public inbox for linuxppc-dev@ozlabs.org 
From: Daniel Axtens <dja@axtens•net>
To: Joel Stanley <joel@jms•id.au>, Michael Ellerman <mpe@ellerman•id.au>
Cc: linuxppc-dev <linuxppc-dev@ozlabs•org>,
	Oliver O'Halloran <oohall@gmail•com>
Subject: Re: [PATCH v2 07/10] powerpc/configs/skiroot: Enable security features
Date: Wed, 29 Jan 2020 12:29:45 +1100
Message-ID: <877e1bjbhy.fsf@dja-thinkpad.axtens.net>
In-Reply-To: <CACPK8XeXNb_9ftjtTKG2i6DbyFwWFAT4bPhQ0+6eR8i-1a5JrQ@mail.gmail.com>

Joel Stanley <joel@jms•id.au> writes:

> On Tue, 21 Jan 2020 at 04:30, Michael Ellerman <mpe@ellerman•id.au> wrote:
>>
>> From: Joel Stanley <joel@jms•id.au>
>>
>> This turns on HARDENED_USERCOPY with HARDENED_USERCOPY_PAGESPAN, and
>> FORTIFY_SOURCE.
>>
>> It also enables SECURITY_LOCKDOWN_LSM with _EARLY and
>> LOCK_DOWN_KERNEL_FORCE_INTEGRITY options enabled. This still allows
>> xmon to be used in read-only mode.
>>
>> MODULE_SIG is selected by lockdown, so it is still enabled.
>>
>> Signed-off-by: Joel Stanley <joel@jms•id.au>
>> [mpe: Switch to lockdown integrity mode per oohal]
>> Signed-off-by: Michael Ellerman <mpe@ellerman•id.au>
>
> I did some testing and with this change we break kexec. As it's critical
> for this kernel to be able to kexec we need to set KEXEC_FILE=y if
> we're setting FORCE_INTEGRITY=y.
>
> I've tested your series with that modification made and userspace was
> once again able to kexec (with -s).

Have the changes that enable this landed in kexec-lite and petitboot yet?
I had to manually patch them when I was experimenting with it
recently...

Regards,
Daniel

>
> Cheers,
>
> Joel
>
>> ---
>>  arch/powerpc/configs/skiroot_defconfig | 11 ++++++++++-
>>  1 file changed, 10 insertions(+), 1 deletion(-)
>>
>> v2: Switch to lockdown integrity mode rather than confidentiality as noticed by
>> dja and discussed with jms and oohal.
>>
>> diff --git a/arch/powerpc/configs/skiroot_defconfig b/arch/powerpc/configs/skiroot_defconfig
>> index 24a210fe0049..93b478436a2b 100644
>> --- a/arch/powerpc/configs/skiroot_defconfig
>> +++ b/arch/powerpc/configs/skiroot_defconfig
>> @@ -49,7 +49,6 @@ CONFIG_JUMP_LABEL=y
>>  CONFIG_STRICT_KERNEL_RWX=y
>>  CONFIG_MODULES=y
>>  CONFIG_MODULE_UNLOAD=y
>> -CONFIG_MODULE_SIG=y
>>  CONFIG_MODULE_SIG_FORCE=y
>>  CONFIG_MODULE_SIG_SHA512=y
>>  CONFIG_PARTITION_ADVANCED=y
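Review bot: With CONFIG_MODULE_SIG=y removed, the CONFIG_MODULE_SIG_FORCE=y and CONFIG_MODULE_SIG_SHA512=y lines that remain depend entirely on the select from CONFIG_SECURITY_LOCKDOWN_LSM added in the next hunk. The commit message states this, but nothing in the defconfig does, so if lockdown is ever dropped from skiroot the module signing options would no longer be backed by any line in this file. Consider noting in the commit message that the generated .config was checked for MODULE_SIG=y, or keep the explicit line.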
>> @@ -272,6 +271,16 @@ CONFIG_NLS_ASCII=y
>>  CONFIG_NLS_ISO8859_1=y
>>  CONFIG_NLS_UTF8=y
>>  CONFIG_ENCRYPTED_KEYS=y
>> +CONFIG_SECURITY=y
>> +CONFIG_HARDENED_USERCOPY=y
>> +# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
>> +CONFIG_HARDENED_USERCOPY_PAGESPAN=y
>> +CONFIG_FORTIFY_SOURCE=y
>> +CONFIG_SECURITY_LOCKDOWN_LSM=y
>> +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
>> +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
>> +# CONFIG_INTEGRITY is not set
>> +CONFIG_LSM="yama,loadpin,safesetid,integrity"
>>  # CONFIG_CRYPTO_HW is not set
>>  CONFIG_CRC16=y
>>  CONFIG_CRC_ITU_T=y
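Review bot: CONFIG_KEXEC_FILE=y is missing from the block added after CONFIG_ENCRYPTED_KEYS=y. Joel's testing in this thread found that CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y breaks kexec on skiroot unless KEXEC_FILE is enabled and userspace uses kexec -s, so it should go in with this patch. Separately, CONFIG_LSM names integrity while the line above it leaves CONFIG_INTEGRITY unset; a sentence in the commit message on whether that is intended would help.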
>> --
>> 2.21.1
>>
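The two dependencies raised in this thread (KEXEC_FILE alongside forced integrity lockdown, and MODULE_SIG being selected by lockdown) can be checked mechanically against a config fragment. This is an added example, not code from the patch or from anyone in the thread; the function names and both sample fragments are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a kernel config fragment against the two
# dependencies stated in this thread. The rules encode what the thread
# says, not the full Kconfig dependency graph.

# has_y CONFIG_TEXT SYMBOL: true if the text contains CONFIG_<SYMBOL>=y
has_y() {
    printf '%s\n' "$1" | grep -q "^CONFIG_$2=y\$"
}

# check_lockdown CONFIG_TEXT: print one finding per line.
# Returns 0 if the fragment is consistent, 1 otherwise.
check_lockdown() {
    cfg=$1
    rc=0
    # Joel's test result: forced integrity lockdown breaks kexec unless
    # KEXEC_FILE=y is set (userspace then uses kexec -s).
    if has_y "$cfg" LOCK_DOWN_KERNEL_FORCE_INTEGRITY &&
       ! has_y "$cfg" KEXEC_FILE; then
        echo "FORCE_INTEGRITY=y without KEXEC_FILE=y: kexec breaks"
        rc=1
    fi
    # Commit message: MODULE_SIG can be dropped only because lockdown
    # selects it. Without lockdown it has to be listed explicitly.
    if has_y "$cfg" MODULE_SIG_FORCE &&
       ! has_y "$cfg" MODULE_SIG &&
       ! has_y "$cfg" SECURITY_LOCKDOWN_LSM; then
        echo "MODULE_SIG_FORCE=y but MODULE_SIG is neither set nor selected"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: symbols taken from the v2 hunks quoted above.
PATCH_V2='CONFIG_MODULE_SIG_FORCE=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y'

# Constructed sample: the same fragment with Joel's modification applied.
PATCH_FIXED="$PATCH_V2
CONFIG_KEXEC_FILE=y"

report() {
    if out=$(check_lockdown "$2"); then echo "$1: ok"; else echo "$1: $out"; fi
}
report "v2 as posted" "$PATCH_V2"
report "v2 + KEXEC_FILE" "$PATCH_FIXED"
```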
