Skip to content
This repository has been archived by the owner on Sep 24, 2020. It is now read-only.

Commit

Permalink
Merge pull request #46 from bgilbert/v4.10-coreos
Browse files Browse the repository at this point in the history
Rebase CoreOS patches onto Linux v4.10
  • Loading branch information
bgilbert authored Feb 25, 2017
2 parents c470abd + c67b19f commit 5785e7d
Show file tree
Hide file tree
Showing 22 changed files with 159 additions and 12 deletions.
2 changes: 2 additions & 0 deletions Documentation/x86/zero-page.txt
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,8 @@ Offset Proto Name Meaning
1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below)
1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer
(below)
1EB/001 ALL kbd_status Numlock is enabled
1EC/001 ALL secure_boot Secure boot is enabled in the firmware
1EF/001 ALL sentinel Used to detect broken bootloaders
290/040 ALL edd_mbr_sig_buffer EDD MBR signatures
2D0/A00 ALL e820_map E820 memory map table
Expand Down
3 changes: 2 additions & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -147,7 +147,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make
@:

sub-make:
$(Q)$(MAKE) -C $(KBUILD_OUTPUT) KBUILD_SRC=$(CURDIR) \
$(Q)$(MAKE) -C $(KBUILD_OUTPUT) \
KBUILD_SRC=$(shell realpath --relative-to=$(KBUILD_OUTPUT) $(CURDIR)) \
-f $(CURDIR)/Makefile $(filter-out _all sub-make,$(MAKECMDGOALS))

# Leave processing to above invocation of make
Expand Down
5 changes: 5 additions & 0 deletions arch/arm64/kernel/head.S
Original file line number Diff line number Diff line change
Expand Up @@ -195,6 +195,11 @@ section_table:
.short 0 // NumberOfLineNumbers (0 for executables)
.long 0xe0500020 // Characteristics (section flags)

/* CoreOS 64 byte verity hash value. */
.org _head + 512
.ascii "verity-hash"
.org _head + 512 + 64

/*
* EFI will load .text onwards at the 4k section alignment
* described in the PE/COFF header. To ensure that instruction
Expand Down
11 changes: 11 additions & 0 deletions arch/x86/Kconfig
Original file line number Diff line number Diff line change
Expand Up @@ -1815,6 +1815,17 @@ config EFI_MIXED

If unsure, say N.

config EFI_SECURE_BOOT_SIG_ENFORCE
def_bool n
depends on EFI
prompt "Force module signing when UEFI Secure Boot is enabled"
---help---
UEFI Secure Boot provides a mechanism for ensuring that the
firmware will only load signed bootloaders and kernels. Certain
use cases may also require that all kernel modules also be signed.
Say Y here to automatically enable module signature enforcement
when a system boots with UEFI Secure Boot enabled.

config SECCOMP
def_bool y
prompt "Enable seccomp to safely compute untrusted bytecode"
Expand Down
35 changes: 35 additions & 0 deletions arch/x86/boot/compressed/eboot.c
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@
#include <asm/efi.h>
#include <asm/setup.h>
#include <asm/desc.h>
#include <asm/bootparam_utils.h>

#include "../string.h"
#include "eboot.h"
Expand Down Expand Up @@ -600,6 +601,36 @@ static void setup_quirks(struct boot_params *boot_params)
}
}

static int get_secure_boot(void)
{
u8 sb, setup;
unsigned long datasize = sizeof(sb);
efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
efi_status_t status;

status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
L"SecureBoot", &var_guid, NULL, &datasize, &sb);

if (status != EFI_SUCCESS)
return 0;

if (sb == 0)
return 0;


status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
L"SetupMode", &var_guid, NULL, &datasize,
&setup);

if (status != EFI_SUCCESS)
return 0;

if (setup == 1)
return 0;

return 1;
}

static efi_status_t
setup_uga32(void **uga_handle, unsigned long size, u32 *width, u32 *height)
{
Expand Down Expand Up @@ -1157,6 +1188,10 @@ struct boot_params *efi_main(struct efi_config *c,
else
setup_boot_services32(efi_early);

sanitize_boot_params(boot_params);

boot_params->secure_boot = get_secure_boot();

setup_graphics(boot_params);

setup_efi_pci(boot_params);
Expand Down
3 changes: 2 additions & 1 deletion arch/x86/include/uapi/asm/bootparam.h
Original file line number Diff line number Diff line change
Expand Up @@ -135,7 +135,8 @@ struct boot_params {
__u8 eddbuf_entries; /* 0x1e9 */
__u8 edd_mbr_sig_buf_entries; /* 0x1ea */
__u8 kbd_status; /* 0x1eb */
__u8 _pad5[3]; /* 0x1ec */
__u8 secure_boot; /* 0x1ec */
__u8 _pad5[2]; /* 0x1ed */
/*
* The sentinel is set to a nonzero value (0xff) in header.S.
*
Expand Down
5 changes: 3 additions & 2 deletions arch/x86/kernel/ioport.c
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
#include <linux/thread_info.h>
#include <linux/syscalls.h>
#include <linux/bitmap.h>
#include <linux/module.h>
#include <asm/syscalls.h>

/*
Expand All @@ -28,7 +29,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)

if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
return -EINVAL;
if (turn_on && !capable(CAP_SYS_RAWIO))
if (turn_on && (!capable(CAP_SYS_RAWIO) || secure_modules()))
return -EPERM;

/*
Expand Down Expand Up @@ -108,7 +109,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
return -EINVAL;
/* Trying to gain more privileges? */
if (level > old) {
if (!capable(CAP_SYS_RAWIO))
if (!capable(CAP_SYS_RAWIO) || secure_modules())
return -EPERM;
}
regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
Expand Down
7 changes: 7 additions & 0 deletions arch/x86/kernel/msr.c
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
int err = 0;
ssize_t bytes = 0;

if (secure_modules())
return -EPERM;

if (count % 8)
return -EINVAL; /* Invalid chunk size */

Expand Down Expand Up @@ -131,6 +134,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
err = -EBADF;
break;
}
if (secure_modules()) {
err = -EPERM;
break;
}
if (copy_from_user(&regs, uregs, sizeof regs)) {
err = -EFAULT;
break;
Expand Down
8 changes: 8 additions & 0 deletions arch/x86/kernel/setup.c
Original file line number Diff line number Diff line change
Expand Up @@ -1184,6 +1184,14 @@ void __init setup_arch(char **cmdline_p)

io_delay_init();

#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
if (boot_params.secure_boot) {
set_bit(EFI_SECURE_BOOT, &efi.flags);
enforce_signed_modules();
pr_info("Secure boot enabled\n");
}
#endif

/*
* Parse the ACPI tables for possible boot-time SMP configuration.
*/
Expand Down
3 changes: 3 additions & 0 deletions drivers/acpi/custom_method.c
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
struct acpi_table_header table;
acpi_status status;

if (secure_modules())
return -EPERM;

if (!(*ppos)) {
/* parse the table header to get the table length */
if (count <= sizeof(struct acpi_table_header))
Expand Down
3 changes: 2 additions & 1 deletion drivers/acpi/osl.c
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@
#include <linux/list.h>
#include <linux/jiffies.h>
#include <linux/semaphore.h>
#include <linux/module.h>

#include <asm/io.h>
#include <linux/uaccess.h>
Expand Down Expand Up @@ -192,7 +193,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void)
acpi_physical_address pa = 0;

#ifdef CONFIG_KEXEC
if (acpi_rsdp)
if (acpi_rsdp && !secure_modules())
return acpi_rsdp;
#endif

Expand Down
10 changes: 10 additions & 0 deletions drivers/char/mem.c
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@
#include <linux/export.h>
#include <linux/io.h>
#include <linux/uio.h>
#include <linux/module.h>

#include <linux/uaccess.h>

Expand Down Expand Up @@ -163,6 +164,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
if (p != *ppos)
return -EFBIG;

if (secure_modules())
return -EPERM;

if (!valid_phys_addr_range(p, count))
return -EFAULT;

Expand Down Expand Up @@ -513,6 +517,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
int err = 0;

if (secure_modules())
return -EPERM;

if (p < (unsigned long) high_memory) {
unsigned long to_write = min_t(unsigned long, count,
(unsigned long)high_memory - p);
Expand Down Expand Up @@ -578,6 +585,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
unsigned long i = *ppos;
const char __user *tmp = buf;

if (secure_modules())
return -EPERM;

if (!access_ok(VERIFY_READ, buf, count))
return -EFAULT;
while (count-- > 0 && i < 65536) {
Expand Down
10 changes: 10 additions & 0 deletions drivers/pci/pci-sysfs.c
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@
#include <linux/vgaarb.h>
#include <linux/pm_runtime.h>
#include <linux/of.h>
#include <linux/module.h>
#include "pci.h"

static int sysfs_initialized; /* = 0 */
Expand Down Expand Up @@ -718,6 +719,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
loff_t init_off = off;
u8 *data = (u8 *) buf;

if (secure_modules())
return -EPERM;

if (off > dev->cfg_size)
return 0;
if (off + count > dev->cfg_size) {
Expand Down Expand Up @@ -1009,6 +1013,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
resource_size_t start, end;
int i;

if (secure_modules())
return -EPERM;

for (i = 0; i < PCI_ROM_RESOURCE; i++)
if (res == &pdev->resource[i])
break;
Expand Down Expand Up @@ -1108,6 +1115,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
struct bin_attribute *attr, char *buf,
loff_t off, size_t count)
{
if (secure_modules())
return -EPERM;

return pci_resource_io(filp, kobj, attr, buf, off, count, true);
}

Expand Down
8 changes: 7 additions & 1 deletion drivers/pci/proc.c
Original file line number Diff line number Diff line change
Expand Up @@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
int size = dev->cfg_size;
int cnt;

if (secure_modules())
return -EPERM;

if (pos >= size)
return 0;
if (nbytes >= size)
Expand Down Expand Up @@ -195,6 +198,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
#endif /* HAVE_PCI_MMAP */
int ret = 0;

if (secure_modules())
return -EPERM;

switch (cmd) {
case PCIIOC_CONTROLLER:
ret = pci_domain_nr(dev->bus);
Expand Down Expand Up @@ -233,7 +239,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
struct pci_filp_private *fpriv = file->private_data;
int i, ret, write_combine;

if (!capable(CAP_SYS_RAWIO))
if (!capable(CAP_SYS_RAWIO) || secure_modules())
return -EPERM;

/* Make sure the caller is mapping a real resource for this device */
Expand Down
3 changes: 2 additions & 1 deletion drivers/pci/syscall.c
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@
#include <linux/pci.h>
#include <linux/syscalls.h>
#include <linux/uaccess.h>
#include <linux/module.h>
#include "pci.h"

SYSCALL_DEFINE5(pciconfig_read, unsigned long, bus, unsigned long, dfn,
Expand Down Expand Up @@ -92,7 +93,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
u32 dword;
int err = 0;

if (!capable(CAP_SYS_ADMIN))
if (!capable(CAP_SYS_ADMIN) || secure_modules())
return -EPERM;

dev = pci_get_bus_and_slot(bus, dfn);
Expand Down
9 changes: 9 additions & 0 deletions drivers/platform/x86/asus-wmi.c
Original file line number Diff line number Diff line change
Expand Up @@ -1898,6 +1898,9 @@ static int show_dsts(struct seq_file *m, void *data)
int err;
u32 retval = -1;

if (secure_modules())
return -EPERM;

err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);

if (err < 0)
Expand All @@ -1914,6 +1917,9 @@ static int show_devs(struct seq_file *m, void *data)
int err;
u32 retval = -1;

if (secure_modules())
return -EPERM;

err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
&retval);

Expand All @@ -1938,6 +1944,9 @@ static int show_call(struct seq_file *m, void *data)
union acpi_object *obj;
acpi_status status;

if (secure_modules())
return -EPERM;

status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
1, asus->debug.method_id,
&input, &output);
Expand Down
1 change: 1 addition & 0 deletions include/linux/efi.h
Original file line number Diff line number Diff line change
Expand Up @@ -1065,6 +1065,7 @@ extern int __init efi_setup_pcdp_console(char *);
#define EFI_ARCH_1 7 /* First arch-specific bit */
#define EFI_DBG 8 /* Print additional debug info at runtime */
#define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */
#define EFI_SECURE_BOOT 10 /* Are we in Secure Boot mode? */

#ifdef CONFIG_EFI
/*
Expand Down
12 changes: 12 additions & 0 deletions include/linux/module.h
Original file line number Diff line number Diff line change
Expand Up @@ -260,6 +260,12 @@ extern const typeof(name) __mod_##type##__##name##_device_table \

struct notifier_block;

#ifdef CONFIG_MODULE_SIG
extern void enforce_signed_modules(void);
#else
static inline void enforce_signed_modules(void) {};
#endif

#ifdef CONFIG_MODULES

extern int modules_disabled; /* for sysctl */
Expand Down Expand Up @@ -629,6 +635,8 @@ static inline bool module_requested_async_probing(struct module *module)
return module && module->async_probe_requested;
}

extern bool secure_modules(void);

#ifdef CONFIG_LIVEPATCH
static inline bool is_livepatch_module(struct module *mod)
{
Expand Down Expand Up @@ -750,6 +758,10 @@ static inline bool module_requested_async_probing(struct module *module)
return false;
}

static inline bool secure_modules(void)
{
return false;
}
#endif /* CONFIG_MODULES */

#ifdef CONFIG_SYSFS
Expand Down
Loading

0 comments on commit 5785e7d

Please sign in to comment.