[PATCH 4/6][B] powerpc/xmon: Restrict when kernel is locked down

Seth Forshee seth.forshee at canonical.com
Tue Jun 23 18:30:16 UTC 2020


On Tue, Jun 23, 2020 at 02:15:00PM -0300, Thadeu Lima de Souza Cascardo wrote:
> On Fri, Jun 19, 2020 at 07:48:31AM -0500, Seth Forshee wrote:
> > From: "Christopher M. Riedl" <cmr at informatik.wtf>
> > 
> > BugLink: https://bugs.launchpad.net/bugs/1884159
> > 
> > Xmon should be either fully or partially disabled depending on the
> > kernel lockdown state.
> > 
> > Put xmon into read-only mode for lockdown=integrity and prevent user
> > entry into xmon when lockdown=confidentiality. Xmon checks the lockdown
> > state on every attempted entry:
> > 
> >  (1) during early xmon'ing
> > 
> >  (2) when triggered via sysrq
> > 
> >  (3) when toggled via debugfs
> > 
> >  (4) when triggered via a previously enabled breakpoint
> > 
> > The following lockdown state transitions are handled:
> > 
> >  (1) lockdown=none -> lockdown=integrity
> >      set xmon read-only mode
> > 
> >  (2) lockdown=none -> lockdown=confidentiality
> >      clear all breakpoints, set xmon read-only mode,
> >      prevent user re-entry into xmon
> > 
> >  (3) lockdown=integrity -> lockdown=confidentiality
> >      clear all breakpoints, set xmon read-only mode,
> >      prevent user re-entry into xmon
> > 
> > Suggested-by: Andrew Donnellan <ajd at linux.ibm.com>
> > Signed-off-by: Christopher M. Riedl <cmr at informatik.wtf>
> > Signed-off-by: Michael Ellerman <mpe at ellerman.id.au>
> > Link: https://lore.kernel.org/r/20190907061124.1947-3-cmr@informatik.wtf
> > (backported from commit 69393cb03ccdf29f3b452d3482ef918469d1c098)
> > Signed-off-by: Seth Forshee <seth.forshee at canonical.com>
> > ---
> >  arch/powerpc/xmon/xmon.c | 106 ++++++++++++++++++++++++++++++++-------
> >  1 file changed, 89 insertions(+), 17 deletions(-)
> 
> I was finally able to test this and then noticed that CONFIG_LOCK_DOWN_KERNEL
> is not set for ppc64el. Should we enable it for this patchset?

Hmm, I knew that we only started automatically enabling lockdown under
secure boot recently for ppc64el, but I didn't notice that the option
was turned off. Looks like that's the case until focal.

I think whether to turn on lockdown for ppc64el is a separate issue from
these updates, so let's not do that here. And in that case the xmon
patches aren't needed right now.
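A check for the question raised above (is CONFIG_LOCK_DOWN_KERNEL built into the running kernel, and which lockdown mode is active), as an added example that is not part of this thread or of the patch. The /boot/config-* and /sys/kernel/security/lockdown paths are assumptions that vary by distribution; the xmon states are taken from the patch description quoted above.

```shell
# Added example, not code from the patch or from this thread. Reports whether a
# kernel config enables CONFIG_LOCK_DOWN_KERNEL (the option named in the reply
# above; mainline kernels call the equivalent CONFIG_SECURITY_LOCKDOWN_LSM),
# reads the active lockdown mode from securityfs, and maps that mode to the
# xmon behaviour the patch description lists. File paths are assumptions.

lockdown_config_value() {
    # Print y/m from "CONFIG_LOCK_DOWN_KERNEL=<v>", "n" when the config says
    # "is not set", or "missing" when the symbol does not appear at all.
    cfg="$1"
    if grep -q '^CONFIG_LOCK_DOWN_KERNEL=' "$cfg" 2>/dev/null; then
        sed -n 's/^CONFIG_LOCK_DOWN_KERNEL=//p' "$cfg" | head -n 1
    elif grep -q '^# CONFIG_LOCK_DOWN_KERNEL is not set' "$cfg" 2>/dev/null; then
        echo n
    else
        echo missing
    fi
}

lockdown_mode() {
    # securityfs shows e.g. "none [integrity] confidentiality"; the bracketed
    # word is the active mode. Prints "unavailable" if the file is absent.
    f="${1:-/sys/kernel/security/lockdown}"
    [ -r "$f" ] || { echo unavailable; return 0; }
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f"
}

expected_xmon_state() {
    # What the patch description says xmon does for a given lockdown mode.
    case "$1" in
        none)            echo "full access" ;;
        integrity)       echo "read-only" ;;
        confidentiality) echo "read-only, breakpoints cleared, user entry blocked" ;;
        *)               echo "unknown (lockdown not active or not built in)" ;;
    esac
}

lockdown_report() {
    cfg="${1:-/boot/config-$(uname -r)}"
    mode=$(lockdown_mode)
    echo "CONFIG_LOCK_DOWN_KERNEL: $(lockdown_config_value "$cfg")"
    echo "lockdown mode:           $mode"
    echo "expected xmon state:     $(expected_xmon_state "$mode")"
}

if [ "${1:-}" = "--report" ]; then
    lockdown_report "${2:-}"
fi
```

Run it as `sh lockdown-check.sh --report [path/to/config]` on the target host; an "n" or "missing" config value means the xmon lockdown checks in this patch never take effect there.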
