From: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
efi,lockdown: fix kernel lockdown on Secure Boot
Upstream commit 77b644c39d6a ("init/main.c: Initialize early LSMs after arch code, static keys and calls") changed the order of initialization of LSM hooks, so the Fedora/RHEL code to automatically put the kernel into integrity lockdown mode stopped working (because at the time setup_arch() calls security_lock_kernel_down(), the LSM hooks are not yet initialized). Fix this by making security_lock_kernel_down() a normal function directly defined in security/lockdown/lockdown.c (there is no reason to make it an LSM hook, anyway), which allows it to be called before early_security_init()/security_init() gets called.
CVE: CVE-2025-1272
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2333706
RH-Fixes: 77b644c39d6a ("init/main.c: Initialize early LSMs after arch code, static keys and calls")
Upstream Status: RHEL only
Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index blahblah..blahblah 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -443,7 +443,6 @@ LSM_HOOK(int, 0, bpf_token_capable, const struct bpf_token *token, int cap)
 #endif /* CONFIG_BPF_SYSCALL */
 LSM_HOOK(int, 0, locked_down, enum lockdown_reason what)
-LSM_HOOK(int, 0, lock_kernel_down, const char *where, enum lockdown_reason level)
 #ifdef CONFIG_PERF_EVENTS
diff --git a/include/linux/security.h b/include/linux/security.h
index blahblah..blahblah 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -574,7 +574,6 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
 int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
 int security_inode_getsecctx(struct inode *inode, struct lsm_context *cp);
 int security_locked_down(enum lockdown_reason what);
-int security_lock_kernel_down(const char *where, enum lockdown_reason level);
 int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, u32 *uctx_len, void *val, size_t val_len, u64 id, u64 flags);
 int security_bdev_alloc(struct block_device *bdev);
@@ -1581,10 +1580,6 @@ static inline int security_locked_down(enum lockdown_reason what)
 {
 	return 0;
 }
-static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level)
-{
-	return 0;
-}
 static inline int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, u32 *uctx_len, void *val, size_t val_len, u64 id, u64 flags)
@@ -2391,4 +2386,13 @@ static inline void security_initramfs_populated(void)
 }
 #endif /* CONFIG_SECURITY */
+#ifdef CONFIG_SECURITY_LOCKDOWN_LSM
+extern int security_lock_kernel_down(const char *where, enum lockdown_reason level);
+#else
+static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level)
+{
+	return 0;
+}
+#endif /* CONFIG_SECURITY_LOCKDOWN_LSM */
+
 #endif /* ! __LINUX_SECURITY_H */
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index blahblah..blahblah 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
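Review bot: The added `+extern int security_lock_kernel_down(...)` prototype in the last security.h hunk carries an `extern` that checkpatch flags on function prototypes in headers, and none of the neighbouring declarations (e.g. `security_locked_down` above) use it; `int security_lock_kernel_down(const char *where, enum lockdown_reason level);` is the conventional form. The new block also deserves a short comment recording why it lives outside the `CONFIG_SECURITY` hook machinery, since the rationale in the commit message will otherwise be invisible to readers of the header: `/* Not an LSM hook: setup_arch() calls this before early_security_init() has run. */`. The `#else` stub is what every caller gets when the lockdown LSM is compiled out, so a lockdown request then silently succeeds with 0 — the same behaviour as the removed `CONFIG_SECURITY` stub, but worth stating in that comment so EFI Secure Boot callers do not assume the return value proves enforcement.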
@@ -72,9 +72,19 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
 	return 0;
 }
+/**
+ * security_lock_kernel_down() - Put the kernel into lock-down mode.
+ *
+ * @where: Where the lock-down is originating from (e.g. command line option)
+ * @level: The lock-down level (can only increase)
+ */
+int security_lock_kernel_down(const char *where, enum lockdown_reason level)
+{
+	return lock_kernel_down(where, level);
+}
+
 static struct security_hook_list lockdown_hooks[] __ro_after_init = {
 	LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
-	LSM_HOOK_INIT(lock_kernel_down, lock_kernel_down),
 };
 static const struct lsm_id lockdown_lsmid = {
diff --git a/security/security.c b/security/security.c
index blahblah..blahblah 100644
--- a/security/security.c
+++ b/security/security.c
@@ -5801,18 +5801,6 @@ int security_locked_down(enum lockdown_reason what)
 }
 EXPORT_SYMBOL(security_locked_down);
-/**
- * security_lock_kernel_down() - Put the kernel into lock-down mode.
- *
- * @where: Where the lock-down is originating from (e.g. command line option)
- * @level: The lock-down level (can only increase)
- */
-int security_lock_kernel_down(const char *where, enum lockdown_reason level)
-{
-	return call_int_hook(lock_kernel_down, where, level);
-}
-EXPORT_SYMBOL(security_lock_kernel_down);
-
 /**
  * security_bdev_alloc() - Allocate a block device LSM blob
  * @bdev: block device
-- 
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/3694
-- 
_______________________________________________
kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
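Review bot: The security.c hunk removes `EXPORT_SYMBOL(security_lock_kernel_down);` but the new definition in lockdown.c is not re-exported, so the symbol silently disappears for module callers; if no module needs it that is fine, but it is an interface change the commit message does not mention and should either be restored with `EXPORT_SYMBOL(security_lock_kernel_down);` after the new function or called out explicitly. Because the new wrapper calls `lock_kernel_down()` directly instead of through the hook table, it will also run when the lockdown LSM is built in but not enabled in the boot-time LSM list (`lsm=`/`CONFIG_LSM`), where the old hook-based call was a no-op; `lock_kernel_down()` is outside this hunk, so whether it records or logs a lockdown that the still-hook-based `lockdown_is_locked_down()` will never enforce in that configuration needs confirming, and either a guard on the LSM's enabled state or a sentence in the kernel-doc saying the call does not imply enforcement would close the gap. The new kernel-doc should also carry a `Return:` line stating that the value is whatever `lock_kernel_down()` returns, since callers in setup_arch() may treat non-zero as a failure to lock down.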