lockdown: also lock down previous kgdb use

Bugzilla: https://bugzilla.redhat.com/2104750

CVE: CVE-2022-21499

Description:
KDB and KGDB must be appropriately restricted when kernel
lockdown is in effect. This is pertinent to RHEL since
the kernel CONFIG options that enable KDB and KGDB support
are selected for both the normal and debug RHEL kernels.

Upstream Status: eadb2f47a3ced5c64b23b90fd2a3463f63726066

Tested:
Verified that when UEFI Secure Boot is enabled, writes to memory
in kdb fail with a permission error and any entry into kgdb is
blocked.

commit eadb2f47a3ced5c64b23b90fd2a3463f63726066
Author: Daniel Thompson daniel.thompson@linaro.org
Date: Mon May 23 19:11:02 2022 +0100

lockdown: also lock down previous kgdb use  

KGDB and KDB allow read and write access to kernel memory, and thus  
should be restricted during lockdown.  An attacker with access to a  
serial port (for example, via a hypervisor console, which some cloud  
vendors provide over the network) could trigger the debugger so it is  
important that the debugger respect the lockdown mode when/if it is  
triggered.  

Fix this by integrating lockdown into kdb's existing permissions  
mechanism.  Unfortunately kgdb does not have any permissions mechanism  
(although it certainly could be added later) so, for now, kgdb is simply  
and brutally disabled by immediately exiting the gdb stub without taking  
any action.  

For lockdowns established early in the boot (e.g. the normal case) then  
this should be fine but on systems where kgdb has set breakpoints before  
the lockdown is enacted than "bad things" will happen.  

CVE: CVE-2022-21499  
Co-developed-by: Stephen Brennan <stephen.s.brennan@oracle.com>  
Signed-off-by: Stephen Brennan <stephen.s.brennan@oracle.com>  
Reviewed-by: Douglas Anderson <dianders@chromium.org>  
Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>  
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>  

Signed-off-by: Lenny Szubowicz lszubowi@redhat.com