Merge: CVE-2025-1272: security: Re-enable lockdown LSM in some setup_arch()

CKI KWF Bot · CKI KWF Bot · commit 314615cf6d76 · 2025-03-07T05:33:22.000Z
MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-9/-/merge_requests/3406 JIRA: https://issues.redhat.com/browse/RHEL-78974 CVE: CVE-2025-1272 Upstream Status: RHEL-only Restore the functionality of the lockdown LSM routines in the architecture-specific setup_arch() routines for x86, s390, powerpc, and arm64. Calls to the LSM lockdown routines security_lock_kernel_down() and security_locked_down() are ineffective prior to a call to early_security_init(). And commit 77b644c ("init/main.c: Initialize early LSMs after arch code, static keys and calls") moved the call to early_security_init() in start_kernel() from before the call to setup_arch() to after it. Secondly, even if lock_kernel_down() is called directly, e.g. via the kernel parameter lockdown, or CONFIG_LOCK_DOWN_KERNEL_FORCE_*, security_locked_down() will return false until early_security_init() is called. An example of such an early call occurs in acpi_table_upgrade() if CONFIG_ACPI_TABLE_UPGRADE is enabled. Fix this by calling early_security_init() in the arch-specifc setup_arch() routines that depend on early enablement of the lockdown LSM. First, make it safe to call early_security_init() more than once. All subsequent calls do nothing. Then add a call to early_security_init() into the x86, s390, powerpc, and arm64 versions of setup_arch(). Both static_call_init() and jump_table_init() are prerequisites for early_security_init(). So add or move them accordingly. All three of these routines can be safely called more than once. Tested: Kernel lockdown tested on x86_64, s390x, ppc64le, and arm64. Fixes: 77b644c ("init/main.c: Initialize early LSMs after arch code, static keys and calls") v2: - Added arm64 setup_arch() because it calls acpi_table_upgrade() Signed-off-by: Lenny Szubowicz <lszubowi@redhat.com> Approved-by: Ondrej Mosnáček <omosnacek@gmail.com> Approved-by: Mark Langsdorf <mlangsdo@redhat.com> Approved-by: Steve Best <sbest@redhat.com> Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com>
diff --git a/arch/arm64/kernel/setup.c b/arch/arm64/kernel/setup.c
@@ -31,6 +31,7 @@
 #include <linux/psci.h>
 #include <linux/sched/task.h>
 #include <linux/mm.h>
+#include <linux/security.h>
 
 #include <asm/acpi.h>
 #include <asm/fixmap.h>
@@ -294,6 +295,10 @@ void __init __no_sanitize_address setup_arch(char **cmdline_p)
 
 	parse_early_param();
 
+	/* Initialize the lockdown LSM */
+	static_call_init();
+	early_security_init();
+
 	/*
 	 * The primary CPU enters the kernel with all DAIF exceptions masked.
 	 *
diff --git a/arch/powerpc/kernel/setup-common.c b/arch/powerpc/kernel/setup-common.c
@@ -870,6 +870,11 @@ void __init setup_arch(char **cmdline_p)
 	 */
 	initialize_cache_info();
 
+	/* Initialize the lockdown LSM */
+	jump_label_init();
+	static_call_init();
+	early_security_init();
+
 	/*
 	 * Lock down the kernel if booted in secure mode. This is required to
 	 * maintain kernel integrity.
diff --git a/arch/s390/kernel/setup.c b/arch/s390/kernel/setup.c
@@ -892,6 +892,11 @@ void __init setup_arch(char **cmdline_p)
 
 	log_component_list();
 
+	/* Initialize the lockdown LSM */
+	jump_label_init();
+	static_call_init();
+	early_security_init();
+
 	if (ipl_get_secureboot())
 		security_lock_kernel_down("Secure IPL mode", LOCKDOWN_INTEGRITY_MAX);
 
@@ -906,7 +911,6 @@ void __init setup_arch(char **cmdline_p)
 	if (IS_ENABLED(CONFIG_EXPOLINE_AUTO))
 		nospec_auto_detect();
 
-	jump_label_init();
 	parse_early_param();
 #ifdef CONFIG_CRASH_DUMP
 	/* Deactivate elfcorehdr= kernel parameter */
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
@@ -838,8 +838,11 @@ void __init setup_arch(char **cmdline_p)
 
 	idt_setup_early_traps();
 	early_cpu_init();
+
+	/* Initialize the lockdown LSM */
 	jump_label_init();
 	static_call_init();
+	early_security_init();
 	early_ioremap_init();
 
 	setup_olpc_ofw_pgd();
diff --git a/security/security.c b/security/security.c
@@ -477,6 +477,10 @@ static void __init ordered_lsm_init(void)
 int __init early_security_init(void)
 {
 	struct lsm_info *lsm;
+	static bool early_security_initialized;
+
+	if (early_security_initialized)
+		return 0;
 
 	for (lsm = __start_early_lsm_info; lsm < __end_early_lsm_info; lsm++) {
 		if (!lsm->enabled)
@@ -485,6 +489,7 @@ int __init early_security_init(void)
 		initialize_lsm(lsm);
 	}
 
+	early_security_initialized = true;
 	return 0;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -477,6 +477,10 @@ static void __init ordered_lsm_init(void)`
`477`	`477`	`int __init early_security_init(void)`
`478`	`478`	`{`
`479`	`479`	`struct lsm_info *lsm;`
	`480`	`+ static bool early_security_initialized;`
	`481`	`+`
	`482`	`+ if (early_security_initialized)`
	`483`	`+ return 0;`
`480`	`484`
`481`	`485`	`for (lsm = __start_early_lsm_info; lsm < __end_early_lsm_info; lsm++) {`
`482`	`486`	`if (!lsm->enabled)`
`@@ -485,6 +489,7 @@ int __init early_security_init(void)`
`485`	`489`	`initialize_lsm(lsm);`
`486`	`490`	`}`
`487`	`491`
	`492`	`+ early_security_initialized = true;`
`488`	`493`	`return 0;`
`489`	`494`	`}`
`490`	`495`