CVE-2025-1272: security: Re-enable lockdown LSM in some setup_arch()

JIRA: https://issues.redhat.com/browse/RHEL-78974
CVE: CVE-2025-1272
Upstream Status: RHEL-only

Restore the functionality of the lockdown LSM routines in the
architecture-specific setup_arch() routines for x86, s390,
powerpc, and arm64.

Calls to the LSM lockdown routines security_lock_kernel_down() and
security_locked_down() are ineffective prior to a call to
early_security_init(). And commit 77b644c ("init/main.c:
Initialize early LSMs after arch code, static keys and calls")
moved the call to early_security_init() in start_kernel()
from before the call to setup_arch() to after it.

Secondly, even if lock_kernel_down() is called directly, e.g. via
the kernel parameter lockdown, or CONFIG_LOCK_DOWN_KERNEL_FORCE_*,
security_locked_down() will return false until early_security_init()
is called. An example of such an early call occurs in
acpi_table_upgrade() if CONFIG_ACPI_TABLE_UPGRADE is enabled.

Fix this by calling early_security_init() in the arch-specifc
setup_arch() routines that depend on early enablement of the
lockdown LSM.

First, make it safe to call early_security_init() more than once.
All subsequent calls do nothing.

Then add a call to early_security_init() into the x86, s390, and
powerpc, and arm64 versions of setup_arch(). Both static_call_init()
and jump_table_init() are prerequisites for early_security_init().
So add or move them accordingly. All three of these routines
can be safely called more than once.

Tested: Kernel lockdown tested on x86_64, s390x, ppc64le, and arm64.

Fixes: 77b644c ("init/main.c: Initialize early LSMs after arch code, static keys and calls")

Signed-off-by: Lenny Szubowicz <[email protected]>

Author: LennySzubowicz

arch/arm64/kernel/setup.c

@@ -31,6 +31,7 @@
 #include <linux/psci.h>
 #include <linux/sched/task.h>
 #include <linux/mm.h>
+#include <linux/security.h>
 
 #include <asm/acpi.h>
 #include <asm/fixmap.h>
@@ -294,6 +295,10 @@ void __init __no_sanitize_address setup_arch(char **cmdline_p)
 
 	parse_early_param();
 
+	/* Initialize the lockdown LSM */
+	static_call_init();
+	early_security_init();
+
 	/*
 	 * The primary CPU enters the kernel with all DAIF exceptions masked.
 	 *

arch/powerpc/kernel/setup-common.c

@@ -870,6 +870,11 @@ void __init setup_arch(char **cmdline_p)
 	 */
 	initialize_cache_info();
 
+	/* Initialize the lockdown LSM */
+	jump_label_init();
+	static_call_init();
+	early_security_init();
+
 	/*
 	 * Lock down the kernel if booted in secure mode. This is required to
 	 * maintain kernel integrity.

arch/s390/kernel/setup.c

@@ -892,6 +892,11 @@ void __init setup_arch(char **cmdline_p)
 
 	log_component_list();
 
+	/* Initialize the lockdown LSM */
+	jump_label_init();
+	static_call_init();
+	early_security_init();
+
 	if (ipl_get_secureboot())
 		security_lock_kernel_down("Secure IPL mode", LOCKDOWN_INTEGRITY_MAX);
 
@@ -906,7 +911,6 @@ void __init setup_arch(char **cmdline_p)
 	if (IS_ENABLED(CONFIG_EXPOLINE_AUTO))
 		nospec_auto_detect();
 
-	jump_label_init();
 	parse_early_param();
 #ifdef CONFIG_CRASH_DUMP
 	/* Deactivate elfcorehdr= kernel parameter */

arch/x86/kernel/setup.c

@@ -838,8 +838,11 @@ void __init setup_arch(char **cmdline_p)
 
 	idt_setup_early_traps();
 	early_cpu_init();
+
+	/* Initialize the lockdown LSM */
 	jump_label_init();
 	static_call_init();
+	early_security_init();
 	early_ioremap_init();
 
 	setup_olpc_ofw_pgd();

security/security.c

@@ -477,6 +477,10 @@ static void __init ordered_lsm_init(void)
 int __init early_security_init(void)
 {
 	struct lsm_info *lsm;
+	static bool early_security_initialized;
+
+	if (early_security_initialized)
+		return 0;
 
 	for (lsm = __start_early_lsm_info; lsm < __end_early_lsm_info; lsm++) {
 		if (!lsm->enabled)
@@ -485,6 +489,7 @@ int __init early_security_init(void)
 		initialize_lsm(lsm);
 	}
 
+	early_security_initialized = true;
 	return 0;
 }