++++----------
 1 file changed, 69 insertions(+), 21 deletions(-)
diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c index febe248c3c66..99ff92e51a94 100644 --- a/arch/powerpc/xmon/xmon.c +++ b/arch/powerpc/xmon/xmon.c @@ -187,6 +187,8 @@ static void dump_tlb_44x(void); static void dump_tlb_book3e(void); #endif +static void clear_all_bpt(void); + #ifdef CONFIG_PPC64 #define REG "%.16lx" #else @@ -283,10 +285,26 @@ Commands:\n\ " U show uptime information\n" " ? help\n" " # n limit output to n lines per page (for dp, dpa, dl)\n" -" zr reboot\n\ - zh halt\n" +" zr reboot\n" +" zh halt\n" ; +static bool xmon_is_locked_down(void) +{ + /* + * Upstream has an integrity level of lockdown and a confidentiality + * level, and xmon_is_locked_down() checks both to determine what + * level of xmon restriction to enforce. For the Ubuntu backport we + * don't have this dual-level approach, and we only need to enforce + * the integrity level. This makes xmon read-only but returns 'false' + * from xmon_is_locked_down(). + */ + if (!xmon_is_ro) + xmon_is_ro = kernel_is_locked_down("xmon write access"); + + return false; +} + static struct pt_regs *xmon_regs; static inline void sync(void) @@ -438,7 +456,10 @@ static bool wait_for_other_cpus(int ncpus) return false; } -#endif /* CONFIG_SMP */ +#else /* CONFIG_SMP */ +static inline void get_output_lock(void) {} +static inline void release_output_lock(void) {} +#endif static inline int unrecoverable_excp(struct pt_regs *regs) { @@ -455,6 +476,7 @@ static int xmon_core(struct pt_regs *regs, int fromipi) int cmd = 0; struct bpt *bp; long recurse_jmp[JMP_BUF_LEN]; + bool locked_down; unsigned long offset; unsigned long flags; #ifdef CONFIG_SMP @@ -465,6 +487,8 @@ static int xmon_core(struct pt_regs *regs, int fromipi) local_irq_save(flags); hard_irq_disable(); + locked_down = xmon_is_locked_down(); + if (!fromipi) { tracing_enabled = tracing_is_on(); tracing_off(); 
@@ -518,7 +542,8 @@ static int xmon_core(struct pt_regs *regs, int fromipi) if (!fromipi) { get_output_lock(); - excprint(regs); + if (!locked_down) + excprint(regs); if (bp) { printf("cpu 0x%x stopped at breakpoint 0x%tx (", cpu, BP_NUM(bp)); @@ -570,10 +595,14 @@ static int xmon_core(struct pt_regs *regs, int fromipi) } remove_bpts(); disable_surveillance(); - /* for breakpoint or single step, print the current instr. */ - if (bp || TRAP(regs) == 0xd00) - ppc_inst_dump(regs->nip, 1, 0); - printf("enter ? for help\n"); + + if (!locked_down) { + /* for breakpoint or single step, print curr insn */ + if (bp || TRAP(regs) == 0xd00) + ppc_inst_dump(regs->nip, 1, 0); + printf("enter ? for help\n"); + } + mb(); xmon_gate = 1; barrier(); @@ -597,8 +626,9 @@ static int xmon_core(struct pt_regs *regs, int fromipi) spin_cpu_relax(); touch_nmi_watchdog(); } else { - cmd = cmds(regs); - if (cmd != 0) { + if (!locked_down) + cmd = cmds(regs); + if (locked_down || cmd != 0) { /* exiting xmon */ insert_bpts(); xmon_gate = 0; @@ -635,13 +665,16 @@ static int xmon_core(struct pt_regs *regs, int fromipi) "can't continue\n"); remove_bpts(); disable_surveillance(); - /* for breakpoint or single step, print the current instr. */ - if (bp || TRAP(regs) == 0xd00) - ppc_inst_dump(regs->nip, 1, 0); - printf("enter ? for help\n"); + if (!locked_down) { + /* for breakpoint or single step, print current insn */ + if (bp || TRAP(regs) == 0xd00) + ppc_inst_dump(regs->nip, 1, 0); + printf("enter ? for help\n"); + } } - cmd = cmds(regs); + if (!locked_down) + cmd = cmds(regs); insert_bpts(); in_xmon = 0; @@ -670,7 +703,10 @@ static int xmon_core(struct pt_regs *regs, int fromipi) } } #endif - insert_cpu_bpts(); + if (locked_down) + clear_all_bpt(); + else + insert_cpu_bpts(); touch_nmi_watchdog(); local_irq_restore(flags); 
@@ -3747,6 +3783,11 @@ static void xmon_init(int enable) #ifdef CONFIG_MAGIC_SYSRQ static void sysrq_handle_xmon(int key) { + if (xmon_is_locked_down()) { + clear_all_bpt(); + xmon_init(0); + return; + } /* ensure xmon is enabled */ xmon_init(1); debugger(get_irq_regs()); @@ -3768,7 +3809,6 @@ static int __init setup_xmon_sysrq(void) device_initcall(setup_xmon_sysrq); #endif /* CONFIG_MAGIC_SYSRQ */ -#ifdef CONFIG_DEBUG_FS static void clear_all_bpt(void) { int i; @@ -3786,18 +3826,22 @@ static void clear_all_bpt(void) iabr = NULL; dabr.enabled = 0; } - - printf("xmon: All breakpoints cleared\n"); } +#ifdef CONFIG_DEBUG_FS static int xmon_dbgfs_set(void *data, u64 val) { xmon_on = !!val; xmon_init(xmon_on); /* make sure all breakpoints removed when disabling */ - if (!xmon_on) + if (!xmon_on) { clear_all_bpt(); + get_output_lock(); + printf("xmon: All breakpoints cleared\n"); + release_output_lock(); + } + return 0; } 
@@ -3823,7 +3867,11 @@ static int xmon_early __initdata; static int __init early_parse_xmon(char *p) { - if (!p || strncmp(p, "early", 5) == 0) { + if (xmon_is_locked_down()) { + xmon_init(0); + xmon_early = 0; + xmon_on = 0; + } else if (!p || strncmp(p, "early", 5) == 0) { /* just "xmon" is equivalent to "xmon=early" */ xmon_init(1); xmon_early = 1;
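Review bot: xmon_is_locked_down() unconditionally returns false, so every branch this backport adds on its result is unreachable: `locked_down` in xmon_core() is always false (the excprint() suppression, the `if (locked_down || cmd != 0)` exit and the `if (locked_down) clear_all_bpt();` path never fire), and the `if (xmon_is_locked_down())` bail-outs in sysrq_handle_xmon() and early_parse_xmon() never run. The only live effect of the whole series of call sites is the side effect `xmon_is_ro = kernel_is_locked_down("xmon write access");`. That is fine for the integrity-only semantics the comment in the function explains, but the commit message still describes the confidentiality transitions (clearing breakpoints, preventing re-entry) as handled, which this backport does not do. Either drop the dead branches so the diff is the 69/21-line read-only change it actually is, or add a backport note to the commit message saying that only read-only mode is enforced, so nobody later assumes sysrq or `xmon=early` are blocked on a locked-down kernel.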
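Review bot: in the `#ifdef CONFIG_SMP` hunk that adds the !SMP stubs, the closing `#endif /* CONFIG_SMP */` becomes a bare `#endif`; keep the `/* CONFIG_SMP */` tag on the `#endif` now that the block has an `#else` arm, since the stubs `static inline void get_output_lock(void) {}` / `release_output_lock(void) {}` exist only so the new `printf("xmon: All breakpoints cleared\n")` under the output lock in xmon_dbgfs_set() compiles on UP, and a reader tracing that should see which conditional they belong to.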

From: Seth Forshee
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 4/4][E] UBUNTU: SAUCE: acpi: disallow loading configfs acpi tables when locked down
Date: Thu, 18 Jun 2020 18:15:01 -0500
Message-Id: <20200618231501.630852-5-seth.forshee@canonical.com>
In-Reply-To: <20200618231501.630852-1-seth.forshee@canonical.com>
References: <20200618231501.630852-1-seth.forshee@canonical.com>
X-Patchwork-Id: 1312506

From: "Jason A. Donenfeld"

BugLink: https://bugs.launchpad.net/bugs/1884159

Like other vectors already patched, this one here allows the root user to load ACPI tables, which enables arbitrary physical address writes, which in turn makes it possible to disable lockdown. This patch prevents this by checking the lockdown status before allowing a new ACPI table to be installed. The link in the trailer shows a PoC of how this might be used.

Signed-off-by: Jason A. Donenfeld
Cc: stable@vger.kernel.org
Link: https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh
Link: https://lore.kernel.org/lkml/20200615104332.901519-1-Jason@zx2c4.com/
[ saf: Backport to older lockdown implementation ]
Signed-off-by: Seth Forshee
---
 drivers/acpi/acpi_configfs.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/acpi/acpi_configfs.c b/drivers/acpi/acpi_configfs.c
index 57d9d574d4dd..f57b3270cdf3 100644
--- a/drivers/acpi/acpi_configfs.c
+++ b/drivers/acpi/acpi_configfs.c
@@ -28,8 +28,12 @@ static ssize_t acpi_table_aml_write(struct config_item *cfg, { const struct acpi_table_header *header = data; struct acpi_table *table; + bool locked_down = kernel_is_locked_down("modifying ACPI tables"); int ret; + if (locked_down) + return -EPERM; + table = container_of(cfg, struct acpi_table, cfg); if (table->header) {
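Review bot: acpi_table_aml_write() is a configfs binary-attribute write callback, so please confirm with a test that the -EPERM returned here actually reaches the process writing the aml file; configfs collects binary writes and hands them to the callback later, and if the callback's result is not propagated the write appears to succeed and the only trace of the refusal is the log line from kernel_is_locked_down("modifying ACPI tables"). The placement itself is right: the check runs before container_of() and before the header is examined, so no partial table state is left behind. Minor: the `locked_down` temporary can be folded into the `if`, matching how `ret` is already declared but not pre-initialised in this function.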
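The user-visible effect of patch 1/4 can be checked from user space, and the `what` strings passed to kernel_is_locked_down() in patches 1/4, 2/4 and 3/4 can be picked out of the kernel log. The following probe is an added example written for this page; it is not code from the patch series, the Ubuntu kernel or fwts. It assumes the device node is /dev/efi_test and that kernel_is_locked_down() logs a line of the form `Lockdown: <what> is restricted; see man kernel_lockdown.7` (the log format is an assumption; the three `<what>` strings are the ones visible in the patches). The sample log lines in main() are constructed.

```c
/*
 * Added example for this page, not code from the patch series, the Ubuntu
 * kernel or fwts. Assumptions: the device node is /dev/efi_test, and the
 * lockdown log line has the form
 * "Lockdown: <what> is restricted; see man kernel_lockdown.7".
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum verdict {
	V_ALLOWED,      /* the call succeeded: nothing blocked it */
	V_LOCKDOWN,     /* EPERM: the kernel_is_locked_down() branch fired */
	V_NO_PRIVILEGE, /* EACCES: !capable(CAP_SYS_ADMIN), or plain mode bits */
	V_ABSENT,       /* no such device: driver not built or node missing */
	V_OTHER
};

/* Map a syscall result plus errno onto the branches visible in patch 1/4. */
enum verdict classify(int rc, int err)
{
	if (rc >= 0)
		return V_ALLOWED;
	switch (err) {
	case EPERM:
		return V_LOCKDOWN;
	case EACCES:
		return V_NO_PRIVILEGE;
	case ENOENT:
	case ENXIO:
	case ENODEV:
		return V_ABSENT;
	default:
		return V_OTHER;
	}
}

/*
 * Patch 1/4 makes efi_test_open() return -EPERM on a locked-down kernel
 * before the capability check, so root and non-root both see EPERM there.
 * On an unlocked kernel a non-root caller sees EACCES either from the VFS
 * mode bits or from the new capable() test; this probe cannot tell which.
 */
enum verdict probe_efi_test(const char *path)
{
	int fd = open(path, O_RDWR);
	int err = errno;

	if (fd >= 0)
		close(fd);
	return classify(fd, err);
}

/*
 * Extract <what> from a lockdown log line (assumed format). The strings the
 * patches pass are "/dev/efi_test access", "modifying ACPI tables" and
 * "xmon write access". Returns 1 and fills out[] on a match, else 0.
 */
int lockdown_reason(const char *line, char *out, size_t outsz)
{
	static const char prefix[] = "Lockdown: ";
	static const char suffix[] = " is restricted";
	const char *start = strstr(line, prefix);
	const char *end;
	size_t len;

	if (!start)
		return 0;
	start += sizeof(prefix) - 1;
	end = strstr(start, suffix);
	if (!end || end == start)
		return 0;
	len = (size_t)(end - start);
	if (len >= outsz)
		len = outsz - 1;
	memcpy(out, start, len);
	out[len] = '\0';
	return 1;
}

int main(void)
{
	/* Constructed sample log lines in the assumed format, not real dmesg. */
	static const char *const sample_log[] = {
		"[   12.345678] Lockdown: /dev/efi_test access is restricted; see man kernel_lockdown.7",
		"[   12.345700] systemd[1]: Reached target Basic System.",
		"[   40.000001] Lockdown: modifying ACPI tables is restricted; see man kernel_lockdown.7",
	};
	static const char *const names[] = {
		"allowed", "EPERM: blocked by lockdown",
		"EACCES: no CAP_SYS_ADMIN or mode bits", "absent", "other error",
	};
	char what[128];
	size_t i;

	printf("/dev/efi_test: %s\n", names[probe_efi_test("/dev/efi_test")]);
	for (i = 0; i < sizeof(sample_log) / sizeof(sample_log[0]); i++)
		if (lockdown_reason(sample_log[i], what, sizeof(what)))
			printf("kernel refused under lockdown: %s\n", what);
	return 0;
}
```

Run it as root on a locked-down kernel and it should report EPERM for /dev/efi_test; as root on an unlocked kernel, "allowed"; a non-root run on an unlocked kernel reports EACCES, which the probe cannot attribute to the new capable() test rather than to the node's mode bits. No errno-based check is given for the configfs ACPI path of patch 4/4, because that write goes through a configfs binary attribute whose callback result may not surface as an errno to the writer; the log-line classifier is the check to rely on there.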