diff --git a/config/arm64/default b/config/arm64/default index 71659f3..8aafee6 100644 --- a/config/arm64/default +++ b/config/arm64/default @@ -12194,6 +12194,7 @@ CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set diff --git a/config/armv6hl/default b/config/armv6hl/default index d6936a3..4490e1a 100644 --- a/config/armv6hl/default +++ b/config/armv6hl/default @@ -8371,6 +8371,7 @@ CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set diff --git a/config/armv7hl/default b/config/armv7hl/default index af50cd0..afab7be 100644 --- a/config/armv7hl/default +++ b/config/armv7hl/default @@ -11765,6 +11765,7 @@ CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set diff --git a/config/riscv64/default b/config/riscv64/default index d52abef..3a7cf8e 100644 --- a/config/riscv64/default +++ b/config/riscv64/default @@ -9201,6 +9201,7 @@ CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set diff --git a/config/x86_64/default b/config/x86_64/default index 61e8b39..521cc03 100644 --- a/config/x86_64/default +++ b/config/x86_64/default @@ -10280,6 +10280,7 @@ CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set diff --git a/patches.suse/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-down.patch b/patches.suse/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-down.patch new file mode 100644 index 0000000..5c70267 --- /dev/null +++ b/patches.suse/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-down.patch @@ -0,0 +1,91 @@ +From 478a0cff698409224330ea9e25eb332220b55dbb Mon Sep 17 00:00:00 2001 +From: Jeremy Cline +Date: Mon, 30 Sep 2019 21:22:47 +0000 +Subject: [PATCH 1/3] security: lockdown: expose a hook to lock the kernel down +Patch-mainline: Never, Fedora Core 32 +References: jsc#SLE-9870 + +In order to automatically lock down kernels running on UEFI machines +booted in Secure Boot mode, expose the lock_kernel_down() hook. + +Signed-off-by: Jeremy Cline +Acked-by: Lee, Chun-Yi +--- + include/linux/lsm_hook_defs.h | 1 + + include/linux/lsm_hooks.h | 6 ++++++ + include/linux/security.h | 5 +++++ + security/lockdown/lockdown.c | 1 + + security/security.c | 6 ++++++ + 5 files changed, 19 insertions(+) + +--- a/include/linux/lsm_hook_defs.h ++++ b/include/linux/lsm_hook_defs.h +@@ -403,6 +403,7 @@ LSM_HOOK(void, LSM_RET_VOID, bpf_prog_fr + #endif /* CONFIG_BPF_SYSCALL */ + + LSM_HOOK(int, 0, locked_down, enum lockdown_reason what) ++LSM_HOOK(int, 0, lock_kernel_down, const char *where, enum lockdown_reason level) + + #ifdef CONFIG_PERF_EVENTS + LSM_HOOK(int, 0, perf_event_open, struct perf_event_attr *attr, int type) +--- a/include/linux/lsm_hooks.h ++++ b/include/linux/lsm_hooks.h +@@ -1618,6 +1618,12 @@ + * @what: kernel feature being accessed. + * Return 0 if permission is granted. + * ++ * @lock_kernel_down ++ * Put the kernel into lock-down mode. ++ * ++ * @where: Where the lock-down is originating from (e.g. command line option) ++ * @level: The lock-down level (can only increase) ++ * + * Security hooks for perf events + * + * @perf_event_open: +--- a/include/linux/security.h ++++ b/include/linux/security.h +@@ -487,6 +487,7 @@ int security_inode_notifysecctx(struct i + int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); + int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); + int security_locked_down(enum lockdown_reason what); ++int security_lock_kernel_down(const char *where, enum lockdown_reason level); + #else /* CONFIG_SECURITY */ + + static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data) +@@ -1402,6 +1403,10 @@ static inline int security_locked_down(e + { + return 0; + } ++static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level) ++{ ++ return 0; ++} + #endif /* CONFIG_SECURITY */ + + #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE) +--- a/security/lockdown/lockdown.c ++++ b/security/lockdown/lockdown.c +@@ -73,6 +73,7 @@ static int lockdown_is_locked_down(enum + + static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = { + LSM_HOOK_INIT(locked_down, lockdown_is_locked_down), ++ LSM_HOOK_INIT(lock_kernel_down, lock_kernel_down), + }; + + static int __init lockdown_lsm_init(void) +--- a/security/security.c ++++ b/security/security.c +@@ -2705,6 +2705,12 @@ int security_locked_down(enum lockdown_r + } + EXPORT_SYMBOL(security_locked_down); + ++int security_lock_kernel_down(const char *where, enum lockdown_reason level) ++{ ++ return call_int_hook(lock_kernel_down, 0, where, level); ++} ++EXPORT_SYMBOL(security_lock_kernel_down); ++ + #ifdef CONFIG_PERF_EVENTS + int security_perf_event_open(struct perf_event_attr *attr, int type) + { diff --git a/patches.suse/0002-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-boot-mode.patch b/patches.suse/0002-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-boot-mode.patch new file mode 100644 index 0000000..f5c3585 --- /dev/null +++ b/patches.suse/0002-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-boot-mode.patch @@ -0,0 +1,154 @@ +From b5123d0553f4ed5e734f6457696cdd30228d1eee Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Tue, 27 Feb 2018 10:04:55 +0000 +Subject: [PATCH 2/3] efi: Add an EFI_SECURE_BOOT flag to indicate secure + boot mode +Patch-mainline: Never, Fedora Core 32 +References: jsc#SLE-9870 + +UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT +flag that can be passed to efi_enabled() to find out whether secure boot is +enabled. + +Move the switch-statement in x86's setup_arch() that inteprets the +secure_boot boot parameter to generic code and set the bit there. + +Suggested-by: Ard Biesheuvel +Signed-off-by: David Howells +Reviewed-by: Ard Biesheuvel +cc: linux-efi@vger.kernel.org +[Rebased for context; efi_is_table_address was moved to arch/x86] +Signed-off-by: Jeremy Cline +Acked-by: Lee, Chun-Yi +Signed-off-by: Chester Lin +--- + arch/x86/kernel/setup.c | 14 +------------- + drivers/firmware/efi/Makefile | 1 + + drivers/firmware/efi/secureboot.c | 38 ++++++++++++++++++++++++++++++++++++++ + include/linux/efi.h | 19 ++++++++++++------- + 4 files changed, 52 insertions(+), 20 deletions(-) + create mode 100644 drivers/firmware/efi/secureboot.c + +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -1114,19 +1114,7 @@ void __init setup_arch(char **cmdline_p) + /* Allocate bigger log buffer */ + setup_log_buf(1); + +- if (efi_enabled(EFI_BOOT)) { +- switch (boot_params.secure_boot) { +- case efi_secureboot_mode_disabled: +- pr_info("Secure boot disabled\n"); +- break; +- case efi_secureboot_mode_enabled: +- pr_info("Secure boot enabled\n"); +- break; +- default: +- pr_info("Secure boot could not be determined\n"); +- break; +- } +- } ++ efi_set_secure_boot(boot_params.secure_boot); + + reserve_initrd(); + +--- a/drivers/firmware/efi/Makefile ++++ b/drivers/firmware/efi/Makefile +@@ -27,6 +27,7 @@ obj-$(CONFIG_EFI_FAKE_MEMMAP) += fake_m + obj-$(CONFIG_EFI_BOOTLOADER_CONTROL) += efibc.o + obj-$(CONFIG_EFI_TEST) += test/ + obj-$(CONFIG_EFI_DEV_PATH_PARSER) += dev-path-parser.o ++obj-$(CONFIG_EFI) += secureboot.o + obj-$(CONFIG_APPLE_PROPERTIES) += apple-properties.o + obj-$(CONFIG_EFI_RCI2_TABLE) += rci2-table.o + obj-$(CONFIG_EFI_EMBEDDED_FIRMWARE) += embedded-firmware.o +--- /dev/null ++++ b/drivers/firmware/efi/secureboot.c +@@ -0,0 +1,38 @@ ++/* Core kernel secure boot support. ++ * ++ * Copyright (C) 2017 Red Hat, Inc. All Rights Reserved. ++ * Written by David Howells (dhowells@redhat.com) ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public Licence ++ * as published by the Free Software Foundation; either version ++ * 2 of the Licence, or (at your option) any later version. ++ */ ++ ++#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt ++ ++#include ++#include ++#include ++ ++/* ++ * Decide what to do when UEFI secure boot mode is enabled. ++ */ ++void __init efi_set_secure_boot(enum efi_secureboot_mode mode) ++{ ++ if (efi_enabled(EFI_BOOT)) { ++ switch (mode) { ++ case efi_secureboot_mode_disabled: ++ pr_info("Secure boot disabled\n"); ++ break; ++ case efi_secureboot_mode_enabled: ++ set_bit(EFI_SECURE_BOOT, &efi.flags); ++ pr_info("Secure boot enabled\n"); ++ break; ++ default: ++ pr_warn("Secure boot could not be determined (mode %u)\n", ++ mode); ++ break; ++ } ++ } ++} +--- a/include/linux/efi.h ++++ b/include/linux/efi.h +@@ -847,6 +847,14 @@ extern int __init efi_setup_pcdp_console + #define EFI_MEM_ATTR 10 /* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */ + #define EFI_MEM_NO_SOFT_RESERVE 11 /* Is the kernel configured to ignore soft reservations? */ + #define EFI_PRESERVE_BS_REGIONS 12 /* Are EFI boot-services memory segments available? */ ++#define EFI_SECURE_BOOT 13 /* Are we in Secure Boot mode? */ ++ ++enum efi_secureboot_mode { ++ efi_secureboot_mode_unset, ++ efi_secureboot_mode_unknown, ++ efi_secureboot_mode_disabled, ++ efi_secureboot_mode_enabled, ++}; + + #ifdef CONFIG_EFI + /* +@@ -871,6 +879,8 @@ static inline bool efi_rt_services_suppo + return (efi.runtime_supported_mask & mask) == mask; + } + extern void efi_find_mirror(void); ++ ++extern void __init efi_set_secure_boot(enum efi_secureboot_mode mode); + #else + static inline bool efi_enabled(int feature) + { +@@ -890,6 +900,8 @@ static inline bool efi_rt_services_suppo + } + + static inline void efi_find_mirror(void) {} ++ ++static inline void efi_set_secure_boot(enum efi_secureboot_mode mode) {} + #endif + + extern int efi_status_to_err(efi_status_t status); +@@ -1105,13 +1117,6 @@ static inline bool efi_runtime_disabled( + extern void efi_call_virt_check_flags(unsigned long flags, const char *call); + extern unsigned long efi_call_virt_save_flags(void); + +-enum efi_secureboot_mode { +- efi_secureboot_mode_unset, +- efi_secureboot_mode_unknown, +- efi_secureboot_mode_disabled, +- efi_secureboot_mode_enabled, +-}; +- + static inline + enum efi_secureboot_mode efi_get_secureboot_mode(efi_get_variable_t *get_var) + { diff --git a/patches.suse/0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mode.patch b/patches.suse/0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mode.patch new file mode 100644 index 0000000..7c9a7ef --- /dev/null +++ b/patches.suse/0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mode.patch @@ -0,0 +1,67 @@ +From 15368f76d4997912318d35c52bfeb9041d85098e Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Mon, 30 Sep 2019 21:28:16 +0000 +Subject: [PATCH 3/3] efi: Lock down the kernel if booted in secure boot mode +Patch-mainline: Never, Fedora Core 32 +References: jsc#SLE-9870 + +UEFI Secure Boot provides a mechanism for ensuring that the firmware +will only load signed bootloaders and kernels. Certain use cases may +also require that all kernel modules also be signed. Add a +configuration option that to lock down the kernel - which includes +requiring validly signed modules - if the kernel is secure-booted. + +Signed-off-by: David Howells +Signed-off-by: Jeremy Cline +Acked-by: Lee, Chun-Yi +--- + arch/x86/kernel/setup.c | 8 ++++++++ + security/lockdown/Kconfig | 13 +++++++++++++ + 2 files changed, 21 insertions(+) + +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + #include + +@@ -1036,6 +1037,13 @@ void __init setup_arch(char **cmdline_p) + if (efi_enabled(EFI_BOOT)) + efi_init(); + ++ efi_set_secure_boot(boot_params.secure_boot); ++ ++#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT ++ if (efi_enabled(EFI_SECURE_BOOT)) ++ security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_CONFIDENTIALITY_MAX); ++#endif ++ + dmi_setup(); + + /* +--- a/security/lockdown/Kconfig ++++ b/security/lockdown/Kconfig +@@ -16,6 +16,19 @@ config SECURITY_LOCKDOWN_LSM_EARLY + subsystem is fully initialised. If enabled, lockdown will + unconditionally be called before any other LSMs. + ++config LOCK_DOWN_IN_EFI_SECURE_BOOT ++ bool "Lock down the kernel in EFI Secure Boot mode" ++ default n ++ depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY ++ help ++ UEFI Secure Boot provides a mechanism for ensuring that the firmware ++ will only load signed bootloaders and kernels. Secure boot mode may ++ be determined from EFI variables provided by the system firmware if ++ not indicated by the boot parameters. ++ ++ Enabling this option results in kernel lockdown being triggered if ++ EFI Secure Boot is set. ++ + choice + prompt "Kernel default lockdown mode" + default LOCK_DOWN_KERNEL_FORCE_NONE diff --git a/patches.suse/0004-efi-Lock-down-the-kernel-at-the-integrity-level-if-b.patch b/patches.suse/0004-efi-Lock-down-the-kernel-at-the-integrity-level-if-b.patch new file mode 100644 index 0000000..1838c16 --- /dev/null +++ b/patches.suse/0004-efi-Lock-down-the-kernel-at-the-integrity-level-if-b.patch @@ -0,0 +1,32 @@ +From a44d0b29e985f769540491f7f39b8ffe9ddc3768 Mon Sep 17 00:00:00 2001 +From: "Lee, Chun-Yi" +Date: Tue, 26 Nov 2019 14:40:07 +0800 +Subject: [PATCH] efi: Lock down the kernel at the integrity level if booted in + secure boot mode +Patch-mainline: Never, SUSE specific tweak +References: jsc#SLE-9870 + +The perf and bpf are restricted in confidentiality level, but those +functions are available on SLE. So we use integrity level here. + +Signed-off-by: Lee, Chun-Yi +--- + arch/x86/kernel/setup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c +index 303abf8..a94e2b0 100644 +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -1032,7 +1032,7 @@ void __init setup_arch(char **cmdline_p) + + #ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT + if (efi_enabled(EFI_SECURE_BOOT)) +- security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_CONFIDENTIALITY_MAX); ++ security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX); + #endif + + dmi_setup(); +-- +2.16.4 + diff --git a/patches.suse/arm64-lock-down-kernel-in-secure-boot-mode.patch b/patches.suse/arm64-lock-down-kernel-in-secure-boot-mode.patch new file mode 100644 index 0000000..645dc26 --- /dev/null +++ b/patches.suse/arm64-lock-down-kernel-in-secure-boot-mode.patch @@ -0,0 +1,47 @@ +From: Chester Lin +Date: Fri, 20 Nov 2020 14:08:38 +0800 +Subject: arm64: lock down kernel in secure boot mode +References: jsc#SLE-15020 +Patch-mainline: never, only for SLE + +This kernel lockdown feature on ARM64 depends on IMA and EFI to query +secure boot mode. Because aarch64 initiates the EFI subsystem late so +the lockdown check must be put off until the EFI subsystem has been +initialized. + +Signed-off-by: Chester Lin +--- + drivers/firmware/efi/secureboot.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/drivers/firmware/efi/secureboot.c ++++ b/drivers/firmware/efi/secureboot.c +@@ -14,6 +14,8 @@ + #include + #include + #include ++#include ++#include + + /* + * Decide what to do when UEFI secure boot mode is enabled. +@@ -36,3 +38,19 @@ void __init efi_set_secure_boot(enum efi + } + } + } ++ ++#if defined(CONFIG_ARM64) && defined(CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT) ++/* ++ * The arm64_kernel_lockdown() must run after efisubsys_init() because the ++ * the secure boot mode query relies on efi_rts_wq to call EFI_GET_VARIABLE. ++ */ ++static int __init arm64_kernel_lockdown(void) ++{ ++ if (arch_ima_get_secureboot()) ++ security_lock_kernel_down("EFI Secure Boot mode", ++ LOCKDOWN_INTEGRITY_MAX); ++ return 0; ++} ++ ++subsys_initcall(arm64_kernel_lockdown); ++#endif diff --git a/series.conf b/series.conf index 8572179..1c4964b 100644 --- a/series.conf +++ b/series.conf @@ -147,6 +147,14 @@ # Security ######################################################## + # Bug 1198101 - VUL-0: shim: openSUSE tumbleweed not fully locked down? Add opensuse-cert-prompt back to openSUSE shim + # Lock down functions for secure boot + patches.suse/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-down.patch + patches.suse/0002-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-boot-mode.patch + patches.suse/0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mode.patch + patches.suse/0004-efi-Lock-down-the-kernel-at-the-integrity-level-if-b.patch + patches.suse/arm64-lock-down-kernel-in-secure-boot-mode.patch + # crypto ########################################################