Subject: Re: Draft manpage explaining kernel lockdown
From: "Michael Kerrisk (man-pages)"
To: David Howells, Ard Biesheuvel
Cc: mtk.manpages@gmail.com, mcgrof@kernel.org, johannes@sipsolutions.net, linux-man@vger.kernel.org, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Wed, 18 Oct 2017 10:21:35 +0200
Message-ID: <95c53500-eae9-6c03-8bc5-f1ba62475711@gmail.com>
In-Reply-To: <7969.1507201224@warthog.procyon.org.uk>
References: <7969.1507201224@warthog.procyon.org.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi David,

On 10/05/2017 01:00 PM, David Howells wrote:
> Hi Ard, Michael,
>
> Attached is a draft for a manual page (kernel_lockdown.7) that I intend to
> point at from messages emitted when the kernel prohibits something because the
> kernel is in 'lockdown' mode, typically triggered by EFI secure boot.
>
> Let me know what you think.

Thanks for the page proposal. Several people sent feedback. Will you revise
the draft?

Thanks,

Michael

> David
> ---
> .\"
> .\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
> .\" Written by David Howells (dhowells@redhat.com)
> .\"
> .\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
> .\" This program is free software; you can redistribute it and/or
> .\" modify it under the terms of the GNU General Public License
> .\" as published by the Free Software Foundation; either version
> .\" 2 of the License, or (at your option) any later version.
> .\" %%%LICENSE_END
> .\"
> .TH "KERNEL LOCKDOWN" 7 2017-10-05 Linux "Linux Programmer's Manual"
> .SH NAME
> Kernel Lockdown \- Kernel image access prevention feature
> .SH DESCRIPTION
> The Kernel Lockdown feature is designed to prevent both direct and indirect
> access to a running kernel image, attempting to protect against unauthorised
> modification of the kernel image and to prevent access to security and
> cryptographic data located in kernel memory, whilst still permitting driver
> modules to be loaded.
> .P
> Lockdown is typically enabled during boot and may be terminated, if configured,
> by typing a special key combination on a directly attached physical keyboard.
> .P
> If a prohibited or restricted feature is accessed or used, the kernel will emit
> a message that looks like:
> .P
> .RS
> Lockdown: X is restricted, see man kernel_lockdown(7)
> .RE
> .P
> where X indicates what is restricted.
> .P
> On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
> if the system boots in EFI Secure Boot mode.
> .P
> If the kernel is appropriately configured, lockdown may be lifted by typing the
> appropriate sequence on a directly attached physical keyboard. For x86
> machines, this is
> .IR SysRq+x .
> .\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
> .SH COVERAGE
> When lockdown is in effect, a number of things are disabled or restricted in
> use. This includes special device files and kernel services that allow direct
> access of the kernel image:
> .P
> .RS
> /dev/mem
> .br
> /dev/kmem
> .br
> /dev/kcore
> .br
> /dev/ioports
> .br
> BPF memory access functions
> .RE
> .P
> and the ability to directly configure and control devices, so as to prevent the
> use of a device to access or modify a kernel image:
> .P
> .RS
> The use of module parameters that directly specify hardware parameters to
> drivers through the kernel command line or when loading a module.
> .P
> The use of direct PCI BAR access.
> .P
> The use of the ioperm and iopl instructions on x86.
> .P
> The use of the KD*IO console ioctls.
> .P
> The use of the TIOCSSERIAL serial ioctl.
> .P
> The alteration of MSR registers on x86.
> .P
> The replacement of the PCMCIA CIS.
> .P
> The overriding of ACPI tables.
> .P
> The use of ACPI error injection.
> .P
> The specification of the ACPI RSDP address.
> .P
> The use of ACPI custom methods.
> .RE
> .P
> The following facilities are restricted:
> .P
> .RS
> Only validly signed modules may be loaded.
> .P
> Only validly signed binaries may be kexec'd.
> .P
> Only validly signed device firmware may be loaded.
> .P
> Only validly signed wifi databases may be used.
> .P
> Unencrypted hibernation/suspend to swap are disallowed as the kernel image is
> saved to a medium that can then be accessed.
> .P
> Use of debugfs is not permitted as this allows a whole range of actions
> including direct configuration of, access to and driving of hardware.
> .RE
> .\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
> .SH SEE ALSO
> .ad l
> .nh
>

-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
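An added example, not part of David's draft or of this reply: a small C program that recognises the "Lockdown: X is restricted, see man kernel_lockdown(7)" message format the draft describes, tallies the restricted items from a dmesg-style buffer, and then attempts one of the operations the COVERAGE section lists (opening /dev/mem) to show what a refusal looks like from user space. The log lines, their timestamps and the items named in them are constructed for the example, and the function names are my own, not a kernel or man-pages interface. The probe only classifies errno: as root an EPERM is what lockdown produces, while an unprivileged user gets EACCES from ordinary file permissions whether or not lockdown is on.

```c
/* Added example (not from the draft manpage or the kernel tree):
 * parse lockdown denial messages and probe one restricted device. */
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* Message shape given in the draft page's DESCRIPTION section. */
#define LOCKDOWN_PREFIX "Lockdown: "
#define LOCKDOWN_SUFFIX " is restricted, see man kernel_lockdown(7)"
#define MAX_EVENTS 32

struct lockdown_event { char what[128]; };

/* Extract X from one log line. Tolerates a leading dmesg timestamp such as
 * "[   12.345678] ". Returns 1 and fills `what` on a match, 0 otherwise
 * (including an empty X). */
int parse_lockdown_line(const char *line, char *what, size_t what_len)
{
    const char *p = strstr(line, LOCKDOWN_PREFIX);
    if (!p)
        return 0;
    p += strlen(LOCKDOWN_PREFIX);
    const char *end = strstr(p, LOCKDOWN_SUFFIX);
    if (!end || end == p)
        return 0;
    size_t n = (size_t)(end - p);
    if (n >= what_len)
        n = what_len - 1;
    memcpy(what, p, n);
    what[n] = '\0';
    return 1;
}

/* Walk a newline-separated buffer (e.g. captured `dmesg` output) and collect
 * every restricted item. Returns the number of events stored in `ev`. */
int scan_lockdown_log(const char *buf, struct lockdown_event *ev, int max)
{
    int count = 0;
    const char *line = buf;
    while (*line && count < max) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char tmp[512];
        if (len >= sizeof tmp)
            len = sizeof tmp - 1;
        memcpy(tmp, line, len);
        tmp[len] = '\0';
        if (parse_lockdown_line(tmp, ev[count].what, sizeof ev[count].what))
            count++;
        if (!nl)
            break;
        line = nl + 1;
    }
    return count;
}

/* Try to open /dev/mem, one of the device files the draft says is disabled.
 * Returns 2 on EPERM (what lockdown reports, meaningful when run as root),
 * 1 on EACCES (ordinary file permissions, seen by unprivileged users),
 * 0 if the open succeeded, -1 if the device is absent or failed otherwise. */
int probe_dev_mem(void)
{
    int fd = open("/dev/mem", O_RDWR);
    if (fd >= 0) {
        close(fd);
        return 0;
    }
    if (errno == EPERM)
        return 2;
    if (errno == EACCES)
        return 1;
    return -1;
}

/* Constructed sample log lines; not output captured from any real system. */
static const char sample_log[] =
    "[    0.000000] Booting Linux (constructed sample line)\n"
    "[   12.345678] Lockdown: /dev/mem is restricted, see man kernel_lockdown(7)\n"
    "[   12.400000] usb 1-1: new high-speed USB device (constructed)\n"
    "[   13.000000] Lockdown: ioperm is restricted, see man kernel_lockdown(7)\n"
    "[   14.000000] Lockdown: kexec of unsigned images is restricted, see man kernel_lockdown(7)\n";

int main(void)
{
    struct lockdown_event ev[MAX_EVENTS];
    int n = scan_lockdown_log(sample_log, ev, MAX_EVENTS);
    printf("%d lockdown denials in sample log\n", n);
    for (int i = 0; i < n; i++)
        printf("  restricted: %s\n", ev[i].what);

    static const char *verdict[] = { "unavailable", "allowed", "EACCES (file permissions)", "EPERM (consistent with lockdown)" };
    int r = probe_dev_mem();
    printf("/dev/mem open for write: %s\n", verdict[r + 1]);
    return 0;
}
```

Run it against real output by replacing `sample_log` with the text of `dmesg`; the parser keys only on the prefix and suffix, so it is unaffected by the timestamp or whatever text the kernel puts in X.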