kernel: Enable kernel lockdown configs (#722)

* kernel: enable kernel lockdown lsm

* kernel-hyperv: enable kernel lockdown lsm

* kernel-signed: Use uname_r macro everywhere

There was a build break due to an incorrect name used
for vmlinuz in SOURCE1.

The new 5.10 kernel source introduced a new versioning
scheme when built. EXTRAVERSION will always contain
"-rolling-lts-mariner".

In kernel.spec, the vmlinuz we output has the name:
vmlinuz--rolling-lts-mariner-, which
is constructed using vmlinuz-%{uname_r}

So to fix, use vmlinuz-%{uname_r} in the kernel-signed
specs as well.

* add more lockdown configs

CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y enables the lockdown lsm
very early prior to the security subsystem's initialization.
Still subject to kernel boot parameters.

CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y no lockdown functionality
enabled by default, but can be enabled via kernel commandline or
/sys/kernel/security/lockdown

General distros should set lockdown integrity mode, while special
purpose distros should set lockdown confidentiality mode. These
can be set in the kernel command line

Signed-off-by: Chris Co <chrco@microsoft.com>

SPECS-SIGNED/kernel-signed-aarch64/kernel-signed-aarch64.spec

@@ -3,7 +3,7 @@
 Summary:        Signed Linux Kernel for aarch64 systems
 Name:           kernel-signed-aarch64
 Version:        5.10.13.1
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -22,7 +22,7 @@ URL:            https://github.com/microsoft/CBL-Mariner-Linux-Kernel
 #   3. Place the unsigned package and signed binary in this spec's folder
 #   4. Build this spec
 Source0:        kernel-%{version}-%{release}.aarch64.rpm
-Source1:        vmlinuz-%{version}-%{release}
+Source1:        vmlinuz-%{uname_r}
 BuildRequires:  cpio
 Requires:       filesystem
 Requires:       kmod
@@ -47,7 +47,7 @@ mkdir -p %{buildroot}/%{_localstatedir}/lib/initramfs/kernel
 cp -rp ./boot/* %{buildroot}/boot
 cp -rp ./lib/* %{buildroot}/lib
 cp -rp ./var/* %{buildroot}/%{_localstatedir}
-cp %{SOURCE1} %{buildroot}/boot/vmlinuz-%{version}-%{release}
+cp %{SOURCE1} %{buildroot}/boot/vmlinuz-%{uname_r}
 
 %triggerin -- initramfs
 mkdir -p %{_localstatedir}/lib/rpm-state/initramfs/pending
@@ -82,6 +82,10 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %config %{_localstatedir}/lib/initramfs/kernel/%{uname_r}
 
 %changelog
+* Fri Mar 05 2021 Chris Co <chrco@microsoft.com> - 5.10.13.1-4
+- Update release number to match kernel spec
+- Use uname_r macro instead of version-release for kernel version
+
 * Thu Mar 04 2021 Suresh Babu Chalamalasetty <schalam@microsoft.com> - 5.10.13.1-3
 - Update to kernel release 5.10.13.1-3
 

SPECS-SIGNED/kernel-signed-x64/kernel-signed-x64.spec

@@ -3,7 +3,7 @@
 Summary:        Signed Linux Kernel for x86_64 systems
 Name:           kernel-signed-x64
 Version:        5.10.13.1
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -22,7 +22,7 @@ URL:            https://github.com/microsoft/CBL-Mariner-Linux-Kernel
 #   3. Place the unsigned package and signed binary in this spec's folder
 #   4. Build this spec
 Source0:        kernel-%{version}-%{release}.x86_64.rpm
-Source1:        vmlinuz-%{version}-%{release}
+Source1:        vmlinuz-%{uname_r}
 BuildRequires:  cpio
 Requires:       filesystem
 Requires:       kmod
@@ -47,7 +47,7 @@ mkdir -p %{buildroot}/%{_localstatedir}/lib/initramfs/kernel
 cp -rp ./boot/* %{buildroot}/boot
 cp -rp ./lib/* %{buildroot}/lib
 cp -rp ./var/* %{buildroot}/%{_localstatedir}
-cp %{SOURCE1} %{buildroot}/boot/vmlinuz-%{version}-%{release}
+cp %{SOURCE1} %{buildroot}/boot/vmlinuz-%{uname_r}
 
 %triggerin -- initramfs
 mkdir -p %{_localstatedir}/lib/rpm-state/initramfs/pending
@@ -82,6 +82,10 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %config %{_localstatedir}/lib/initramfs/kernel/%{uname_r}
 
 %changelog
+* Fri Mar 05 2021 Chris Co <chrco@microsoft.com> - 5.10.13.1-4
+- Update release number to match kernel spec
+- Use uname_r macro instead of version-release for kernel version
+
 * Thu Mar 04 2021 Suresh Babu Chalamalasetty <schalam@microsoft.com> - 5.10.13.1-3
 - Update to kernel release 5.10.13.1-3
 

SPECS/kernel-headers/kernel-headers.spec

@@ -1,7 +1,7 @@
 Summary:        Linux API header files
 Name:           kernel-headers
 Version:        5.10.13.1
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -35,6 +35,9 @@ cp -rv usr/include/* /%{buildroot}%{_includedir}
 %{_includedir}/*
 
 %changelog
+* Fri Mar 05 2021 Chris Co <chrco@microsoft.com> - 5.10.13.1-4
+- Update to kernel release 5.10.13.1-4
+
 * Thu Mar 04 2021 Suresh Babu Chalamalasetty <schalam@microsoft.com> - 5.10.13.1-3
 - Update to kernel release 5.10.13.1-3
 

SPECS/kernel-hyperv/config

@@ -3829,7 +3829,11 @@ CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
 # CONFIG_SECURITY_LOADPIN is not set
 CONFIG_SECURITY_YAMA=y
 # CONFIG_SECURITY_SAFESETID is not set
-# CONFIG_SECURITY_LOCKDOWN_LSM is not set
+CONFIG_SECURITY_LOCKDOWN_LSM=y
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
 CONFIG_INTEGRITY=y
 # CONFIG_INTEGRITY_SIGNATURE is not set
 CONFIG_INTEGRITY_AUDIT=y

SPECS/kernel-hyperv/kernel-hyperv.signatures.json

@@ -1,6 +1,6 @@
 {
  "Signatures": {
-  "config": "4df050310cb2c7f7f1c1da1cf793cabf20d65d72fc5d050bb97c801e3a1ce0a3",
+  "config": "0995c172ab132abf29e926e60bb488d3a3aec818a23a1a1fc22cd9bd632f0d04",
   "kernel-5.10.13.1.tar.gz": "b1060b9efcf838f6cea448482ddb60b503e925d049067d6216eaeb88721adb5b",
   "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f"
  }

SPECS/kernel-hyperv/kernel-hyperv.spec

@@ -4,7 +4,7 @@
 Summary:        Linux Kernel optimized for Hyper-V
 Name:           kernel-hyperv
 Version:        5.10.13.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -274,6 +274,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %{_libdir}/perf/include/bpf/*
 
 %changelog
+* Fri Mar 05 2021 Chris Co <chrco@microsoft.com> - 5.10.13.1-2
+- Enable kernel lockdown config
+
 * Thu Feb 18 2021 Chris Co <chrco@microsoft.com> - 5.10.13.1-1
 - Update source to 5.10.13.1
 - Remove CONFIG_GCC_PLUGIN_RANDSTRUCT

SPECS/kernel/config

@@ -6531,7 +6531,11 @@ CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
 # CONFIG_SECURITY_LOADPIN is not set
 CONFIG_SECURITY_YAMA=y
 CONFIG_SECURITY_SAFESETID=y
-# CONFIG_SECURITY_LOCKDOWN_LSM is not set
+CONFIG_SECURITY_LOCKDOWN_LSM=y
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
 CONFIG_INTEGRITY=y
 # CONFIG_INTEGRITY_SIGNATURE is not set
 CONFIG_INTEGRITY_AUDIT=y

SPECS/kernel/config_aarch64

@@ -8673,7 +8673,11 @@ CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
 # CONFIG_SECURITY_LOADPIN is not set
 CONFIG_SECURITY_YAMA=y
 CONFIG_SECURITY_SAFESETID=y
-# CONFIG_SECURITY_LOCKDOWN_LSM is not set
+CONFIG_SECURITY_LOCKDOWN_LSM=y
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
 CONFIG_INTEGRITY=y
 # CONFIG_INTEGRITY_SIGNATURE is not set
 CONFIG_INTEGRITY_AUDIT=y

SPECS/kernel/kernel.signatures.json

@@ -1,7 +1,7 @@
 {
  "Signatures": {
-  "config": "3f39984e80f56ab3e69eb987fe9c5a3eaff59079e5028af0a2b17aa86d419dfa",
-  "config_aarch64": "272a259053a668eed603d78c15f6a776526e8658ef1cb637f0e34d1d5202d88c",
+  "config": "32460fac7d7a53789e659fe44fa3db29507dbad7a56705628b61d73b9c1963ce",
+  "config_aarch64": "3127279789cb4fc837a0913cf4324f7e56eb9ec43022e7cbafd8bd002d182a2b",
   "kernel-5.10.13.1.tar.gz": "b1060b9efcf838f6cea448482ddb60b503e925d049067d6216eaeb88721adb5b",
   "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f"
  }

SPECS/kernel/kernel.spec

@@ -4,7 +4,7 @@
 Summary:        Linux Kernel
 Name:           kernel
 Version:        5.10.13.1
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -467,6 +467,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %endif
 
 %changelog
+* Fri Mar 05 2021 Chris Co <chrco@microsoft.com> - 5.10.13.1-4
+- Enable kernel lockdown config
+
 * Thu Mar 04 2021 Suresh Babu Chalamalasetty <schalam@microsoft.com> - 5.10.13.1-3
 - Add configs for CONFIG_BNXT bnxt_en and MSR drivers
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -1,5 +1,5 @@
 filesystem-1.1-7.cm1.aarch64.rpm
-kernel-headers-5.10.13.1-3.cm1.noarch.rpm
+kernel-headers-5.10.13.1-4.cm1.noarch.rpm
 glibc-2.28-17.cm1.aarch64.rpm
 glibc-devel-2.28-17.cm1.aarch64.rpm
 glibc-i18n-2.28-17.cm1.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -1,5 +1,5 @@
 filesystem-1.1-7.cm1.x86_64.rpm
-kernel-headers-5.10.13.1-3.cm1.noarch.rpm
+kernel-headers-5.10.13.1-4.cm1.noarch.rpm
 glibc-2.28-17.cm1.x86_64.rpm
 glibc-devel-2.28-17.cm1.x86_64.rpm
 glibc-i18n-2.28-17.cm1.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -145,7 +145,7 @@ json-c-debuginfo-0.14-3.cm1.aarch64.rpm
 json-c-devel-0.14-3.cm1.aarch64.rpm
 kbd-2.0.4-5.cm1.aarch64.rpm
 kbd-debuginfo-2.0.4-5.cm1.aarch64.rpm
-kernel-headers-5.10.13.1-3.cm1.noarch.rpm
+kernel-headers-5.10.13.1-4.cm1.noarch.rpm
 kmod-25-4.cm1.aarch64.rpm
 kmod-debuginfo-25-4.cm1.aarch64.rpm
 kmod-devel-25-4.cm1.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -145,7 +145,7 @@ json-c-debuginfo-0.14-3.cm1.x86_64.rpm
 json-c-devel-0.14-3.cm1.x86_64.rpm
 kbd-2.0.4-5.cm1.x86_64.rpm
 kbd-debuginfo-2.0.4-5.cm1.x86_64.rpm
-kernel-headers-5.10.13.1-3.cm1.noarch.rpm
+kernel-headers-5.10.13.1-4.cm1.noarch.rpm
 kmod-25-4.cm1.x86_64.rpm
 kmod-debuginfo-25-4.cm1.x86_64.rpm
 kmod-devel-25-4.cm1.x86_64.rpm