]>
Commit | Line | Data |
---|---|---|
0a8dc8c9 DH |
1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* Lock down the kernel | |
3 | * | |
4 | * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved. | |
5 | * Written by David Howells (dhowells@redhat.com) | |
6 | * | |
7 | * This program is free software; you can redistribute it and/or | |
8 | * modify it under the terms of the GNU General Public Licence | |
9 | * as published by the Free Software Foundation; either version | |
10 | * 2 of the Licence, or (at your option) any later version. | |
11 | */ | |
12 | ||
13 | #include <linux/security.h> | |
14 | #include <linux/export.h> | |
3da3c68e KM |
15 | #include <linux/sysrq.h> |
16 | #include <asm/setup.h> | |
0a8dc8c9 | 17 | |
3da3c68e KM |
18 | #ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ |
19 | static __read_mostly bool kernel_locked_down; | |
20 | #else | |
0a8dc8c9 | 21 | static __ro_after_init bool kernel_locked_down; |
3da3c68e | 22 | #endif |
0a8dc8c9 DH |
23 | |
24 | /* | |
25 | * Put the kernel into lock-down mode. | |
26 | */ | |
27 | static void __init lock_kernel_down(const char *where) | |
28 | { | |
29 | if (!kernel_locked_down) { | |
30 | kernel_locked_down = true; | |
31 | pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n", | |
32 | where); | |
33 | } | |
34 | } | |
35 | ||
36 | static int __init lockdown_param(char *ignored) | |
37 | { | |
38 | lock_kernel_down("command line"); | |
39 | return 0; | |
40 | } | |
41 | ||
42 | early_param("lockdown", lockdown_param); | |
43 | ||
44 | /* | |
45 | * Lock the kernel down from very early in the arch setup. This must happen | |
46 | * prior to things like ACPI being initialised. | |
47 | */ | |
48 | void __init init_lockdown(void) | |
49 | { | |
50 | #ifdef CONFIG_LOCK_DOWN_FORCE | |
51 | lock_kernel_down("Kernel configuration"); | |
52 | #endif | |
53 | } | |
54 | ||
55 | /** | |
56 | * kernel_is_locked_down - Find out if the kernel is locked down | |
57 | * @what: Tag to use in notice generated if lockdown is in effect | |
58 | */ | |
59 | bool __kernel_is_locked_down(const char *what, bool first) | |
60 | { | |
61 | if (what && first && kernel_locked_down) | |
f127f150 DH |
62 | pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n", |
63 | current->comm, what); | |
0a8dc8c9 DH |
64 | return kernel_locked_down; |
65 | } | |
66 | EXPORT_SYMBOL(__kernel_is_locked_down); | |
3da3c68e KM |
67 | |
68 | #ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ | |
69 | ||
70 | /* | |
71 | * Take the kernel out of lockdown mode. | |
72 | */ | |
73 | static void lift_kernel_lockdown(void) | |
74 | { | |
75 | pr_notice("Lifting lockdown\n"); | |
76 | kernel_locked_down = false; | |
77 | } | |
78 | ||
79 | /* | |
80 | * Allow lockdown to be lifted by pressing something like SysRq+x (and not by | |
81 | * echoing the appropriate letter into the sysrq-trigger file). | |
82 | */ | |
83 | static void sysrq_handle_lockdown_lift(int key) | |
84 | { | |
85 | if (kernel_locked_down) | |
86 | lift_kernel_lockdown(); | |
87 | } | |
88 | ||
89 | static struct sysrq_key_op lockdown_lift_sysrq_op = { | |
90 | .handler = sysrq_handle_lockdown_lift, | |
91 | .help_msg = "unSB(x)", | |
92 | .action_msg = "Disabling Secure Boot restrictions", | |
93 | .enable_mask = SYSRQ_DISABLE_USERSPACE, | |
94 | }; | |
95 | ||
96 | static int __init lockdown_lift_sysrq(void) | |
97 | { | |
98 | if (kernel_locked_down) { | |
99 | lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY; | |
100 | register_sysrq_key(LOCKDOWN_LIFT_KEY, &lockdown_lift_sysrq_op); | |
101 | } | |
102 | return 0; | |
103 | } | |
104 | ||
105 | late_initcall(lockdown_lift_sysrq); | |
106 | ||
107 | #endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */ |