security/lock_down.c

   1 /* Lock down the kernel
   2  *
   3  * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
   4  * Written by David Howells (dhowells@redhat.com)
   5  *
   6  * This program is free software; you can redistribute it and/or
   7  * modify it under the terms of the GNU General Public Licence
   8  * as published by the Free Software Foundation; either version
   9  * 2 of the Licence, or (at your option) any later version.
  10  */
  11
  12 #include <linux/security.h>
  13 #include <linux/export.h>
  14 #include <linux/sysrq.h>
  15 #include <linux/efi.h>
  16 #include <asm/setup.h>
  17
  18 #ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
  19 static __read_mostly bool kernel_locked_down;
  20 #else
  21 static __ro_after_init bool kernel_locked_down;
  22 #endif
  23
  24 /*
  25  * Put the kernel into lock-down mode.
  26  */
  27 static void __init lock_kernel_down(const char *where)
  28 {
  29         if (!kernel_locked_down) {
  30                 kernel_locked_down = true;
  31                 pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n",
  32                           where);
  33         }
  34 }
  35
  36 static int __init lockdown_param(char *ignored)
  37 {
  38         lock_kernel_down("command line");
  39         return 0;
  40 }
  41
  42 early_param("lockdown", lockdown_param);
  43
  44 /*
  45  * Lock the kernel down from very early in the arch setup.  This must happen
  46  * prior to things like ACPI being initialised.
  47  */
  48 void __init init_lockdown(void)
  49 {
  50 #ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
  51         if (efi_enabled(EFI_SECURE_BOOT))
  52                 lock_kernel_down("EFI secure boot");
  53 #endif
  54 }
  55
  56 /**
  57  * kernel_is_locked_down - Find out if the kernel is locked down
  58  * @what: Tag to use in notice generated if lockdown is in effect
  59  */
  60 bool __kernel_is_locked_down(const char *what, bool first)
  61 {
  62         if (what && first && kernel_locked_down)
  63                 pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n",
  64                           what);
  65         return kernel_locked_down;
  66 }
  67 EXPORT_SYMBOL(__kernel_is_locked_down);
  68
  69 #ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
  70
  71 /*
  72  * Take the kernel out of lockdown mode.
  73  */
  74 static void lift_kernel_lockdown(void)
  75 {
  76         pr_notice("Lifting lockdown\n");
  77         kernel_locked_down = false;
  78 }
  79
  80 /*
  81  * Allow lockdown to be lifted by pressing something like SysRq+x (and not by
  82  * echoing the appropriate letter into the sysrq-trigger file).
  83  */
  84 static void sysrq_handle_lockdown_lift(int key)
  85 {
  86         if (kernel_locked_down)
  87                 lift_kernel_lockdown();
  88 }
  89
  90 static struct sysrq_key_op lockdown_lift_sysrq_op = {
  91         .handler        = sysrq_handle_lockdown_lift,
  92         .help_msg       = "unSB(x)",
  93         .action_msg     = "Disabling Secure Boot restrictions",
  94         .enable_mask    = SYSRQ_DISABLE_USERSPACE,
  95 };
  96
  97 static int __init lockdown_lift_sysrq(void)
  98 {
  99         if (kernel_locked_down) {
 100                 lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY;
 101                 register_sysrq_key(LOCKDOWN_LIFT_KEY, &lockdown_lift_sysrq_op);
 102         }
 103         return 0;
 104 }
 105
 106 late_initcall(lockdown_lift_sysrq);
 107
 108 #endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */