From 9079547f4808ea5c8cd844bf40d3895994bd175e Mon Sep 17 00:00:00 2001

From: Josh Boyer <jwboyer@fedoraproject.org>

Date: Mon, 21 Nov 2016 23:55:55 +0000

Subject: [PATCH 07/32] efi: Add EFI_SECURE_BOOT bit

UEFI machines can be booted in Secure Boot mode.  Add a EFI_SECURE_BOOT bit

that can be passed to efi_enabled() to find out whether secure boot is

enabled.

This will be used by the SysRq+x handler, registered by the x86 arch, to find

out whether secure boot mode is enabled so that it can be disabled.

Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>

Signed-off-by: David Howells <dhowells@redhat.com>

---

 arch/x86/kernel/setup.c | 15 +++++++++++++++

 include/linux/efi.h     |  1 +

 2 files changed, 16 insertions(+)

diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c

index 69780ed..447905e 100644

--- a/arch/x86/kernel/setup.c

+++ b/arch/x86/kernel/setup.c

@@ -1182,6 +1182,7 @@ void __init setup_arch(char **cmdline_p)

 			pr_info("Secure boot disabled\n");

 			break;

 		case efi_secureboot_mode_enabled:

+			set_bit(EFI_SECURE_BOOT, &efi.flags);

 			pr_info("Secure boot enabled\n");

 			break;

 		default:

diff --git a/include/linux/efi.h b/include/linux/efi.h

index 94d34e0..6049600 100644

--- a/include/linux/efi.h

+++ b/include/linux/efi.h

@@ -1069,6 +1069,7 @@ extern int __init efi_setup_pcdp_console(char *);

 #define EFI_DBG			8	/* Print additional debug info at runtime */

 #define EFI_NX_PE_DATA		9	/* Can runtime data regions be mapped non-executable? */

 #define EFI_MEM_ATTR		10	/* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */

+#define EFI_SECURE_BOOT		11	/* Are we in Secure Boot mode? */

 #ifdef CONFIG_EFI

 /*

-- 

2.9.3

From eada0243f0b8fc21588a21c564187219dee03e3c Mon Sep 17 00:00:00 2001

From: David Howells <dhowells@redhat.com>

Date: Fri, 25 Nov 2016 11:52:05 +0000

Subject: [PATCH 08/32] efi: Handle secure boot from UEFI-2.6

UEFI-2.6 adds a new variable, DeployedMode.  If it exists, this must be 1

if we're to engage lockdown mode.

Reported-by: James Bottomley <James.Bottomley@HansenPartnership.com>

Signed-off-by: David Howells <dhowells@redhat.com>

---

 drivers/firmware/efi/libstub/secureboot.c | 16 +++++++++++++++-

 include/linux/efi.h                       |  4 ++++

 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/drivers/firmware/efi/libstub/secureboot.c b/drivers/firmware/efi/libstub/secureboot.c

index ba6ef71..333b159 100644

--- a/drivers/firmware/efi/libstub/secureboot.c

+++ b/drivers/firmware/efi/libstub/secureboot.c

@@ -22,6 +22,9 @@ static const efi_char16_t const efi_SecureBoot_name[] = {

 static const efi_char16_t const efi_SetupMode_name[] = {

 	'S', 'e', 't', 'u', 'p', 'M', 'o', 'd', 'e', 0

 };

+static const efi_char16_t const efi_DeployedMode_name[] = {

+	'D', 'e', 'p', 'l', 'o', 'y', 'e', 'd', 'M', 'o', 'd', 'e', 0

+};

 /* SHIM variables */

 static const efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID;

@@ -40,7 +43,7 @@ static efi_char16_t const shim_MokSBState_name[] = {

 enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table_arg)

 {

 	u32 attr;

-	u8 secboot, setupmode, moksbstate;

+	u8 secboot, setupmode, deployedmode, moksbstate;

 	unsigned long size;

 	efi_status_t status;

@@ -57,6 +57,17 @@ enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table_arg)

 	if (secboot == 0 || setupmode == 1)

 		return efi_secureboot_mode_disabled;

+	/* UEFI-2.6 requires DeployedMode to be 1. */

+	if (sys_table_arg->hdr.revision >= EFI_2_60_SYSTEM_TABLE_REVISION) {

+		size = sizeof(deployedmode);

+		status = get_efi_var(efi_DeployedMode_name, &efi_variable_guid,

+				     NULL, &size, &deployedmode);

+		if (status != EFI_SUCCESS)

+			goto out_efi_err;

+		if (deployedmode == 0)

+			return efi_secureboot_mode_disabled;

+	}

+

 	/*

 	 * See if a user has put the shim into insecure mode. If so, and if the

 	 * variable doesn't have the runtime attribute set, we might as well

 	 * honor that.

diff --git a/include/linux/efi.h b/include/linux/efi.h

index 135ca9c..e1893f5 100644

--- a/include/linux/efi.h

+++ b/include/linux/efi.h

@@ -645,6 +645,10 @@ typedef struct {

 #define EFI_SYSTEM_TABLE_SIGNATURE ((u64)0x5453595320494249ULL)

+#define EFI_2_60_SYSTEM_TABLE_REVISION  ((2 << 16) | (60))

+#define EFI_2_50_SYSTEM_TABLE_REVISION  ((2 << 16) | (50))

+#define EFI_2_40_SYSTEM_TABLE_REVISION  ((2 << 16) | (40))

+#define EFI_2_31_SYSTEM_TABLE_REVISION  ((2 << 16) | (31))

 #define EFI_2_30_SYSTEM_TABLE_REVISION  ((2 << 16) | (30))

 #define EFI_2_20_SYSTEM_TABLE_REVISION  ((2 << 16) | (20))

 #define EFI_2_10_SYSTEM_TABLE_REVISION  ((2 << 16) | (10))

-- 

2.9.3

From 3b0695eda22ad712a2b9be9bb70979d875a37816 Mon Sep 17 00:00:00 2001

From: David Howells <dhowells@redhat.com>

Date: Mon, 21 Nov 2016 23:36:17 +0000

Subject: [PATCH 09/32] Add the ability to lock down access to the running

 kernel image

Provide a single call to allow kernel code to determine whether the system

should be locked down, thereby disallowing various accesses that might

allow the running kernel image to be changed including the loading of

modules that aren't validly signed with a key we recognise, fiddling with

MSR registers and disallowing hibernation,

Signed-off-by: David Howells <dhowells@redhat.com>

---

 include/linux/kernel.h   |  9 +++++++++

 include/linux/security.h | 11 +++++++++++

 security/Kconfig         | 15 +++++++++++++++

 security/Makefile        |  3 +++

 security/lock_down.c     | 40 ++++++++++++++++++++++++++++++++++++++++

 5 files changed, 78 insertions(+)

 create mode 100644 security/lock_down.c

diff --git a/include/linux/kernel.h b/include/linux/kernel.h

index bc6ed52..8ab309d 100644

--- a/include/linux/kernel.h

+++ b/include/linux/kernel.h

@@ -268,6 +268,15 @@ extern int oops_may_print(void);

 void do_exit(long error_code) __noreturn;

 void complete_and_exit(struct completion *, long) __noreturn;

+#ifdef CONFIG_LOCK_DOWN_KERNEL

+extern bool kernel_is_locked_down(void);

+#else

+static inline bool kernel_is_locked_down(void)

+{

+	return false;

+}

+#endif

+

 /* Internal, do not use. */

 int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res);

 int __must_check _kstrtol(const char *s, unsigned int base, long *res);

diff --git a/include/linux/security.h b/include/linux/security.h

index c2125e9..41a7325 100644

--- a/include/linux/security.h

+++ b/include/linux/security.h

@@ -1685,5 +1685,16 @@ static inline void free_secdata(void *secdata)

 { }

 #endif /* CONFIG_SECURITY */

+#ifdef CONFIG_LOCK_DOWN_KERNEL

+extern void lock_kernel_down(void);

+#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT

+extern void lift_kernel_lockdown(void);

+#endif

+#else

+static inline void lock_kernel_down(void)

+{

+}

+#endif

+

 #endif /* ! __LINUX_SECURITY_H */

diff --git a/security/Kconfig b/security/Kconfig

index 118f454..fa1a678 100644

--- a/security/Kconfig

+++ b/security/Kconfig

@@ -158,6 +158,21 @@ config HARDENED_USERCOPY_PAGESPAN

 	  been removed. This config is intended to be used only while

 	  trying to find such users.

+config LOCK_DOWN_KERNEL

+	bool "Allow the kernel to be 'locked down'"

+	help

+	  Allow the kernel to be locked down under certain circumstances, for

+	  instance if UEFI secure boot is enabled.  Locking down the kernel

+	  turns off various features that might otherwise allow access to the

+	  kernel image (eg. setting MSR registers).

+

+config ALLOW_LOCKDOWN_LIFT

+	bool

+	help

+	  Allow the lockdown on a kernel to be lifted, thereby restoring the

+	  ability of userspace to access the kernel image (eg. by SysRq+x under

+	  x86).

+

 source security/selinux/Kconfig

 source security/smack/Kconfig

 source security/tomoyo/Kconfig

diff --git a/security/Makefile b/security/Makefile

index f2d71cd..8c4a43e 100644

--- a/security/Makefile

+++ b/security/Makefile

@@ -29,3 +29,6 @@ obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o

 # Object integrity file lists

 subdir-$(CONFIG_INTEGRITY)		+= integrity

 obj-$(CONFIG_INTEGRITY)			+= integrity/

+

+# Allow the kernel to be locked down

+obj-$(CONFIG_LOCK_DOWN_KERNEL)		+= lock_down.o

diff --git a/security/lock_down.c b/security/lock_down.c

new file mode 100644

index 0000000..5788c60

--- /dev/null

+++ b/security/lock_down.c

@@ -0,0 +1,40 @@

+/* Lock down the kernel

+ *

+ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.

+ * Written by David Howells (dhowells@redhat.com)

+ *

+ * This program is free software; you can redistribute it and/or

+ * modify it under the terms of the GNU General Public Licence

+ * as published by the Free Software Foundation; either version

+ * 2 of the Licence, or (at your option) any later version.

+ */

+

+#include <linux/security.h>

+#include <linux/export.h>

+

+static __read_mostly bool kernel_locked_down;

+

+/*

+ * Put the kernel into lock-down mode.

+ */

+void lock_kernel_down(void)

+{

+	kernel_locked_down = true;

+}

+

+/*

+ * Take the kernel out of lockdown mode.

+ */

+void lift_kernel_lockdown(void)

+{

+	kernel_locked_down = false;

+}

+

+/**

+ * kernel_is_locked_down - Find out if the kernel is locked down

+ */

+bool kernel_is_locked_down(void)

+{

+	return kernel_locked_down;

+}

+EXPORT_SYMBOL(kernel_is_locked_down);

-- 

2.9.3

From c1cc643f82e1c9efee123eb81befb58e41b87310 Mon Sep 17 00:00:00 2001

From: David Howells <dhowells@redhat.com>

Date: Mon, 21 Nov 2016 23:55:55 +0000

Subject: [PATCH 10/32] efi: Lock down the kernel if booted in secure boot mode

UEFI Secure Boot provides a mechanism for ensuring that the firmware will

only load signed bootloaders and kernels.  Certain use cases may also

require that all kernel modules also be signed.  Add a configuration option

that to lock down the kernel - which includes requiring validly signed

modules - if the kernel is secure-booted.

Signed-off-by: David Howells <dhowells@redhat.com>

---

 arch/x86/Kconfig        | 12 ++++++++++++

 arch/x86/kernel/setup.c |  8 +++++++-

 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig

index bada636..5b19997 100644

--- a/arch/x86/Kconfig

+++ b/arch/x86/Kconfig

@@ -1786,6 +1786,18 @@ config EFI_MIXED

 	   If unsure, say N.

+config EFI_SECURE_BOOT_LOCK_DOWN

+	def_bool n

+	depends on EFI

+	prompt "Lock down the kernel when UEFI Secure Boot is enabled"

+	---help---

+	  UEFI Secure Boot provides a mechanism for ensuring that the firmware

+	  will only load signed bootloaders and kernels.  Certain use cases may

+	  also require that all kernel modules also be signed and that

+	  userspace is prevented from directly changing the running kernel

+	  image.  Say Y here to automatically lock down the kernel when a

+	  system boots with UEFI Secure Boot enabled.

+

 config SECCOMP

 	def_bool y

 	prompt "Enable seccomp to safely compute untrusted bytecode"

diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c

index d8972ec..facaeb9 100644

--- a/arch/x86/kernel/setup.c

+++ b/arch/x86/kernel/setup.c

@@ -69,6 +69,7 @@

 #include <linux/crash_dump.h>

 #include <linux/tboot.h>

 #include <linux/jiffies.h>

+#include <linux/security.h>

 #include <video/edid.h>

@@ -1159,7 +1160,12 @@ void __init setup_arch(char **cmdline_p)

 			break;

 		case efi_secureboot_mode_enabled:

 			set_bit(EFI_SECURE_BOOT, &efi.flags);

-			pr_info("Secure boot enabled\n");

+			if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT_LOCK_DOWN)) {

+				lock_kernel_down();

+				pr_info("Secure boot enabled and kernel locked down\n");

+			} else {

+				pr_info("Secure boot enabled\n");

+			}

 			break;

 		default:

 			pr_info("Secure boot could not be determined\n");

-- 

2.9.3

From 03ff1bcf82c3acc3df8e8fd1badbbc9f6a27a2e6 Mon Sep 17 00:00:00 2001

From: David Howells <dhowells@redhat.com>

Date: Wed, 23 Nov 2016 13:22:22 +0000

Subject: [PATCH 11/32] Enforce module signatures if the kernel is locked down

If the kernel is locked down, require that all modules have valid

signatures that we can verify.

Signed-off-by: David Howells <dhowells@redhat.com>

---

 kernel/module.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/module.c b/kernel/module.c

index f57dd63..2a021c3 100644

--- a/kernel/module.c

+++ b/kernel/module.c

@@ -2744,7 +2744,7 @@ static int module_sig_check(struct load_info *info, int flags)

 	}

 	/* Not having a signature is only an error if we're strict. */

-	if (err == -ENOKEY && !sig_enforce)

+	if (err == -ENOKEY && !sig_enforce && !kernel_is_locked_down())

 		err = 0;

 	return err;

-- 

2.9.3

From 328104a3a9859084a25240ea031572e0d20ceaf4 Mon Sep 17 00:00:00 2001

From: Matthew Garrett <matthew.garrett@nebula.com>

Date: Tue, 22 Nov 2016 08:46:16 +0000

Subject: [PATCH 12/32] Restrict /dev/mem and /dev/kmem when the kernel is

 locked down

Allowing users to write to address space makes it possible for the kernel to

be subverted, avoiding module loading restrictions.  Prevent this when the

kernel has been locked down.

Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>

Signed-off-by: David Howells <dhowells@redhat.com>

---

 drivers/char/mem.c | 6 ++++++

 1 file changed, 6 insertions(+)

diff --git a/drivers/char/mem.c b/drivers/char/mem.c

index 5bb1985..6441d21 100644

--- a/drivers/char/mem.c

+++ b/drivers/char/mem.c

@@ -163,6 +163,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,

 	if (p != *ppos)

 		return -EFBIG;

+	if (kernel_is_locked_down())

+		return -EPERM;

+

 	if (!valid_phys_addr_range(p, count))

 		return -EFAULT;

@@ -515,6 +518,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,

 	char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */

 	int err = 0;

+	if (kernel_is_locked_down())

+		return -EPERM;

+

 	if (p < (unsigned long) high_memory) {

 		unsigned long to_write = min_t(unsigned long, count,

 					       (unsigned long)high_memory - p);

-- 

2.9.3

From 2cfe484bdc7e42b42be4887f2b4d23ac9de79593 Mon Sep 17 00:00:00 2001

From: Kyle McMartin <kyle@redhat.com>

Date: Mon, 21 Nov 2016 23:55:56 +0000

Subject: [PATCH 13/32] Add a sysrq option to exit secure boot mode

Make sysrq+x exit secure boot mode on x86_64, thereby allowing the running

kernel image to be modified.  This lifts the lockdown.

Signed-off-by: David Howells <dhowells@redhat.com>

---

 arch/x86/Kconfig            | 10 ++++++++++

 arch/x86/kernel/setup.c     | 31 +++++++++++++++++++++++++++++++

 drivers/input/misc/uinput.c |  1 +

 drivers/tty/sysrq.c         | 19 +++++++++++++------

 include/linux/input.h       |  5 +++++

 include/linux/sysrq.h       |  8 +++++++-

 kernel/debug/kdb/kdb_main.c |  2 +-

 7 files changed, 68 insertions(+), 8 deletions(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig

index 5b19997..c2b481b 100644

--- a/arch/x86/Kconfig

+++ b/arch/x86/Kconfig

@@ -1798,6 +1798,16 @@ config EFI_SECURE_BOOT_LOCK_DOWN

 	  image.  Say Y here to automatically lock down the kernel when a

 	  system boots with UEFI Secure Boot enabled.

+config EFI_ALLOW_SECURE_BOOT_EXIT

+	def_bool n

+	depends on EFI_SECURE_BOOT_LOCK_DOWN && MAGIC_SYSRQ

+	select ALLOW_LOCKDOWN_LIFT

+	prompt "Allow secure boot mode to be exited with SysRq+x on a keyboard"

+	---help---

+	  Allow secure boot mode to be exited and the kernel lockdown lifted by

+	  typing SysRq+x on a keyboard attached to the system (not permitted

+	  through procfs).

+

 config SECCOMP

 	def_bool y

 	prompt "Enable seccomp to safely compute untrusted bytecode"

diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c

index facaeb9..de24041 100644

--- a/arch/x86/kernel/setup.c

+++ b/arch/x86/kernel/setup.c

@@ -71,6 +71,11 @@

 #include <linux/jiffies.h>

 #include <linux/security.h>

+#include <linux/fips.h>

+#include <linux/cred.h>

+#include <linux/sysrq.h>

+#include <linux/init_task.h>

+

 #include <video/edid.h>

 #include <asm/mtrr.h>

@@ -1304,6 +1309,32 @@ void __init i386_reserve_resources(void)

 #endif /* CONFIG_X86_32 */

+#ifdef CONFIG_EFI_ALLOW_SECURE_BOOT_EXIT

+

+static void sysrq_handle_secure_boot(int key)

+{

+	if (!efi_enabled(EFI_SECURE_BOOT))

+		return;

+

+	pr_info("Secure boot disabled\n");

+	lift_kernel_lockdown();

+}

+static struct sysrq_key_op secure_boot_sysrq_op = {

+	.handler	=	sysrq_handle_secure_boot,

+	.help_msg	=	"unSB(x)",

+	.action_msg	=	"Disabling Secure Boot restrictions",

+	.enable_mask	=	SYSRQ_DISABLE_USERSPACE,

+};

+static int __init secure_boot_sysrq(void)

+{

+	if (efi_enabled(EFI_SECURE_BOOT))

+		register_sysrq_key('x', &secure_boot_sysrq_op);

+	return 0;

+}

+late_initcall(secure_boot_sysrq);

+#endif /*CONFIG_EFI_ALLOW_SECURE_BOOT_EXIT*/

+

+

 static struct notifier_block kernel_offset_notifier = {

 	.notifier_call = dump_kernel_offset

 };

diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c

index 92595b9..894ed3f 100644

--- a/drivers/input/misc/uinput.c

+++ b/drivers/input/misc/uinput.c

@@ -379,6 +379,7 @@ static int uinput_allocate_device(struct uinput_device *udev)

 	if (!udev->dev)

 		return -ENOMEM;

+	udev->dev->flags |= INPUTDEV_FLAGS_SYNTHETIC;

 	udev->dev->event = uinput_dev_event;

 	input_set_drvdata(udev->dev, udev);

diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c

index 52bbd27..72f46a1 100644

--- a/drivers/tty/sysrq.c

+++ b/drivers/tty/sysrq.c

@@ -479,6 +479,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {

 	/* x: May be registered on mips for TLB dump */

 	/* x: May be registered on ppc/powerpc for xmon */

 	/* x: May be registered on sparc64 for global PMU dump */

+	/* x: May be registered on x86_64 for disabling secure boot */

 	NULL,				/* x */

 	/* y: May be registered on sparc64 for global register dump */

 	NULL,				/* y */

@@ -522,7 +523,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)

                 sysrq_key_table[i] = op_p;

 }

-void __handle_sysrq(int key, bool check_mask)

+void __handle_sysrq(int key, unsigned int from)

 {

 	struct sysrq_key_op *op_p;

 	int orig_log_level;

@@ -542,11 +543,15 @@ void __handle_sysrq(int key, bool check_mask)

         op_p = __sysrq_get_key_op(key);

         if (op_p) {

+		/* Ban synthetic events from some sysrq functionality */

+		if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) &&

+		    op_p->enable_mask & SYSRQ_DISABLE_USERSPACE)

+			printk("This sysrq operation is disabled from userspace.\n");

 		/*

 		 * Should we check for enabled operations (/proc/sysrq-trigger

 		 * should not) and is the invoked operation enabled?

 		 */

-		if (!check_mask || sysrq_on_mask(op_p->enable_mask)) {

+		if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {

 			pr_cont("%s\n", op_p->action_msg);

 			console_loglevel = orig_log_level;

 			op_p->handler(key);

@@ -578,7 +583,7 @@ void __handle_sysrq(int key, bool check_mask)

 void handle_sysrq(int key)

 {

 	if (sysrq_on())

-		__handle_sysrq(key, true);

+		__handle_sysrq(key, SYSRQ_FROM_KERNEL);

 }

 EXPORT_SYMBOL(handle_sysrq);

@@ -659,7 +664,7 @@ static void sysrq_do_reset(unsigned long _state)

 static void sysrq_handle_reset_request(struct sysrq_state *state)

 {

 	if (state->reset_requested)

-		__handle_sysrq(sysrq_xlate[KEY_B], false);

+		__handle_sysrq(sysrq_xlate[KEY_B], SYSRQ_FROM_KERNEL);

 	if (sysrq_reset_downtime_ms)

 		mod_timer(&state->keyreset_timer,

@@ -810,8 +815,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,

 	default:

 		if (sysrq->active && value && value != 2) {

+			int from = sysrq->handle.dev->flags & INPUTDEV_FLAGS_SYNTHETIC ?

+					SYSRQ_FROM_SYNTHETIC : 0;

 			sysrq->need_reinject = false;

-			__handle_sysrq(sysrq_xlate[code], true);

+			__handle_sysrq(sysrq_xlate[code], from);

 		}

 		break;

 	}

@@ -1095,7 +1102,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,

 		if (get_user(c, buf))

 			return -EFAULT;

-		__handle_sysrq(c, false);

+		__handle_sysrq(c, SYSRQ_FROM_PROC);

 	}

 	return count;

diff --git a/include/linux/input.h b/include/linux/input.h

index a65e3b2..8b03571 100644

--- a/include/linux/input.h

+++ b/include/linux/input.h

@@ -42,6 +42,7 @@ struct input_value {

  * @phys: physical path to the device in the system hierarchy

  * @uniq: unique identification code for the device (if device has it)

  * @id: id of the device (struct input_id)

+ * @flags: input device flags (SYNTHETIC, etc.)

  * @propbit: bitmap of device properties and quirks

  * @evbit: bitmap of types of events supported by the device (EV_KEY,

  *	EV_REL, etc.)

@@ -124,6 +125,8 @@ struct input_dev {

 	const char *uniq;

 	struct input_id id;

+	unsigned int flags;

+

 	unsigned long propbit[BITS_TO_LONGS(INPUT_PROP_CNT)];

 	unsigned long evbit[BITS_TO_LONGS(EV_CNT)];

@@ -190,6 +193,8 @@ struct input_dev {

 };

 #define to_input_dev(d) container_of(d, struct input_dev, dev)

+#define	INPUTDEV_FLAGS_SYNTHETIC	0x000000001

+

 /*

  * Verify that we are in sync with input_device_id mod_devicetable.h #defines

  */

diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h

index 387fa7d..f7c52a9 100644

--- a/include/linux/sysrq.h

+++ b/include/linux/sysrq.h

@@ -28,6 +28,8 @@

 #define SYSRQ_ENABLE_BOOT	0x0080

 #define SYSRQ_ENABLE_RTNICE	0x0100

+#define SYSRQ_DISABLE_USERSPACE	0x00010000

+

 struct sysrq_key_op {

 	void (*handler)(int);

 	char *help_msg;

@@ -42,8 +44,12 @@ struct sysrq_key_op {

  * are available -- else NULL's).

  */

+#define SYSRQ_FROM_KERNEL	0x0001

+#define SYSRQ_FROM_PROC		0x0002

+#define SYSRQ_FROM_SYNTHETIC	0x0004

+

 void handle_sysrq(int key);

-void __handle_sysrq(int key, bool check_mask);

+void __handle_sysrq(int key, unsigned int from);

 int register_sysrq_key(int key, struct sysrq_key_op *op);

 int unregister_sysrq_key(int key, struct sysrq_key_op *op);

 struct sysrq_key_op *__sysrq_get_key_op(int key);

diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c

index 2a20c0d..d46d2e1 100644

--- a/kernel/debug/kdb/kdb_main.c

+++ b/kernel/debug/kdb/kdb_main.c

@@ -1968,7 +1968,7 @@ static int kdb_sr(int argc, const char **argv)

 		return KDB_ARGCOUNT;

 	kdb_trap_printk++;

-	__handle_sysrq(*argv[1], check_mask);

+	__handle_sysrq(*argv[1], check_mask ? SYSRQ_FROM_KERNEL : 0);

 	kdb_trap_printk--;

 	return 0;

-- 

2.9.3

From a82fdfceffac8e9cdc0287d874a8ba1b9d875e70 Mon Sep 17 00:00:00 2001

From: Matthew Garrett <matthew.garrett@nebula.com>

Date: Tue, 22 Nov 2016 08:46:15 +0000

Subject: [PATCH 14/32] kexec: Disable at runtime if the kernel is locked down

kexec permits the loading and execution of arbitrary code in ring 0, which

is something that lock-down is meant to prevent. It makes sense to disable

kexec in this situation.

This does not affect kexec_file_load() which can check for a signature on the

image to be booted.

Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>

Signed-off-by: David Howells <dhowells@redhat.com>

---

 kernel/kexec.c | 7 +++++++

 1 file changed, 7 insertions(+)

diff --git a/kernel/kexec.c b/kernel/kexec.c

index 980936a..46de8e6 100644

--- a/kernel/kexec.c

+++ b/kernel/kexec.c

@@ -194,6 +194,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,

 		return -EPERM;

 	/*

+	 * kexec can be used to circumvent module loading restrictions, so

+	 * prevent loading in that case

+	 */

+	if (kernel_is_locked_down())

+		return -EPERM;

+

+	/*

 	 * Verify we have a legal set of flags

 	 * This leaves us room for future extensions.

 	 */

-- 

2.9.3

From 43d4cec4b9acbe2954afb355cc32dbd456ca77bd Mon Sep 17 00:00:00 2001

From: Dave Young <dyoung@redhat.com>

Date: Tue, 22 Nov 2016 08:46:15 +0000

Subject: [PATCH 15/32] Copy secure_boot flag in boot params across kexec

 reboot

Kexec reboot in case secure boot being enabled does not keep the secure

boot mode in new kernel, so later one can load unsigned kernel via legacy

kexec_load.  In this state, the system is missing the protections provided

by secure boot.

Adding a patch to fix this by retain the secure_boot flag in original

kernel.