From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Andrew Donnellan <ajd@linux.ibm.com>,
"Christopher M. Riedl" <cmr@informatik.wtf>,
Michael Ellerman <mpe@ellerman.id.au>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 18/38] powerpc/xmon: Restrict when kernel is locked down
Date: Fri, 5 Jun 2020 16:15:01 +0200 [thread overview]
Message-ID: <20200605140253.653389136@linuxfoundation.org> (raw)
In-Reply-To: <20200605140252.542768750@linuxfoundation.org>
From: Christopher M. Riedl <cmr@informatik.wtf>
[ Upstream commit 69393cb03ccdf29f3b452d3482ef918469d1c098 ]
Xmon should be either fully or partially disabled depending on the
kernel lockdown state.
Put xmon into read-only mode for lockdown=integrity and prevent user
entry into xmon when lockdown=confidentiality. Xmon checks the lockdown
state on every attempted entry:
(1) during early xmon'ing
(2) when triggered via sysrq
(3) when toggled via debugfs
(4) when triggered via a previously enabled breakpoint
The following lockdown state transitions are handled:
(1) lockdown=none -> lockdown=integrity
set xmon read-only mode
(2) lockdown=none -> lockdown=confidentiality
clear all breakpoints, set xmon read-only mode,
prevent user re-entry into xmon
(3) lockdown=integrity -> lockdown=confidentiality
clear all breakpoints, set xmon read-only mode,
prevent user re-entry into xmon
Suggested-by: Andrew Donnellan <ajd@linux.ibm.com>
Signed-off-by: Christopher M. Riedl <cmr@informatik.wtf>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20190907061124.1947-3-cmr@informatik.wtf
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/xmon/xmon.c | 103 ++++++++++++++++++++++++++++-------
include/linux/security.h | 2 +
security/lockdown/lockdown.c | 2 +
3 files changed, 86 insertions(+), 21 deletions(-)
diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c
index 8057aafd5f5e..6d130c89fbd8 100644
--- a/arch/powerpc/xmon/xmon.c
+++ b/arch/powerpc/xmon/xmon.c
@@ -25,6 +25,7 @@
#include <linux/nmi.h>
#include <linux/ctype.h>
#include <linux/highmem.h>
+#include <linux/security.h>
#include <asm/debugfs.h>
#include <asm/ptrace.h>
@@ -187,6 +188,8 @@ static void dump_tlb_44x(void);
static void dump_tlb_book3e(void);
#endif
+static void clear_all_bpt(void);
+
#ifdef CONFIG_PPC64
#define REG "%.16lx"
#else
@@ -283,10 +286,38 @@ Commands:\n\
" U show uptime information\n"
" ? help\n"
" # n limit output to n lines per page (for dp, dpa, dl)\n"
-" zr reboot\n\
- zh halt\n"
+" zr reboot\n"
+" zh halt\n"
;
+#ifdef CONFIG_SECURITY
+static bool xmon_is_locked_down(void)
+{
+ static bool lockdown;
+
+ if (!lockdown) {
+ lockdown = !!security_locked_down(LOCKDOWN_XMON_RW);
+ if (lockdown) {
+ printf("xmon: Disabled due to kernel lockdown\n");
+ xmon_is_ro = true;
+ }
+ }
+
+ if (!xmon_is_ro) {
+ xmon_is_ro = !!security_locked_down(LOCKDOWN_XMON_WR);
+ if (xmon_is_ro)
+ printf("xmon: Read-only due to kernel lockdown\n");
+ }
+
+ return lockdown;
+}
+#else /* CONFIG_SECURITY */
+static inline bool xmon_is_locked_down(void)
+{
+ return false;
+}
+#endif
+
static struct pt_regs *xmon_regs;
static inline void sync(void)
@@ -438,7 +469,10 @@ static bool wait_for_other_cpus(int ncpus)
return false;
}
-#endif /* CONFIG_SMP */
+#else /* CONFIG_SMP */
+static inline void get_output_lock(void) {}
+static inline void release_output_lock(void) {}
+#endif
static inline int unrecoverable_excp(struct pt_regs *regs)
{
@@ -455,6 +489,7 @@ static int xmon_core(struct pt_regs *regs, int fromipi)
int cmd = 0;
struct bpt *bp;
long recurse_jmp[JMP_BUF_LEN];
+ bool locked_down;
unsigned long offset;
unsigned long flags;
#ifdef CONFIG_SMP
@@ -465,6 +500,8 @@ static int xmon_core(struct pt_regs *regs, int fromipi)
local_irq_save(flags);
hard_irq_disable();
+ locked_down = xmon_is_locked_down();
+
if (!fromipi) {
tracing_enabled = tracing_is_on();
tracing_off();
@@ -518,7 +555,8 @@ static int xmon_core(struct pt_regs *regs, int fromipi)
if (!fromipi) {
get_output_lock();
- excprint(regs);
+ if (!locked_down)
+ excprint(regs);
if (bp) {
printf("cpu 0x%x stopped at breakpoint 0x%tx (",
cpu, BP_NUM(bp));
@@ -570,10 +608,14 @@ static int xmon_core(struct pt_regs *regs, int fromipi)
}
remove_bpts();
disable_surveillance();
- /* for breakpoint or single step, print the current instr. */
- if (bp || TRAP(regs) == 0xd00)
- ppc_inst_dump(regs->nip, 1, 0);
- printf("enter ? for help\n");
+
+ if (!locked_down) {
+ /* for breakpoint or single step, print curr insn */
+ if (bp || TRAP(regs) == 0xd00)
+ ppc_inst_dump(regs->nip, 1, 0);
+ printf("enter ? for help\n");
+ }
+
mb();
xmon_gate = 1;
barrier();
@@ -597,8 +639,9 @@ static int xmon_core(struct pt_regs *regs, int fromipi)
spin_cpu_relax();
touch_nmi_watchdog();
} else {
- cmd = cmds(regs);
- if (cmd != 0) {
+ if (!locked_down)
+ cmd = cmds(regs);
+ if (locked_down || cmd != 0) {
/* exiting xmon */
insert_bpts();
xmon_gate = 0;
@@ -635,13 +678,16 @@ static int xmon_core(struct pt_regs *regs, int fromipi)
"can't continue\n");
remove_bpts();
disable_surveillance();
- /* for breakpoint or single step, print the current instr. */
- if (bp || TRAP(regs) == 0xd00)
- ppc_inst_dump(regs->nip, 1, 0);
- printf("enter ? for help\n");
+ if (!locked_down) {
+ /* for breakpoint or single step, print current insn */
+ if (bp || TRAP(regs) == 0xd00)
+ ppc_inst_dump(regs->nip, 1, 0);
+ printf("enter ? for help\n");
+ }
}
- cmd = cmds(regs);
+ if (!locked_down)
+ cmd = cmds(regs);
insert_bpts();
in_xmon = 0;
@@ -670,7 +716,10 @@ static int xmon_core(struct pt_regs *regs, int fromipi)
}
}
#endif
- insert_cpu_bpts();
+ if (locked_down)
+ clear_all_bpt();
+ else
+ insert_cpu_bpts();
touch_nmi_watchdog();
local_irq_restore(flags);
@@ -3761,6 +3810,11 @@ static void xmon_init(int enable)
#ifdef CONFIG_MAGIC_SYSRQ
static void sysrq_handle_xmon(int key)
{
+ if (xmon_is_locked_down()) {
+ clear_all_bpt();
+ xmon_init(0);
+ return;
+ }
/* ensure xmon is enabled */
xmon_init(1);
debugger(get_irq_regs());
@@ -3782,7 +3836,6 @@ static int __init setup_xmon_sysrq(void)
device_initcall(setup_xmon_sysrq);
#endif /* CONFIG_MAGIC_SYSRQ */
-#ifdef CONFIG_DEBUG_FS
static void clear_all_bpt(void)
{
int i;
@@ -3800,18 +3853,22 @@ static void clear_all_bpt(void)
iabr = NULL;
dabr.enabled = 0;
}
-
- printf("xmon: All breakpoints cleared\n");
}
+#ifdef CONFIG_DEBUG_FS
static int xmon_dbgfs_set(void *data, u64 val)
{
xmon_on = !!val;
xmon_init(xmon_on);
/* make sure all breakpoints removed when disabling */
- if (!xmon_on)
+ if (!xmon_on) {
clear_all_bpt();
+ get_output_lock();
+ printf("xmon: All breakpoints cleared\n");
+ release_output_lock();
+ }
+
return 0;
}
@@ -3837,7 +3894,11 @@ static int xmon_early __initdata;
static int __init early_parse_xmon(char *p)
{
- if (!p || strncmp(p, "early", 5) == 0) {
+ if (xmon_is_locked_down()) {
+ xmon_init(0);
+ xmon_early = 0;
+ xmon_on = 0;
+ } else if (!p || strncmp(p, "early", 5) == 0) {
/* just "xmon" is equivalent to "xmon=early" */
xmon_init(1);
xmon_early = 1;
diff --git a/include/linux/security.h b/include/linux/security.h
index 9df7547afc0c..fd022768e91d 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -117,12 +117,14 @@ enum lockdown_reason {
LOCKDOWN_MODULE_PARAMETERS,
LOCKDOWN_MMIOTRACE,
LOCKDOWN_DEBUGFS,
+ LOCKDOWN_XMON_WR,
LOCKDOWN_INTEGRITY_MAX,
LOCKDOWN_KCORE,
LOCKDOWN_KPROBES,
LOCKDOWN_BPF_READ,
LOCKDOWN_PERF,
LOCKDOWN_TRACEFS,
+ LOCKDOWN_XMON_RW,
LOCKDOWN_CONFIDENTIALITY_MAX,
};
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 40b790536def..b2f87015d6e9 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -32,12 +32,14 @@ static const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
[LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters",
[LOCKDOWN_MMIOTRACE] = "unsafe mmio",
[LOCKDOWN_DEBUGFS] = "debugfs access",
+ [LOCKDOWN_XMON_WR] = "xmon write access",
[LOCKDOWN_INTEGRITY_MAX] = "integrity",
[LOCKDOWN_KCORE] = "/proc/kcore access",
[LOCKDOWN_KPROBES] = "use of kprobes",
[LOCKDOWN_BPF_READ] = "use of bpf to read kernel RAM",
[LOCKDOWN_PERF] = "unsafe use of perf",
[LOCKDOWN_TRACEFS] = "use of tracefs",
+ [LOCKDOWN_XMON_RW] = "xmon read and write access",
[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
};
--
2.25.1
next prev parent reply other threads:[~2020-06-05 14:18 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-05 14:14 [PATCH 5.4 00/38] 5.4.45-rc1 review Greg Kroah-Hartman
2020-06-05 14:14 ` [PATCH 5.4 01/38] Revert "cgroup: Add memory barriers to plug cgroup_rstat_updated() race window" Greg Kroah-Hartman
2020-06-05 14:14 ` [PATCH 5.4 02/38] mm: Fix mremap not considering huge pmd devmap Greg Kroah-Hartman
2020-06-05 14:14 ` [PATCH 5.4 03/38] HID: sony: Fix for broken buttons on DS3 USB dongles Greg Kroah-Hartman
2020-06-05 14:14 ` [PATCH 5.4 04/38] HID: multitouch: enable multi-input as a quirk for some devices Greg Kroah-Hartman
2020-06-05 14:14 ` [PATCH 5.4 05/38] HID: i2c-hid: add Schneider SCL142ALM to descriptor override Greg Kroah-Hartman
2020-06-05 14:14 ` [PATCH 5.4 06/38] p54usb: add AirVasT USB stick device-id Greg Kroah-Hartman
2020-06-05 14:14 ` [PATCH 5.4 07/38] mt76: mt76x02u: Add support for newer versions of the XBox One wifi adapter Greg Kroah-Hartman
2020-06-05 14:14 ` [PATCH 5.4 08/38] kernel/relay.c: handle alloc_percpu returning NULL in relay_open Greg Kroah-Hartman
2020-06-05 14:14 ` [PATCH 5.4 09/38] mmc: fix compilation of user API Greg Kroah-Hartman
2020-06-05 14:14 ` [PATCH 5.4 10/38] media: Revert "staging: imgu: Address a compiler warning on alignment" Greg Kroah-Hartman
2020-06-05 14:14 ` [PATCH 5.4 11/38] media: staging: ipu3-imgu: Move alignment attribute to field Greg Kroah-Hartman
2020-06-05 14:14 ` [PATCH 5.4 12/38] scsi: ufs: Release clock if DMA map fails Greg Kroah-Hartman
2020-06-05 14:14 ` [PATCH 5.4 13/38] net: dsa: mt7530: set CPU port to fallback mode Greg Kroah-Hartman
2020-06-05 14:14 ` [PATCH 5.4 14/38] airo: Fix read overflows sending packets Greg Kroah-Hartman
2020-06-05 14:14 ` [PATCH 5.4 15/38] drm/i915: fix port checks for MST support on gen >= 11 Greg Kroah-Hartman
2020-06-05 14:14 ` [PATCH 5.4 16/38] scsi: hisi_sas: Check sas_port before using it Greg Kroah-Hartman
2020-06-05 14:15 ` [PATCH 5.4 17/38] powerpc/powernv: Avoid re-registration of imc debugfs directory Greg Kroah-Hartman
2020-06-05 14:15 ` Greg Kroah-Hartman [this message]
2020-06-05 14:15 ` [PATCH 5.4 19/38] spi: dw: use "smp_mb()" to avoid sending spi data error Greg Kroah-Hartman
2020-06-05 14:15 ` [PATCH 5.4 20/38] ASoC: intel - fix the card names Greg Kroah-Hartman
2020-06-05 14:15 ` [PATCH 5.4 21/38] s390/ftrace: save traced function caller Greg Kroah-Hartman
2020-06-05 14:15 ` [PATCH 5.4 22/38] RDMA/qedr: Fix qpids xarray api used Greg Kroah-Hartman
2020-06-05 14:15 ` [PATCH 5.4 23/38] RDMA/qedr: Fix synchronization methods and memory leaks in qedr Greg Kroah-Hartman
2020-06-05 14:15 ` [PATCH 5.4 24/38] ARC: Fix ICCM & DCCM runtime size checks Greg Kroah-Hartman
2020-06-05 14:15 ` [PATCH 5.4 25/38] ARC: [plat-eznps]: Restrict to CONFIG_ISA_ARCOMPACT Greg Kroah-Hartman
2020-06-05 14:15 ` [PATCH 5.4 26/38] evm: Fix RCU list related warnings Greg Kroah-Hartman
2020-06-05 14:15 ` [PATCH 5.4 27/38] scsi: pm: Balance pm_only counter of request queue during system resume Greg Kroah-Hartman
2020-06-05 14:15 ` [PATCH 5.4 28/38] i2c: altera: Fix race between xfer_msg and isr thread Greg Kroah-Hartman
2020-06-05 14:15 ` [PATCH 5.4 29/38] io_uring: initialize ctx->sqo_wait earlier Greg Kroah-Hartman
2020-06-05 14:15 ` [PATCH 5.4 30/38] x86/mmiotrace: Use cpumask_available() for cpumask_var_t variables Greg Kroah-Hartman
2020-06-05 14:15 ` [PATCH 5.4 31/38] net: bmac: Fix read of MAC address from ROM Greg Kroah-Hartman
2020-06-05 14:15 ` [PATCH 5.4 32/38] drm/edid: Add Oculus Rift S to non-desktop list Greg Kroah-Hartman
2020-06-05 14:15 ` [PATCH 5.4 33/38] s390/mm: fix set_huge_pte_at() for empty ptes Greg Kroah-Hartman
2020-06-05 14:15 ` [PATCH 5.4 34/38] null_blk: return error for invalid zone size Greg Kroah-Hartman
2020-06-05 14:15 ` [PATCH 5.4 35/38] net/ethernet/freescale: rework quiesce/activate for ucc_geth Greg Kroah-Hartman
2020-06-05 14:15 ` [PATCH 5.4 36/38] net: ethernet: stmmac: Enable interface clocks on probe for IPQ806x Greg Kroah-Hartman
2020-06-05 14:15 ` [PATCH 5.4 37/38] selftests: mlxsw: qos_mc_aware: Specify arping timeout as an integer Greg Kroah-Hartman
2020-06-05 14:15 ` [PATCH 5.4 38/38] net: smsc911x: Fix runtime PM imbalance on error Greg Kroah-Hartman
2020-06-05 22:16 ` [PATCH 5.4 00/38] 5.4.45-rc1 review Shuah Khan
[not found] ` <20200605140252.542768750-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org>
2020-06-06 6:22 ` Jon Hunter
2020-06-06 6:22 ` Jon Hunter
2020-06-06 13:33 ` Guenter Roeck
2020-06-06 16:26 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200605140253.653389136@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ajd@linux.ibm.com \
--cc=cmr@informatik.wtf \
--cc=linux-kernel@vger.kernel.org \
--cc=mpe@ellerman.id.au \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.