From: Nayna Jain <nayna@linux.vnet.ibm.com> To: linux-integrity@vger.kernel.org Cc: zohar@linux.ibm.com, linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com, seth.forshee@canonical.com, kexec@lists.infradead.org, Nayna Jain <nayna@linux.ibm.com> Subject: [PATCH v5 2/5] ima: prevent kexec_load syscall based on runtime secureboot flag Date: Fri, 5 Oct 2018 23:10:12 +0530 [thread overview] Message-ID: <20181005174015.21939-3-nayna@linux.vnet.ibm.com> (raw) In-Reply-To: <20181005174015.21939-1-nayna@linux.vnet.ibm.com> From: Nayna Jain <nayna@linux.ibm.com> When CONFIG_KEXEC_VERIFY_SIG is enabled, the kexec_file_load syscall requires the kexec'd kernel image to be signed. Distros are concerned about totally disabling the kexec_load syscall. As a compromise, the kexec_load syscall will only be disabled when CONFIG_KEXEC_VERIFY_SIG is configured and the system is booted with secureboot enabled. This patch disables the kexec_load syscall only for systems booted with secureboot enabled. Signed-off-by: Nayna Jain <nayna@linux.ibm.com> --- security/integrity/ima/ima_main.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index dce0a8a217bb..bdb6e5563d05 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -505,20 +505,24 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, */ int ima_load_data(enum kernel_load_data_id id) { - bool sig_enforce; + bool ima_enforce, sig_enforce; - if ((ima_appraise & IMA_APPRAISE_ENFORCE) != IMA_APPRAISE_ENFORCE) - return 0; + ima_enforce = + (ima_appraise & IMA_APPRAISE_ENFORCE) == IMA_APPRAISE_ENFORCE; switch (id) { case LOADING_KEXEC_IMAGE: - if (ima_appraise & IMA_APPRAISE_KEXEC) { +#ifdef CONFIG_KEXEC_VERIFY_SIG + if (arch_ima_get_secureboot()) + return -EACCES; +#endif + if (ima_enforce && (ima_appraise & IMA_APPRAISE_KEXEC)) { pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n"); return -EACCES; /* INTEGRITY_UNKNOWN */ } break; case LOADING_FIRMWARE: - if (ima_appraise & IMA_APPRAISE_FIRMWARE) { + if (ima_enforce && (ima_appraise & IMA_APPRAISE_FIRMWARE)) { pr_err("Prevent firmware sysfs fallback loading.\n"); return -EACCES; /* INTEGRITY_UNKNOWN */ } @@ -526,7 +530,8 @@ int ima_load_data(enum kernel_load_data_id id) case LOADING_MODULE: sig_enforce = is_module_sig_enforced(); - if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES)) { + if (ima_enforce && (!sig_enforce + && (ima_appraise & IMA_APPRAISE_MODULES))) { pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n"); return -EACCES; /* INTEGRITY_UNKNOWN */ } -- 2.13.6
WARNING: multiple messages have this Message-ID (diff)
From: Nayna Jain <nayna@linux.vnet.ibm.com> To: linux-integrity@vger.kernel.org Cc: linux-efi@vger.kernel.org, Nayna Jain <nayna@linux.ibm.com>, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, seth.forshee@canonical.com, linux-security-module@vger.kernel.org, jforbes@redhat.com Subject: [PATCH v5 2/5] ima: prevent kexec_load syscall based on runtime secureboot flag Date: Fri, 5 Oct 2018 23:10:12 +0530 [thread overview] Message-ID: <20181005174015.21939-3-nayna@linux.vnet.ibm.com> (raw) In-Reply-To: <20181005174015.21939-1-nayna@linux.vnet.ibm.com> From: Nayna Jain <nayna@linux.ibm.com> When CONFIG_KEXEC_VERIFY_SIG is enabled, the kexec_file_load syscall requires the kexec'd kernel image to be signed. Distros are concerned about totally disabling the kexec_load syscall. As a compromise, the kexec_load syscall will only be disabled when CONFIG_KEXEC_VERIFY_SIG is configured and the system is booted with secureboot enabled. This patch disables the kexec_load syscall only for systems booted with secureboot enabled. Signed-off-by: Nayna Jain <nayna@linux.ibm.com> --- security/integrity/ima/ima_main.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index dce0a8a217bb..bdb6e5563d05 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -505,20 +505,24 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, */ int ima_load_data(enum kernel_load_data_id id) { - bool sig_enforce; + bool ima_enforce, sig_enforce; - if ((ima_appraise & IMA_APPRAISE_ENFORCE) != IMA_APPRAISE_ENFORCE) - return 0; + ima_enforce = + (ima_appraise & IMA_APPRAISE_ENFORCE) == IMA_APPRAISE_ENFORCE; switch (id) { case LOADING_KEXEC_IMAGE: - if (ima_appraise & IMA_APPRAISE_KEXEC) { +#ifdef CONFIG_KEXEC_VERIFY_SIG + if (arch_ima_get_secureboot()) + return -EACCES; +#endif + if (ima_enforce && (ima_appraise & IMA_APPRAISE_KEXEC)) { pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n"); return -EACCES; /* INTEGRITY_UNKNOWN */ } break; case LOADING_FIRMWARE: - if (ima_appraise & IMA_APPRAISE_FIRMWARE) { + if (ima_enforce && (ima_appraise & IMA_APPRAISE_FIRMWARE)) { pr_err("Prevent firmware sysfs fallback loading.\n"); return -EACCES; /* INTEGRITY_UNKNOWN */ } @@ -526,7 +530,8 @@ int ima_load_data(enum kernel_load_data_id id) case LOADING_MODULE: sig_enforce = is_module_sig_enforced(); - if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES)) { + if (ima_enforce && (!sig_enforce + && (ima_appraise & IMA_APPRAISE_MODULES))) { pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n"); return -EACCES; /* INTEGRITY_UNKNOWN */ } -- 2.13.6 _______________________________________________ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec
next prev parent reply other threads:[~2018-10-05 17:43 UTC|newest] Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-10-05 17:40 [PATCH v5 0/6] Add support for architecture specific IMA policies Nayna Jain 2018-10-05 17:40 ` Nayna Jain 2018-10-05 17:40 ` [PATCH v5 1/5] x86/ima: define arch_ima_get_secureboot Nayna Jain 2018-10-05 17:40 ` Nayna Jain 2018-10-05 17:40 ` Nayna Jain [this message] 2018-10-05 17:40 ` [PATCH v5 2/5] ima: prevent kexec_load syscall based on runtime secureboot flag Nayna Jain 2018-10-05 17:40 ` [PATCH v5 3/5] ima: refactor ima_init_policy() Nayna Jain 2018-10-05 17:40 ` Nayna Jain 2018-10-05 17:40 ` [PATCH v5 4/5] ima: add support for arch specific policies Nayna Jain 2018-10-05 17:40 ` Nayna Jain 2018-10-05 17:40 ` [PATCH v5 5/5] x86/ima: define arch_get_ima_policy() for x86 Nayna Jain 2018-10-05 17:40 ` Nayna Jain 2018-10-08 11:20 ` [PATCH v5 0/6] Add support for architecture specific IMA policies Mimi Zohar 2018-10-08 11:20 ` Mimi Zohar
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20181005174015.21939-3-nayna@linux.vnet.ibm.com \ --to=nayna@linux.vnet.ibm.com \ --cc=dhowells@redhat.com \ --cc=jforbes@redhat.com \ --cc=kexec@lists.infradead.org \ --cc=linux-efi@vger.kernel.org \ --cc=linux-integrity@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=nayna@linux.ibm.com \ --cc=seth.forshee@canonical.com \ --cc=zohar@linux.ibm.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.