Received: by 10.213.65.68 with SMTP id h4csp913815imn; Wed, 4 Apr 2018 09:19:07 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/JWX/oz69Ja2dGjULPjcEYYRkWbziTveSe4WBIdOKEuZsgT+quw6o8XWevMn0hsASLCOPt X-Received: by 10.98.217.85 with SMTP id s82mr14354200pfg.208.1522858746965; Wed, 04 Apr 2018 09:19:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522858746; cv=none; d=google.com; s=arc-20160816; b=DNNlUwzXQH2x3GQlbbTPhjy5EPN+Zm1/tKkB2M4G10AafLQeB3d2GXr2N9RwABVzaS k1iJMcJzUtL+RCZUH28kNb7Bm01cM0b851N5O3P45CsuUu+nqla/u7bT3nprPEBnVcxZ id+Xx6W7Zn4/SGQKxguFLe8rjW2Dp9u/xnV9c2+UBo5h0KQ/wFROmQ2yS7yGIZ1fL7AB IMAozT8LA8IIOAL49lcNy5+twacqcz5cL4Qk8AGdRZQ003PXgs6yaQkiXXgDBPcyGlOP 884maV2ScrSbWnGO+oQ6afaKH2ifUB+BU//qQvyWBFdlWeVds96/F7ZWVyZb+7zF5SRP d3VQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:content-id:mime-version :subject:cc:to:references:in-reply-to:from:organization :arc-authentication-results; bh=32RkUj1Zt7456XJMKSRsWzdYDZQ1buFTn5AMcC8eKmQ=; b=gGLC2oIrDmWxEipWOsPio4CSJnp3TiQOl6oymSK+ejioYXkD6MxV0RrL14SUE057d+ se6AVoD+tdpws0m4E7DyXdGeppj2jtLFuJFuY75XmLQo0uM/bP+6ew/UPGR2tI4kKtRd QzntmP0jw5dKCihrbkgat7CkR6fMdWtFQpE5/7XKO07Jgwx8w+2nQXo1DxbN+Nh3C6wD g48Y8WmZsjRHD7almTT3sdu1eR5OxwSQuyBCcMaU3u8XSs/QYR/G9B/ZnFpYKn/gveE7 du/IqNOlnCncZjFYOABJ1gi7vQ1E+EjXZJsndpGO3DCaB87gaQL58wIB1umdzQNvjPxU cLGg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i3-v6si3370994pld.241.2018.04.04.09.18.52; Wed, 04 Apr 2018 09:19:06 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752070AbeDDQRa (ORCPT + 99 others); Wed, 4 Apr 2018 12:17:30 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:40830 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1751606AbeDDQR1 (ORCPT ); Wed, 4 Apr 2018 12:17:27 -0400 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 110018011462; Wed, 4 Apr 2018 16:17:27 +0000 (UTC) Received: from warthog.procyon.org.uk (ovpn-120-158.rdu2.redhat.com [10.10.120.158]) by smtp.corp.redhat.com (Postfix) with ESMTP id B00C82166BAE; Wed, 4 Apr 2018 16:17:24 +0000 (UTC) Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 From: David Howells In-Reply-To: References: To: Andy Lutomirski Cc: dhowells@redhat.com, Greg Kroah-Hartman , "Theodore Y. Ts'o" , Matthew Garrett , Linus Torvalds , Ard Biesheuvel , James Morris , Alan Cox , Linux Kernel Mailing List , Justin Forbes , linux-man , joeyli , LSM List , Linux API , Kees Cook , linux-efi Subject: Re: An actual suggestion (Re: [GIT PULL] Kernel lockdown for secure boot) MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <1118.1522858644.1@warthog.procyon.org.uk> Date: Wed, 04 Apr 2018 17:17:24 +0100 Message-ID: <1119.1522858644@warthog.procyon.org.uk> X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.8]); Wed, 04 Apr 2018 16:17:27 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.8]); Wed, 04 Apr 2018 16:17:27 +0000 (UTC) for IP:'10.11.54.6' DOMAIN:'int-mx06.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'dhowells@redhat.com' RCPT:'' Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Andy Lutomirski wrote: > Since this thread has devolved horribly, I'm going to propose a solution. > > 1. Split the "lockdown" state into three levels: (please don't > bikeshed about the names right now.) > > LOCKDOWN_NONE: normal behavior > > LOCKDOWN_PROTECT_INTEGREITY: kernel tries to keep root from writing to > kernel memory > > LOCKDOWN_PROTECT_INTEGRITY_AND_SECRECY: kernel tries to keep root from > reading or writing kernel memory. In theory, it's good idea, but in practice it's not as easy to implement as I think you think. Let me list here the things that currently get restricted by lockdown: (1) Manipulation of devices to access the kernel image: - Ioports & ioperm - /dev/ports - /dev/mem - PCI Bar - Some debugfs files - pcmcia_cis - Driver hardware parameters - ISA drivers - TIOCSSERIAL - SCSI EATA driver - testmmiotrace - firmware (2) Direct kernel memory modification: - /dev/mem - /dev/kmem - bpf - kprobes (3) Direct kernel memory reading: - /dev/mem - /dev/kmem - /dev/kcore - bpf - kprobes - perf (4) Indirect kernel access: - Modules - MSRs - Suspend to disk - ACPI (custom_method, RSDP, table override, error injection) (5) Kexec. Note that /dev/mem can be used to access MMIO devices (I'm not sure about /dev/kmem, though). Even reads through /dev/mem can do this. I'm not sure whether that's sufficient to actually affect a modification, though. Debugfs is particularly icky. It contains at least a couple of thousand files, a few of which provide direct access to hardware, some of which change driver behaviour and some of which just give information. Auditing that pile isn't something I really want to have to do. I'd rather just turn the whole lot off, but got persuaded otherwise by people who have been using it to provide mechanisms that programs rely on - hence the only allow files that have 0444 (and even that is iffy as some of these files have side effects and write ops anyway). > 2. The kexec protocol gets a new flag min_lockdown_level. A kexeced > kernel will boot with at least that lockdown level regardless of its > configuration. kexec sets min_lockdown_level to the running kernels' > lockdown_level. Some future API could allow kexec with a higher > min_lockdown_level. An even fancier future API could allow a > LOCKDOWN_PROTECT_INTEGRITY_AND_SECRECY kernel to kexec with > min_lockdown_level == LOCKDOWN_PROTECT_INTEGRITY if there's some > mechanism that guarantees that memory gets zeroed in the process. Note that on x86 we already have an allocated flag for passing the secure boot flag from kexec/bootloader to the kernel being booted, and what you're proposing ought to be redundant. See boot_params::secure_boot. > 3. All the bpf and tracing stuf, etc, gets changed so it only takes > effect when LOCKDOWN_PROTECT_INTEGRITY_AND_SECRECY is set. Uh, no. bpf, for example, can be used to modify kernel memory. I think only the following are safe from being able to talk directly to devices: /dev/kmem (O_RDONLY only) /dev/kcore perf some debugfs files > This removes a giant annoyance on distro kernels that are likely to want to > enable LOCKDOWN_PROTECT_INTEGRITY. *shrug* Distros have been running with the full set for a while. I haven't seen many complaints. > If you load a key into the kernel, and you want to keep that key safe, you > can enable LOCKDOWN_PROTECT_INTEGRITY_AND_SECRECY at that time. After all, > if root is compromised before that, root can just remember a copu of the key > in user memory or email it to someone. If your key needs to be truly protected, it should never be seen unencrypted in userspace, rather it should be decrypted in the TPM and then retained in kernel memory only. > ... > 6. There's a way to *decrease* the lockdown level below the configured > value. (This ability itself may be gated by a config option.) > Choices include a UEFI protected variable, By turning secure boot off, maybe? > an authenticated flag passed by the bootloader, Authenticated how? How do you stop the running system from passing this to the bootloader next time it is run? I guess you're thinking of a bootloader "command" that can only be passed by someone sat at a keyboard and never read from the config file. > and even just some special flag in the boot handoff protocol. We already have that with secure boot. > It would be really quite useful for a user to be able to ask their > bootloader to reduce the lockdown level for the purpose of a particular boot > for debugging. This I shall grant you - but you have to be able to prevent an attacker inside the system from making use of it. There's a SysRq provided to drop out of lockdown mode - in theory only usable if you're sat at a wired keyboard connected to the computer. > 7. kexec does not attempt to think about "secure boot" at all. > They're totally separate. Except that they're not. The boot_params flag must be set to something by kexec on x86 for transfer along the chain. However, we can leave secure boot out for now - that can be treated as a separate issue. Note that whether you like it or not, distribution kernels already work this way and propagate the boot_params flag over kexec. > What do you all think? I think that this checks basically all the > boxes, is a lot more user friendly than the current patchset or what > distros do, and actually makes some sense from a security perspective. You haven't really defined well what's allowed in _INTEGRITY mode verses _SECRECY mode. I'm currently in the throes of modifying my patchset to make it more inline with what Linus mandates: dropping the enablement from secure boot; dropping the propagation of the flag over kexec; providing a config option to make it mandatory. There is already a command line option to trigger it. David