From: Nayna Jain <nayna@linux.vnet.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: zohar@linux.ibm.com, linux-security-module@vger.kernel.org,
	linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org,
	dhowells@redhat.com, jforbes@redhat.com,
	seth.forshee@canonical.com, kexec@lists.infradead.org,
	Nayna Jain <nayna@linux.ibm.com>
Subject: [PATCH v5 2/5] ima: prevent kexec_load syscall based on runtime secureboot flag
Date: Fri,  5 Oct 2018 23:10:12 +0530	[thread overview]
Message-ID: <20181005174015.21939-3-nayna@linux.vnet.ibm.com> (raw)
In-Reply-To: <20181005174015.21939-1-nayna@linux.vnet.ibm.com>

From: Nayna Jain <nayna@linux.ibm.com>

When CONFIG_KEXEC_VERIFY_SIG is enabled, the kexec_file_load syscall
requires the kexec'd kernel image to be signed. Distros are concerned
about totally disabling the kexec_load syscall. As a compromise, the
kexec_load syscall will only be disabled when CONFIG_KEXEC_VERIFY_SIG
is configured and the system is booted with secureboot enabled.

This patch disables the kexec_load syscall only for systems booted with
secureboot enabled.

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
 security/integrity/ima/ima_main.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index dce0a8a217bb..bdb6e5563d05 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -505,20 +505,24 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size,
  */
 int ima_load_data(enum kernel_load_data_id id)
 {
-	bool sig_enforce;
+	bool ima_enforce, sig_enforce;
 
-	if ((ima_appraise & IMA_APPRAISE_ENFORCE) != IMA_APPRAISE_ENFORCE)
-		return 0;
+	ima_enforce =
+		(ima_appraise & IMA_APPRAISE_ENFORCE) == IMA_APPRAISE_ENFORCE;
 
 	switch (id) {
 	case LOADING_KEXEC_IMAGE:
-		if (ima_appraise & IMA_APPRAISE_KEXEC) {
+#ifdef CONFIG_KEXEC_VERIFY_SIG
+		if (arch_ima_get_secureboot())
+			return -EACCES;
+#endif
+		if (ima_enforce && (ima_appraise & IMA_APPRAISE_KEXEC)) {
 			pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
 			return -EACCES;	/* INTEGRITY_UNKNOWN */
 		}
 		break;
 	case LOADING_FIRMWARE:
-		if (ima_appraise & IMA_APPRAISE_FIRMWARE) {
+		if (ima_enforce && (ima_appraise & IMA_APPRAISE_FIRMWARE)) {
 			pr_err("Prevent firmware sysfs fallback loading.\n");
 			return -EACCES;	/* INTEGRITY_UNKNOWN */
 		}
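Review bot: the new refusal at `if (arch_ima_get_secureboot()) return -EACCES;` fails silently, while the IMA_APPRAISE_KEXEC branch directly below it explains the refusal and points the admin at kexec_file_load; add a matching pr_err (for example "kexec_load syscall is disabled on secure boot systems; use kexec_file_load") so an EACCES from kexec(8) can be diagnosed from dmesg. Two smaller points on the same lines: an `#ifdef CONFIG_KEXEC_VERIFY_SIG` inside a function body is normally written `if (IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && arch_ima_get_secureboot())`, which keeps the call compile-checked when the option is off, and since this check now runs before `ima_enforce` is consulted, i.e. regardless of whether IMA appraisal is enforcing, the kerneldoc above ima_load_data() should say so, and a stub arch_ima_get_secureboot() returning false must exist for every architecture that can select CONFIG_KEXEC_VERIFY_SIG, as patch 1/5 of this series only defines it for x86.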
@@ -526,7 +530,8 @@ int ima_load_data(enum kernel_load_data_id id)
 	case LOADING_MODULE:
 		sig_enforce = is_module_sig_enforced();
 
-		if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES)) {
+		if (ima_enforce && (!sig_enforce
+				    && (ima_appraise & IMA_APPRAISE_MODULES))) {
 			pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n");
 			return -EACCES;	/* INTEGRITY_UNKNOWN */
 		}
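Review bot: the condition `if (ima_enforce && (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES)))` carries a redundant inner pair of parentheses and an awkward line break; the LOADING_FIRMWARE branch in the previous hunk reads `if (ima_enforce && (ima_appraise & IMA_APPRAISE_FIRMWARE))`, so write this one the same way, `if (ima_enforce && !sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES))`, which also fits on one line. Behaviour is unchanged: with the early `return 0` for non-enforcing mode removed, every branch except the new secure-boot check still bails out when ima_enforce is false, which is the split the commit message describes.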
-- 
2.13.6

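As an added example (not part of this patch or of the kernel tree), the following userspace C program models the kexec_load decision the patch puts into ima_load_data(): it decodes the firmware's Secure Boot state the way a userspace tool would read it from efivarfs, then applies the same two checks, in the same order, as the LOADING_KEXEC_IMAGE branch after this patch. The efivar byte buffers are constructed to mimic efivarfs file contents (a 4-byte attribute word followed by the variable data); the IMA_APPRAISE_* values are illustrative and are not taken from the kernel headers.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not from the patch or the kernel tree.
 *
 * efivarfs exposes the Secure Boot state as
 *   /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
 *   /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c
 * each file holding a 4-byte attribute word followed by one data byte.
 * The arrays below are constructed samples of such file contents.
 */
#define EFIVAR_ATTR_LEN 4

/* Illustrative flag values (assumption); the kernel defines its own in
 * security/integrity/ima/ima.h. */
#define IMA_APPRAISE_ENFORCE 0x01
#define IMA_APPRAISE_KEXEC   0x40

/* Constructed samples: attributes 0x06 (BS|RT), then the value byte. */
static const uint8_t SB_ON[]      = { 0x06, 0x00, 0x00, 0x00, 0x01 };
static const uint8_t SB_OFF[]     = { 0x06, 0x00, 0x00, 0x00, 0x00 };
static const uint8_t SETUP_USER[] = { 0x06, 0x00, 0x00, 0x00, 0x00 };
static const uint8_t SETUP_MODE[] = { 0x06, 0x00, 0x00, 0x00, 0x01 };
static const uint8_t TRUNCATED[]  = { 0x06, 0x00, 0x00 };

/* Decode a boolean efivar: returns 1 or 0, or -1 if the buffer is malformed. */
static int efivar_bool(const uint8_t *buf, size_t len)
{
	if (buf == NULL || len != EFIVAR_ATTR_LEN + 1)
		return -1;
	return buf[EFIVAR_ATTR_LEN] > 1 ? -1 : buf[EFIVAR_ATTR_LEN];
}

/*
 * Secure Boot counts as enabled only when SecureBoot == 1 and SetupMode == 0,
 * which is the pair of variables the kernel's EFI stub also consults.
 * Returns 1/0, or -1 if either variable is malformed.
 */
static int secureboot_enabled(const uint8_t *sb, size_t sb_len,
			      const uint8_t *sm, size_t sm_len)
{
	int s = efivar_bool(sb, sb_len);
	int m = efivar_bool(sm, sm_len);

	if (s < 0 || m < 0)
		return -1;
	return s == 1 && m == 0;
}

struct kexec_policy {
	bool kexec_verify_sig;		/* CONFIG_KEXEC_VERIFY_SIG built in */
	bool secureboot;		/* what arch_ima_get_secureboot() reports */
	unsigned int ima_appraise;	/* IMA_APPRAISE_* bits */
};

/*
 * Same ordering as the LOADING_KEXEC_IMAGE branch after this patch: the
 * secure-boot refusal comes first and ignores ima_enforce; the appraisal
 * refusal applies only when IMA is enforcing and the policy covers kexec.
 * Returns 0 (kexec_load allowed) or -EACCES.
 */
static int kexec_load_decision(const struct kexec_policy *p)
{
	bool ima_enforce =
		(p->ima_appraise & IMA_APPRAISE_ENFORCE) == IMA_APPRAISE_ENFORCE;

	if (p->kexec_verify_sig && p->secureboot)
		return -EACCES;		/* disabled on secure-boot systems */
	if (ima_enforce && (p->ima_appraise & IMA_APPRAISE_KEXEC))
		return -EACCES;		/* a buffer has no fd to appraise */
	return 0;
}

int main(void)
{
	const struct {
		const char *name;
		const uint8_t *sb; size_t sbl;
		const uint8_t *sm; size_t sml;
	} cases[] = {
		{ "SecureBoot=1 SetupMode=0", SB_ON,  sizeof SB_ON,  SETUP_USER, sizeof SETUP_USER },
		{ "SecureBoot=0 SetupMode=0", SB_OFF, sizeof SB_OFF, SETUP_USER, sizeof SETUP_USER },
		{ "SecureBoot=1 SetupMode=1", SB_ON,  sizeof SB_ON,  SETUP_MODE, sizeof SETUP_MODE },
		{ "truncated variable",       TRUNCATED, sizeof TRUNCATED, SETUP_USER, sizeof SETUP_USER },
	};

	for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
		int sb = secureboot_enabled(cases[i].sb, cases[i].sbl,
					    cases[i].sm, cases[i].sml);
		struct kexec_policy p = { .kexec_verify_sig = true,
					  .secureboot = sb == 1,
					  .ima_appraise = 0 };

		printf("%-26s secureboot=%2d kexec_load=%d\n",
		       cases[i].name, sb, kexec_load_decision(&p));
	}
	return 0;
}
```

The truncated-variable case matters in practice: a malformed or missing variable must not be read as "secure boot off", so the decoder reports it as an error instead of defaulting to 0.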

Thread overview (14+ messages):
2018-10-05 17:40 [PATCH v5 0/6] Add support for architecture specific IMA policies Nayna Jain
2018-10-05 17:40 ` Nayna Jain
2018-10-05 17:40 ` [PATCH v5 1/5] x86/ima: define arch_ima_get_secureboot Nayna Jain
2018-10-05 17:40   ` Nayna Jain
2018-10-05 17:40 ` Nayna Jain [this message]
2018-10-05 17:40   ` [PATCH v5 2/5] ima: prevent kexec_load syscall based on runtime secureboot flag Nayna Jain
2018-10-05 17:40 ` [PATCH v5 3/5] ima: refactor ima_init_policy() Nayna Jain
2018-10-05 17:40   ` Nayna Jain
2018-10-05 17:40 ` [PATCH v5 4/5] ima: add support for arch specific policies Nayna Jain
2018-10-05 17:40   ` Nayna Jain
2018-10-05 17:40 ` [PATCH v5 5/5] x86/ima: define arch_get_ima_policy() for x86 Nayna Jain
2018-10-05 17:40   ` Nayna Jain
2018-10-08 11:20 ` [PATCH v5 0/6] Add support for architecture specific IMA policies Mimi Zohar
2018-10-08 11:20   ` Mimi Zohar
