security/lock_down.c

   1 // SPDX-License-Identifier: GPL-2.0
   2 /* Lock down the kernel
   3  *
   4  * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
   5  * Written by David Howells (dhowells@redhat.com)
   6  *
   7  * This program is free software; you can redistribute it and/or
   8  * modify it under the terms of the GNU General Public Licence
   9  * as published by the Free Software Foundation; either version
  10  * 2 of the Licence, or (at your option) any later version.
  11  */
  12
  13 #include <linux/security.h>
  14 #include <linux/export.h>
  15 #include <linux/efi.h>
  16 #include <linux/sysrq.h>
  17 #include <asm/setup.h>
  18 #ifdef CONFIG_S390
  19 #include <asm/ipl.h>
  20 #endif
  21
  22 #ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
  23 static __read_mostly bool kernel_locked_down;
  24 #else
  25 static __ro_after_init bool kernel_locked_down;
  26 #endif
  27
  28 /*
  29  * Put the kernel into lock-down mode.
  30  */
  31 static void __init lock_kernel_down(const char *where)
  32 {
  33         if (!kernel_locked_down) {
  34                 kernel_locked_down = true;
  35                 pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n",
  36                           where);
  37         }
  38 }
  39
  40 static int __init lockdown_param(char *ignored)
  41 {
  42         lock_kernel_down("command line");
  43         return 0;
  44 }
  45
  46 early_param("lockdown", lockdown_param);
  47
  48 /*
  49  * Lock the kernel down from very early in the arch setup.  This must happen
  50  * prior to things like ACPI being initialised.
  51  */
  52 void __init init_lockdown(void)
  53 {
  54 #ifdef CONFIG_LOCK_DOWN_FORCE
  55         lock_kernel_down("Kernel configuration");
  56 #endif
  57 #ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
  58         if (efi_enabled(EFI_SECURE_BOOT))
  59                 lock_kernel_down("EFI secure boot");
  60 #endif
  61 #ifdef CONFIG_S390
  62         if (ipl_get_secureboot())
  63                 lock_kernel_down("Secure IPL");
  64 #endif
  65 }
  66
  67 /**
  68  * kernel_is_locked_down - Find out if the kernel is locked down
  69  * @what: Tag to use in notice generated if lockdown is in effect
  70  */
  71 bool __kernel_is_locked_down(const char *what, bool first)
  72 {
  73         if (what && first && kernel_locked_down)
  74                 pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
  75                           current->comm, what);
  76         return kernel_locked_down;
  77 }
  78 EXPORT_SYMBOL(__kernel_is_locked_down);
  79
  80 #ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
  81
  82 /*
  83  * Take the kernel out of lockdown mode.
  84  */
  85 static void lift_kernel_lockdown(void)
  86 {
  87         pr_notice("Lifting lockdown\n");
  88         kernel_locked_down = false;
  89 }
  90
  91 /*
  92  * Allow lockdown to be lifted by pressing something like SysRq+x (and not by
  93  * echoing the appropriate letter into the sysrq-trigger file).
  94  */
  95 static void sysrq_handle_lockdown_lift(int key)
  96 {
  97         if (kernel_locked_down)
  98                 lift_kernel_lockdown();
  99 }
 100
 101 static struct sysrq_key_op lockdown_lift_sysrq_op = {
 102         .handler        = sysrq_handle_lockdown_lift,
 103         .help_msg       = "unSB(x)",
 104         .action_msg     = "Disabling Secure Boot restrictions",
 105         .enable_mask    = SYSRQ_DISABLE_USERSPACE,
 106 };
 107
 108 static int __init lockdown_lift_sysrq(void)
 109 {
 110         if (kernel_locked_down) {
 111                 lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY;
 112                 register_sysrq_key(LOCKDOWN_LIFT_KEY, &lockdown_lift_sysrq_op);
 113         }
 114         return 0;
 115 }
 116
 117 late_initcall(lockdown_lift_sysrq);
 118
 119 #endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */