linux/include
Kees Cook 7984754b99 kexec: add sysctl to disable kexec_load
For general-purpose (i.e.  distro) kernel builds it makes sense to build
with CONFIG_KEXEC to allow end users to choose what kind of things they
want to do with kexec.  However, in the face of trying to lock down a
system with such a kernel, there needs to be a way to disable kexec_load
(much like module loading can be disabled).  Without this, it is too easy
for the root user to modify kernel memory even when CONFIG_STRICT_DEVMEM
and modules_disabled are set.  With this change, it is still possible to
load an image for use later, then disable kexec_load so the image (or lack
of image) can't be altered.

The intention is for using this in environments where "perfect"
enforcement is hard.  Without a verified boot, along with verified
modules, and along with verified kexec, this is trying to give a system a
better chance to defend itself (or at least grow the window of
discoverability) against attack in the face of a privilege escalation.

In my mind, I consider several boot scenarios:

1) Verified boot of read-only verified root fs loading fd-based
   verification of kexec images.
2) Secure boot of writable root fs loading signed kexec images.
3) Regular boot loading kexec (e.g. kcrash) image early and locking it.
4) Regular boot with no control of kexec image at all.

1 and 2 don't exist yet, but will soon once the verified kexec series has
landed.  4 is the state of things now.  The gap between 2 and 4 is too
large, so this change creates scenario 3, a middle-ground above 4 when 2
and 1 are not possible for a system.

Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Rik van Riel <riel@redhat.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Eric Biederman <ebiederm@xmission.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-01-23 16:37:03 -08:00
..
acpi PCI changes for the v3.14 merge window: 2014-01-22 16:39:28 -08:00
asm-generic add generic fixmap.h 2014-01-23 16:36:54 -08:00
clocksource
crypto crypto: scatterwalk - Use sg_chain_ptr on chain entries 2013-12-09 19:58:52 +08:00
drm drm/radeon: 0x9649 is SUMO2 not SUMO 2013-12-23 10:03:41 -05:00
dt-bindings For the 3.13 merge window we have a couple of new drivers for the AMS 2013-11-15 16:37:40 -08:00
keys
kvm KVM: arm-vgic: Set base addr through device API 2013-12-21 10:01:22 -08:00
linux kexec: add sysctl to disable kexec_load 2014-01-23 16:37:03 -08:00
math-emu
media [media] videobuf2: Add support for file access mode flags for DMABUF exporting 2013-12-09 14:50:50 -02:00
memory
misc
net Merge branch 'sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2014-01-20 10:42:08 -08:00
pcmcia
ras
rdma IB/core: const'ify inbuf in struct ib_udata 2013-12-16 10:38:28 -08:00
rxrpc
scsi [SCSI] libiscsi: Add local_ipaddr parameter in iscsi_conn struct 2013-12-19 20:56:26 -08:00
sound Merge remote-tracking branch 'asoc/topic/compress' into asoc-next 2014-01-20 11:50:41 +00:00
target target/file: Update hw_max_sectors based on current block_size 2013-12-19 00:18:54 -08:00
trace f2fs updates for v3.14 2014-01-23 09:21:09 -08:00
uapi uapi: convert u64 to __u64 in exported headers 2014-01-23 16:36:55 -08:00
video fbdev changes for 3.13 2013-11-14 14:44:20 +09:00
xen Features: 2014-01-22 22:00:18 -08:00
Kbuild