linux/Documentation
Kees Cook 7984754b99 kexec: add sysctl to disable kexec_load
For general-purpose (i.e. distro) kernel builds it makes sense to build
with CONFIG_KEXEC to allow end users to choose what kind of things they
want to do with kexec.  However, in the face of trying to lock down a
system with such a kernel, there needs to be a way to disable kexec_load
(much like module loading can be disabled).  Without this, it is too easy
for the root user to modify kernel memory even when CONFIG_STRICT_DEVMEM
and modules_disabled are set.  With this change, it is still possible to
load an image for use later, then disable kexec_load so the image (or lack
of image) can't be altered.

The intention is for using this in environments where "perfect"
enforcement is hard.  Without a verified boot, along with verified
modules, and along with verified kexec, this is trying to give a system a
better chance to defend itself (or at least grow the window of
discoverability) against attack in the face of a privilege escalation.

In my mind, I consider several boot scenarios:

1) Verified boot of read-only verified root fs loading fd-based
   verification of kexec images.
2) Secure boot of writable root fs loading signed kexec images.
3) Regular boot loading kexec (e.g. kcrash) image early and locking it.
4) Regular boot with no control of kexec image at all.

1 and 2 don't exist yet, but will soon once the verified kexec series has
landed.  4 is the state of things now.  The gap between 2 and 4 is too
large, so this change creates scenario 3, a middle-ground above 4 when 2
and 1 are not possible for a system.

Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Rik van Riel <riel@redhat.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Eric Biederman <ebiederm@xmission.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-01-23 16:37:03 -08:00
ABI f2fs updates for v3.14 2014-01-23 09:21:09 -08:00
accounting
acpi GPIO tree bulk changes for v3.14 2014-01-21 10:09:12 -08:00
aoe
arm gpio: samsung: Update documentation 2014-01-07 19:00:59 +01:00
arm64
auxdisplay
backlight backlight: lp855x_bl: support new LP8555 device 2013-11-13 12:09:14 +09:00
blackfin
block null_blk: set use_per_node_hctx param to false 2013-12-21 09:30:33 -07:00
blockdev Documentation/blockdev/ramdisk.txt: updates 2014-01-23 16:37:01 -08:00
bus-devices
cdrom
cgroups doc: cgroups: Fix typo in doc/cgroups 2013-12-31 07:33:38 -05:00
connector
console
cpu-freq
cpuidle
cris
crypto
development-process
device-mapper dm cache: add policy name to status output 2014-01-16 13:44:11 -05:00
devicetree dt-bindings: add hym8563 binding 2014-01-23 16:36:59 -08:00
DocBook Merge branch 'master' into for-next 2013-12-19 15:08:32 +01:00
driver-model Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2014-01-22 21:21:55 -08:00
dvb
early-userspace
EDID
extcon extcon: fix switch class porting guide (Documentation) 2014-01-07 11:54:28 +09:00
fault-injection
fb
filesystems Documentation/filesystems/00-INDEX: updates 2014-01-23 16:37:01 -08:00
firmware_class
fmc
frv
gpio gpiolib: return -ENOENT if no GPIO mapping exists 2013-12-12 19:33:59 +01:00
hid
hwmon Merge branch 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging 2013-11-15 16:35:10 -08:00
i2c Documentation: i2c: Remove obsolete example 2014-01-09 23:02:46 +01:00
i2o
ia64
ide
infiniband
input
ioctl
isdn
ja_JP Documentation: ja_JP: Update broken link to tpp 2013-12-10 23:09:08 -08:00
kbuild
kdump
kmsg/s390 s390/zcrypt: add support for EP11 coprocessor cards 2013-12-18 17:37:15 +01:00
ko_KR Documentation: HOWTO: Updates on subsystem trees, patchwork, -next (vs. -mm) in ko_KR 2014-01-08 15:32:51 -08:00
laptops Documentation: Fix size parameter for snprintf 2014-01-02 10:47:33 +01:00
leds
m68k
make
memory-devices
metag
mic misc: mic: Fix endianness issues. 2013-11-27 11:03:38 -08:00
mips
misc-devices Documentation/misc-devices/mei/mei-amt-version.c: remove unneeded call of mei_deinit() 2014-01-08 15:20:20 -08:00
mmc
mn10300
mtd
namespaces
netlabel
networking ipv4: improve documentation of ip_no_pmtu_disc 2013-12-17 15:20:15 -05:00
nfc
parisc
PCI Merge branch 'pci/msi' into next 2014-01-07 17:34:39 -07:00
pcmcia
power More ACPI and power management updates for 3.13-rc1 2013-11-20 13:25:04 -08:00
powerpc
pps
prctl
pti
ptp
rapidio
RCU Merge branches 'doc.2013.12.03a', 'fixes.2013.12.12a', 'rcutorture.2013.12.03a' and 'sparse.2013.12.12a' into HEAD 2013-12-12 12:35:38 -08:00
s390
scheduler H8/300 has been dead for several years, the kernel for it has 2013-11-12 14:13:14 +09:00
scsi [SCSI] Update documentation 2013-12-19 07:39:03 -08:00
security ima: update IMA-templates.txt documentation 2014-01-03 07:42:59 -05:00
serial
sh
sound ASoC: docs: Update the Overview document 2014-01-07 17:56:32 +00:00
spi
sysctl kexec: add sysctl to disable kexec_load 2014-01-23 16:37:03 -08:00
target
thermal
timers
tpm
trace Documentation/trace/postprocess/trace-vmscan-postprocess.pl: fix the traceevent regex 2014-01-23 16:36:52 -08:00
usb doc: Fix typo in USB Gadget Documentation 2014-01-10 15:33:54 +01:00
vDSO
video4linux
virtual Merge tag 'kvm-arm-for-3.14' of git://git.linaro.org/people/christoffer.dall/linux-kvm-arm into kvm-queue 2014-01-15 12:14:29 +01:00
vm mm: documentation: remove hopelessly out-of-date locking doc 2014-01-23 16:36:50 -08:00
w1
watchdog
wimax
x86 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2014-01-22 21:21:55 -08:00
xtensa
zh_CN Documentation: zh_CN: Update broken link to tpp 2013-12-10 23:09:08 -08:00
.gitignore
00-INDEX
applying-patches.txt
assoc_array.txt KEYS: Fix multiple key add into associative array 2013-12-02 11:24:18 +00:00
atomic_ops.txt
bad_memory.txt
basic_profiling.txt
bcache.txt
binfmt_misc.txt
braille-console.txt
bt8xxgpio.txt
btmrvl.txt
BUG-HUNTING
bus-virt-phys-mapping.txt
cachetlb.txt
Changes remove obsolete references to powertweak 2013-11-27 20:34:32 -08:00
circular-buffers.txt documentation: Update circular buffer for load-acquire/store-release 2013-12-03 10:08:57 -08:00
clk.txt
coccinelle.txt
CodingStyle
cpu-hotplug.txt Documentation/cpu-hotplug.txt: fix a typo in example code 2014-01-23 16:37:01 -08:00
cpu-load.txt
cputopology.txt
crc32.txt
dcdbas.txt
debugging-modules.txt
debugging-via-ohci1394.txt
dell_rbu.txt
devices.txt
digsig.txt
DMA-API-HOWTO.txt
DMA-API.txt
DMA-attributes.txt
dma-buf-sharing.txt
DMA-ISA-LPC.txt
dmaengine.txt
dmatest.txt dmatest: add a 'wait' parameter 2013-11-14 11:04:40 -08:00
dontdiff
dynamic-debug-howto.txt dynamic-debug-howto.txt: update since new wildcard support 2014-01-23 16:36:55 -08:00
edac.txt
efi-stub.txt doc: Fix trivial spelling mistake in efi-stub.txt 2013-12-19 15:09:14 +01:00
eisa.txt
email-clients.txt doc: fix some typos 2013-12-02 14:48:28 +01:00
flexible-arrays.txt
futex-requeue-pi.txt
gcov.txt gcov: compile specific gcov implementation based on gcc version 2013-11-13 12:09:34 +09:00
highuid.txt
HOWTO Documentation: HOWTO: Update broken links to tpp 2013-12-10 23:09:08 -08:00
hw_random.txt
hwspinlock.txt
init.txt
initrd.txt
intel_txt.txt
Intel-IOMMU.txt
io_ordering.txt
io-mapping.txt doc: fix some typos 2013-12-02 14:48:28 +01:00
iostats.txt
IPMI.txt
IRQ-affinity.txt
IRQ-domain.txt doc: fix some typos 2013-12-02 14:48:28 +01:00
IRQ.txt
irqflags-tracing.txt
isapnp.txt
java.txt
kernel-doc-nano-HOWTO.txt
kernel-docs.txt
kernel-parameters.txt doc/kmemcheck: add kmemcheck to kernel-parameters 2014-01-23 16:36:53 -08:00
kernel-per-CPU-kthreads.txt
kmemcheck.txt
kmemleak.txt
kobject.txt kobject: remove kset from sysfs immediately in kset_unregister() 2013-12-07 21:20:11 -08:00
kprobes.txt
kref.txt
ldm.txt
local_ops.txt
lockdep-design.txt
lockstat.txt
lockup-watchdogs.txt
logo.gif
logo.txt
magic-number.txt
Makefile
ManagementStyle
md.txt doc: fix some typos in documentations 2013-12-02 14:45:19 +01:00
media-framework.txt
memory-barriers.txt locking/doc: Rename LOCK/UNLOCK to ACQUIRE/RELEASE 2014-01-12 10:37:13 +01:00
memory-hotplug.txt
module-signing.txt Add Documentation/module-signing.txt file 2013-12-13 15:59:11 +00:00
mono.txt
mutex-design.txt locking/doc: Update references to kernel/mutex.c 2013-11-11 12:41:33 +01:00
nommu-mmap.txt
numastat.txt
oops-tracing.txt
padata.txt
parport-lowlevel.txt
parport.txt
percpu-rw-semaphore.txt
phy.txt
pi-futex.txt
pinctrl.txt pinctrl: Fix some typos and grammar issues in the documentation 2014-01-15 13:59:50 +01:00
pnp.txt
preempt-locking.txt
printk-formats.txt vsprintf: add %pad extension for dma_addr_t use 2014-01-23 16:36:56 -08:00
pwm.txt
ramoops.txt
rbtree.txt
remoteproc.txt
rfkill.txt doc: fix some typos in documentations 2013-12-02 14:45:19 +01:00
robust-futex-ABI.txt Documentation/robust-futex-API: Count properly to 4 2013-11-30 14:08:28 +01:00
robust-futexes.txt
rpmsg.txt
rt-mutex-design.txt doc: fix some typos in documentations 2013-12-02 14:45:19 +01:00
rt-mutex.txt
rtc.txt
SAK.txt
SecurityBugs
serial-console.txt
sgi-ioc4.txt
sgi-visws.txt
SM501.txt
smsc_ece1099.txt
sparse.txt
spinlocks.txt
stable_api_nonsense.txt
stable_kernel_rules.txt
static-keys.txt doc: fix some typos in documentations 2013-12-02 14:45:19 +01:00
SubmitChecklist
SubmittingDrivers
SubmittingPatches
svga.txt
sysfs-rules.txt
sysrq.txt
this_cpu_ops.txt
unaligned-memory-access.txt
unicode.txt
unshare.txt
vfio.txt
VGA-softcursor.txt
vgaarbiter.txt
video-output.txt
vme_api.txt VME: Rename vme_slot_get to avoid confusion with reference counting 2013-12-03 11:15:58 -08:00
volatile-considered-harmful.txt
workqueue.txt
ww-mutex-design.txt
xz.txt
zorro.txt zorro/UAPI: Disintegrate include/linux/zorro*.h 2013-11-26 11:09:08 +01:00