From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
From: Mimi Zohar
To: David Howells
Cc: Dave Young, linux-kernel@vger.kernel.org, Matthew Garrett, linux-efi@vger.kernel.org, gnomes@lxorguk.ukuu.org.uk, Chun-Yi Lee, gregkh@linuxfoundation.org, kexec@lists.infradead.org, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, matthew.garrett@nebula.com
Date: Fri, 07 Apr 2017 08:36:17 -0400
In-Reply-To: <27362.1491556638@warthog.procyon.org.uk>
Message-Id: <1491568577.4184.97.camel@linux.vnet.ibm.com>
On Fri, 2017-04-07 at 10:17 +0100, David Howells wrote:
> Mimi Zohar wrote:
>
> > > Okay, fair enough.  I can stick in an OR with an IS_ENABLED on some IMA
> > > symbol.  CONFIG_IMA_KEXEC maybe?  And also require IMA be enabled?
> >
> > Not quite, since as Dave pointed out, IMA is policy driven.  As a
> > policy is installed, we could set a flag.
>
> Does such a flag exist as yet?

Not exactly what is needed.  There's a flag named ima_appraise, which
is used internally in IMA.  A temporary flag is created while
validating the rules.

	if (default_appraise_rules[i].func == POLICY_CHECK)
		temp_ima_appraise |= IMA_APPRAISE_POLICY;

	if (!result && (entry->action == UNKNOWN))
		result = -EINVAL;
	else if (entry->func == MODULE_CHECK)
		temp_ima_appraise |= IMA_APPRAISE_MODULES;
	else if (entry->func == FIRMWARE_CHECK)
		temp_ima_appraise |= IMA_APPRAISE_FIRMWARE;
	else if (entry->func == POLICY_CHECK)
		temp_ima_appraise |= IMA_APPRAISE_POLICY;

If the entire policy is valid, ima_update_policy_flag() sets the
ima_appraise flag.

	ima_appraise |= temp_ima_appraise;

From an IMA perspective, either a file hash or a signature is valid,
but for this usage it must be a signature.  So in addition to testing
entry->func, above, entry->flags would need to be tested as well to
detect if IMA_DIGSIG_REQUIRED is set.
Mimi
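As an added example (not code from the mail or from the kernel tree), a user-space C model of the rule walk quoted above, extended with the entry->flags test Mimi proposes: a kexec rule only contributes to the flag when IMA_DIGSIG_REQUIRED is set, so a hash-only appraise rule is not enough. The hook name KEXEC_KERNEL_CHECK, the flag IMA_APPRAISE_KEXEC, the action filter and all bit values are assumptions of this model.

```c
#include <errno.h>
#include <stddef.h>
enum ima_action { UNKNOWN = 0, MEASURE, APPRAISE };   /* subset; UNKNOWN = 0 as in IMA */
enum ima_hooks { MODULE_CHECK = 1, FIRMWARE_CHECK, POLICY_CHECK, KEXEC_KERNEL_CHECK }; /* last one assumed */
#define IMA_APPRAISE_MODULES  0x04   /* bit values assumed, not the kernel's */
#define IMA_APPRAISE_FIRMWARE 0x08
#define IMA_APPRAISE_POLICY   0x10
#define IMA_APPRAISE_KEXEC    0x20   /* assumed: the per-hook flag kexec_file would consult */
#define IMA_DIGSIG_REQUIRED   0x100  /* rule option bit; value assumed */
struct ima_rule_entry { enum ima_action action; enum ima_hooks func; unsigned int flags; };

/* Rule walk modelled on the mail's excerpt; -EINVAL if any rule's action is UNKNOWN. */
int validate_rules(const struct ima_rule_entry *rules, size_t n, unsigned int *out)
{
    unsigned int temp_ima_appraise = 0;
    int result = 0;
    for (size_t i = 0; i < n; i++) {
        const struct ima_rule_entry *entry = &rules[i];
        if (!result && entry->action == UNKNOWN)
            result = -EINVAL;
        else if (entry->action != APPRAISE)   /* only appraise rules feed the flag (assumed) */
            continue;
        else if (entry->func == MODULE_CHECK)
            temp_ima_appraise |= IMA_APPRAISE_MODULES;
        else if (entry->func == FIRMWARE_CHECK)
            temp_ima_appraise |= IMA_APPRAISE_FIRMWARE;
        else if (entry->func == POLICY_CHECK)
            temp_ima_appraise |= IMA_APPRAISE_POLICY;
        /* Mimi's point: testing func alone would accept a hash-only rule, so
         * entry->flags must also carry IMA_DIGSIG_REQUIRED before it counts. */
        else if (entry->func == KEXEC_KERNEL_CHECK && (entry->flags & IMA_DIGSIG_REQUIRED))
            temp_ima_appraise |= IMA_APPRAISE_KEXEC;
    }
    if (result)
        return result;
    *out = temp_ima_appraise;   /* ima_update_policy_flag(): ima_appraise |= temp_ima_appraise */
    return 0;
}

/* Constructed two-rule policy; returns 1 if kexec_file may rely on IMA
 * signature enforcement, 0 if the kexec rule only requires a hash, -1 if invalid. */
int policy_requires_kexec_sig(int kexec_rule_has_digsig)
{
    struct ima_rule_entry rules[] = {
        { APPRAISE, MODULE_CHECK, IMA_DIGSIG_REQUIRED },
        { APPRAISE, KEXEC_KERNEL_CHECK, kexec_rule_has_digsig ? IMA_DIGSIG_REQUIRED : 0 },
    };
    unsigned int ima_appraise = 0;
    if (validate_rules(rules, 2, &ima_appraise))
        return -1;
    return (ima_appraise & IMA_APPRAISE_KEXEC) != 0;
}
```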