From: alf@i100.no
To: development@lists.ipfire.org
Subject: Re: [PATCH 03/11] Kernel: Pin loading kernel files to one filesystem
Date: Mon, 21 Mar 2022 21:24:48 +0100
In-Reply-To: <63A98A2B-447B-4613-96FA-45C220F94BE4@ipfire.org>

On 2022-03-21 19:50, Michael Tremer wrote:
> Hello,
>
>> On 21 Mar 2022, at 17:15, Arne Fitzenreiter wrote:
>>
>> To my knowledge, enforce loadpin is incompatible with initramfs.
>> https://lwn.net/Articles/682302/
>
> I cannot find that being mentioned in this article. And I am not sure
> whether the initramdisk counts as its own file system.
>

Quoting what I think is the relevant section from the article:

"The current module is also likely to run into trouble on systems that
boot with an initramfs image; the first modules will almost certainly be
loaded from that image (that's why it exists, usually), causing loads to
be pinned to a temporary filesystem that will go away at the end of the
bootstrap process. In the current patch, if the filesystem to which
loading is pinned disappears, loading of files will be disabled entirely
— behavior that makes sense, but which may not lead to the desired
results in an initramfs setting.
"

And a somewhat related discussion:
https://forums.gentoo.org/viewtopic-p-8686594.html?sid=bbf2ffea6f1ad4a3f69073bfabfdb021

And a patch to the kernel, which I could not figure out whether it has been
merged:
https://lkml.org/lkml/2021/4/8/1446

But it does not seem to be merged, to me:
https://github.com/torvalds/linux/blob/5bfc75d92efd494db37f5c4c173d3639d4772966/security/loadpin/loadpin.c

Alf

>> Also we have some older installations that have a separate /var
>> partition and /lib/firmware was moved to /var/lib/firmware,
>> so I think we cannot apply this!
>
> The firmware currently is in /lib/firmware and since we have now a way
> to compress it, there is no need to move it any more. That should
> allow us to enable this switch.
>
> Best,
> -Michael
>
>> Arne
>>
>>
>> On 2022-03-19 22:09, Peter Müller wrote:
>>> This can be safely enabled on IPFire, as we never swap filesystems
>>> during runtime.
>>>
>>> Fixes: #12432
>>> Signed-off-by: Peter Müller
>>> ---
>>>  config/kernel/kernel.config.aarch64-ipfire | 3 ++-
>>>  config/kernel/kernel.config.armv6l-ipfire  | 3 ++-
>>>  config/kernel/kernel.config.riscv64-ipfire | 3 ++-
>>>  config/kernel/kernel.config.x86_64-ipfire  | 3 ++-
>>>  4 files changed, 8 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
>>> index 35c249253..d9179c061 100644
>>> --- a/config/kernel/kernel.config.aarch64-ipfire
>>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>>> @@ -7555,7 +7555,8 @@ CONFIG_FORTIFY_SOURCE=y
>>> # CONFIG_SECURITY_SMACK is not set
>>> # CONFIG_SECURITY_TOMOYO is not set
>>> # CONFIG_SECURITY_APPARMOR is not set
>>> -# CONFIG_SECURITY_LOADPIN is not set
>>> +CONFIG_SECURITY_LOADPIN=y
>>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>>> # CONFIG_SECURITY_YAMA is not set
>>> # CONFIG_SECURITY_SAFESETID is not set
>>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
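Review bot: with `+CONFIG_SECURITY_LOADPIN_ENFORCE=y` in this aarch64 hunk, the pin is taken from whichever filesystem the first kernel file (module or firmware) is read from, and the thread above points out that on an initramfs boot that is the initramfs, after which reads from the real root are refused; the commit message only says filesystems are never swapped at runtime and does not say whether the IPFire kernel boots with an initramfs that loads modules. Please state that in the commit message, or leave `# CONFIG_SECURITY_LOADPIN_ENFORCE is not set` in place until a boot on this architecture confirms the first kernel-file read comes from the real root.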
>>> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
>>> index 5b4ff8e20..522278160 100644
>>> --- a/config/kernel/kernel.config.armv6l-ipfire
>>> +++ b/config/kernel/kernel.config.armv6l-ipfire
>>> @@ -7559,7 +7559,8 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
>>> # CONFIG_SECURITY_SMACK is not set
>>> # CONFIG_SECURITY_TOMOYO is not set
>>> # CONFIG_SECURITY_APPARMOR is not set
>>> -# CONFIG_SECURITY_LOADPIN is not set
>>> +CONFIG_SECURITY_LOADPIN=y
>>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>>> # CONFIG_SECURITY_YAMA is not set
>>> # CONFIG_SECURITY_SAFESETID is not set
>>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
>>> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
>>> index d4c0e0451..ebb830eb7 100644
>>> --- a/config/kernel/kernel.config.riscv64-ipfire
>>> +++ b/config/kernel/kernel.config.riscv64-ipfire
>>> @@ -6192,7 +6192,8 @@ CONFIG_FORTIFY_SOURCE=y
>>> # CONFIG_SECURITY_SMACK is not set
>>> # CONFIG_SECURITY_TOMOYO is not set
>>> # CONFIG_SECURITY_APPARMOR is not set
>>> -# CONFIG_SECURITY_LOADPIN is not set
>>> +CONFIG_SECURITY_LOADPIN=y
>>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>>> # CONFIG_SECURITY_YAMA is not set
>>> # CONFIG_SECURITY_SAFESETID is not set
>>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
>>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
>>> index 8b525ef89..675c3ce1e 100644
>>> --- a/config/kernel/kernel.config.x86_64-ipfire
>>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>>> @@ -6968,7 +6968,8 @@ CONFIG_FORTIFY_SOURCE=y
>>> # CONFIG_SECURITY_SMACK is not set
>>> # CONFIG_SECURITY_TOMOYO is not set
>>> # CONFIG_SECURITY_APPARMOR is not set
>>> -# CONFIG_SECURITY_LOADPIN is not set
>>> +CONFIG_SECURITY_LOADPIN=y
>>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>>> # CONFIG_SECURITY_YAMA is not set
>>> # CONFIG_SECURITY_SAFESETID is not set
>>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
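Review bot: for the armv6l hunk, Arne's point above about older installations with a separate /var partition and /lib/firmware moved to /var/lib/firmware is not answered by the change itself: once the first module has pinned the root filesystem, a firmware blob read from /var comes from a different filesystem and, with `+CONFIG_SECURITY_LOADPIN_ENFORCE=y`, is denied, so a driver that needs firmware would fail on those boxes. The commit message should state that every supported install has firmware on the root filesystem (Michael's reply says it is in /lib/firmware now and no longer needs to move) before enforcement lands on this architecture.

Review bot: the x86_64 hunk switches on `+CONFIG_SECURITY_LOADPIN=y` and `+CONFIG_SECURITY_LOADPIN_ENFORCE=y` in one step, while the commit message's "This can be safely enabled on IPFire" is asserted without saying how it was checked. Consider landing `CONFIG_SECURITY_LOADPIN=y` first with `# CONFIG_SECURITY_LOADPIN_ENFORCE is not set`, so a real boot shows which filesystem gets pinned and which reads would have been refused, and add that result to the commit message before turning on enforcement.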
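The pinning rule the thread is arguing about, walked through as an added example. This is not the kernel's security/loadpin/loadpin.c and not IPFire code: it is a user-space C model of the decision LoadPin makes (the first kernel-file read pins the filesystem it came from, later reads from any other filesystem are denied while enforcement is on, and once the pinned filesystem is gone nothing loads), so the four layouts raised above (single root, initramfs, firmware on a separate /var, pinned filesystem gone) can be compared side by side. The superblock names, file paths and boot sequences are constructed for illustration.

```c
/*
 * Added example for this thread, not code from the kernel or from IPFire:
 * a user-space model of the decision that CONFIG_SECURITY_LOADPIN makes and
 * that CONFIG_SECURITY_LOADPIN_ENFORCE turns from "report" into "deny".
 * Superblock names, paths and boot sequences are constructed for illustration.
 */
#include <stdbool.h>
#include <stdio.h>

enum verdict { LOAD_PINNED, LOAD_ALLOWED, LOAD_DENIED, LOAD_IGNORED };

static const char *const verdict_name[] = {
    "pinned", "allowed", "denied", "pinning-ignored"
};

/* Stand-in for a superblock: LoadPin compares filesystem identity, not paths. */
struct sb { const char *name; };

struct loadpin {
    const struct sb *pinned_root;   /* NULL until the first kernel file is read */
    bool pinned_root_gone;          /* set when the pinned superblock is freed */
    bool enforce;                   /* CONFIG_SECURITY_LOADPIN_ENFORCE default */
};

/* Decision taken for every kernel-file read (module, firmware, kexec image). */
static enum verdict loadpin_read_file(struct loadpin *lp,
                                      const struct sb *load_root,
                                      const char *path)
{
    enum verdict v;

    if (!lp->pinned_root && !lp->pinned_root_gone) {
        /* First load wins: its filesystem is the pin for the rest of the uptime. */
        lp->pinned_root = load_root;
        v = LOAD_PINNED;
    } else if (lp->pinned_root_gone || load_root != lp->pinned_root) {
        /* Other (or vanished) filesystem: refuse, unless only reporting. */
        v = lp->enforce ? LOAD_DENIED : LOAD_IGNORED;
    } else {
        v = LOAD_ALLOWED;
    }
    printf("loadpin: %-52s from %-20s -> %s\n", path, load_root->name, verdict_name[v]);
    return v;
}

/* Superblock teardown: a freed pin is never replaced, so every later read fails. */
static void loadpin_sb_free(struct loadpin *lp, const struct sb *root)
{
    if (lp->pinned_root == root) {
        lp->pinned_root = NULL;
        lp->pinned_root_gone = true;
    }
}

/* Constructed filesystems for the scenarios from the thread. */
static const struct sb initramfs = { "rootfs (initramfs)" };
static const struct sb root_fs   = { "/dev/sda1 on /" };
static const struct sb var_fs    = { "/dev/sda2 on /var" };

/* Modules and firmware on one root filesystem: the layout the commit message assumes. */
enum verdict scenario_single_root(bool enforce)
{
    struct loadpin lp = { NULL, false, enforce };
    loadpin_read_file(&lp, &root_fs, "/lib/modules/kernel/drivers/net/e1000e.ko");
    return loadpin_read_file(&lp, &root_fs, "/lib/firmware/rtl_nic/rtl8168h-2.fw");
}

/* The LWN paragraph quoted above: first module from the initramfs, the rest from the real root. */
enum verdict scenario_initramfs(bool enforce)
{
    struct loadpin lp = { NULL, false, enforce };
    loadpin_read_file(&lp, &initramfs, "/lib/modules/kernel/fs/xfs/xfs.ko");
    /* After switch_root the real root is a different superblock from the pinned one. */
    return loadpin_read_file(&lp, &root_fs, "/lib/modules/kernel/drivers/net/e1000e.ko");
}

/* Arne's older installs: modules on /, firmware on a separate /var partition. */
enum verdict scenario_firmware_on_var(bool enforce)
{
    struct loadpin lp = { NULL, false, enforce };
    loadpin_read_file(&lp, &root_fs, "/lib/modules/kernel/drivers/net/wireless/iwlwifi.ko");
    return loadpin_read_file(&lp, &var_fs, "/var/lib/firmware/iwlwifi-7265D-29.ucode");
}

/* The pinned filesystem disappears: loading is disabled entirely afterwards. */
enum verdict scenario_pinned_fs_gone(bool enforce)
{
    struct loadpin lp = { NULL, false, enforce };
    loadpin_read_file(&lp, &initramfs, "/lib/modules/kernel/fs/xfs/xfs.ko");
    loadpin_sb_free(&lp, &initramfs);
    return loadpin_read_file(&lp, &root_fs, "/lib/modules/kernel/drivers/net/e1000e.ko");
}

int main(void)
{
    scenario_single_root(true);
    scenario_initramfs(true);
    scenario_initramfs(false);
    scenario_firmware_on_var(true);
    scenario_pinned_fs_gone(true);
    return 0;
}
```

Only the single-root layout ends in "allowed" with enforcement on; the initramfs and separate-/var layouts end in "denied", and the same runs with enforcement off end in "pinning-ignored", which is the difference between setting CONFIG_SECURITY_LOADPIN alone and adding CONFIG_SECURITY_LOADPIN_ENFORCE.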