Subject: Re: [PATCH V32 01/27] Add the ability to lock down access to the running kernel image
From: Andrew Donnellan
Date: Tue, 16 Apr 2019 18:40:08 +1000
To: Matthew Garrett , jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, linuxppc-dev , Michael Ellerman , Daniel Axtens , cmr
Message-Id: <059c523e-926c-24ee-0935-198031712145@au1.ibm.com>
In-Reply-To: <20190404003249.14356-2-matthewgarrett@google.com>
References: <20190404003249.14356-1-matthewgarrett@google.com> <20190404003249.14356-2-matthewgarrett@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 4/4/19 11:32 am, Matthew Garrett wrote:
> diff --git a/Documentation/ABI/testing/lockdown b/Documentation/ABI/testing/lockdown
> new file mode 100644
> index 000000000000..5bd51e20917a
> --- /dev/null
> +++ b/Documentation/ABI/testing/lockdown
> @@ -0,0 +1,19 @@
> +What: security/lockdown
> +Date: March 2019
> +Contact: Matthew Garrett
> +Description:
> + If CONFIG_LOCK_DOWN_KERNEL is enabled, the kernel can be
> + moved to a more locked down state at runtime by writing to
> + this attribute. Valid values are:
> +
> + integrity:
> + The kernel will disable functionality that allows
> + userland to modify the running kernel image, other
> + than through the loading or execution of appropriately
> + signed objects.
> +
> + confidentiality:
> + The kernel will disable all functionality disabled by
> + the integrity mode, but additionally will disable
> + features that potentially permit userland to obtain
> + confidential information stored within the kernel.

[+ linuxppc, mpe, dja, cmr]

I'm thinking about whether we should lock down the powerpc xmon debug monitor - intuitively, I think the answer is yes if for no other reason than Least Astonishment, when lockdown is enabled you probably don't expect xmon to keep letting you access kernel memory.

Semantically though, xmon is not a userspace process - it's in kernel and reads debug commands/outputs debug data directly from/to the console. Is that a threat vector that this series cares about?

-- 
Andrew Donnellan              OzLabs, ADL Canberra
andrew.donnellan@au1.ibm.com  IBM Australia Limited
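Review bot: the Description in this hunk only documents moving to a "more locked down state"; it should also say what a write naming a less restrictive mode does (for example writing "integrity" once "confidentiality" is in effect, which presumably must be refused rather than silently relaxing the policy) and what a read of security/lockdown returns, since userspace tooling will script against both. The entry also lacks the KernelVersion: field that other Documentation/ABI entries carry between Date: and Contact:.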