From patchwork Fri Jun 19 12:48:28 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 1312886
From: Seth Forshee
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 1/6][B] efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN
Date: Fri, 19 Jun 2020 07:48:28 -0500
Message-Id: <20200619124833.633575-2-seth.forshee@canonical.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20200619124833.633575-1-seth.forshee@canonical.com>
References: <20200619124833.633575-1-seth.forshee@canonical.com>
List-Id: Kernel team discussions
Sender: "kernel-team"
From: Javier Martinez Canillas

BugLink: https://bugs.launchpad.net/bugs/1884159

The driver exposes EFI runtime services to user-space through an IOCTL
interface, calling the EFI services function pointers directly without
using the efivar API.

Disallow access to the /dev/efi_test character device when the kernel is
locked down to prevent arbitrary user-space from calling EFI runtime
services.

Also require CAP_SYS_ADMIN to open the chardev to prevent unprivileged
users from calling the EFI runtime services, instead of just relying on
the chardev file mode bits for this.

The main user of this driver is the fwts [0] tool that already checks if
the effective user ID is 0 and fails otherwise. So this change shouldn't
cause any regression to this tool.

[0]: https://wiki.ubuntu.com/FirmwareTestSuite/Reference/uefivarinfo

Signed-off-by: Javier Martinez Canillas
Signed-off-by: Ard Biesheuvel
Acked-by: Laszlo Ersek
Acked-by: Matthew Garrett
Cc: Linus Torvalds
Cc: Peter Zijlstra
Cc: Thomas Gleixner
Cc: linux-efi@vger.kernel.org
Link: https://lkml.kernel.org/r/20191029173755.27149-7-ardb@kernel.org
Signed-off-by: Ingo Molnar
(backported from commit 359efcc2c910117d2faf704ce154e91fc976d37f)
Signed-off-by: Seth Forshee
---
 drivers/firmware/efi/test/efi_test.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/firmware/efi/test/efi_test.c b/drivers/firmware/efi/test/efi_test.c index 41c48a1e8baa..cfc6ac5ed34e 100644 --- a/drivers/firmware/efi/test/efi_test.c +++ b/drivers/firmware/efi/test/efi_test.c
@@ -689,6 +689,13 @@ static long efi_test_ioctl(struct file *file, unsigned int cmd, static int efi_test_open(struct inode *inode, struct file *file) { + bool locked_down = kernel_is_locked_down("/dev/efi_test access"); + + if (locked_down) + return -EPERM; + + if (!capable(CAP_SYS_ADMIN)) + return -EACCES; /* * nothing special to do here * We do accept multiple open files at the same time as we
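Review bot: the new gate lives only in efi_test_open(); the ioctl path (efi_test_ioctl, visible in the hunk header) is unchanged, so a descriptor opened by a CAP_SYS_ADMIN process and then inherited by, or passed to, a less-privileged one keeps full access to the runtime-services ioctls. That matches how other privileged chardevs behave and is fine if intended, but the commit message should say the check is open-time only. Minor: the `locked_down` temporary adds nothing; `if (kernel_is_locked_down("/dev/efi_test access")) return -EPERM;` reads the same and mirrors the `capable()` test that follows it.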

From patchwork Fri Jun 19 12:48:29 2020
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 1312887
From: Seth Forshee
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 2/6][B] efi: Restrict efivar_ssdt_load when the kernel is locked down
Date: Fri, 19 Jun 2020 07:48:29 -0500
Message-Id: <20200619124833.633575-3-seth.forshee@canonical.com>
In-Reply-To: <20200619124833.633575-1-seth.forshee@canonical.com>
References: <20200619124833.633575-1-seth.forshee@canonical.com>

From: Matthew Garrett

BugLink: https://bugs.launchpad.net/bugs/1884159

efivar_ssdt_load allows the kernel to import arbitrary ACPI code from an
EFI variable, which gives arbitrary code execution in ring 0. Prevent
that when the kernel is locked down.

Signed-off-by: Matthew Garrett
Acked-by: Ard Biesheuvel
Reviewed-by: Kees Cook
Cc: Ard Biesheuvel
Cc: linux-efi@vger.kernel.org
Signed-off-by: James Morris
(backported from commit 1957a85b0032a81e6482ca4aab883643b8dae06e)
Signed-off-by: Seth Forshee
---
 drivers/firmware/efi/efi.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index 4b4dd5532725..ed4f03dbecfd 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c
@@ -228,6 +228,11 @@ static void generic_ops_unregister(void) static char efivar_ssdt[EFIVAR_SSDT_NAME_MAX] __initdata; static int __init efivar_ssdt_setup(char *str) { + bool locked_down = kernel_is_locked_down("modifying ACPI tables"); + + if (locked_down) + return -EPERM; + if (strlen(str) < sizeof(efivar_ssdt)) memcpy(efivar_ssdt, str, strlen(str)); else
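Review bot: the check is placed in efivar_ssdt_setup(), the command-line handler, rather than in efivar_ssdt_load(), which the commit message names; it therefore only refuses to record the variable name when the kernel is already locked down at early-parameter parsing time, and a lockdown engaged later would still let a previously recorded SSDT load. If lockdown is always established before this handler runs on Ubuntu kernels, say so in the commit message; otherwise repeat the test in efivar_ssdt_load(). Also, if this is the `__setup` handler its name suggests, the return value is a handled/not-handled flag rather than an errno, so `return -EPERM;` only works because any non-zero value counts as handled; a one-line comment would make that explicit.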

From patchwork Fri Jun 19 12:48:30 2020
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 1312888
From: Seth Forshee
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 3/6][B] powerpc/xmon: add read-only mode
Date: Fri, 19 Jun 2020 07:48:30 -0500
Message-Id: <20200619124833.633575-4-seth.forshee@canonical.com>
In-Reply-To: <20200619124833.633575-1-seth.forshee@canonical.com>
References: <20200619124833.633575-1-seth.forshee@canonical.com>

From: "Christopher M. Riedl"

BugLink: https://bugs.launchpad.net/bugs/1884159

Operations which write to memory and special purpose registers should be
restricted on systems with integrity guarantees (such as Secure Boot)
and, optionally, to avoid self-destructive behaviors.

Add a config option, XMON_DEFAULT_RO_MODE, to set default xmon behavior.
The kernel cmdline options xmon=ro and xmon=rw override this default.

The following xmon operations are affected:
    memops:
        disable memmove
        disable memset
        disable memzcan
    memex:
        no-op'd mwrite
    super_regs:
        no-op'd write_spr
    bpt_cmds:
        disable
    proc_call:
        disable

Signed-off-by: Christopher M. Riedl
Reviewed-by: Oliver O'Halloran
Reviewed-by: Andrew Donnellan
Signed-off-by: Michael Ellerman
(cherry picked from commit 0acb5f64560a052fd66ab37b212a72964847160f)
Signed-off-by: Seth Forshee
---
 arch/powerpc/Kconfig.debug |  8 ++++++++
 arch/powerpc/xmon/xmon.c   | 42 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+)

diff --git a/arch/powerpc/Kconfig.debug b/arch/powerpc/Kconfig.debug index 657c33cd4eee..e1c4e50e2c0b 100644 --- a/arch/powerpc/Kconfig.debug +++ b/arch/powerpc/Kconfig.debug
@@ -122,6 +122,14 @@ config XMON_DISASSEMBLY to say Y here, unless you're building for a memory-constrained system. +config XMON_DEFAULT_RO_MODE + bool "Restrict xmon to read-only operations by default" + depends on XMON + default y + help + Operate xmon in read-only mode. The cmdline options 'xmon=rw' and + 'xmon=ro' override this default. + config DEBUGGER bool depends on KGDB || XMON diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c index 7e6ddedb6694..6d93367d600b 100644 --- a/arch/powerpc/xmon/xmon.c +++ b/arch/powerpc/xmon/xmon.c @@ -84,6 +84,7 @@ static int set_indicator_token = RTAS_UNKNOWN_SERVICE; #endif static unsigned long in_xmon __read_mostly = 0; static int xmon_on = IS_ENABLED(CONFIG_XMON_DEFAULT); +static bool xmon_is_ro = IS_ENABLED(CONFIG_XMON_DEFAULT_RO_MODE); static unsigned long adrs; static int size = 1; @@ -206,6 +207,8 @@ static void dump_tlb_book3e(void); #define GETWORD(v) (((v)[0] << 24) + ((v)[1] << 16) + ((v)[2] << 8) + (v)[3]) #endif +static const char *xmon_ro_msg = "Operation disabled: xmon in read-only mode\n"; + static char *help_string = "\ Commands:\n\ b show breakpoints\n\ @@ -984,6 +987,10 @@ cmds(struct pt_regs *excp) memlocate(); break; case 'z': + if (xmon_is_ro) { + printf(xmon_ro_msg); + break; + } memzcan(); break; case 'i': @@ -1037,6 +1044,10 @@ cmds(struct pt_regs *excp) set_lpp_cmd(); break; case 'b': + if (xmon_is_ro) { + printf(xmon_ro_msg); + break; + } bpt_cmds(); break; case 'C': @@ -1050,6 +1061,10 @@ cmds(struct pt_regs *excp) bootcmds(); break; case 'p': + if (xmon_is_ro) { + printf(xmon_ro_msg); + break; + } proccall(); break; case 'P': @@ -1758,6 +1773,11 @@ read_spr(int n, unsigned long *vp) static void write_spr(int n, unsigned long val) { + if (xmon_is_ro) { + printf(xmon_ro_msg); + return; + } + if (setjmp(bus_error_jmp) == 0) { catch_spr_faults = 1; sync(); 
@@ -1996,6 +2016,12 @@ mwrite(unsigned long adrs, void *buf, int size) char *p, *q; n = 0; + + if (xmon_is_ro) { + printf(xmon_ro_msg); + return n; + } + if (setjmp(bus_error_jmp) == 0) { catch_memory_errors = 1; sync(); @@ -2843,9 +2869,17 @@ memops(int cmd) scanhex((void *)&mcount); switch( cmd ){ case 'm': + if (xmon_is_ro) { + printf(xmon_ro_msg); + break; + } memmove((void *)mdest, (void *)msrc, mcount); break; case 's': + if (xmon_is_ro) { + printf(xmon_ro_msg); + break; + } memset((void *)mdest, mval, mcount); break; case 'd': 
@@ -3701,6 +3735,14 @@ static int __init early_parse_xmon(char *p) } else if (strncmp(p, "on", 2) == 0) { xmon_init(1); xmon_on = 1; + } else if (strncmp(p, "rw", 2) == 0) { + xmon_init(1); + xmon_on = 1; + xmon_is_ro = false; + } else if (strncmp(p, "ro", 2) == 0) { + xmon_init(1); + xmon_on = 1; + xmon_is_ro = true; } else if (strncmp(p, "off", 3) == 0) xmon_on = 0; else
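Review bot: in the cmds() hunk the read-only check in `case 'b':` skips bpt_cmds() entirely, yet the help string touched in the same file lists `b` as "show breakpoints", so read-only mode also loses the harmless listing, not just the set/clear subcommands. Either move the `xmon_is_ro` test inside bpt_cmds() around the mutating paths only, or update the help text and the commit message line "bpt_cmds: disable" to say that listing is disabled as well.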
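Review bot: each new `printf(xmon_ro_msg);` passes a non-literal string as the format argument. xmon_ro_msg contains no conversion specifiers today, but the pattern trips -Wformat-security and will misbehave if the message is ever edited to contain a `%`; `printf("%s", xmon_ro_msg)` costs nothing. With the same three-line check repeated in cmds(), write_spr(), mwrite() and memops(), a small helper that prints the message and returns the flag would also remove the duplication.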

From patchwork Fri Jun 19 12:48:31 2020
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 1312891
From: Seth Forshee
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 4/6][B] powerpc/xmon: Restrict when kernel is locked down
Date: Fri, 19 Jun 2020 07:48:31 -0500
Message-Id: <20200619124833.633575-5-seth.forshee@canonical.com>
In-Reply-To: <20200619124833.633575-1-seth.forshee@canonical.com>
References: <20200619124833.633575-1-seth.forshee@canonical.com>

From: "Christopher M. Riedl"

BugLink: https://bugs.launchpad.net/bugs/1884159

Xmon should be either fully or partially disabled depending on the
kernel lockdown state.

Put xmon into read-only mode for lockdown=integrity and prevent user
entry into xmon when lockdown=confidentiality. Xmon checks the lockdown
state on every attempted entry:
    (1) during early xmon'ing
    (2) when triggered via sysrq
    (3) when toggled via debugfs
    (4) when triggered via a previously enabled breakpoint

The following lockdown state transitions are handled:
    (1) lockdown=none -> lockdown=integrity
        set xmon read-only mode
    (2) lockdown=none -> lockdown=confidentiality
        clear all breakpoints, set xmon read-only mode,
        prevent user re-entry into xmon
    (3) lockdown=integrity -> lockdown=confidentiality
        clear all breakpoints, set xmon read-only mode,
        prevent user re-entry into xmon

Suggested-by: Andrew Donnellan
Signed-off-by: Christopher M. Riedl
Signed-off-by: Michael Ellerman
Link: https://lore.kernel.org/r/20190907061124.1947-3-cmr@informatik.wtf
(backported from commit 69393cb03ccdf29f3b452d3482ef918469d1c098)
Signed-off-by: Seth Forshee
---
 arch/powerpc/xmon/xmon.c | 106 ++++++++++++++++++++++++++++++++-------
 1 file changed, 89 insertions(+), 17 deletions(-)

diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c index 6d93367d600b..db036bf7045a 100644 --- a/arch/powerpc/xmon/xmon.c +++ b/arch/powerpc/xmon/xmon.c @@ -195,6 +195,8 @@ static void dump_tlb_44x(void); static void dump_tlb_book3e(void); #endif +static void clear_all_bpt(void); + #ifdef CONFIG_PPC64 #define REG "%.16lx" #else @@ -290,10 +292,26 @@ Commands:\n\ " U show uptime information\n" " ? help\n" " # n limit output to n lines per page (for dp, dpa, dl)\n" -" zr reboot\n\ - zh halt\n" +" zr reboot\n" +" zh halt\n" ; +static bool xmon_is_locked_down(void) +{ + /* + * Upstream has an integrity level of lockdown and a confidentiality + * level, and xmon_is_locked_down() checks both to determine what + * level of xmon restriction to enforce. For the Ubuntu backport we + * don't have this dual-level approach, and we only need to enforce + * the integrity level. This makes xmon read-only but returns 'false' + * from xmon_is_locked_down(). + */ + if (!xmon_is_ro) + xmon_is_ro = kernel_is_locked_down("xmon write access"); + + return false; +} + static struct pt_regs *xmon_regs; static inline void sync(void) @@ -445,7 +463,10 @@ static bool wait_for_other_cpus(int ncpus) return false; } -#endif /* CONFIG_SMP */ +#else /* CONFIG_SMP */ +static inline void get_output_lock(void) {} +static inline void release_output_lock(void) {} +#endif static inline int unrecoverable_excp(struct pt_regs *regs) { @@ -462,6 +483,7 @@ static int xmon_core(struct pt_regs *regs, int fromipi) int cmd = 0; struct bpt *bp; long recurse_jmp[JMP_BUF_LEN]; + bool locked_down; unsigned long offset; unsigned long flags; #ifdef CONFIG_SMP @@ -472,6 +494,8 @@ static int xmon_core(struct pt_regs *regs, int fromipi) local_irq_save(flags); hard_irq_disable(); + locked_down = xmon_is_locked_down(); + if (!fromipi) { tracing_enabled = tracing_is_on(); tracing_off(); 
@@ -525,7 +549,8 @@ static int xmon_core(struct pt_regs *regs, int fromipi) if (!fromipi) { get_output_lock(); - excprint(regs); + if (!locked_down) + excprint(regs); if (bp) { printf("cpu 0x%x stopped at breakpoint 0x%lx (", cpu, BP_NUM(bp)); @@ -577,10 +602,14 @@ static int xmon_core(struct pt_regs *regs, int fromipi) } remove_bpts(); disable_surveillance(); - /* for breakpoint or single step, print the current instr. */ - if (bp || TRAP(regs) == 0xd00) - ppc_inst_dump(regs->nip, 1, 0); - printf("enter ? for help\n"); + + if (!locked_down) { + /* for breakpoint or single step, print curr insn */ + if (bp || TRAP(regs) == 0xd00) + ppc_inst_dump(regs->nip, 1, 0); + printf("enter ? for help\n"); + } + mb(); xmon_gate = 1; barrier(); @@ -604,8 +633,9 @@ static int xmon_core(struct pt_regs *regs, int fromipi) spin_cpu_relax(); touch_nmi_watchdog(); } else { - cmd = cmds(regs); - if (cmd != 0) { + if (!locked_down) + cmd = cmds(regs); + if (locked_down || cmd != 0) { /* exiting xmon */ insert_bpts(); xmon_gate = 0; @@ -642,13 +672,16 @@ static int xmon_core(struct pt_regs *regs, int fromipi) "can't continue\n"); remove_bpts(); disable_surveillance(); - /* for breakpoint or single step, print the current instr. */ - if (bp || TRAP(regs) == 0xd00) - ppc_inst_dump(regs->nip, 1, 0); - printf("enter ? for help\n"); + if (!locked_down) { + /* for breakpoint or single step, print current insn */ + if (bp || TRAP(regs) == 0xd00) + ppc_inst_dump(regs->nip, 1, 0); + printf("enter ? for help\n"); + } } - cmd = cmds(regs); + if (!locked_down) + cmd = cmds(regs); insert_bpts(); in_xmon = 0; @@ -677,7 +710,10 @@ static int xmon_core(struct pt_regs *regs, int fromipi) } } #endif - insert_cpu_bpts(); + if (locked_down) + clear_all_bpt(); + else + insert_cpu_bpts(); touch_nmi_watchdog(); local_irq_restore(flags); 
@@ -3675,6 +3711,11 @@ static void xmon_init(int enable) #ifdef CONFIG_MAGIC_SYSRQ static void sysrq_handle_xmon(int key) { + if (xmon_is_locked_down()) { + clear_all_bpt(); + xmon_init(0); + return; + } /* ensure xmon is enabled */ xmon_init(1); debugger(get_irq_regs()); @@ -3696,12 +3737,39 @@ static int __init setup_xmon_sysrq(void) device_initcall(setup_xmon_sysrq); #endif /* CONFIG_MAGIC_SYSRQ */ +static void clear_all_bpt(void) +{ + int i; + + /* clear/unpatch all breakpoints */ + remove_bpts(); + remove_cpu_bpts(); + + /* Disable all breakpoints */ + for (i = 0; i < NBPTS; ++i) + bpts[i].enabled = 0; + + /* Clear any data or iabr breakpoints */ + if (iabr || dabr.enabled) { + iabr = NULL; + dabr.enabled = 0; + } +} + #ifdef CONFIG_DEBUG_FS static int xmon_dbgfs_set(void *data, u64 val) { xmon_on = !!val; xmon_init(xmon_on); + /* make sure all breakpoints removed when disabling */ + if (!xmon_on) { + clear_all_bpt(); + get_output_lock(); + printf("xmon: All breakpoints cleared\n"); + release_output_lock(); + } + return 0; } 
@@ -3727,7 +3795,11 @@ static int xmon_early __initdata; static int __init early_parse_xmon(char *p) { - if (!p || strncmp(p, "early", 5) == 0) { + if (xmon_is_locked_down()) { + xmon_init(0); + xmon_early = 0; + xmon_on = 0; + } else if (!p || strncmp(p, "early", 5) == 0) { /* just "xmon" is equivalent to "xmon=early" */ xmon_init(1); xmon_early = 1;
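Review bot: by its own comment, xmon_is_locked_down() in this backport always returns false and only sets xmon_is_ro as a side effect, so every branch keyed on it is unreachable here: the `locked_down` paths in xmon_core() (suppressing excprint()/ppc_inst_dump(), skipping cmds(), calling clear_all_bpt() on exit), the early return in sysrq_handle_xmon(), and the new first branch in early_parse_xmon(). Carrying that code to stay close to upstream is defensible, but the commit message still describes the confidentiality behaviour (prevent user entry, clear all breakpoints) and should state that only the read-only (integrity) restriction is delivered by this backport. A predicate that mutates state is also a trap for later readers; renaming it (for example to a `xmon_enforce_lockdown()` that updates xmon_is_ro) or splitting the side effect out would make the `is_` name honest again.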
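Review bot: in early_parse_xmon() the xmon_is_locked_down() call runs before the option is parsed, so a later `xmon=rw` branch clears the xmon_is_ro it has just set. Lockdown still wins, because xmon_core() calls xmon_is_locked_down() again on every entry and re-sets the flag, but nothing in the code or in the XMON_DEFAULT_RO_MODE help text (which says the cmdline options override the default) tells the reader that `xmon=rw` is overridden by lockdown; a sentence in the help text or the commit message would save the next person the trace.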

From patchwork Fri Jun 19 12:48:32 2020
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 1312889
From: Seth Forshee
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 5/6][B] UBUNTU: [Config] CONFIG_XMON_DEFAULT_RO_MODE=y
Date: Fri, 19 Jun 2020 07:48:32 -0500
Message-Id: <20200619124833.633575-6-seth.forshee@canonical.com>
In-Reply-To: <20200619124833.633575-1-seth.forshee@canonical.com>
References: <20200619124833.633575-1-seth.forshee@canonical.com>

BugLink: https://bugs.launchpad.net/bugs/1884159

Signed-off-by: Seth Forshee
---
 debian.master/config/config.common.ubuntu | 1 +
 1 file changed, 1 insertion(+)

diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu index 4d302e768218..f7e71ddfa9fd 100644 --- a/debian.master/config/config.common.ubuntu +++ b/debian.master/config/config.common.ubuntu
@@ -10513,6 +10513,7 @@ CONFIG_XILLYBUS_OF=m CONFIG_XILLYBUS_PCIE=m CONFIG_XMON=y # CONFIG_XMON_DEFAULT is not set +CONFIG_XMON_DEFAULT_RO_MODE=y CONFIG_XMON_DISASSEMBLY=y CONFIG_XOR_BLOCKS=m CONFIG_XPS=y

From patchwork Fri Jun 19 12:48:33 2020 X-Patchwork-Submitter: Seth Forshee X-Patchwork-Id: 1312890
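Review bot: the commit message for the CONFIG_XMON hunk in patch 5/6 carries only the BugLink and the sign-off, so a reader of the Bionic tree cannot tell why CONFIG_XMON_DEFAULT_RO_MODE=y belongs in a lockdown series; add a sentence saying that the read-only default keeps the xmon kernel debugger from being used to write kernel memory once it is entered. Note also the visible context line `# CONFIG_XMON_DEFAULT is not set`: xmon is built in (`CONFIG_XMON=y`) but not entered by default, so this option only selects the mode xmon starts in when an operator enables it, and a config default on its own does not stop that operator from switching the debugger back to read-write if the debugger offers such a switch. If the lockdown work needs xmon forced read-only whenever lockdown is active, that is a code change rather than a config default, and the message should say which of the two this patch intends.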
From: Seth Forshee
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 6/6][B] UBUNTU: SAUCE: acpi: disallow loading configfs acpi tables when locked down
Date: Fri, 19 Jun 2020 07:48:33 -0500
Message-Id: <20200619124833.633575-7-seth.forshee@canonical.com>
In-Reply-To: <20200619124833.633575-1-seth.forshee@canonical.com>
References: <20200619124833.633575-1-seth.forshee@canonical.com>
From: "Jason A. Donenfeld"

BugLink: https://bugs.launchpad.net/bugs/1884159

Like other vectors already patched, this one here allows the root user to load ACPI tables, which enables arbitrary physical address writes, which in turn makes it possible to disable lockdown. This patch prevents this by checking the lockdown status before allowing a new ACPI table to be installed. The link in the trailer shows a PoC of how this might be used.

Signed-off-by: Jason A. Donenfeld
Cc: stable@vger.kernel.org
Link: https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh
Link: https://lore.kernel.org/lkml/20200615104332.901519-1-Jason@zx2c4.com/
[ saf: Backport to older lockdown implementation ]
Signed-off-by: Seth Forshee
---
 drivers/acpi/acpi_configfs.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/acpi/acpi_configfs.c b/drivers/acpi/acpi_configfs.c
index b58850389094..74fd2b7fbab2 100644
--- a/drivers/acpi/acpi_configfs.c
+++ b/drivers/acpi/acpi_configfs.c
@@ -31,8 +31,12 @@ static ssize_t acpi_table_aml_write(struct config_item *cfg, { const struct acpi_table_header *header = data; struct acpi_table *table; + bool locked_down = kernel_is_locked_down("modifying ACPI tables"); int ret; + if (locked_down) + return -EPERM; + table = container_of(cfg, struct acpi_table, cfg); if (table->header) {
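Review bot: `locked_down` in the acpi_table_aml_write() hunk is a single-use local initialised at declaration, so the lockdown query already runs before anything else in the function and the variable adds nothing over a plain early return; `if (kernel_is_locked_down("modifying ACPI tables")) return -EPERM;` as the first statement of the body reads as the standard kernel early-return idiom and matches what the commit message describes. Two smaller points: the check is placed only in the write path, and the `table = container_of(cfg, struct acpi_table, cfg);` context line shows the configfs table item the write is addressed to already exists by the time the check runs, so under lockdown the refusal arrives only when the AML blob is written, which is enough to block the install but worth a sentence in the `[ saf: ... ]` note; and since that note says the hunk targets the older lockdown implementation, it should also say whether `kernel_is_locked_down()` in this tree returns a bool only or additionally reports the denial, so reviewers can judge whether a `-EPERM` with no further logging is the intended behaviour here.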