linux-next: UEFI Secure boot lockdown patchset

linux-next: UEFI Secure boot lockdown patchset

[David Howells]

[-- Attachment #1: Type: text/plain, Size: 1285 bytes --]


Hi Stephen,

Can you pull the following branch into linux-next please?  It does three
things:

 (1) It restricts various accesses userspace may make upon the kernel when the
     kernel is locked down.

 (2) It engages the lockdown if UEFI Secure Boot mode is detected.

 (3) It passes the UEFI Secure Boot mode indication across kexec.

The restrictions include:

 - Enforcing the use of module signatures
 - Enforcing the use of kexec image signatures
 - Requring IMA to use secure boot rules
 - Disabling:
   - The kexec_load() syscall
   - Use of /dev/{mem,kmem,port,kcore}
   - Hibernation
   - PCI BAR access
   - Direct I/O port access
 - Preventing direct port specification in drivers:
   - SCSI EATA
   - TIOCSSERIAL
   - Module parameters
 - Restricting:
   - MSR access
   - Certain ACPI features
   - kprobes
   - BPF
   - Perf
   - Debugfs

The aim of the restrictions is twofold:

  (1) Prevent userspace from altering the kernel image directly (eg. by
      /dev/mem) or indirectly (eg. by manipulating a device to do DMA);

  (2) Prevent userspace from accessing crypto data stored in the kernel
      (eg. filesystem keys).

A warning is logged if a restriction is triggered for which I've written a
manpage that is referenced in the message (see attached).

David


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: Lockdown manpage --]
[-- Type: text/troff, Size: 3463 bytes --]

.\"
.\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
.\" Written by David Howells (dhowells@redhat.com)
.\"
.\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
.\" This program is free software; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public License
.\" as published by the Free Software Foundation; either version
.\" 2 of the License, or (at your option) any later version.
.\" %%%LICENSE_END
.\"
.TH "KERNEL LOCKDOWN" 7 2017-10-05 Linux "Linux Programmer's Manual"
.SH NAME
Kernel Lockdown \- Kernel image access prevention feature
.SH DESCRIPTION
The Kernel Lockdown feature is designed to prevent both direct and indirect
access to a running kernel image, attempting to protect against unauthorised
modification of the kernel image and to prevent access to security and
cryptographic data located in kernel memory, whilst still permitting driver
modules to be loaded.
.P
Lockdown is typically enabled during boot and may be terminated, if configured,
by typing a special key combination on a directly attached physical keyboard.
.P
If a prohibited or restricted feature is accessed or used, the kernel will emit
a message that looks like:
.P
.RS
	Lockdown: X: Y is restricted, see man kernel_lockdown.7
.RE
.P
where X indicates the process name and Y indicates what is restricted.
.P
On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
if the system boots in EFI Secure Boot mode.
.P
If the kernel is appropriately configured, lockdown may be lifted by typing the
appropriate sequence on a directly attached physical keyboard.  For x86
machines, this is
.IR SysRq+x .
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH COVERAGE
When lockdown is in effect, a number of features are disabled or have their use
restricted.  This includes special device files and kernel services that allow
direct access of the kernel image:
.P
.RS
/dev/mem
.br
/dev/kmem
.br
/dev/kcore
.br
/dev/ioports
.br
BPF
.br
kprobes
.RE
.P
and the ability to directly configure and control devices, so as to prevent the
use of a device to access or modify a kernel image:
.P
.RS
The use of module parameters that directly specify hardware parameters to
drivers through the kernel command line or when loading a module.
.P
The use of direct PCI BAR access.
.P
The use of the ioperm and iopl instructions on x86.
.P
The use of the KD*IO console ioctls.
.P
The use of the TIOCSSERIAL serial ioctl.
.P
The alteration of MSR registers on x86.
.P
The replacement of the PCMCIA CIS.
.P
The overriding of ACPI tables.
.P
The use of ACPI error injection.
.P
The specification of the ACPI RDSP address.
.P
The use of ACPI custom methods.
.RE
.P
Certain facilities are restricted:
.P
.RS
Only validly signed modules may be loaded (waived if the module file being
loaded is vouched for by IMA appraisal).
.P
Only validly signed binaries may be kexec'd (waived if the binary image file to
be executed is vouched for by IMA appraisal).
.P
Unencrypted hibernation/suspend to swap are disallowed as the kernel image is
saved to a medium that can then be accessed.
.P
Use of debugfs is not permitted as this allows a whole range of actions
including direct configuration of, access to and driving of hardware.
.P
IMA requires the addition of the "secure_boot" rules to the policy, whether or
not they are specified on the command line, for both the builtin and custom
policies in secure boot lockdown mode.
.RE

linux-next: UEFI Secure boot lockdown patchset

[David Howells]

Hi Stephen,

Can you pull the following branch into linux-next please?  It does three
things:

 (1) It restricts various accesses userspace may make upon the kernel when the
     kernel is locked down.

 (2) It engages the lockdown if UEFI Secure Boot mode is detected.

 (3) It passes the UEFI Secure Boot mode indication across kexec.

The restrictions include:

 - Enforcing the use of module signatures
 - Enforcing the use of kexec image signatures
 - Requring IMA to use secure boot rules
 - Disabling:
   - The kexec_load() syscall
   - Use of /dev/{mem,kmem,port,kcore}
   - Hibernation
   - PCI BAR access
   - Direct I/O port access
 - Preventing direct port specification in drivers:
   - SCSI EATA
   - TIOCSSERIAL
   - Module parameters
 - Restricting:
   - MSR access
   - Certain ACPI features
   - kprobes
   - BPF
   - Perf
   - Debugfs

The aim of the restrictions is twofold:

  (1) Prevent userspace from altering the kernel image directly (eg. by
      /dev/mem) or indirectly (eg. by manipulating a device to do DMA);

  (2) Prevent userspace from accessing crypto data stored in the kernel
      (eg. filesystem keys).

A warning is logged if a restriction is triggered for which I've written a
manpage that is referenced in the message (see attached).

David

Re: linux-next: UEFI Secure boot lockdown patchset

[Ard Biesheuvel]

Hi David,

On 1 March 2018 at 11:06, David Howells <dhowells@redhat.com> wrote:
>
> Hi Stephen,
>
> Can you pull the following branch into linux-next please?

Could you please include a URL?

>  It does three
> things:
>
>  (1) It restricts various accesses userspace may make upon the kernel when the
>      kernel is locked down.
>
>  (2) It engages the lockdown if UEFI Secure Boot mode is detected.
>
>  (3) It passes the UEFI Secure Boot mode indication across kexec.
>
> The restrictions include:
>
>  - Enforcing the use of module signatures
>  - Enforcing the use of kexec image signatures
>  - Requring IMA to use secure boot rules
>  - Disabling:
>    - The kexec_load() syscall
>    - Use of /dev/{mem,kmem,port,kcore}
>    - Hibernation
>    - PCI BAR access
>    - Direct I/O port access
>  - Preventing direct port specification in drivers:
>    - SCSI EATA
>    - TIOCSSERIAL
>    - Module parameters
>  - Restricting:
>    - MSR access
>    - Certain ACPI features
>    - kprobes
>    - BPF
>    - Perf
>    - Debugfs
>
> The aim of the restrictions is twofold:
>
>   (1) Prevent userspace from altering the kernel image directly (eg. by
>       /dev/mem) or indirectly (eg. by manipulating a device to do DMA);
>
>   (2) Prevent userspace from accessing crypto data stored in the kernel
>       (eg. filesystem keys).
>
> A warning is logged if a restriction is triggered for which I've written a
> manpage that is referenced in the message (see attached).
>
> David
>

linux-next: UEFI Secure boot lockdown patchset

[Ard Biesheuvel]

Hi David,

On 1 March 2018 at 11:06, David Howells <dhowells@redhat.com> wrote:
>
> Hi Stephen,
>
> Can you pull the following branch into linux-next please?

Could you please include a URL?

>  It does three
> things:
>
>  (1) It restricts various accesses userspace may make upon the kernel when the
>      kernel is locked down.
>
>  (2) It engages the lockdown if UEFI Secure Boot mode is detected.
>
>  (3) It passes the UEFI Secure Boot mode indication across kexec.
>
> The restrictions include:
>
>  - Enforcing the use of module signatures
>  - Enforcing the use of kexec image signatures
>  - Requring IMA to use secure boot rules
>  - Disabling:
>    - The kexec_load() syscall
>    - Use of /dev/{mem,kmem,port,kcore}
>    - Hibernation
>    - PCI BAR access
>    - Direct I/O port access
>  - Preventing direct port specification in drivers:
>    - SCSI EATA
>    - TIOCSSERIAL
>    - Module parameters
>  - Restricting:
>    - MSR access
>    - Certain ACPI features
>    - kprobes
>    - BPF
>    - Perf
>    - Debugfs
>
> The aim of the restrictions is twofold:
>
>   (1) Prevent userspace from altering the kernel image directly (eg. by
>       /dev/mem) or indirectly (eg. by manipulating a device to do DMA);
>
>   (2) Prevent userspace from accessing crypto data stored in the kernel
>       (eg. filesystem keys).
>
> A warning is logged if a restriction is triggered for which I've written a
> manpage that is referenced in the message (see attached).
>
> David
>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: linux-next: UEFI Secure boot lockdown patchset

[David Howells]

I forgot to include the branch URL:

	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=efi-lock-down

Thanks for spotting that, Ard!

David

linux-next: UEFI Secure boot lockdown patchset

[David Howells]

I forgot to include the branch URL:

	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=efi-lock-down

Thanks for spotting that, Ard!

David
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: linux-next: UEFI Secure boot lockdown patchset

[Stephen Rothwell]

[-- Attachment #1: Type: text/plain, Size: 2490 bytes --]

Hi David,

On Thu, 01 Mar 2018 11:06:55 +0000 David Howells <dhowells@redhat.com> wrote:
>
> Can you pull the following branch into linux-next please?  It does three
> things:
> 
>  (1) It restricts various accesses userspace may make upon the kernel when the
>      kernel is locked down.
> 
>  (2) It engages the lockdown if UEFI Secure Boot mode is detected.
> 
>  (3) It passes the UEFI Secure Boot mode indication across kexec.
> 
> The restrictions include:
> 
>  - Enforcing the use of module signatures
>  - Enforcing the use of kexec image signatures
>  - Requring IMA to use secure boot rules
>  - Disabling:
>    - The kexec_load() syscall
>    - Use of /dev/{mem,kmem,port,kcore}
>    - Hibernation
>    - PCI BAR access
>    - Direct I/O port access
>  - Preventing direct port specification in drivers:
>    - SCSI EATA
>    - TIOCSSERIAL
>    - Module parameters
>  - Restricting:
>    - MSR access
>    - Certain ACPI features
>    - kprobes
>    - BPF
>    - Perf
>    - Debugfs
> 
> The aim of the restrictions is twofold:
> 
>   (1) Prevent userspace from altering the kernel image directly (eg. by
>       /dev/mem) or indirectly (eg. by manipulating a device to do DMA);
> 
>   (2) Prevent userspace from accessing crypto data stored in the kernel
>       (eg. filesystem keys).
> 
> A warning is logged if a restriction is triggered for which I've written a
> manpage that is referenced in the message (see attached).

Added from tomorrow.  I actually used this url:

  git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git#efi-lock-down

Thanks for adding your subsystem tree as a participant of linux-next.  As
you may know, this is not a judgement of your code.  The purpose of
linux-next is for integration testing and to lower the impact of
conflicts between subsystems in the next merge window. 

You will need to ensure that the patches/commits in your tree/series have
been:
     * submitted under GPL v2 (or later) and include the Contributor's
        Signed-off-by,
     * posted to the relevant mailing list,
     * reviewed by you (or another maintainer of your subsystem tree),
     * successfully unit tested, and 
     * destined for the current or next Linux merge window.

Basically, this should be just what you would send to Linus (or ask him
to fetch).  It is allowed to be rebased if you deem it necessary.

-- 
Cheers,
Stephen Rothwell 
sfr@canb.auug.org.au

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: linux-next: UEFI Secure boot lockdown patchset

[Matthew Garrett]

On Thu, Mar 1, 2018 at 3:06 AM David Howells <dhowells@redhat.com> wrote:

>   - Requring IMA to use secure boot rules

On systems that have IMA enabled, this appears to enforce a policy that
requires that IMA signatures be present for kexec and modules.
Distributions are already shipping signed modules and kernel images, so
this policy appears to enforce that

(a) they be signed twice, and
(b) distributions have a mechanism for shipping extended attributes in
packages

(a) seems unnecessary, and (b) isn't possible in most distributions
(there's ongoing work in Debian, but it's not merged yet). I can see cases
where you'd want to enforce this via IMA, but I don't think it's
appropriate for all cases. Should the use of the IMA secure_boot policy be
gated behind a config option?

Re: linux-next: UEFI Secure boot lockdown patchset

[David Howells]

Matthew Garrett <mjg59@google.com> wrote:

> (a) seems unnecessary, and (b) isn't possible in most distributions
> (there's ongoing work in Debian, but it's not merged yet). I can see cases
> where you'd want to enforce this via IMA, but I don't think it's
> appropriate for all cases. Should the use of the IMA secure_boot policy be
> gated behind a config option?

Quite probably.  Mimi?

David

Re: linux-next: UEFI Secure boot lockdown patchset

[Mimi Zohar]

On Tue, 2018-05-01 at 20:00 +0100, David Howells wrote:
> Matthew Garrett <mjg59@google.com> wrote:
> 
> > (a) seems unnecessary, and (b) isn't possible in most distributions
> > (there's ongoing work in Debian, but it's not merged yet). I can see cases
> > where you'd want to enforce this via IMA, but I don't think it's
> > appropriate for all cases. Should the use of the IMA secure_boot policy be
> > gated behind a config option?
> 
> Quite probably.  Mimi?

a) Requiring two signatures was addressed by a patch titled "lockdown:
fix coordination of kernel module signature verification" [1]

b) With the coordination of the signature verification above, enabling
either method or both methods, should work properly.

There's been further discussions as to what should remain in the
"lockdown" patch set.  Based on the discussion here [2], it seems like
 "[PATCH 06/24] kexec_load: Disable at runtime if the kernel is locked
down" will be removed.

Instead of preventing the loading of a kernel image (kexec_load
 syscall) being dependent on the lockdown flag, it could be dependent
on the kernel_read_file_id READING_KEXEC_IMAGE.  A version of these
patches was posted [3].

[1] http://kernsec.org/pipermail/linux-security-module-archive/2018-April/006456.html
[2] http://kernsec.org/pipermail/linux-security-module-archive/2018-April/006419.html
[3] http://kernsec.org/pipermail/linux-security-module-archive/2018-April/006443.html

Mimi

Re: linux-next: UEFI Secure boot lockdown patchset

[Matthew Garrett]

On Tue, May 1, 2018 at 1:15 PM Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> a) Requiring two signatures was addressed by a patch titled "lockdown:
> fix coordination of kernel module signature verification" [1]

Ah, I'd missed that - thanks!

> There's been further discussions as to what should remain in the
> "lockdown" patch set.  Based on the discussion here [2], it seems like
>   "[PATCH 06/24] kexec_load: Disable at runtime if the kernel is locked
> down" will be removed.

> Instead of preventing the loading of a kernel image (kexec_load
>   syscall) being dependent on the lockdown flag, it could be dependent
> on the kernel_read_file_id READING_KEXEC_IMAGE.  A version of these
> patches was posted [3].

Hm. My concern is that distributions are going to ship IMA in a
configuration that allows users to add their own keys at boot time (it's
difficult to use it in a generic way otherwise), and that's going to allow
kexecing of arbitrary images without requiring physical access. I think
kexec_file_load() needs to be relying on non-IMA signatures.

Re: linux-next: UEFI Secure boot lockdown patchset

[Mimi Zohar]

On Tue, 2018-05-01 at 21:02 +0000, Matthew Garrett wrote:
> On Tue, May 1, 2018 at 1:15 PM Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> > a) Requiring two signatures was addressed by a patch titled "lockdown:
> > fix coordination of kernel module signature verification" [1]
> 
> Ah, I'd missed that - thanks!
> 
> > There's been further discussions as to what should remain in the
> > "lockdown" patch set.  Based on the discussion here [2], it seems like
> >   "[PATCH 06/24] kexec_load: Disable at runtime if the kernel is locked
> > down" will be removed.
> 
> > Instead of preventing the loading of a kernel image (kexec_load
> >   syscall) being dependent on the lockdown flag, it could be dependent
> > on the kernel_read_file_id READING_KEXEC_IMAGE.  A version of these
> > patches was posted [3].
> 
> Hm. My concern is that distributions are going to ship IMA in a
> configuration that allows users to add their own keys at boot time (it's
> difficult to use it in a generic way otherwise), and that's going to allow
> kexecing of arbitrary images without requiring physical access. I think
> kexec_file_load() needs to be relying on non-IMA signatures.

I don't see how.  Unless the kernel was built with extra room for a
local CA public key (CONFIG_SYSTEM_EXTRA_CERTIFICATE), which would be
loaded onto the builtin keyring, there is no way of adding keys to the
IMA keyring.  Adding the extra public key would require the kernel to
be resigned.

Mimi

Re: linux-next: UEFI Secure boot lockdown patchset

[Matthew Garrett]

On Tue, May 1, 2018 at 2:50 PM Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:

> On Tue, 2018-05-01 at 21:02 +0000, Matthew Garrett wrote:
> > Hm. My concern is that distributions are going to ship IMA in a
> > configuration that allows users to add their own keys at boot time (it's
> > difficult to use it in a generic way otherwise), and that's going to
allow
> > kexecing of arbitrary images without requiring physical access. I think
> > kexec_file_load() needs to be relying on non-IMA signatures.

> I don't see how.  Unless the kernel was built with extra room for a
> local CA public key (CONFIG_SYSTEM_EXTRA_CERTIFICATE), which would be
> loaded onto the builtin keyring, there is no way of adding keys to the
> IMA keyring.  Adding the extra public key would require the kernel to
> be resigned.

Oh, is kexec verified off the _module keyring? We still end up with the
problem that distributions don't have a mechanism to ship IMA signatures
yet, but that avoids the user modification problem. I've just posted a
patchset to debian-dpkg, we'll see how that goes.

Re: linux-next: UEFI Secure boot lockdown patchset

[Mimi Zohar]

On Tue, 2018-05-01 at 21:59 +0000, Matthew Garrett wrote:
> On Tue, May 1, 2018 at 2:50 PM Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> 
> > On Tue, 2018-05-01 at 21:02 +0000, Matthew Garrett wrote:
> > > Hm. My concern is that distributions are going to ship IMA in a
> > > configuration that allows users to add their own keys at boot time (it's
> > > difficult to use it in a generic way otherwise), and that's going to
> allow
> > > kexecing of arbitrary images without requiring physical access. I think
> > > kexec_file_load() needs to be relying on non-IMA signatures.
> 
> > I don't see how.  Unless the kernel was built with extra room for a
> > local CA public key (CONFIG_SYSTEM_EXTRA_CERTIFICATE), which would be
> > loaded onto the builtin keyring, there is no way of adding keys to the
> > IMA keyring.  Adding the extra public key would require the kernel to
> > be resigned.
> 
> Oh, is kexec verified off the _module keyring? We still end up with the
> problem that distributions don't have a mechanism to ship IMA signatures
> yet, but that avoids the user modification problem. I've just posted a
> patchset to debian-dpkg, we'll see how that goes.

I'm not aware of a _module keyring.  With IMA-appraisal, the signature
verification of the kernel image (kexec_file_load) uses the trusted
IMA keyring.  Nayna Jain posted a patch that defines a new platform
keyring[1], which would only be used to validate the kernel image and
initramfs signatures.

Your review would be much appreciated!

I really do hope that some version of including file signatures in
Debian packages will be upstreamed soon.  Good luck!

[1] https://lkml.org/lkml/2018/2/28/1089

Mimi

Re: linux-next: UEFI Secure boot lockdown patchset

[Matthew Garrett]

On Tue, May 1, 2018 at 3:21 PM Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:

> On Tue, 2018-05-01 at 21:59 +0000, Matthew Garrett wrote:
> > Oh, is kexec verified off the _module keyring? We still end up with the
> > problem that distributions don't have a mechanism to ship IMA signatures
> > yet, but that avoids the user modification problem. I've just posted a
> > patchset to debian-dpkg, we'll see how that goes.

> I'm not aware of a _module keyring.  With IMA-appraisal, the signature
> verification of the kernel image (kexec_file_load) uses the trusted
> IMA keyring.  Nayna Jain posted a patch that defines a new platform
> keyring[1], which would only be used to validate the kernel image and
> initramfs signatures.

INTEGRITY_KEYRING_MODULE is defined, but doesn't appear to be used
anywhere. Odd. Anyway, distributions are unlikely to ship with
CONFIG_INTEGRITY_TRUSTED_KEYRING since it makes it impossible for users to
determine which set of IMA or EVM signatures they want to trust. So if
validation is against the IMA keyring rather than builtin_trusted_keys,
it's going to be possible for users to extend the set of trusted keys. If
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG is set then the kernel seems to do the
right thing here, but it's not clear to me how that's supposed to interact
with IMA?

Re: linux-next: UEFI Secure boot lockdown patchset

[Mimi Zohar]

On Tue, 2018-05-01 at 22:32 +0000, Matthew Garrett wrote:
> On Tue, May 1, 2018 at 3:21 PM Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> 
> > On Tue, 2018-05-01 at 21:59 +0000, Matthew Garrett wrote:
> > > Oh, is kexec verified off the _module keyring? We still end up with the
> > > problem that distributions don't have a mechanism to ship IMA signatures
> > > yet, but that avoids the user modification problem. I've just posted a
> > > patchset to debian-dpkg, we'll see how that goes.
> 
> > I'm not aware of a _module keyring.  With IMA-appraisal, the signature
> > verification of the kernel image (kexec_file_load) uses the trusted
> > IMA keyring.  Nayna Jain posted a patch that defines a new platform
> > keyring[1], which would only be used to validate the kernel image and
> > initramfs signatures.
> 
> INTEGRITY_KEYRING_MODULE is defined, but doesn't appear to be used
> anywhere. Odd. Anyway, distributions are unlikely to ship with
> CONFIG_INTEGRITY_TRUSTED_KEYRING since it makes it impossible for users to
> determine which set of IMA or EVM signatures they want to trust. So if
> validation is against the IMA keyring rather than builtin_trusted_keys,
> it's going to be possible for users to extend the set of trusted keys. If
> CONFIG_KEXEC_BZIMAGE_VERIFY_SIG is set then the kernel seems to do the
> right thing here, but it's not clear to me how that's supposed to interact
> with IMA?

>From your description, whatever keys the distros are loading onto the
builtin_trusted_keys keyring for verifying the kexec kernel image,
could just as easily be added to the IMA trusted keyring
(CONFIG_INTEGRITY_TRUSTED_KEYRING).  I don't see the difference.

Loading other keys requires reserving memory for a local CA public
key.

Mimi

Re: linux-next: UEFI Secure boot lockdown patchset

[Matthew Garrett]

On Tue, May 1, 2018 at 4:43 PM Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:

> On Tue, 2018-05-01 at 22:32 +0000, Matthew Garrett wrote:
> > INTEGRITY_KEYRING_MODULE is defined, but doesn't appear to be used
> > anywhere. Odd. Anyway, distributions are unlikely to ship with
> > CONFIG_INTEGRITY_TRUSTED_KEYRING since it makes it impossible for users
to
> > determine which set of IMA or EVM signatures they want to trust. So if
> > validation is against the IMA keyring rather than builtin_trusted_keys,
> > it's going to be possible for users to extend the set of trusted keys.
If
> > CONFIG_KEXEC_BZIMAGE_VERIFY_SIG is set then the kernel seems to do the
> > right thing here, but it's not clear to me how that's supposed to
interact
> > with IMA?

>  From your description, whatever keys the distros are loading onto the
> builtin_trusted_keys keyring for verifying the kexec kernel image,
> could just as easily be added to the IMA trusted keyring
> (CONFIG_INTEGRITY_TRUSTED_KEYRING).  I don't see the difference.

If CONFIG_INTEGRITY_TRUSTED_KEYRING isn't set then you can load new (and
unsigned) IMA keys from userspace. So if IMA is the lockdown control
mechanism for kexec, distros must either set
CONFIG_INTEGRITY_TRUSTED_KEYRING (which I don't think is practical) or IMA
should test kexec against the builtin_trusted_keys keyring rather than the
IMA keyring. Or have I misunderstood how this works?

Re: linux-next: UEFI Secure boot lockdown patchset

[Mimi Zohar]

On Tue, 2018-05-01 at 23:46 +0000, Matthew Garrett wrote:
> On Tue, May 1, 2018 at 4:43 PM Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> 
> > On Tue, 2018-05-01 at 22:32 +0000, Matthew Garrett wrote:
> > > INTEGRITY_KEYRING_MODULE is defined, but doesn't appear to be used
> > > anywhere. Odd. Anyway, distributions are unlikely to ship with
> > > CONFIG_INTEGRITY_TRUSTED_KEYRING since it makes it impossible for users
> to
> > > determine which set of IMA or EVM signatures they want to trust. So if
> > > validation is against the IMA keyring rather than builtin_trusted_keys,
> > > it's going to be possible for users to extend the set of trusted keys.
> If
> > > CONFIG_KEXEC_BZIMAGE_VERIFY_SIG is set then the kernel seems to do the
> > > right thing here, but it's not clear to me how that's supposed to
> interact
> > > with IMA?
> 
> >  From your description, whatever keys the distros are loading onto the
> > builtin_trusted_keys keyring for verifying the kexec kernel image,
> > could just as easily be added to the IMA trusted keyring
> > (CONFIG_INTEGRITY_TRUSTED_KEYRING).  I don't see the difference.
> 
> If CONFIG_INTEGRITY_TRUSTED_KEYRING isn't set then you can load new (and
> unsigned) IMA keys from userspace. So if IMA is the lockdown control
> mechanism for kexec, distros must either set
> CONFIG_INTEGRITY_TRUSTED_KEYRING (which I don't think is practical) or IMA
> should test kexec against the builtin_trusted_keys keyring rather than the
> IMA keyring. Or have I misunderstood how this works?

Another option is enabling both CONFIG_INTEGRITY_TRUSTED_KEYRING and
CONFIG_SYSTEM_EXTRA_CERTIFICATE.

Mimi