
[Deepin Kernel SIG] [Debian] Enhance kernel LOCKDOWN feature to better support secure boot #533

Merged


Avenger-285714 (Collaborator)

Linn Crosetto and others added 4 commits December 26, 2024 20:04
Add a kernel configuration option to lock down the kernel, to restrict
userspace's ability to modify the running kernel when UEFI Secure Boot is
enabled. Based on the x86 patch by Matthew Garrett.

Determine the state of Secure Boot in the EFI stub and pass this to the
kernel using the FDT.

Signed-off-by: Linn Crosetto <[email protected]>
[bwh: Forward-ported to 4.10: adjust context]
[Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream]
[bwh: Forward-ported to 4.15 and lockdown patch set:
 - Pass result of efi_get_secureboot() in stub through to
   efi_set_secure_boot() in main kernel
 - Use lockdown API and naming]
[bwh: Forward-ported to 4.19.3: adjust context in update_fdt()]
[dannf: Moved init_lockdown() call after uefi_init(), fixing SB detection]
[bwh: Drop call to init_lockdown(), as efi_set_secure_boot() now calls this]
[bwh: Forward-ported to 5.6: efi_get_secureboot() no longer takes a
 sys_table parameter]
[bwh: Forward-ported to 5.7: EFI initialisation from FDT was rewritten, so:
 - Add Secure Boot mode to the parameter enumeration in fdtparams.c
 - Add a parameter to efi_get_fdt_params() to return the Secure Boot mode
 - Since Xen does not have a property name defined for Secure Boot mode,
   change efi_get_fdt_prop() to handle a missing property name by clearing
   the output variable]
[Salvatore Bonaccorso: Forward-ported to 5.10: f30f242 ("efi: Rename
arm-init to efi-init common for all arch") renamed arm-init.c to efi-init.c]

UEFI machines can be booted in Secure Boot mode.  Add an EFI_SECURE_BOOT
flag that can be passed to efi_enabled() to find out whether secure boot is
enabled.

Move the switch-statement in x86's setup_arch() that interprets the
secure_boot boot parameter to generic code and set the bit there.

Suggested-by: Ard Biesheuvel <[email protected]>
Signed-off-by: David Howells <[email protected]>
Reviewed-by: Ard Biesheuvel <[email protected]>
cc: [email protected]
[rperier: Forward-ported to 5.5:
 - Use pr_warn()
 - Adjust context]
[bwh: Forward-ported to 5.6: adjust context]
[bwh: Forward-ported to 5.7:
 - Use the next available bit in efi.flags
 - Adjust context]

Based on an earlier patch by David Howells, who wrote the following
description:

> UEFI Secure Boot provides a mechanism for ensuring that the firmware will
> only load signed bootloaders and kernels.  Certain use cases may also
> require that all kernel modules also be signed.  Add a configuration option
> to lock down the kernel - which includes requiring validly signed
> modules - if the kernel is secure-booted.

Signed-off-by: Ben Hutchings <[email protected]>
[Salvatore Bonaccorso: After fixing https://bugs.debian.org/956197 the
help text for LOCK_DOWN_IN_EFI_SECURE_BOOT was adjusted to mention that
lockdown is triggered in integrity mode (https://bugs.debian.org/1025417)]
Signed-off-by: Salvatore Bonaccorso <[email protected]>

These drivers allow mapping arbitrary memory ranges as MTD devices.
This should be disabled to preserve the kernel's integrity when it is
locked down.

* Add the HWPARAM flag to the module parameters
* When slram is built-in, it uses __setup() to read kernel parameters,
  so add an explicit security_locked_down() check

Signed-off-by: Ben Hutchings <[email protected]>
Cc: Matthew Garrett <[email protected]>
Cc: David Howells <[email protected]>
Cc: Joern Engel <[email protected]>
Cc: [email protected]
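The four commits above describe a chain of state: the EFI stub determines the Secure Boot mode and hands it to the kernel proper, efi_set_secure_boot() records it in efi.flags, lockdown is raised to integrity mode when CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is set, and drivers that map caller-chosen physical memory (phram, slram) must then refuse. The log also records an ordering bug (init_lockdown() running before uefi_init() had populated the Secure Boot state, so a secure-booted machine stayed unlocked). The user-space C model below is an added example, not code from the Debian or Deepin trees; the function names mirror the ones the commit messages mention (efi_enabled, efi_set_secure_boot, lock_kernel_down) but their bodies, the enum values, the EFI_SECURE_BOOT bit position and the simplified slram argument format "name,start,length" are all assumptions made for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Secure Boot mode as the EFI stub reports it to the kernel proper (via the
 * FDT on arm64, via the secure_boot boot parameter on x86). Models the
 * kernel's efi_secureboot_mode; the numeric values are assumptions. */
enum sb_mode { SB_UNSET = 0, SB_UNKNOWN, SB_DISABLED, SB_ENABLED };

/* Lockdown levels in the lockdown LSM's order: none < integrity < confidentiality. */
enum lockdown_level { LOCKDOWN_NONE = 0, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX };

/* Assumed bit position; the real patch takes the next free bit in efi.flags. */
#define EFI_SECURE_BOOT_BIT 0x1ul

struct kernel_state {
    unsigned long efi_flags;            /* stands in for efi.flags */
    enum lockdown_level lockdown;       /* current lockdown level */
    bool lock_down_in_efi_secure_boot;  /* CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT */
};

static bool efi_enabled(const struct kernel_state *k, unsigned long bit)
{
    return (k->efi_flags & bit) != 0;
}

/* Model of lock_kernel_down(): the level only ever goes up. */
static int lock_kernel_down(struct kernel_state *k, const char *where, enum lockdown_level level)
{
    if (level <= k->lockdown)
        return -EPERM;
    k->lockdown = level;
    printf("Kernel is locked down from %s; see man kernel_lockdown.7\n", where);
    return 0;
}

/* Lockdown initialisation keyed off the Secure Boot flag: it can only act
 * if efi_set_secure_boot() has already set the flag. */
static void init_lockdown(struct kernel_state *k)
{
    if (k->lock_down_in_efi_secure_boot && efi_enabled(k, EFI_SECURE_BOOT_BIT))
        lock_kernel_down(k, "EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);
}

/* Model of efi_set_secure_boot(): record the firmware-reported mode. */
static void efi_set_secure_boot(struct kernel_state *k, enum sb_mode mode)
{
    switch (mode) {
    case SB_ENABLED:
        k->efi_flags |= EFI_SECURE_BOOT_BIT;
        printf("Secure boot enabled\n");
        break;
    case SB_DISABLED:
        printf("Secure boot disabled\n");
        break;
    case SB_UNKNOWN:
        printf("Secure boot could not be determined\n");
        break;
    case SB_UNSET:
        break;
    }
}

/* Boot once and return the resulting lockdown level. init_before_efi=true
 * reproduces the ordering the log records dannf fixing: lockdown initialised
 * before the Secure Boot state was known, so the machine stays unlocked. */
static enum lockdown_level boot_model(enum sb_mode fw_mode, bool config_lock_down_in_sb,
                                      bool init_before_efi)
{
    struct kernel_state k = { 0, LOCKDOWN_NONE, config_lock_down_in_sb };
    if (init_before_efi)
        init_lockdown(&k);
    efi_set_secure_boot(&k, fw_mode);
    if (!init_before_efi)
        init_lockdown(&k);   /* the final patch has efi_set_secure_boot() do this itself */
    return k.lockdown;
}

/* Model of the built-in slram __setup() path. HWPARAM flags on module
 * parameters are not consulted for __setup() parameters, so the handler must
 * check lockdown itself before mapping a caller-chosen physical range. */
struct slram_range { char name[32]; unsigned long long start, len; };

static int slram_setup(enum lockdown_level lockdown, const char *arg, struct slram_range *r)
{
    if (lockdown >= LOCKDOWN_INTEGRITY_MAX)
        return -EPERM;   /* mapping arbitrary memory would defeat integrity lockdown */
    if (sscanf(arg, "%31[^,],%llx,%llx", r->name, &r->start, &r->len) != 3 || r->len == 0)
        return -EINVAL;
    return 0;
}

/* Wrapper for callers and tests: mapped length on success, negative errno otherwise. */
static long long slram_try(enum lockdown_level lockdown, const char *arg)
{
    struct slram_range r;
    int ret = slram_setup(lockdown, arg, &r);
    return ret ? ret : (long long)r.len;
}

int main(void)
{
    printf("secure-booted, correct order: level %d\n", boot_model(SB_ENABLED, true, false));
    printf("secure-booted, lockdown initialised too early: level %d\n", boot_model(SB_ENABLED, true, true));
    printf("slram while locked down: %lld\n", slram_try(LOCKDOWN_INTEGRITY_MAX, "slram0,0x80000000,0x100000"));
    return 0;
}
```

On a real machine built with this patch set the same chain is visible from user space: `cat /sys/kernel/security/lockdown` prints the three modes with the active one in brackets (e.g. `none [integrity] confidentiality`), and the kernel log carries the "Kernel is locked down from EFI Secure Boot mode" line. Both should be checked on a secure-booted host after applying the defconfig changes, since a lockdown that silently fails to engage (the ordering bug modelled by `init_before_efi`) looks identical to a non-secure-boot machine from inside the system.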
@deepin-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from avenger-285714. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Enhance kernel LOCKDOWN feature to better support secure boot

All patches are from Debian.

Link: https://salsa.debian.org/kernel-team/linux/-/tree/debian/latest?ref_type=heads
Signed-off-by: WangYuli <[email protected]>
@deepin-ci-robot

deepin pr auto review

Code review comments:

  1. In arch/arm64/configs/deepin_arm64_desktop_defconfig, the CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT option was added, but no documentation explains its purpose and impact. It is recommended to add corresponding documentation comments.

  2. In arch/loongarch/configs/deepin_loongarch_desktop_defconfig, the CONFIG_SECURITY_LOCKDOWN_LSM_EARLY option was removed without an explanation. It is recommended to give the reason for removing this option and to make sure the removal does not affect system security.

  3. In arch/x86/configs/deepin_x86_desktop_defconfig, the value of the CONFIG_LSM option changed, adding loadpin and safesetid. It is recommended to confirm that these newly added LSM modules are consistent with the system's security policy and do not introduce new security risks.

  4. In arch/x86/kernel/setup.c, the efi_set_secure_boot function is called, but the previous code did not define it. It is recommended to check whether secureboot.c correctly adds the definition of this function.

  5. In drivers/firmware/efi/Makefile, the secureboot.o object file was added. It is recommended to confirm that this file contains the implementation of efi_set_secure_boot.

  6. In drivers/firmware/efi/efi-init.c, the signature of efi_get_fdt_params changed, adding a u32 *secure_boot parameter. It is recommended to check all call sites of this function to make sure they have been updated to the new signature.

  7. In drivers/firmware/efi/fdtparams.c, the implementation of efi_get_fdt_params was modified to add handling of the secure_boot parameter. It is recommended to confirm that this modification is correct and does not introduce new errors.

  8. In drivers/firmware/efi/libstub/fdt.c, handling of the secure_boot parameter was added. It is recommended to confirm that this modification is correct and does not introduce new errors.

  9. In drivers/firmware/efi/secureboot.c, the implementation of efi_set_secure_boot was added. It is recommended to confirm that this implementation is correct and does not introduce new errors.

  10. In drivers/mtd/devices/phram.c, the implementation of phram_param_call was modified to add support for hwparam_iomem. It is recommended to confirm that this modification is correct and does not introduce new errors.

  11. In drivers/mtd/devices/slram.c, the implementation of init_slram was modified to add a call to security_locked_down. It is recommended to confirm that this modification is correct and does not introduce new errors.

  12. In include/linux/efi.h, the declaration of efi_set_secure_boot was added. It is recommended to confirm that this declaration is correct and does not introduce new errors.

  13. In include/linux/security.h, the declaration of lock_kernel_down was added. It is recommended to confirm that this declaration is correct and does not introduce new errors.

  14. In security/lockdown/Kconfig, the LOCK_DOWN_IN_EFI_SECURE_BOOT option was added. It is recommended to confirm that adding this option is correct and does not introduce new errors.

  15. In security/lockdown/lockdown.c, the implementation of lock_kernel_down was added. It is recommended to confirm that this implementation is correct and does not introduce new errors.

Overall, these changes are intended to strengthen system security, especially the configuration and functions related to EFI Secure Boot. It is recommended to carry out thorough testing and verification before merging them, to make sure they do not introduce new security risks.

@Avenger-285714 Avenger-285714 merged commit 92f6b17 into deepin-community:linux-6.6.y Dec 27, 2024
3 of 5 checks passed
@opsiff (Member)

opsiff commented Dec 27, 2024

/ltgm
