• Andrew Donnellan's avatar
    powerpc/rtas: Restrict RTAS requests from userspace · bd59380c
    Andrew Donnellan authored
    A number of userspace utilities depend on making calls to RTAS to retrieve
    information and update various things.
    
    The existing API through which we expose RTAS to userspace exposes more
    RTAS functionality than we actually need, through the sys_rtas syscall,
    which allows root (or anyone with CAP_SYS_ADMIN) to make any RTAS call they
    want with arbitrary arguments.
    
    Many RTAS calls take the address of a buffer as an argument, and it's up to
    the caller to specify the physical address of the buffer as an argument. We
    allocate a buffer (the "RMO buffer") in the Real Memory Area that RTAS can
    access, and then expose the physical address and size of this buffer in
    /proc/powerpc/rtas/rmo_buffer. Userspace is expected to read this address,
    poke at the buffer using /dev/mem, and pass an address in the RMO buffer to
    the RTAS call.
    
    However, there's nothing stopping the caller from specifying whatever
    address they want in the RTAS call, and it's easy to construct a series of
    RTAS calls that can overwrite arbitrary bytes (even without /dev/mem
    access).
    
    Additionally, there are some RTAS calls that do potentially dangerous
    things and for which there are no legitimate userspace use cases.
    
    In the past, this would not have been a particularly big deal as it was
    assumed that root could modify all system state freely, but with Secure
    Boot and lockdown we need to care about this.
    
    We can't fundamentally change the ABI at this point, however we can address
    this by implementing a filter that checks RTAS calls against a list
    of permitted calls and forces the caller to use addresses within the RMO
    buffer.
    
    The list is based off the list of calls that are used by the librtas
    userspace library, and has been tested with a number of existing userspace
    RTAS utilities. For compatibility with any applications we are not aware of
    that require other calls, the filter can be turned off at build time.
    
    Cc: stable@vger.kernel.org
    Reported-by: default avatarDaniel Axtens <dja@axtens.net>
    Signed-off-by: default avatarAndrew Donnellan <ajd@linux.ibm.com>
    Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/20200820044512.7543-1-ajd@linux.ibm.com
    bd59380c
Kconfig 37.4 KB