lib/security: hard_lockdown flag to stop runtime disable of signed boot

Currently if signed-boot is enabled in configure the presence of the
LOCKDOWN_FILE is used as a runtime determination to perform the actual
verification.  In some environments this may be acceptable or even the
intended operation but in other environments could be a security hole
since the removal of the file will then cause boot task verification.
Add a 'hard_lockdown' enable flag to generate a HARD_LOCKDOWN
preprocessor definition to force the system to always do a signed boot
verification for each boot task, which in the case of a missing file the
boot will fail.

Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

diff --git a/configure.ac b/configure.ac
index 9eb08552910c0e79fdf08634157d12eea8d599a0..ed2ea828cb165f497e70bc3b458aa4e533e7d2f8 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -239,6 +239,14 @@ AC_ARG_VAR(
 AS_IF([test "x$VERIFY_DIGEST" = x], [VERIFY_DIGEST="sha256"])
 AC_DEFINE_UNQUOTED(VERIFY_DIGEST, "$VERIFY_DIGEST", [openssl verify dgst])
 
+AC_ARG_ENABLE([hard-lockdown],
+             [AS_HELP_STRING([--enable-hard-lockdown],
+                             [if signed boot configured, the absence of the
+                              LOCKDOWN_FILE does not disable signed boot at
+                              runtime @<:@default=no@:>@])],
+             [AC_DEFINE(HARD_LOCKDOWN, 1, [Enable hard lockdown])],
+             [])
+
 AC_ARG_ENABLE(
        [busybox],
        [AS_HELP_STRING(

diff --git a/lib/security/gpg.c b/lib/security/gpg.c
index 761d6ced1bb986d6dccffd2fc01e3a3e9f42437f..aae85aa06e1084fbf365f537b8003bfee3b098b9 100644 (file)
--- a/lib/security/gpg.c
+++ b/lib/security/gpg.c
@@ -354,8 +354,10 @@ int lockdown_status() {
        /* assume most restrictive lockdown type */
        int ret = PB_LOCKDOWN_SIGN;
 
+#if !defined(HARD_LOCKDOWN)
        if (access(LOCKDOWN_FILE, F_OK) == -1)
                return PB_LOCKDOWN_NONE;
+#endif
 
        /* determine lockdown type */
        FILE *authorized_signatures_handle = NULL;

diff --git a/lib/security/openssl.c b/lib/security/openssl.c
index 03ea3326484fe1e1b1ab96de072163086d7379f7..6454f8a8668c14b2db7f5f3961a792ea9f4b5685 100644 (file)
--- a/lib/security/openssl.c
+++ b/lib/security/openssl.c
@@ -456,8 +456,10 @@ int lockdown_status(void)
        int ret = PB_LOCKDOWN_SIGN;
        PKCS12 *p12 = NULL;
 
+#if !defined(HARD_LOCKDOWN)
        if (access(LOCKDOWN_FILE, F_OK) == -1)
                return PB_LOCKDOWN_NONE;
+#endif
 
        /* determine lockdown type */
 
@@ -471,6 +473,6 @@ int lockdown_status(void)
                fclose(authorized_signatures_handle);
        }
 
-    return ret;
+       return ret;
 }
 

diff --git a/ui/ncurses/nc-boot-editor.c b/ui/ncurses/nc-boot-editor.c
index 2e5749bae46210128529ed4faa27c149734e6b91..3f7c5e515b36bf72dfdbfa255e1eb8c88af54ff8 100644 (file)
--- a/ui/ncurses/nc-boot-editor.c
+++ b/ui/ncurses/nc-boot-editor.c
@@ -637,9 +637,11 @@ struct boot_editor *boot_editor_init(struct cui *cui,
                return NULL;
 
 #if defined(SIGNED_BOOT)
+#if !defined(HARD_LOCKDOWN)
        if (access(LOCKDOWN_FILE, F_OK) == -1)
                boot_editor->use_signature_files = false;
        else
+#endif
                boot_editor->use_signature_files = true;
 #else
        boot_editor->use_signature_files = false;

diff --git a/ui/ncurses/nc-cui.c b/ui/ncurses/nc-cui.c
index 20a90483cd07accc318546d9fc26aab48c9f72dc..8a3f97dc9b593f58bd14d40989b6d389eacf2365 100644 (file)
--- a/ui/ncurses/nc-cui.c
+++ b/ui/ncurses/nc-cui.c
@@ -61,10 +61,14 @@ static void cui_cancel_autoboot_on_exit(struct cui *cui);
 
 static bool lockdown_active(void)
 {
+#if defined(SIGNED_BOOT) && defined(HARD_LOCKDOWN)
+       return true;
+#else
        bool lockdown = false;
        if (access(LOCKDOWN_FILE, F_OK) != -1)
                lockdown = true;
        return lockdown;
+#endif
 }
 
 static void cui_start(void)