[PATCH] Enable CONFIG_EFI_TEST as a module (rhbz 1759325)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The driver is needed for testing purposes, enable it on the architectures
where EFI is supported. Also, disallow access to the registered device if
the kernel is locked down.
---
 configs/fedora/generic/CONFIG_EFI_TEST        |  2 +-
 ...k-down-dev-efi_test-and-require-CAP_.patch | 85 +++++++++++++++++++
 kernel-aarch64-debug.config                   |  2 +-
 kernel-aarch64.config                         |  2 +-
 kernel-armv7hl-debug.config                   |  2 +-
 kernel-armv7hl-lpae-debug.config              |  2 +-
 kernel-armv7hl-lpae.config                    |  2 +-
 kernel-armv7hl.config                         |  2 +-
 kernel-i686-debug.config                      |  2 +-
 kernel-i686.config                            |  2 +-
 kernel-x86_64-debug.config                    |  2 +-
 kernel-x86_64.config                          |  2 +-
 kernel.spec                                   |  3 +
 13 files changed, 99 insertions(+), 11 deletions(-)
 create mode 100644 efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch

diff --git a/configs/fedora/generic/CONFIG_EFI_TEST b/configs/fedora/generic/CONFIG_EFI_TEST
index 455eb306151..09ff10ce71f 100644
--- a/configs/fedora/generic/CONFIG_EFI_TEST
+++ b/configs/fedora/generic/CONFIG_EFI_TEST
@@ -1 +1 @@
-# CONFIG_EFI_TEST is not set
+CONFIG_EFI_TEST=m
diff --git a/efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch b/efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch
new file mode 100644
index 00000000000..36ef9b827a5
--- /dev/null
+++ b/efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch
@@ -0,0 +1,85 @@
+From 6ec9c505a12c0b5822c41f2b3bf873ebaeaae034 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@xxxxxxxxxx>
+Date: Wed, 2 Oct 2019 11:21:52 +0200
+Subject: [PATCH] efi/efi_test: lock down /dev/efi_test and require
+ CAP_SYS_ADMIN
+
+The driver exposes EFI runtime services to user-space through an IOCTL
+interface, calling the EFI services function pointers directly without
+using the efivar API.
+
+Disallow access to the /dev/efi_test character device when the kernel is
+locked down to prevent arbitrary user-space to call EFI runtime services.
+
+Also require CAP_SYS_ADMIN to open the chardev to prevent unprivileged
+users to call the EFI runtime services, instead of just relying on the
+chardev file mode bits for this.
+
+The main user of this driver is the fwts [0] tool that already checks if
+the effective user ID is 0 and fails otherwise. So this change shouldn't
+cause any regression to this tool.
+
+[0]: https://wiki.ubuntu.com/FirmwareTestSuite/Reference/uefivarinfo
+
+Signed-off-by: Javier Martinez Canillas <javierm@xxxxxxxxxx>
+Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>
+Acked-by: Matthew Garrett <mjg59@xxxxxxxxxx>
+---
+ drivers/firmware/efi/test/efi_test.c | 8 ++++++++
+ include/linux/security.h             | 1 +
+ security/lockdown/lockdown.c         | 1 +
+ 3 files changed, 10 insertions(+)
+
+diff --git a/drivers/firmware/efi/test/efi_test.c b/drivers/firmware/efi/test/efi_test.c
+index 877745c3aaf..7baf48c01e7 100644
+--- a/drivers/firmware/efi/test/efi_test.c
++++ b/drivers/firmware/efi/test/efi_test.c
+@@ -14,6 +14,7 @@
+ #include <linux/init.h>
+ #include <linux/proc_fs.h>
+ #include <linux/efi.h>
++#include <linux/security.h>
+ #include <linux/slab.h>
+ #include <linux/uaccess.h>
+ 
+@@ -717,6 +718,13 @@ static long efi_test_ioctl(struct file *file, unsigned int cmd,
+ 
+ static int efi_test_open(struct inode *inode, struct file *file)
+ {
++	int ret = security_locked_down(LOCKDOWN_EFI_TEST);
++
++	if (ret)
++		return ret;
++
++	if (!capable(CAP_SYS_ADMIN))
++		return -EACCES;
+ 	/*
+ 	 * nothing special to do here
+ 	 * We do accept multiple open files at the same time as we
+diff --git a/include/linux/security.h b/include/linux/security.h
+index a8d59d612d2..9df7547afc0 100644
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -105,6 +105,7 @@ enum lockdown_reason {
+ 	LOCKDOWN_NONE,
+ 	LOCKDOWN_MODULE_SIGNATURE,
+ 	LOCKDOWN_DEV_MEM,
++	LOCKDOWN_EFI_TEST,
+ 	LOCKDOWN_KEXEC,
+ 	LOCKDOWN_HIBERNATION,
+ 	LOCKDOWN_PCI_ACCESS,
+diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
+index 8a10b43daf7..40b790536de 100644
+--- a/security/lockdown/lockdown.c
++++ b/security/lockdown/lockdown.c
+@@ -20,6 +20,7 @@ static const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
+ 	[LOCKDOWN_NONE] = "none",
+ 	[LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading",
+ 	[LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port",
++	[LOCKDOWN_EFI_TEST] = "/dev/efi_test access",
+ 	[LOCKDOWN_KEXEC] = "kexec of unsigned images",
+ 	[LOCKDOWN_HIBERNATION] = "hibernation",
+ 	[LOCKDOWN_PCI_ACCESS] = "direct PCI access",
+-- 
+2.21.0
+
diff --git a/kernel-aarch64-debug.config b/kernel-aarch64-debug.config
index 4b1ce9112b4..0c863055531 100644
--- a/kernel-aarch64-debug.config
+++ b/kernel-aarch64-debug.config
@@ -1733,7 +1733,7 @@ CONFIG_EFI_ARMSTUB_DTB_LOADER=y
 CONFIG_EFI_PARTITION=y
 CONFIG_EFI_PGT_DUMP=y
 # CONFIG_EFI_RCI2_TABLE is not set
-# CONFIG_EFI_TEST is not set
+CONFIG_EFI_TEST=m
 CONFIG_EFIVAR_FS=y
 CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y
 CONFIG_EFI_VARS_PSTORE=y
diff --git a/kernel-aarch64.config b/kernel-aarch64.config
index 21df2fad32d..2f9cab3b141 100644
--- a/kernel-aarch64.config
+++ b/kernel-aarch64.config
@@ -1725,7 +1725,7 @@ CONFIG_EFI_ARMSTUB_DTB_LOADER=y
 CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 # CONFIG_EFI_RCI2_TABLE is not set
-# CONFIG_EFI_TEST is not set
+CONFIG_EFI_TEST=m
 CONFIG_EFIVAR_FS=y
 CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y
 CONFIG_EFI_VARS_PSTORE=y
diff --git a/kernel-armv7hl-debug.config b/kernel-armv7hl-debug.config
index f94f3971be1..5fe089172c4 100644
--- a/kernel-armv7hl-debug.config
+++ b/kernel-armv7hl-debug.config
@@ -1762,7 +1762,7 @@ CONFIG_EFI_ARMSTUB_DTB_LOADER=y
 CONFIG_EFI_PARTITION=y
 CONFIG_EFI_PGT_DUMP=y
 # CONFIG_EFI_RCI2_TABLE is not set
-# CONFIG_EFI_TEST is not set
+CONFIG_EFI_TEST=m
 CONFIG_EFIVAR_FS=y
 CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y
 CONFIG_EFI_VARS_PSTORE=y
diff --git a/kernel-armv7hl-lpae-debug.config b/kernel-armv7hl-lpae-debug.config
index 3941abcffc4..223238f141b 100644
--- a/kernel-armv7hl-lpae-debug.config
+++ b/kernel-armv7hl-lpae-debug.config
@@ -1701,7 +1701,7 @@ CONFIG_EFI_ARMSTUB_DTB_LOADER=y
 CONFIG_EFI_PARTITION=y
 CONFIG_EFI_PGT_DUMP=y
 # CONFIG_EFI_RCI2_TABLE is not set
-# CONFIG_EFI_TEST is not set
+CONFIG_EFI_TEST=m
 CONFIG_EFIVAR_FS=y
 CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y
 CONFIG_EFI_VARS_PSTORE=y
diff --git a/kernel-armv7hl-lpae.config b/kernel-armv7hl-lpae.config
index 02461d14b79..8c0a47ce90e 100644
--- a/kernel-armv7hl-lpae.config
+++ b/kernel-armv7hl-lpae.config
@@ -1694,7 +1694,7 @@ CONFIG_EFI_ARMSTUB_DTB_LOADER=y
 CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 # CONFIG_EFI_RCI2_TABLE is not set
-# CONFIG_EFI_TEST is not set
+CONFIG_EFI_TEST=m
 CONFIG_EFIVAR_FS=y
 CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y
 CONFIG_EFI_VARS_PSTORE=y
diff --git a/kernel-armv7hl.config b/kernel-armv7hl.config
index 6cc7b413783..8df753f0be2 100644
--- a/kernel-armv7hl.config
+++ b/kernel-armv7hl.config
@@ -1755,7 +1755,7 @@ CONFIG_EFI_ARMSTUB_DTB_LOADER=y
 CONFIG_EFI_PARTITION=y
 # CONFIG_EFI_PGT_DUMP is not set
 # CONFIG_EFI_RCI2_TABLE is not set
-# CONFIG_EFI_TEST is not set
+CONFIG_EFI_TEST=m
 CONFIG_EFIVAR_FS=y
 CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y
 CONFIG_EFI_VARS_PSTORE=y
diff --git a/kernel-i686-debug.config b/kernel-i686-debug.config
index 272fe3f1291..0d9448b888d 100644
--- a/kernel-i686-debug.config
+++ b/kernel-i686-debug.config
@@ -1484,7 +1484,7 @@ CONFIG_EFI_PGT_DUMP=y
 CONFIG_EFI_RCI2_TABLE=y
 CONFIG_EFI_RUNTIME_MAP=y
 CONFIG_EFI_STUB=y
-# CONFIG_EFI_TEST is not set
+CONFIG_EFI_TEST=m
 CONFIG_EFIVAR_FS=y
 # CONFIG_EFI_VARS is not set
 # CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE is not set
diff --git a/kernel-i686.config b/kernel-i686.config
index f9c8e2035ed..1e3916c40b8 100644
--- a/kernel-i686.config
+++ b/kernel-i686.config
@@ -1475,7 +1475,7 @@ CONFIG_EFI_PARTITION=y
 CONFIG_EFI_RCI2_TABLE=y
 CONFIG_EFI_RUNTIME_MAP=y
 CONFIG_EFI_STUB=y
-# CONFIG_EFI_TEST is not set
+CONFIG_EFI_TEST=m
 CONFIG_EFIVAR_FS=y
 # CONFIG_EFI_VARS is not set
 # CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE is not set
diff --git a/kernel-x86_64-debug.config b/kernel-x86_64-debug.config
index a40147d602d..7c7573e0937 100644
--- a/kernel-x86_64-debug.config
+++ b/kernel-x86_64-debug.config
@@ -1528,7 +1528,7 @@ CONFIG_EFI_PGT_DUMP=y
 CONFIG_EFI_RCI2_TABLE=y
 CONFIG_EFI_RUNTIME_MAP=y
 CONFIG_EFI_STUB=y
-# CONFIG_EFI_TEST is not set
+CONFIG_EFI_TEST=m
 CONFIG_EFIVAR_FS=y
 # CONFIG_EFI_VARS is not set
 # CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE is not set
diff --git a/kernel-x86_64.config b/kernel-x86_64.config
index 99e01899102..17386faeff6 100644
--- a/kernel-x86_64.config
+++ b/kernel-x86_64.config
@@ -1519,7 +1519,7 @@ CONFIG_EFI_PARTITION=y
 CONFIG_EFI_RCI2_TABLE=y
 CONFIG_EFI_RUNTIME_MAP=y
 CONFIG_EFI_STUB=y
-# CONFIG_EFI_TEST is not set
+CONFIG_EFI_TEST=m
 CONFIG_EFIVAR_FS=y
 # CONFIG_EFI_VARS is not set
 # CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE is not set
diff --git a/kernel.spec b/kernel.spec
index 9d4dcf3212b..c28e1b32fd5 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -507,6 +507,9 @@ Patch202: 0003-Make-get_cert_list-use-efi_status_to_str-to-print-er.patch
 Patch204: efi-secureboot.patch
 
 Patch205: lift-lockdown-sysrq.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1759325
+# Submitted upstream at https://lore.kernel.org/patchwork/patch/1136967/
+Patch206: efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch
 
 # 300 - ARM patches
 Patch300: arm64-Add-option-of-13-for-FORCE_MAX_ZONEORDER.patch
-- 
2.21.0
_______________________________________________
kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx




[Index of Archives]     [Fedora General Discussion]     [Older Fedora Users Archive]     [Fedora Advisory Board]     [Fedora Security]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Mentors]     [Fedora Package Announce]     [Fedora Package Review]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Coolkey]     [Yum Users]     [Tux]     [Yosemite News]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [USB]     [Asterisk PBX]

  Powered by Linux