From: Jann Horn
Date: Wed, 11 Apr 2018 18:44:54 +0200
Subject: Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image
To: David Howells
Cc: Linus Torvalds, linux-man, Linux API, James Morris, kernel list, linux-security-module
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Apr 11, 2018 at 6:24 PM, David Howells wrote:
> Provide a single call to allow kernel code to determine whether the system
> should be locked down, thereby disallowing various accesses that might
> allow the running kernel image to be changed, including:
>
>  - /dev/mem and similar
>  - Loading of unauthorised modules
>  - Fiddling with MSR registers
>  - Suspend to disk managed by the kernel
>  - Use of device DMA
>
> Two kernel configuration options are provided:
>
>  (*) CONFIG_LOCK_DOWN_KERNEL
>
>      This makes lockdown available and applies it to all the points that
>      need to be locked down if the mode is set. Lockdown mode can be
>      enabled by providing:
>
>          lockdown=1
>
>      on the command line.
>
>  (*) CONFIG_LOCK_DOWN_MANDATORY
>
>      This forces lockdown on at compile time, overriding the command line
>      option.
>
> init_lockdown() is used as a hook from which lockdown can be managed in
> future. It has to be called from arch setup code before things like ACPI
> are enabled.
>
> Note that, with the other changes in this series, if lockdown mode is
> enabled, the kernel will not be able to use certain drivers as the ability
> to manually configure hardware parameters would then be prohibited. This
> primarily applies to ISA hardware devices.
>
> Signed-off-by: David Howells
> ---
[...]
> diff --git a/security/lock_down.c b/security/lock_down.c
> new file mode 100644
> index 000000000000..f35ffdd096ad
> --- /dev/null
> +++ b/security/lock_down.c
[...]
> +/*
> + * Lock the kernel down from very early in the arch setup. This must happen
> + * prior to things like ACPI being initialised.
> + */

Pedantic nit: I think this comment is wrong now? This function actually just prints stuff.

> +void __init init_lockdown(void)
> +{
> +#ifdef CONFIG_LOCK_DOWN_MANDATORY
> + pr_notice("Kernel is locked down from config; see man kernel_lockdown.7\n");
> +#endif
> +}
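Review bot: the block comment above init_lockdown() says the function locks the kernel down and must run before ACPI is initialised, but the visible body performs no lockdown at all; it only emits a pr_notice() under CONFIG_LOCK_DOWN_MANDATORY. Rewrite the comment to describe what the hook actually does (announce the compile-time lockdown state and act as the future management hook the commit message mentions), or the "must happen prior to ACPI" ordering constraint reads as a promise the code does not keep. A second point on the same hunk: the notice covers only the compile-time case, while the lockdown=1 command-line path described in the commit message produces no corresponding message here, so an operator reading the boot log cannot tell from this hook whether lockdown is in effect when it was enabled at boot rather than in Kconfig; if this hook is meant to be the single place where the lockdown state is reported, it should cover both paths.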
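The commit message above describes two ways lockdown is switched on (CONFIG_LOCK_DOWN_KERNEL plus `lockdown=1` on the command line, or CONFIG_LOCK_DOWN_MANDATORY, which overrides the command line) and a single query that protected access points such as /dev/mem consult. The following is an added user-space C model of that precedence and of one such gate; it is not the kernel's code and not part of this patch, and the names `cmdline_requests_lockdown`, `lockdown_resolve` and `try_privileged_access` are hypothetical. Compile with `-DCONFIG_LOCK_DOWN_MANDATORY` to model the mandatory option.

```c
/* Added example, not kernel code: user-space model of the lockdown modes
 * described in the commit message. All function names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Scan a kernel-style space-separated command line for the exact token
 * "lockdown=1". Other tokens ("nolockdown=1", "lockdown=0") do not match. */
bool cmdline_requests_lockdown(const char *cmdline)
{
    const char *p = cmdline;

    while (*p) {
        while (*p == ' ')
            p++;
        const char *tok = p;
        while (*p && *p != ' ')
            p++;
        size_t len = (size_t)(p - tok);
        if (len == strlen("lockdown=1") && memcmp(tok, "lockdown=1", len) == 0)
            return true;
    }
    return false;
}

/* Resolve the lockdown state once, at early boot. The compile-time
 * mandatory option wins over whatever the command line says, including an
 * explicit lockdown=0, which is the override the commit message describes. */
bool lockdown_resolve(bool config_mandatory, const char *cmdline)
{
    if (config_mandatory)
        return true;
    return cmdline_requests_lockdown(cmdline);
}

/* Model of one protected access point (e.g. /dev/mem): the caller asks the
 * single lockdown query and refuses the operation when the kernel is locked
 * down. Returns 0 when allowed, -1 when refused. */
int try_privileged_access(bool locked_down, const char *what)
{
    if (locked_down) {
        fprintf(stderr, "Lockdown: %s is restricted; see man kernel_lockdown.7\n", what);
        return -1;
    }
    return 0;
}

int main(void)
{
#ifdef CONFIG_LOCK_DOWN_MANDATORY
    const bool mandatory = true;
#else
    const bool mandatory = false;
#endif
    /* Constructed sample command lines. */
    const char *cmdlines[] = {
        "root=/dev/sda1 quiet",
        "root=/dev/sda1 lockdown=1 quiet",
        "root=/dev/sda1 lockdown=0",
    };

    for (size_t i = 0; i < sizeof(cmdlines) / sizeof(cmdlines[0]); i++) {
        bool locked = lockdown_resolve(mandatory, cmdlines[i]);
        printf("cmdline \"%s\": locked_down=%d, /dev/mem access -> %d\n",
               cmdlines[i], locked, try_privileged_access(locked, "/dev/mem"));
    }
    return 0;
}
```

Without the define, only the second command line locks the kernel down; with `-DCONFIG_LOCK_DOWN_MANDATORY` all three do, which is the override the commit message specifies.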