[PATCH] lib/security: hard_lockdown flag to stop runtime disable of signed boot
Samuel Mendoza-Jonas
sam at mendozajonas.com
Tue Jun 12 15:18:44 AEST 2018
On Mon, 2018-06-11 at 07:36 +1000, Brett Grandbois wrote:
> Currently if signed-boot is enabled in configure the presence of the
> LOCKDOWN_FILE is used as a runtime determination to perform the actual
> verification. In some environments this may be acceptable or even the
> intended operation but in other environments could be a security hole
> since the removal of the file will then cause boot task verification.
> Add a 'hard_lockdown' enable flag to generate a HARD_LOCKDOWN
> preprocessor definition to force the system to always do a signed boot
> verification for each boot task, which in the case of a missing file the
> boot will fail.
>
> Signed-off-by: Brett Grandbois <brett.grandbois at opengear.com>
Sounds reasonable, merged as 18a47a31
> ---
> configure.ac | 8 ++++++++
> lib/security/gpg.c | 2 ++
> lib/security/openssl.c | 4 +++-
> ui/ncurses/nc-boot-editor.c | 2 ++
> ui/ncurses/nc-cui.c | 4 ++++
> 5 files changed, 19 insertions(+), 1 deletion(-)
>
> diff --git a/configure.ac b/configure.ac
> index bdd7f70..e856bdc 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -239,6 +239,14 @@ AC_ARG_VAR(
> AS_IF([test "x$VERIFY_DIGEST" = x], [VERIFY_DIGEST="sha256"])
> AC_DEFINE_UNQUOTED(VERIFY_DIGEST, "$VERIFY_DIGEST", [openssl verify dgst])
>
> +AC_ARG_ENABLE([hard-lockdown],
> + [AS_HELP_STRING([--enable-hard-lockdown],
> + [if signed boot configured, the absence of the
> + LOCKDOWN_FILE does not disable signed boot at
> + runtime @<:@default=no@:>@])],
> + [AC_DEFINE(HARD_LOCKDOWN, 1, [Enable hard lockdown])],
> + [])
> +
> AC_ARG_ENABLE(
> [busybox],
> [AS_HELP_STRING(
> diff --git a/lib/security/gpg.c b/lib/security/gpg.c
> index 761d6ce..aae85aa 100644
> --- a/lib/security/gpg.c
> +++ b/lib/security/gpg.c
> @@ -354,8 +354,10 @@ int lockdown_status() {
> /* assume most restrictive lockdown type */
> int ret = PB_LOCKDOWN_SIGN;
>
> +#if !defined(HARD_LOCKDOWN)
> if (access(LOCKDOWN_FILE, F_OK) == -1)
> return PB_LOCKDOWN_NONE;
> +#endif
>
> /* determine lockdown type */
> FILE *authorized_signatures_handle = NULL;
> diff --git a/lib/security/openssl.c b/lib/security/openssl.c
> index 03ea332..6454f8a 100644
> --- a/lib/security/openssl.c
> +++ b/lib/security/openssl.c
> @@ -456,8 +456,10 @@ int lockdown_status(void)
> int ret = PB_LOCKDOWN_SIGN;
> PKCS12 *p12 = NULL;
>
> +#if !defined(HARD_LOCKDOWN)
> if (access(LOCKDOWN_FILE, F_OK) == -1)
> return PB_LOCKDOWN_NONE;
> +#endif
>
> /* determine lockdown type */
>
> @@ -471,6 +473,6 @@ int lockdown_status(void)
> fclose(authorized_signatures_handle);
> }
>
> - return ret;
> + return ret;
> }
>
> diff --git a/ui/ncurses/nc-boot-editor.c b/ui/ncurses/nc-boot-editor.c
> index 2e5749b..3f7c5e5 100644
> --- a/ui/ncurses/nc-boot-editor.c
> +++ b/ui/ncurses/nc-boot-editor.c
> @@ -637,9 +637,11 @@ struct boot_editor *boot_editor_init(struct cui *cui,
> return NULL;
>
> #if defined(SIGNED_BOOT)
> +#if !defined(HARD_LOCKDOWN)
> if (access(LOCKDOWN_FILE, F_OK) == -1)
> boot_editor->use_signature_files = false;
> else
> +#endif
> boot_editor->use_signature_files = true;
> #else
> boot_editor->use_signature_files = false;
> diff --git a/ui/ncurses/nc-cui.c b/ui/ncurses/nc-cui.c
> index 20a9048..8a3f97d 100644
> --- a/ui/ncurses/nc-cui.c
> +++ b/ui/ncurses/nc-cui.c
> @@ -61,10 +61,14 @@ static void cui_cancel_autoboot_on_exit(struct cui *cui);
>
> static bool lockdown_active(void)
> {
> +#if defined(SIGNED_BOOT) && defined(HARD_LOCKDOWN)
> + return true;
> +#else
> bool lockdown = false;
> if (access(LOCKDOWN_FILE, F_OK) != -1)
> lockdown = true;
> return lockdown;
> +#endif
> }
>
> static void cui_start(void)
More information about the Petitboot
mailing list