From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754521AbdDGHqq (ORCPT ); Fri, 7 Apr 2017 03:46:46 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:59325 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754221AbdDGHqk (ORCPT ); Fri, 7 Apr 2017 03:46:40 -0400 Subject: Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set From: Mimi Zohar To: David Howells Cc: Dave Young , linux-kernel@vger.kernel.org, Matthew Garrett , linux-efi@vger.kernel.org, gnomes@lxorguk.ukuu.org.uk, Chun-Yi Lee , gregkh@linuxfoundation.org, kexec@lists.infradead.org, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, matthew.garrett@nebula.com Date: Fri, 07 Apr 2017 03:46:20 -0400 In-Reply-To: <21572.1491548994@warthog.procyon.org.uk> References: <1491536950.4184.10.camel@linux.vnet.ibm.com> <149142326734.5101.4596394505987813763.stgit@warthog.procyon.org.uk> <149142335441.5101.2294976563846442575.stgit@warthog.procyon.org.uk> <20170407030545.GA4296@dhcp-128-65.nay.redhat.com> <21572.1491548994@warthog.procyon.org.uk> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-MML: disable x-cbid: 17040707-0024-0000-0000-000003C71FA2 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17040707-0025-0000-0000-000011455381 Message-Id: <1491551180.4184.50.camel@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2017-04-07_07:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1704070068 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 2017-04-07 at 08:09 +0100, David Howells wrote: > Mimi Zohar wrote: > > > > > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down()) > > > > + return -EPERM; > > > > + > > > > > > > > IMA can be used to verify file signatures too, based on the LSM hooks > > in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be > > required. > > Okay, fair enough. I can stick in an OR with an IS_ENABLED on some IMA > symbol. CONFIG_IMA_KEXEC maybe? And also require IMA be enabled? Not quite, since as Dave pointed out, IMA is policy driven.  As a policy is installed, we could set a flag. Mimi From mboxrd@z Thu Jan 1 00:00:00 1970 From: zohar@linux.vnet.ibm.com (Mimi Zohar) Date: Fri, 07 Apr 2017 03:46:20 -0400 Subject: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set In-Reply-To: <21572.1491548994@warthog.procyon.org.uk> References: <1491536950.4184.10.camel@linux.vnet.ibm.com> <149142326734.5101.4596394505987813763.stgit@warthog.procyon.org.uk> <149142335441.5101.2294976563846442575.stgit@warthog.procyon.org.uk> <20170407030545.GA4296@dhcp-128-65.nay.redhat.com> <21572.1491548994@warthog.procyon.org.uk> Message-ID: <1491551180.4184.50.camel@linux.vnet.ibm.com> To: linux-security-module@vger.kernel.org List-Id: linux-security-module.vger.kernel.org On Fri, 2017-04-07 at 08:09 +0100, David Howells wrote: > Mimi Zohar wrote: > > > > > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down()) > > > > + return -EPERM; > > > > + > > > > > > > > IMA can be used to verify file signatures too, based on the LSM hooks > > in ?kernel_read_file_from_fd(). ?CONFIG_KEXEC_VERIFY_SIG should not be > > required. > > Okay, fair enough. I can stick in an OR with an IS_ENABLED on some IMA > symbol. CONFIG_IMA_KEXEC maybe? And also require IMA be enabled? Not quite, since as Dave pointed out, IMA is policy driven. ?As a policy is installed, we could set a flag. Mimi -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5] helo=mx0a-001b2d01.pphosted.com) by bombadil.infradead.org with esmtps (Exim 4.87 #1 (Red Hat Linux)) id 1cwObj-00020D-Q4 for kexec@lists.infradead.org; Fri, 07 Apr 2017 07:47:01 +0000 Received: from pps.filterd (m0098414.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v377dBKT063272 for ; Fri, 7 Apr 2017 03:46:38 -0400 Received: from e28smtp04.in.ibm.com (e28smtp04.in.ibm.com [125.16.236.4]) by mx0b-001b2d01.pphosted.com with ESMTP id 29p5rqanwn-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Fri, 07 Apr 2017 03:46:38 -0400 Received: from localhost by e28smtp04.in.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Fri, 7 Apr 2017 13:16:35 +0530 Received: from d28av04.in.ibm.com (d28av04.in.ibm.com [9.184.220.66]) by d28relay09.in.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v377kW7H13631518 for ; Fri, 7 Apr 2017 13:16:32 +0530 Received: from d28av04.in.ibm.com (localhost [127.0.0.1]) by d28av04.in.ibm.com (8.14.4/8.14.4/NCO v10.0 AVout) with ESMTP id v377kVQo006400 for ; Fri, 7 Apr 2017 13:16:31 +0530 Subject: Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set From: Mimi Zohar Date: Fri, 07 Apr 2017 03:46:20 -0400 In-Reply-To: <21572.1491548994@warthog.procyon.org.uk> References: <1491536950.4184.10.camel@linux.vnet.ibm.com> <149142326734.5101.4596394505987813763.stgit@warthog.procyon.org.uk> <149142335441.5101.2294976563846442575.stgit@warthog.procyon.org.uk> <20170407030545.GA4296@dhcp-128-65.nay.redhat.com> <21572.1491548994@warthog.procyon.org.uk> Mime-Version: 1.0 Message-Id: <1491551180.4184.50.camel@linux.vnet.ibm.com> List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Sender: "kexec" Errors-To: kexec-bounces+dwmw2=infradead.org@lists.infradead.org To: David Howells Cc: Matthew Garrett , linux-efi@vger.kernel.org, gnomes@lxorguk.ukuu.org.uk, gregkh@linuxfoundation.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, Chun-Yi Lee , linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, matthew.garrett@nebula.com, Dave Young T24gRnJpLCAyMDE3LTA0LTA3IGF0IDA4OjA5ICswMTAwLCBEYXZpZCBIb3dlbGxzIHdyb3RlOgo+ IE1pbWkgWm9oYXIgPHpvaGFyQGxpbnV4LnZuZXQuaWJtLmNvbT4gd3JvdGU6Cj4gCj4gPiA+ID4g KwlpZiAoIUlTX0VOQUJMRUQoQ09ORklHX0tFWEVDX1ZFUklGWV9TSUcpICYmIGtlcm5lbF9pc19s b2NrZWRfZG93bigpKQo+ID4gPiA+ICsJCXJldHVybiAtRVBFUk07Cj4gPiA+ID4gKwo+ID4gPiA+ ICAKPiA+IAo+ID4gSU1BIGNhbiBiZSB1c2VkIHRvIHZlcmlmeSBmaWxlIHNpZ25hdHVyZXMgdG9v LCBiYXNlZCBvbiB0aGUgTFNNIGhvb2tzCj4gPiBpbiDCoGtlcm5lbF9yZWFkX2ZpbGVfZnJvbV9m ZCgpLiDCoENPTkZJR19LRVhFQ19WRVJJRllfU0lHIHNob3VsZCBub3QgYmUKPiA+IHJlcXVpcmVk Lgo+IAo+IE9rYXksIGZhaXIgZW5vdWdoLiAgSSBjYW4gc3RpY2sgaW4gYW4gT1Igd2l0aCBhbiBJ U19FTkFCTEVEIG9uIHNvbWUgSU1BCj4gc3ltYm9sLiAgQ09ORklHX0lNQV9LRVhFQyBtYXliZT8g IEFuZCBhbHNvIHJlcXVpcmUgSU1BIGJlIGVuYWJsZWQ/CgpOb3QgcXVpdGUsIHNpbmNlIGFzIERh dmUgcG9pbnRlZCBvdXQsIElNQSBpcyBwb2xpY3kgZHJpdmVuLiDCoEFzIGEKcG9saWN5IGlzIGlu c3RhbGxlZCwgd2UgY291bGQgc2V0IGEgZmxhZy4KCk1pbWkKCgpfX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fXwprZXhlYyBtYWlsaW5nIGxpc3QKa2V4ZWNAbGlz dHMuaW5mcmFkZWFkLm9yZwpodHRwOi8vbGlzdHMuaW5mcmFkZWFkLm9yZy9tYWlsbWFuL2xpc3Rp bmZvL2tleGVjCg==