Re: [PATCH] powerpc/config: Enable security features in skiroot

From: Daniel Axtens
Date: Mon Jan 06 2020 - 00:28:29 EST


Joel Stanley <joel@xxxxxxxxx> writes:

> This turns on HARDENED_USERCOPY with HARDENED_USERCOPY_PAGESPAN, and
> FORTIFY_SOURCE.
>
> It also enables SECURITY_LOCKDOWN_LSM with _EARLY and
> LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY options enabled.

This will completely disable xmon when combined with 69393cb03ccd
("powerpc/xmon: Restrict when kernel is locked down"). I don't
personally have a problem with this, but I think not disabling xmon has
come up before as a requirement of some developers.

Is forcing integrity not sufficient? What confidential data held by the
skiroot kernel are you trying to protect? If you just force integrity
you'll get xmon in read-only mode, which should be fine for most
debugging...

Regards,
Daniel

>
> MODULE_SIG is selected by lockdown, so it is still enabled.
>
> Signed-off-by: Joel Stanley <joel@xxxxxxxxx>
> ---
> arch/powerpc/configs/skiroot_defconfig | 11 ++++++++++-
> 1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/arch/powerpc/configs/skiroot_defconfig b/arch/powerpc/configs/skiroot_defconfig
> index 069f67f12731..0a441c414a57 100644
> --- a/arch/powerpc/configs/skiroot_defconfig
> +++ b/arch/powerpc/configs/skiroot_defconfig
> @@ -33,7 +33,6 @@ CONFIG_JUMP_LABEL=y
> CONFIG_STRICT_KERNEL_RWX=y
> CONFIG_MODULES=y
> CONFIG_MODULE_UNLOAD=y
> -CONFIG_MODULE_SIG=y
> CONFIG_MODULE_SIG_FORCE=y
> CONFIG_MODULE_SIG_SHA512=y
> CONFIG_PARTITION_ADVANCED=y
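Review bot: dropping `CONFIG_MODULE_SIG=y` while keeping `CONFIG_MODULE_SIG_FORCE=y` makes this hunk depend on the `CONFIG_SECURITY_LOCKDOWN_LSM=y` added in the second hunk, since (as the commit message says) lockdown is what now selects MODULE_SIG. MODULE_SIG_FORCE only exists under MODULE_SIG, so if lockdown is ever removed from this defconfig, a `make olddefconfig` will silently discard the FORCE line too. Consider leaving the explicit `CONFIG_MODULE_SIG=y` in place, which costs nothing and keeps the signature-enforcement requirement visible in the defconfig rather than implied by another option.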
> @@ -297,5 +296,15 @@ CONFIG_WQ_WATCHDOG=y
> CONFIG_XMON=y
> CONFIG_XMON_DEFAULT=y
> CONFIG_ENCRYPTED_KEYS=y
> +CONFIG_SECURITY=y
> +CONFIG_HARDENED_USERCOPY=y
> +# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
> +CONFIG_HARDENED_USERCOPY_PAGESPAN=y
> +CONFIG_FORTIFY_SOURCE=y
> +CONFIG_SECURITY_LOCKDOWN_LSM=y
> +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
> +CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
> +# CONFIG_INTEGRITY is not set
> +CONFIG_LSM="yama,loadpin,safesetid,integrity"
> # CONFIG_CRYPTO_ECHAINIV is not set
> # CONFIG_CRYPTO_HW is not set
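Review bot: the new `CONFIG_LSM="yama,loadpin,safesetid,integrity"` line is inconsistent with the options around it: it names "integrity" two lines after `# CONFIG_INTEGRITY is not set`, and it omits "lockdown" even though `CONFIG_SECURITY_LOCKDOWN_LSM=y` and `_EARLY=y` are being added in this same hunk. Please either list the LSMs actually built and in the intended order, or state in the commit message that the early lockdown LSM is initialised independently of this string and the list is intentional. Separately, `CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y` sits directly under the unchanged `CONFIG_XMON=y` / `CONFIG_XMON_DEFAULT=y`, and with xmon restricted under lockdown that leaves a default-on debugger that cannot be used; the commit message should say why confidentiality rather than integrity is wanted for skiroot, and likewise why the stricter `# CONFIG_HARDENED_USERCOPY_FALLBACK is not set` and `CONFIG_HARDENED_USERCOPY_PAGESPAN=y` variants are chosen, since the message only lists what is turned on.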
> --
> 2.24.1