Lockdown as a security module
The lockdown patches have a long and controversial history; LWN first wrote about them in 2012. Opposition has come at all kinds of levels; some developers see lockdown as a way of taking control of systems away from their owners, while others see it as ultimately useless security theater. There does appear to be some value, though, in making a system as resistant to compromise as possible, so these patches have persisted and are often shipped by distributors. Disagreement over more recent versions of the lockdown patch set were focused on details like whether lockdown should be tied to the presence of secure boot or integration with the integrity-measurement infrastructure.
One outcome from the most recent discussion was a concern that the lockdown patches were wiring too much policy into the kernel itself. The kernel has long had a mechanism for pushing security-policy decisions out to user space — the security-module mechanism. So it arguably makes sense to move lockdown decision-making into an LSM; that is indeed what the more recent versions of the patch set do.
First, though, there is the problem of initialization. LSMs exist to apply policies to actions taken by user space, so as long as the LSM infrastructure is running by the time user space starts, everything is fine. Lockdown, though, must act earlier: it needs to be able to block the action of certain types of command-line parameters and must be functional even before a security policy can be loaded. So the patch set starts by creating a new type of "early security module" that is initialized toward the beginning of the boot process. At this point, the module can't do much — even basic amenities like kmalloc() are not available — but it's enough to register its hooks and take control.
Next, a new security hook is provided for LSMs to use:
int (*locked_down)(enum lockdown_reason what);
This hook allows the LSM to decide whether kernel lockdown will prohibit a given action, described by what. Actions include loading unsigned modules (LOCKDOWN_MODULE_SIGNATURE), access to special files like /dev/port (LOCKDOWN_DEV_MEM), hibernating the system (LOCKDOWN_HIBERNATION), use of many perf functions (LOCKDOWN_PERF), kernel tracing (LOCKDOWN_TRACEFS), some BPF function (LOCKDOWN_BPF_READ), and many more. There are, it turns out, a lot of ways for root to compromise or extract information from the kernel; the lockdown patches do their best to close them all off.
In the previous version of the patch, Andy Lutomirski objected to the provision of detailed actions to LSM locked_down() hooks. He argued, instead, for simply providing two values: "confidentiality" (for actions that may leak information from the kernel) and "integrity" (for those that could compromise the kernel). Doing anything else, he said, risks problems in the future if the meaning of any of those actions expands or changes. Garrett thought the extra information could be useful, though, and was less worried about incompatible changes. So this feature remains in the current patch set.
The patch set does maintain the distinction between confidentiality and integrity lockdown, though. The various LOCKDOWN_* constants are ordered so that the integrity-related actions have lower values than those related to confidentiality. All of the integrity-related actions have values less than LOCKDOWN_INTEGRITY_MAX; all actions of any type have lower values than LOCKDOWN_CONFIDENTIALITY_MAX. So a module that wants to distinguish between the two types of actions can do so using a simple comparison and without needing to understand each action specifically.
That feature is used by the static lockdown policy module added by the patch set. While some users may want to put together complex LSM policies regarding lockdown, many others are likely to simply want to lock down everything and be done with it. The static policy module enables that in a number of ways, depending on how the kernel is configured. There is a lockdown= command-line parameter that can be set to either integrity or confidentiality to enable lockdown, which can also be turned on at run time via the /sys/kernel/security/lockdown sysfs knob. There are also, though, kernel configuration options to simply force either lockdown mode with no option for it to be disabled.
Over the years, the lockdown patches have proved to be highly
controversial. There are certainly still developers who are unconvinced by
or opposed to the concept, but it seems that most of the objections have
been addressed through years of patient reworking of the patch set. One
can never be sure that 34 revisions will be enough until the code lands in
the mainline kernel, but the odds seem relatively good that this long story
is finally approaching an end.
| Index entries for this article | |
|---|---|
| Kernel | Security/UEFI secure boot |
Posted Jun 27, 2019 9:04 UTC (Thu)
by james (subscriber, #1325)
[Link]
I think we've seen enough vulnerabilities around this sort of software (Intel ME, AMD's PSP) that we can be sure that running a ten-year-old lockdown LSM is unlikely to be useful.
Posted Jun 27, 2019 12:37 UTC (Thu)
by dunlapg (guest, #57764)
[Link] (4 responses)
I think using a word like "owner" to mean "whoever holds the signing key" is a twisting of the facts at best (as evidenced by the way that "owner" is used in the next paragraph down); and that we should refuse to play along with this misleading terminology.
Something more neutral like "lockholder" or "keymaster" would be more accurate: "Technologies like UEFI secure boot are intended to guarantee that a locked-down system is running software intended by the lockholder" is perfectly understandable, and clues the reader in to the fact that the "lockholder" may or may not be the actual owner of the device.
Posted Jun 27, 2019 14:17 UTC (Thu)
by mjg59 (subscriber, #23239)
[Link] (3 responses)
Posted Jun 27, 2019 17:03 UTC (Thu)
by nybble41 (subscriber, #55106)
[Link]
Posted Jun 28, 2019 4:56 UTC (Fri)
by jfred (subscriber, #126493)
[Link]
See also game consoles, where manufacturers like to say that the software lockdown is a security measure. It's security for the manufacturer, not for the user.
Posted Jun 28, 2019 15:02 UTC (Fri)
by faramir (subscriber, #2327)
[Link]
So you are in favor of confusing at least 99.5% of all people in the world about what this feature does? The only people who will understand what is written as you do will be people who have followed this discussion (mostly security geeks and Linux kernel programmers). The alternative wording will be understood by everyone who understand your preferred wording or at least will clue in people who aren't monitoring this discussion that this feature might not do what they want.
And if we are going to be pedantic about it, I would point out that it is likely that >99.5% of the legal "owners" of the systems in question will not in fact be "keyholders"; so your wording is false using the more widely understood legal meaning.
Lockdown as a security module
Garrett [...] was less worried about incompatible changes.
Lockdown as a security module
Technologies like UEFI secure boot are intended to guarantee that a locked-down system is running the software intended by its owner (for a definition of "owner" as "whoever holds the signing key recognized by the firmware").
Lockdown as a security module
Lockdown as a security module
Lockdown as a security module
Lockdown as a security module