The driver is needed for testing purposes, enable it on the architectures where EFI is supported. Also, disallow access to the registered device if the kernel is locked down. --- configs/fedora/generic/CONFIG_EFI_TEST | 2 +- ...k-down-dev-efi_test-and-require-CAP_.patch | 85 +++++++++++++++++++ kernel-aarch64-debug.config | 2 +- kernel-aarch64.config | 2 +- kernel-armv7hl-debug.config | 2 +- kernel-armv7hl-lpae-debug.config | 2 +- kernel-armv7hl-lpae.config | 2 +- kernel-armv7hl.config | 2 +- kernel-i686-debug.config | 2 +- kernel-i686.config | 2 +- kernel-x86_64-debug.config | 2 +- kernel-x86_64.config | 2 +- kernel.spec | 3 + 13 files changed, 99 insertions(+), 11 deletions(-) create mode 100644 efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch
diff --git a/configs/fedora/generic/CONFIG_EFI_TEST b/configs/fedora/generic/CONFIG_EFI_TEST index 455eb306151..09ff10ce71f 100644 --- a/configs/fedora/generic/CONFIG_EFI_TEST +++ b/configs/fedora/generic/CONFIG_EFI_TEST @@ -1 +1 @@ -# CONFIG_EFI_TEST is not set +CONFIG_EFI_TEST=m diff --git a/efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch b/efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch new file mode 100644 index 00000000000..36ef9b827a5 --- /dev/null +++ b/efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch @@ -0,0 +1,85 @@ +From 6ec9c505a12c0b5822c41f2b3bf873ebaeaae034 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas javierm@redhat.com +Date: Wed, 2 Oct 2019 11:21:52 +0200 +Subject: [PATCH] efi/efi_test: lock down /dev/efi_test and require + CAP_SYS_ADMIN + +The driver exposes EFI runtime services to user-space through an IOCTL +interface, calling the EFI services function pointers directly without +using the efivar API. + +Disallow access to the /dev/efi_test character device when the kernel is +locked down to prevent arbitrary user-space to call EFI runtime services. + +Also require CAP_SYS_ADMIN to open the chardev to prevent unprivileged +users to call the EFI runtime services, instead of just relying on the +chardev file mode bits for this. + +The main user of this driver is the fwts [0] tool that already checks if +the effective user ID is 0 and fails otherwise. So this change shouldn't +cause any regression to this tool. + +[0]: https://wiki.ubuntu.com/FirmwareTestSuite/Reference/uefivarinfo + +Signed-off-by: Javier Martinez Canillas javierm@redhat.com +Acked-by: Laszlo Ersek lersek@redhat.com +Acked-by: Matthew Garrett mjg59@google.com +--- + drivers/firmware/efi/test/efi_test.c | 8 ++++++++ + include/linux/security.h | 1 + + security/lockdown/lockdown.c | 1 + + 3 files changed, 10 insertions(+) + +diff --git a/drivers/firmware/efi/test/efi_test.c b/drivers/firmware/efi/test/efi_test.c +index 877745c3aaf..7baf48c01e7 100644 +--- a/drivers/firmware/efi/test/efi_test.c ++++ b/drivers/firmware/efi/test/efi_test.c +@@ -14,6 +14,7 @@ + #include <linux/init.h> + #include <linux/proc_fs.h> + #include <linux/efi.h> ++#include <linux/security.h> + #include <linux/slab.h> + #include <linux/uaccess.h> + +@@ -717,6 +718,13 @@ static long efi_test_ioctl(struct file *file, unsigned int cmd, + + static int efi_test_open(struct inode *inode, struct file *file) + { ++ int ret = security_locked_down(LOCKDOWN_EFI_TEST); ++ ++ if (ret) ++ return ret; ++ ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EACCES; + /* + * nothing special to do here + * We do accept multiple open files at the same time as we +diff --git a/include/linux/security.h b/include/linux/security.h +index a8d59d612d2..9df7547afc0 100644 +--- a/include/linux/security.h ++++ b/include/linux/security.h +@@ -105,6 +105,7 @@ enum lockdown_reason { + LOCKDOWN_NONE, + LOCKDOWN_MODULE_SIGNATURE, + LOCKDOWN_DEV_MEM, ++ LOCKDOWN_EFI_TEST, + LOCKDOWN_KEXEC, + LOCKDOWN_HIBERNATION, + LOCKDOWN_PCI_ACCESS, +diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c +index 8a10b43daf7..40b790536de 100644 +--- a/security/lockdown/lockdown.c ++++ b/security/lockdown/lockdown.c +@@ -20,6 +20,7 @@ static const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { + [LOCKDOWN_NONE] = "none", + [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", + [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", ++ [LOCKDOWN_EFI_TEST] = "/dev/efi_test access", + [LOCKDOWN_KEXEC] = "kexec of unsigned images", + [LOCKDOWN_HIBERNATION] = "hibernation", + [LOCKDOWN_PCI_ACCESS] = "direct PCI access", +-- +2.21.0 + diff --git a/kernel-aarch64-debug.config b/kernel-aarch64-debug.config index 4b1ce9112b4..0c863055531 100644 --- a/kernel-aarch64-debug.config +++ b/kernel-aarch64-debug.config @@ -1733,7 +1733,7 @@ CONFIG_EFI_ARMSTUB_DTB_LOADER=y CONFIG_EFI_PARTITION=y CONFIG_EFI_PGT_DUMP=y # CONFIG_EFI_RCI2_TABLE is not set -# CONFIG_EFI_TEST is not set +CONFIG_EFI_TEST=m CONFIG_EFIVAR_FS=y CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y CONFIG_EFI_VARS_PSTORE=y diff --git a/kernel-aarch64.config b/kernel-aarch64.config index 21df2fad32d..2f9cab3b141 100644 --- a/kernel-aarch64.config +++ b/kernel-aarch64.config @@ -1725,7 +1725,7 @@ CONFIG_EFI_ARMSTUB_DTB_LOADER=y CONFIG_EFI_PARTITION=y # CONFIG_EFI_PGT_DUMP is not set # CONFIG_EFI_RCI2_TABLE is not set -# CONFIG_EFI_TEST is not set +CONFIG_EFI_TEST=m CONFIG_EFIVAR_FS=y CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y CONFIG_EFI_VARS_PSTORE=y diff --git a/kernel-armv7hl-debug.config b/kernel-armv7hl-debug.config index f94f3971be1..5fe089172c4 100644 --- a/kernel-armv7hl-debug.config +++ b/kernel-armv7hl-debug.config @@ -1762,7 +1762,7 @@ CONFIG_EFI_ARMSTUB_DTB_LOADER=y CONFIG_EFI_PARTITION=y CONFIG_EFI_PGT_DUMP=y # CONFIG_EFI_RCI2_TABLE is not set -# CONFIG_EFI_TEST is not set +CONFIG_EFI_TEST=m CONFIG_EFIVAR_FS=y CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y CONFIG_EFI_VARS_PSTORE=y diff --git a/kernel-armv7hl-lpae-debug.config b/kernel-armv7hl-lpae-debug.config index 3941abcffc4..223238f141b 100644 --- a/kernel-armv7hl-lpae-debug.config +++ b/kernel-armv7hl-lpae-debug.config @@ -1701,7 +1701,7 @@ CONFIG_EFI_ARMSTUB_DTB_LOADER=y CONFIG_EFI_PARTITION=y CONFIG_EFI_PGT_DUMP=y # CONFIG_EFI_RCI2_TABLE is not set -# CONFIG_EFI_TEST is not set +CONFIG_EFI_TEST=m CONFIG_EFIVAR_FS=y CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y CONFIG_EFI_VARS_PSTORE=y diff --git a/kernel-armv7hl-lpae.config b/kernel-armv7hl-lpae.config index 02461d14b79..8c0a47ce90e 100644 --- a/kernel-armv7hl-lpae.config +++ b/kernel-armv7hl-lpae.config @@ -1694,7 +1694,7 @@ CONFIG_EFI_ARMSTUB_DTB_LOADER=y CONFIG_EFI_PARTITION=y # CONFIG_EFI_PGT_DUMP is not set # CONFIG_EFI_RCI2_TABLE is not set -# CONFIG_EFI_TEST is not set +CONFIG_EFI_TEST=m CONFIG_EFIVAR_FS=y CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y CONFIG_EFI_VARS_PSTORE=y diff --git a/kernel-armv7hl.config b/kernel-armv7hl.config index 6cc7b413783..8df753f0be2 100644 --- a/kernel-armv7hl.config +++ b/kernel-armv7hl.config @@ -1755,7 +1755,7 @@ CONFIG_EFI_ARMSTUB_DTB_LOADER=y CONFIG_EFI_PARTITION=y # CONFIG_EFI_PGT_DUMP is not set # CONFIG_EFI_RCI2_TABLE is not set -# CONFIG_EFI_TEST is not set +CONFIG_EFI_TEST=m CONFIG_EFIVAR_FS=y CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y CONFIG_EFI_VARS_PSTORE=y diff --git a/kernel-i686-debug.config b/kernel-i686-debug.config index 272fe3f1291..0d9448b888d 100644 --- a/kernel-i686-debug.config +++ b/kernel-i686-debug.config @@ -1484,7 +1484,7 @@ CONFIG_EFI_PGT_DUMP=y CONFIG_EFI_RCI2_TABLE=y CONFIG_EFI_RUNTIME_MAP=y CONFIG_EFI_STUB=y -# CONFIG_EFI_TEST is not set +CONFIG_EFI_TEST=m CONFIG_EFIVAR_FS=y # CONFIG_EFI_VARS is not set # CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE is not set diff --git a/kernel-i686.config b/kernel-i686.config index f9c8e2035ed..1e3916c40b8 100644 --- a/kernel-i686.config +++ b/kernel-i686.config @@ -1475,7 +1475,7 @@ CONFIG_EFI_PARTITION=y CONFIG_EFI_RCI2_TABLE=y CONFIG_EFI_RUNTIME_MAP=y CONFIG_EFI_STUB=y -# CONFIG_EFI_TEST is not set +CONFIG_EFI_TEST=m CONFIG_EFIVAR_FS=y # CONFIG_EFI_VARS is not set # CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE is not set diff --git a/kernel-x86_64-debug.config b/kernel-x86_64-debug.config index a40147d602d..7c7573e0937 100644 --- a/kernel-x86_64-debug.config +++ b/kernel-x86_64-debug.config @@ -1528,7 +1528,7 @@ CONFIG_EFI_PGT_DUMP=y CONFIG_EFI_RCI2_TABLE=y CONFIG_EFI_RUNTIME_MAP=y CONFIG_EFI_STUB=y -# CONFIG_EFI_TEST is not set +CONFIG_EFI_TEST=m CONFIG_EFIVAR_FS=y # CONFIG_EFI_VARS is not set # CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE is not set diff --git a/kernel-x86_64.config b/kernel-x86_64.config index 99e01899102..17386faeff6 100644 --- a/kernel-x86_64.config +++ b/kernel-x86_64.config @@ -1519,7 +1519,7 @@ CONFIG_EFI_PARTITION=y CONFIG_EFI_RCI2_TABLE=y CONFIG_EFI_RUNTIME_MAP=y CONFIG_EFI_STUB=y -# CONFIG_EFI_TEST is not set +CONFIG_EFI_TEST=m CONFIG_EFIVAR_FS=y # CONFIG_EFI_VARS is not set # CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE is not set diff --git a/kernel.spec b/kernel.spec index 9d4dcf3212b..c28e1b32fd5 100644 --- a/kernel.spec +++ b/kernel.spec @@ -507,6 +507,9 @@ Patch202: 0003-Make-get_cert_list-use-efi_status_to_str-to-print-er.patch Patch204: efi-secureboot.patch
Patch205: lift-lockdown-sysrq.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1759325 +# Submitted upstream at https://lore.kernel.org/patchwork/patch/1136967/ +Patch206: efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch
# 300 - ARM patches Patch300: arm64-Add-option-of-13-for-FORCE_MAX_ZONEORDER.patch
Javier Martinez Canillas schreef op do 10-10-2019 om 13:38 [+0200]:
configs/fedora/generic/CONFIG_EFI_TEST | 2 +- [...] kernel-aarch64-debug.config | 2 +- kernel-aarch64.config | 2 +- kernel-armv7hl-debug.config | 2 +- kernel-armv7hl-lpae-debug.config | 2 +- kernel-armv7hl-lpae.config | 2 +- kernel-armv7hl.config | 2 +- kernel-i686-debug.config | 2 +- kernel-i686.config | 2 +- kernel-x86_64-debug.config | 2 +- kernel-x86_64.config | 2 +-
You enabled it globally ("generic") but no changes show up in the shipped .config files for ppc64le or in s390x. So you didn't run build_configs.sh, did you?
--- a/configs/fedora/generic/CONFIG_EFI_TEST +++ b/configs/fedora/generic/CONFIG_EFI_TEST @@ -1 +1 @@ -# CONFIG_EFI_TEST is not set +CONFIG_EFI_TEST=m
If my grepping of the upstream tree is correct EFI is indeed not relevant for powerpc or s390. So I think you should not set this globally, but only for the other four arches (as you tried to do above, but incorrectly). I think it would be easiest to disable this in .../powerpc/CONFIG_EFI_TEST and ../s390x/CONFIG_EFI_TEST.
Thanks,
Paul Bolle
On Thu, Oct 10, 2019 at 02:59:39PM +0200, Paul Bolle wrote:
Javier Martinez Canillas schreef op do 10-10-2019 om 13:38 [+0200]:
configs/fedora/generic/CONFIG_EFI_TEST | 2 +- [...] kernel-aarch64-debug.config | 2 +- kernel-aarch64.config | 2 +- kernel-armv7hl-debug.config | 2 +- kernel-armv7hl-lpae-debug.config | 2 +- kernel-armv7hl-lpae.config | 2 +- kernel-armv7hl.config | 2 +- kernel-i686-debug.config | 2 +- kernel-i686.config | 2 +- kernel-x86_64-debug.config | 2 +- kernel-x86_64.config | 2 +-
You enabled it globally ("generic") but no changes show up in the shipped .config files for ppc64le or in s390x. So you didn't run build_configs.sh, did you?
Not sure what other maintainers do, but I prefer to just run build_configs.sh myself rather than get it as part of the patch. It makes reviewing the patch easier.
Really it should be run pre-build automatically, and that might start happening in the not-to-distant future.
--- a/configs/fedora/generic/CONFIG_EFI_TEST +++ b/configs/fedora/generic/CONFIG_EFI_TEST @@ -1 +1 @@ -# CONFIG_EFI_TEST is not set +CONFIG_EFI_TEST=m
If my grepping of the upstream tree is correct EFI is indeed not relevant for powerpc or s390. So I think you should not set this globally, but only for the other four arches (as you tried to do above, but incorrectly). I think it would be easiest to disable this in .../powerpc/CONFIG_EFI_TEST and ../s390x/CONFIG_EFI_TEST.
Indeed, and when I applied this I flipped it off for s390 and ppc. Thanks for the review.
- Jeremy
On Thu, Oct 10, 2019 at 01:38:57PM +0200, Javier Martinez Canillas wrote:
The driver is needed for testing purposes, enable it on the architectures where EFI is supported. Also, disallow access to the registered device if the kernel is locked down.
Applied, thanks.I did see the bugzilla, but got busy and lost it in the shuffle. Sorry about that.
- Jeremy
kernel@lists.fedoraproject.org