From: Mimi Zohar <zohar@linux.ibm.com>
To: Nayna Jain <nayna@linux.vnet.ibm.com>, linux-integrity@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org,
	linux-kernel@vger.kernel.org, dhowells@redhat.com,
	jforbes@redhat.com, Seth Forshee <seth.forshee@canonical.com>,
	kexec <kexec@lists.infradead.org>
Subject: Re: [PATCH v4 1/6] x86/ima: define arch_ima_get_secureboot
Date: Thu, 27 Sep 2018 07:33:01 -0400
Message-ID: <1538047981.3459.74.camel@linux.ibm.com>
In-Reply-To: <20180926122210.14642-2-nayna@linux.vnet.ibm.com>

[Cc'ing the kexec mailing list, and Seth]

On Wed, 2018-09-26 at 17:52 +0530, Nayna Jain wrote:
> Distros are concerned about totally disabling the kexec_load syscall.
> As a compromise, the kexec_load syscall will only be disabled when
> CONFIG_KEXEC_VERIFY_SIG is configured and the system is booted with
> secureboot enabled.
> 
> This patch defines the new arch specific function called
> arch_ima_get_secureboot() to retrieve the secureboot state of the system.
> 
> Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com>
> Suggested-by: Seth Forshee <seth.forshee@canonical.com>

Nice!

Mimi

> ---
>  arch/x86/kernel/Makefile   |  2 ++
>  arch/x86/kernel/ima_arch.c | 17 +++++++++++++++++
>  include/linux/ima.h        |  9 +++++++++
>  3 files changed, 28 insertions(+)
>  create mode 100644 arch/x86/kernel/ima_arch.c
> 
> diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile
> index 02d6f5cf4e70..f32406e51424 100644
> --- a/arch/x86/kernel/Makefile
> +++ b/arch/x86/kernel/Makefile
> @@ -149,3 +149,5 @@ ifeq ($(CONFIG_X86_64),y)
>  	obj-$(CONFIG_MMCONF_FAM10H)	+= mmconf-fam10h_64.o
>  	obj-y				+= vsmp_64.o
>  endif
> +
> +obj-$(CONFIG_IMA)			+= ima_arch.o
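
Review bot: `obj-$(CONFIG_IMA) += ima_arch.o` builds the file for every x86 kernel with IMA enabled, while the function it provides can only return true when `efi_enabled(EFI_BOOT)` holds. Consider also gating the object on EFI support and giving the declaration in include/linux/ima.h the same condition, so kernels without EFI pick up the inline `return false` stub instead of a compiled-in function that always returns false.
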
> diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c
> new file mode 100644
> index 000000000000..bb5a88d2b271
> --- /dev/null
> +++ b/arch/x86/kernel/ima_arch.c
> @@ -0,0 +1,17 @@
> +/* SPDX-License-Identifier: GPL-2.0+ */
> +/*
> + * Copyright (C) 2018 IBM Corporation
> + */
> +#include <linux/efi.h>
> +#include <linux/ima.h>
> +
> +extern struct boot_params boot_params;
> +
> +bool arch_ima_get_secureboot(void)
> +{
> +	if (efi_enabled(EFI_BOOT) &&
> +		(boot_params.secure_boot == efi_secureboot_mode_enabled))
> +		return true;
> +	else
> +		return false;
> +}
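
Review bot: in `arch_ima_get_secureboot()`, every value of `boot_params.secure_boot` other than `efi_secureboot_mode_enabled` returns false, including a state that could not be determined, and per the commit message that leaves kexec_load permitted; a short comment stating that this fallback is intended would help later readers. The local `extern struct boot_params boot_params;` repeats a declaration that belongs to an arch header (`<asm/setup.h>`), so include that header instead, and the if/else can collapse to a single `return` of the condition. A `.c` file would also normally carry the SPDX tag as a `//` comment on its first line.
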
> diff --git a/include/linux/ima.h b/include/linux/ima.h
> index 84806b54b50a..4852255aa4f4 100644
> --- a/include/linux/ima.h
> +++ b/include/linux/ima.h
> @@ -30,6 +30,15 @@ extern void ima_post_path_mknod(struct dentry *dentry);
>  extern void ima_add_kexec_buffer(struct kimage *image);
>  #endif
>  
> +#ifdef CONFIG_X86
> +extern bool arch_ima_get_secureboot(void);
> +#else
> +static inline bool arch_ima_get_secureboot(void)
> +{
> +	return false;
> +}
> +#endif
> +
>  #else
>  static inline int ima_bprm_check(struct linux_binprm *bprm)
>  {
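
Review bot: the new `#ifdef CONFIG_X86` block sits just above the `#else` that starts the stub section (`static inline int ima_bprm_check(...)`), and no `arch_ima_get_secureboot()` stub is added on that side. If anything outside IMA is expected to call it, add a `return false` stub there as well; otherwise a one-line comment on the declaration saying what a true return means (EFI boot with secure boot enabled) would document the contract for architectures that implement it later.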

