The driver is needed for testing purposes, enable it on the architectures where EFI is supported. Also, disallow access to the registered device if the kernel is locked down. --- configs/fedora/generic/CONFIG_EFI_TEST | 2 +- ...k-down-dev-efi_test-and-require-CAP_.patch | 85 +++++++++++++++++++ kernel-aarch64-debug.config | 2 +- kernel-aarch64.config | 2 +- kernel-armv7hl-debug.config | 2 +- kernel-armv7hl-lpae-debug.config | 2 +- kernel-armv7hl-lpae.config | 2 +- kernel-armv7hl.config | 2 +- kernel-i686-debug.config | 2 +- kernel-i686.config | 2 +- kernel-x86_64-debug.config | 2 +- kernel-x86_64.config | 2 +- kernel.spec | 3 + 13 files changed, 99 insertions(+), 11 deletions(-) create mode 100644 efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch diff --git a/configs/fedora/generic/CONFIG_EFI_TEST b/configs/fedora/generic/CONFIG_EFI_TEST index 455eb306151..09ff10ce71f 100644 --- a/configs/fedora/generic/CONFIG_EFI_TEST +++ b/configs/fedora/generic/CONFIG_EFI_TEST @@ -1 +1 @@ -# CONFIG_EFI_TEST is not set +CONFIG_EFI_TEST=m diff --git a/efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch b/efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch new file mode 100644 index 00000000000..36ef9b827a5 --- /dev/null +++ b/efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch @@ -0,0 +1,85 @@ +From 6ec9c505a12c0b5822c41f2b3bf873ebaeaae034 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas <javierm@xxxxxxxxxx> +Date: Wed, 2 Oct 2019 11:21:52 +0200 +Subject: [PATCH] efi/efi_test: lock down /dev/efi_test and require + CAP_SYS_ADMIN + +The driver exposes EFI runtime services to user-space through an IOCTL +interface, calling the EFI services function pointers directly without +using the efivar API. + +Disallow access to the /dev/efi_test character device when the kernel is +locked down to prevent arbitrary user-space to call EFI runtime services. + +Also require CAP_SYS_ADMIN to open the chardev to prevent unprivileged +users to call the EFI runtime services, instead of just relying on the +chardev file mode bits for this. + +The main user of this driver is the fwts [0] tool that already checks if +the effective user ID is 0 and fails otherwise. So this change shouldn't +cause any regression to this tool. + +[0]: https://wiki.ubuntu.com/FirmwareTestSuite/Reference/uefivarinfo + +Signed-off-by: Javier Martinez Canillas <javierm@xxxxxxxxxx> +Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx> +Acked-by: Matthew Garrett <mjg59@xxxxxxxxxx> +--- + drivers/firmware/efi/test/efi_test.c | 8 ++++++++ + include/linux/security.h | 1 + + security/lockdown/lockdown.c | 1 + + 3 files changed, 10 insertions(+) + +diff --git a/drivers/firmware/efi/test/efi_test.c b/drivers/firmware/efi/test/efi_test.c +index 877745c3aaf..7baf48c01e7 100644 +--- a/drivers/firmware/efi/test/efi_test.c ++++ b/drivers/firmware/efi/test/efi_test.c +@@ -14,6 +14,7 @@ + #include <linux/init.h> + #include <linux/proc_fs.h> + #include <linux/efi.h> ++#include <linux/security.h> + #include <linux/slab.h> + #include <linux/uaccess.h> + +@@ -717,6 +718,13 @@ static long efi_test_ioctl(struct file *file, unsigned int cmd, + + static int efi_test_open(struct inode *inode, struct file *file) + { ++ int ret = security_locked_down(LOCKDOWN_EFI_TEST); ++ ++ if (ret) ++ return ret; ++ ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EACCES; + /* + * nothing special to do here + * We do accept multiple open files at the same time as we +diff --git a/include/linux/security.h b/include/linux/security.h +index a8d59d612d2..9df7547afc0 100644 +--- a/include/linux/security.h ++++ b/include/linux/security.h +@@ -105,6 +105,7 @@ enum lockdown_reason { + LOCKDOWN_NONE, + LOCKDOWN_MODULE_SIGNATURE, + LOCKDOWN_DEV_MEM, ++ LOCKDOWN_EFI_TEST, + LOCKDOWN_KEXEC, + LOCKDOWN_HIBERNATION, + LOCKDOWN_PCI_ACCESS, +diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c +index 8a10b43daf7..40b790536de 100644 +--- a/security/lockdown/lockdown.c ++++ b/security/lockdown/lockdown.c +@@ -20,6 +20,7 @@ static const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { + [LOCKDOWN_NONE] = "none", + [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", + [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", ++ [LOCKDOWN_EFI_TEST] = "/dev/efi_test access", + [LOCKDOWN_KEXEC] = "kexec of unsigned images", + [LOCKDOWN_HIBERNATION] = "hibernation", + [LOCKDOWN_PCI_ACCESS] = "direct PCI access", +-- +2.21.0 + diff --git a/kernel-aarch64-debug.config b/kernel-aarch64-debug.config index 4b1ce9112b4..0c863055531 100644 --- a/kernel-aarch64-debug.config +++ b/kernel-aarch64-debug.config @@ -1733,7 +1733,7 @@ CONFIG_EFI_ARMSTUB_DTB_LOADER=y CONFIG_EFI_PARTITION=y CONFIG_EFI_PGT_DUMP=y # CONFIG_EFI_RCI2_TABLE is not set -# CONFIG_EFI_TEST is not set +CONFIG_EFI_TEST=m CONFIG_EFIVAR_FS=y CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y CONFIG_EFI_VARS_PSTORE=y diff --git a/kernel-aarch64.config b/kernel-aarch64.config index 21df2fad32d..2f9cab3b141 100644 --- a/kernel-aarch64.config +++ b/kernel-aarch64.config @@ -1725,7 +1725,7 @@ CONFIG_EFI_ARMSTUB_DTB_LOADER=y CONFIG_EFI_PARTITION=y # CONFIG_EFI_PGT_DUMP is not set # CONFIG_EFI_RCI2_TABLE is not set -# CONFIG_EFI_TEST is not set +CONFIG_EFI_TEST=m CONFIG_EFIVAR_FS=y CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y CONFIG_EFI_VARS_PSTORE=y diff --git a/kernel-armv7hl-debug.config b/kernel-armv7hl-debug.config index f94f3971be1..5fe089172c4 100644 --- a/kernel-armv7hl-debug.config +++ b/kernel-armv7hl-debug.config @@ -1762,7 +1762,7 @@ CONFIG_EFI_ARMSTUB_DTB_LOADER=y CONFIG_EFI_PARTITION=y CONFIG_EFI_PGT_DUMP=y # CONFIG_EFI_RCI2_TABLE is not set -# CONFIG_EFI_TEST is not set +CONFIG_EFI_TEST=m CONFIG_EFIVAR_FS=y CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y CONFIG_EFI_VARS_PSTORE=y diff --git a/kernel-armv7hl-lpae-debug.config b/kernel-armv7hl-lpae-debug.config index 3941abcffc4..223238f141b 100644 --- a/kernel-armv7hl-lpae-debug.config +++ b/kernel-armv7hl-lpae-debug.config @@ -1701,7 +1701,7 @@ CONFIG_EFI_ARMSTUB_DTB_LOADER=y CONFIG_EFI_PARTITION=y CONFIG_EFI_PGT_DUMP=y # CONFIG_EFI_RCI2_TABLE is not set -# CONFIG_EFI_TEST is not set +CONFIG_EFI_TEST=m CONFIG_EFIVAR_FS=y CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y CONFIG_EFI_VARS_PSTORE=y diff --git a/kernel-armv7hl-lpae.config b/kernel-armv7hl-lpae.config index 02461d14b79..8c0a47ce90e 100644 --- a/kernel-armv7hl-lpae.config +++ b/kernel-armv7hl-lpae.config @@ -1694,7 +1694,7 @@ CONFIG_EFI_ARMSTUB_DTB_LOADER=y CONFIG_EFI_PARTITION=y # CONFIG_EFI_PGT_DUMP is not set # CONFIG_EFI_RCI2_TABLE is not set -# CONFIG_EFI_TEST is not set +CONFIG_EFI_TEST=m CONFIG_EFIVAR_FS=y CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y CONFIG_EFI_VARS_PSTORE=y diff --git a/kernel-armv7hl.config b/kernel-armv7hl.config index 6cc7b413783..8df753f0be2 100644 --- a/kernel-armv7hl.config +++ b/kernel-armv7hl.config @@ -1755,7 +1755,7 @@ CONFIG_EFI_ARMSTUB_DTB_LOADER=y CONFIG_EFI_PARTITION=y # CONFIG_EFI_PGT_DUMP is not set # CONFIG_EFI_RCI2_TABLE is not set -# CONFIG_EFI_TEST is not set +CONFIG_EFI_TEST=m CONFIG_EFIVAR_FS=y CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y CONFIG_EFI_VARS_PSTORE=y diff --git a/kernel-i686-debug.config b/kernel-i686-debug.config index 272fe3f1291..0d9448b888d 100644 --- a/kernel-i686-debug.config +++ b/kernel-i686-debug.config @@ -1484,7 +1484,7 @@ CONFIG_EFI_PGT_DUMP=y CONFIG_EFI_RCI2_TABLE=y CONFIG_EFI_RUNTIME_MAP=y CONFIG_EFI_STUB=y -# CONFIG_EFI_TEST is not set +CONFIG_EFI_TEST=m CONFIG_EFIVAR_FS=y # CONFIG_EFI_VARS is not set # CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE is not set diff --git a/kernel-i686.config b/kernel-i686.config index f9c8e2035ed..1e3916c40b8 100644 --- a/kernel-i686.config +++ b/kernel-i686.config @@ -1475,7 +1475,7 @@ CONFIG_EFI_PARTITION=y CONFIG_EFI_RCI2_TABLE=y CONFIG_EFI_RUNTIME_MAP=y CONFIG_EFI_STUB=y -# CONFIG_EFI_TEST is not set +CONFIG_EFI_TEST=m CONFIG_EFIVAR_FS=y # CONFIG_EFI_VARS is not set # CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE is not set diff --git a/kernel-x86_64-debug.config b/kernel-x86_64-debug.config index a40147d602d..7c7573e0937 100644 --- a/kernel-x86_64-debug.config +++ b/kernel-x86_64-debug.config @@ -1528,7 +1528,7 @@ CONFIG_EFI_PGT_DUMP=y CONFIG_EFI_RCI2_TABLE=y CONFIG_EFI_RUNTIME_MAP=y CONFIG_EFI_STUB=y -# CONFIG_EFI_TEST is not set +CONFIG_EFI_TEST=m CONFIG_EFIVAR_FS=y # CONFIG_EFI_VARS is not set # CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE is not set diff --git a/kernel-x86_64.config b/kernel-x86_64.config index 99e01899102..17386faeff6 100644 --- a/kernel-x86_64.config +++ b/kernel-x86_64.config @@ -1519,7 +1519,7 @@ CONFIG_EFI_PARTITION=y CONFIG_EFI_RCI2_TABLE=y CONFIG_EFI_RUNTIME_MAP=y CONFIG_EFI_STUB=y -# CONFIG_EFI_TEST is not set +CONFIG_EFI_TEST=m CONFIG_EFIVAR_FS=y # CONFIG_EFI_VARS is not set # CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE is not set diff --git a/kernel.spec b/kernel.spec index 9d4dcf3212b..c28e1b32fd5 100644 --- a/kernel.spec +++ b/kernel.spec @@ -507,6 +507,9 @@ Patch202: 0003-Make-get_cert_list-use-efi_status_to_str-to-print-er.patch Patch204: efi-secureboot.patch Patch205: lift-lockdown-sysrq.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1759325 +# Submitted upstream at https://lore.kernel.org/patchwork/patch/1136967/ +Patch206: efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch # 300 - ARM patches Patch300: arm64-Add-option-of-13-for-FORCE_MAX_ZONEORDER.patch -- 2.21.0 _______________________________________________ kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx