Re: linux-next: UEFI Secure boot lockdown patchset

From: Ard Biesheuvel
Date: Thu Mar 01 2018 - 06:08:44 EST


Hi David,

On 1 March 2018 at 11:06, David Howells <dhowells@xxxxxxxxxx> wrote:
>
> Hi Stephen,
>
> Can you pull the following branch into linux-next please?

Could you please include a URL?

> It does three
> things:
>
> (1) It restricts various accesses userspace may make upon the kernel when the
> kernel is locked down.
>
> (2) It engages the lockdown if UEFI Secure Boot mode is detected.
>
> (3) It passes the UEFI Secure Boot mode indication across kexec.
>
> The restrictions include:
>
> - Enforcing the use of module signatures
> - Enforcing the use of kexec image signatures
> - Requring IMA to use secure boot rules
> - Disabling:
> - The kexec_load() syscall
> - Use of /dev/{mem,kmem,port,kcore}
> - Hibernation
> - PCI BAR access
> - Direct I/O port access
> - Preventing direct port specification in drivers:
> - SCSI EATA
> - TIOCSSERIAL
> - Module parameters
> - Restricting:
> - MSR access
> - Certain ACPI features
> - kprobes
> - BPF
> - Perf
> - Debugfs
>
> The aim of the restrictions is twofold:
>
> (1) Prevent userspace from altering the kernel image directly (eg. by
> /dev/mem) or indirectly (eg. by manipulating a device to do DMA);
>
> (2) Prevent userspace from accessing crypto data stored in the kernel
> (eg. filesystem keys).
>
> A warning is logged if a restriction is triggered for which I've written a
> manpage that is referenced in the message (see attached).
>
> David
>