[PATCH 4/6][B] powerpc/xmon: Restrict when kernel is locked down
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Tue Jun 23 17:15:00 UTC 2020
On Fri, Jun 19, 2020 at 07:48:31AM -0500, Seth Forshee wrote:
> From: "Christopher M. Riedl" <cmr at informatik.wtf>
>
> BugLink: https://bugs.launchpad.net/bugs/1884159
>
> Xmon should be either fully or partially disabled depending on the
> kernel lockdown state.
>
> Put xmon into read-only mode for lockdown=integrity and prevent user
> entry into xmon when lockdown=confidentiality. Xmon checks the lockdown
> state on every attempted entry:
>
> (1) during early xmon'ing
>
> (2) when triggered via sysrq
>
> (3) when toggled via debugfs
>
> (4) when triggered via a previously enabled breakpoint
>
> The following lockdown state transitions are handled:
>
> (1) lockdown=none -> lockdown=integrity
>     set xmon read-only mode
>
> (2) lockdown=none -> lockdown=confidentiality
>     clear all breakpoints, set xmon read-only mode,
>     prevent user re-entry into xmon
>
> (3) lockdown=integrity -> lockdown=confidentiality
>     clear all breakpoints, set xmon read-only mode,
>     prevent user re-entry into xmon
>
> Suggested-by: Andrew Donnellan <ajd at linux.ibm.com>
> Signed-off-by: Christopher M. Riedl <cmr at informatik.wtf>
> Signed-off-by: Michael Ellerman <mpe at ellerman.id.au>
> Link: https://lore.kernel.org/r/20190907061124.1947-3-cmr@informatik.wtf
> (backported from commit 69393cb03ccdf29f3b452d3482ef918469d1c098)
> Signed-off-by: Seth Forshee <seth.forshee at canonical.com>
> ---
> arch/powerpc/xmon/xmon.c | 106 ++++++++++++++++++++++++++++++++-------
> 1 file changed, 89 insertions(+), 17 deletions(-)
I was finally able to test this and then noticed that CONFIG_LOCK_DOWN_KERNEL
is not set for ppc64el. Should we enable it for this patchset?
Cascardo.
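As an added illustration, not code from the patch, from arch/powerpc/xmon/xmon.c or from anyone in this thread, the following user-space C model captures the entry policy the quoted commit message describes: the lockdown level is consulted on every attempted entry, integrity puts xmon into read-only mode (which also refuses planting new breakpoints, since that patches kernel text), and confidentiality additionally clears all breakpoints and denies user (re-)entry. The enum constants, the `xmon_model` struct, every `model_*` function and the sample breakpoint addresses are assumptions made for this example; the real code asks the lockdown subsystem rather than taking a level as a parameter. The model also encodes the fact that the lockdown level can only be raised at runtime, so a lower level reported on a later entry never relaxes restrictions already applied.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Illustrative lockdown levels mirroring the commit message's
 * none/integrity/confidentiality wording. These are NOT the kernel's own
 * enumerators; they are assumptions for this stand-alone model.
 */
enum lockdown_level {
	LOCKDOWN_NONE = 0,
	LOCKDOWN_INTEGRITY = 1,
	LOCKDOWN_CONFIDENTIALITY = 2,
};

#define MAX_BREAKPOINTS 4

struct xmon_model {
	enum lockdown_level seen;   /* highest level observed on any entry so far */
	bool read_only;             /* integrity and above: xmon may not write */
	bool entry_allowed;         /* cleared at confidentiality: no user (re-)entry */
	unsigned long long bp[MAX_BREAKPOINTS]; /* constructed breakpoint table, 0 = free */
};

static void model_init(struct xmon_model *m)
{
	m->seen = LOCKDOWN_NONE;
	m->read_only = false;
	m->entry_allowed = true;
	for (size_t i = 0; i < MAX_BREAKPOINTS; i++)
		m->bp[i] = 0;
}

static size_t model_count_breakpoints(const struct xmon_model *m)
{
	size_t n = 0;
	for (size_t i = 0; i < MAX_BREAKPOINTS; i++)
		if (m->bp[i] != 0)
			n++;
	return n;
}

static void model_clear_breakpoints(struct xmon_model *m)
{
	for (size_t i = 0; i < MAX_BREAKPOINTS; i++)
		m->bp[i] = 0;
}

/*
 * Planting a breakpoint patches kernel text, so the model treats it as a
 * write and refuses it in read-only mode. Returns 0 on success, -1 when
 * refused or when the table is full.
 */
static int model_set_breakpoint(struct xmon_model *m, unsigned long long addr)
{
	if (m->read_only || addr == 0)
		return -1;
	for (size_t i = 0; i < MAX_BREAKPOINTS; i++) {
		if (m->bp[i] == 0) {
			m->bp[i] = addr;
			return 0;
		}
	}
	return -1;
}

/*
 * Called on every attempted entry (early boot, sysrq, debugfs toggle, or a
 * previously planted breakpoint firing). `now` stands in for what the real
 * code would learn from the lockdown subsystem at that moment. Applies the
 * three transitions from the commit message and returns whether the user
 * may enter. Lockdown is only ever raised, so a lower `now` is ignored.
 */
static bool model_on_entry(struct xmon_model *m, enum lockdown_level now)
{
	if (now > m->seen) {
		if (now >= LOCKDOWN_INTEGRITY)
			m->read_only = true;            /* (1) none -> integrity */
		if (now == LOCKDOWN_CONFIDENTIALITY) {
			model_clear_breakpoints(m);     /* (2),(3) -> confidentiality */
			m->entry_allowed = false;       /* no user re-entry from here on */
		}
		m->seen = now;
	}
	return m->entry_allowed;
}

int main(void)
{
	struct xmon_model m;
	model_init(&m);
	printf("none:  entry %s\n", model_on_entry(&m, LOCKDOWN_NONE) ? "allowed" : "denied");
	printf("bpt:   %s\n", model_set_breakpoint(&m, 0xc000000000a00000ULL) == 0 ? "set" : "refused");
	printf("integ: entry %s, bpt %s\n",
	       model_on_entry(&m, LOCKDOWN_INTEGRITY) ? "allowed" : "denied",
	       model_set_breakpoint(&m, 0xc000000000a00004ULL) == 0 ? "set" : "refused");
	printf("conf:  entry %s, %zu breakpoints left\n",
	       model_on_entry(&m, LOCKDOWN_CONFIDENTIALITY) ? "allowed" : "denied",
	       model_count_breakpoints(&m));
	return 0;
}
```

The point worth checking against the model is the order of operations in transition (2): when the first entry under confidentiality is the one that observes the change, the breakpoints are cleared and entry is denied on that same attempt, so a breakpoint planted before lockdown was raised cannot drop a user into an interactive xmon afterwards.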