From: Mimi Zohar <zohar@linux.ibm.com>
To: Nayna Jain <nayna@linux.vnet.ibm.com>, linux-integrity@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org,
linux-kernel@vger.kernel.org, dhowells@redhat.com,
jforbes@redhat.com, Seth Forshee <seth.forshee@canonical.com>,
kexec <kexec@lists.infradead.org>
Subject: Re: [PATCH v4 2/6] ima: prevent kexec_load syscall based on runtime secureboot flag
Date: Thu, 27 Sep 2018 07:33:35 -0400 [thread overview]
Message-ID: <1538048015.3459.76.camel@linux.ibm.com> (raw)
In-Reply-To: <20180926122210.14642-3-nayna@linux.vnet.ibm.com>
[Cc'ing the kexec mailing list, and Seth]
On Wed, 2018-09-26 at 17:52 +0530, Nayna Jain wrote:
> When CONFIG_KEXEC_VERIFY_SIG is enabled, the kexec_file_load syscall
> requires the kexec'd kernel image to be signed. Distros are concerned
> about totally disabling the kexec_load syscall. As a compromise, the
> kexec_load syscall will only be disabled when CONFIG_KEXEC_VERIFY_SIG
> is configured and the system is booted with secureboot enabled.
>
> This patch disables the kexec_load syscall only for systems booted with
> secureboot enabled.
>
> Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com>
Nice!
Mimi
> ---
> security/integrity/ima/ima_main.c | 17 +++++++++++------
> 1 file changed, 11 insertions(+), 6 deletions(-)
>
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index dce0a8a217bb..bdb6e5563d05 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -505,20 +505,24 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size,
> */
> int ima_load_data(enum kernel_load_data_id id)
> {
> - bool sig_enforce;
> + bool ima_enforce, sig_enforce;
>
> - if ((ima_appraise & IMA_APPRAISE_ENFORCE) != IMA_APPRAISE_ENFORCE)
> - return 0;
> + ima_enforce =
> + (ima_appraise & IMA_APPRAISE_ENFORCE) == IMA_APPRAISE_ENFORCE;
>
> switch (id) {
> case LOADING_KEXEC_IMAGE:
> - if (ima_appraise & IMA_APPRAISE_KEXEC) {
> +#ifdef CONFIG_KEXEC_VERIFY_SIG
> + if (arch_ima_get_secureboot())
> + return -EACCES;
> +#endif
> + if (ima_enforce && (ima_appraise & IMA_APPRAISE_KEXEC)) {
> pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
> return -EACCES; /* INTEGRITY_UNKNOWN */
> }
> break;
> case LOADING_FIRMWARE:
> - if (ima_appraise & IMA_APPRAISE_FIRMWARE) {
> + if (ima_enforce && (ima_appraise & IMA_APPRAISE_FIRMWARE)) {
> pr_err("Prevent firmware sysfs fallback loading.\n");
> return -EACCES; /* INTEGRITY_UNKNOWN */
> }
> @@ -526,7 +530,8 @@ int ima_load_data(enum kernel_load_data_id id)
> case LOADING_MODULE:
> sig_enforce = is_module_sig_enforced();
>
> - if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES)) {
> + if (ima_enforce && (!sig_enforce
> + && (ima_appraise & IMA_APPRAISE_MODULES))) {
> pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n");
> return -EACCES; /* INTEGRITY_UNKNOWN */
> }
WARNING: multiple messages have this Message-ID (diff)
From: zohar@linux.ibm.com (Mimi Zohar)
To: linux-security-module@vger.kernel.org
Subject: [PATCH v4 2/6] ima: prevent kexec_load syscall based on runtime secureboot flag
Date: Thu, 27 Sep 2018 07:33:35 -0400 [thread overview]
Message-ID: <1538048015.3459.76.camel@linux.ibm.com> (raw)
In-Reply-To: <20180926122210.14642-3-nayna@linux.vnet.ibm.com>
[Cc'ing the kexec mailing list, and Seth]
On Wed, 2018-09-26 at 17:52 +0530, Nayna Jain wrote:
> When CONFIG_KEXEC_VERIFY_SIG is enabled, the kexec_file_load syscall
> requires the kexec'd kernel image to be signed. Distros are concerned
> about totally disabling the kexec_load syscall. As a compromise, the
> kexec_load syscall will only be disabled when CONFIG_KEXEC_VERIFY_SIG
> is configured and the system is booted with secureboot enabled.
>
> This patch disables the kexec_load syscall only for systems booted with
> secureboot enabled.
>
> Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com>
Nice!
Mimi
> ---
> security/integrity/ima/ima_main.c | 17 +++++++++++------
> 1 file changed, 11 insertions(+), 6 deletions(-)
>
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index dce0a8a217bb..bdb6e5563d05 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -505,20 +505,24 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size,
> */
> int ima_load_data(enum kernel_load_data_id id)
> {
> - bool sig_enforce;
> + bool ima_enforce, sig_enforce;
>
> - if ((ima_appraise & IMA_APPRAISE_ENFORCE) != IMA_APPRAISE_ENFORCE)
> - return 0;
> + ima_enforce =
> + (ima_appraise & IMA_APPRAISE_ENFORCE) == IMA_APPRAISE_ENFORCE;
>
> switch (id) {
> case LOADING_KEXEC_IMAGE:
> - if (ima_appraise & IMA_APPRAISE_KEXEC) {
> +#ifdef CONFIG_KEXEC_VERIFY_SIG
> + if (arch_ima_get_secureboot())
> + return -EACCES;
> +#endif
> + if (ima_enforce && (ima_appraise & IMA_APPRAISE_KEXEC)) {
> pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
> return -EACCES; /* INTEGRITY_UNKNOWN */
> }
> break;
> case LOADING_FIRMWARE:
> - if (ima_appraise & IMA_APPRAISE_FIRMWARE) {
> + if (ima_enforce && (ima_appraise & IMA_APPRAISE_FIRMWARE)) {
> pr_err("Prevent firmware sysfs fallback loading.\n");
> return -EACCES; /* INTEGRITY_UNKNOWN */
> }
> @@ -526,7 +530,8 @@ int ima_load_data(enum kernel_load_data_id id)
> case LOADING_MODULE:
> sig_enforce = is_module_sig_enforced();
>
> - if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES)) {
> + if (ima_enforce && (!sig_enforce
> + && (ima_appraise & IMA_APPRAISE_MODULES))) {
> pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n");
> return -EACCES; /* INTEGRITY_UNKNOWN */
> }
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: Nayna Jain <nayna@linux.vnet.ibm.com>, linux-integrity@vger.kernel.org
Cc: linux-efi@vger.kernel.org, kexec <kexec@lists.infradead.org>,
linux-kernel@vger.kernel.org, dhowells@redhat.com,
Seth Forshee <seth.forshee@canonical.com>,
linux-security-module@vger.kernel.org, jforbes@redhat.com
Subject: Re: [PATCH v4 2/6] ima: prevent kexec_load syscall based on runtime secureboot flag
Date: Thu, 27 Sep 2018 07:33:35 -0400 [thread overview]
Message-ID: <1538048015.3459.76.camel@linux.ibm.com> (raw)
In-Reply-To: <20180926122210.14642-3-nayna@linux.vnet.ibm.com>
[Cc'ing the kexec mailing list, and Seth]
On Wed, 2018-09-26 at 17:52 +0530, Nayna Jain wrote:
> When CONFIG_KEXEC_VERIFY_SIG is enabled, the kexec_file_load syscall
> requires the kexec'd kernel image to be signed. Distros are concerned
> about totally disabling the kexec_load syscall. As a compromise, the
> kexec_load syscall will only be disabled when CONFIG_KEXEC_VERIFY_SIG
> is configured and the system is booted with secureboot enabled.
>
> This patch disables the kexec_load syscall only for systems booted with
> secureboot enabled.
>
> Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com>
Nice!
Mimi
> ---
> security/integrity/ima/ima_main.c | 17 +++++++++++------
> 1 file changed, 11 insertions(+), 6 deletions(-)
>
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index dce0a8a217bb..bdb6e5563d05 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -505,20 +505,24 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size,
> */
> int ima_load_data(enum kernel_load_data_id id)
> {
> - bool sig_enforce;
> + bool ima_enforce, sig_enforce;
>
> - if ((ima_appraise & IMA_APPRAISE_ENFORCE) != IMA_APPRAISE_ENFORCE)
> - return 0;
> + ima_enforce =
> + (ima_appraise & IMA_APPRAISE_ENFORCE) == IMA_APPRAISE_ENFORCE;
>
> switch (id) {
> case LOADING_KEXEC_IMAGE:
> - if (ima_appraise & IMA_APPRAISE_KEXEC) {
> +#ifdef CONFIG_KEXEC_VERIFY_SIG
> + if (arch_ima_get_secureboot())
> + return -EACCES;
> +#endif
> + if (ima_enforce && (ima_appraise & IMA_APPRAISE_KEXEC)) {
> pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
> return -EACCES; /* INTEGRITY_UNKNOWN */
> }
> break;
> case LOADING_FIRMWARE:
> - if (ima_appraise & IMA_APPRAISE_FIRMWARE) {
> + if (ima_enforce && (ima_appraise & IMA_APPRAISE_FIRMWARE)) {
> pr_err("Prevent firmware sysfs fallback loading.\n");
> return -EACCES; /* INTEGRITY_UNKNOWN */
> }
> @@ -526,7 +530,8 @@ int ima_load_data(enum kernel_load_data_id id)
> case LOADING_MODULE:
> sig_enforce = is_module_sig_enforced();
>
> - if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES)) {
> + if (ima_enforce && (!sig_enforce
> + && (ima_appraise & IMA_APPRAISE_MODULES))) {
> pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n");
> return -EACCES; /* INTEGRITY_UNKNOWN */
> }
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
next prev parent reply other threads:[~2018-09-27 11:33 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-26 12:22 [PATCH v4 0/6] Add support for architecture specific IMA policies Nayna Jain
2018-09-26 12:22 ` Nayna Jain
2018-09-26 12:22 ` [PATCH v4 1/6] x86/ima: define arch_ima_get_secureboot Nayna Jain
2018-09-26 12:22 ` Nayna Jain
2018-09-27 11:33 ` Mimi Zohar
2018-09-27 11:33 ` Mimi Zohar
2018-09-27 11:33 ` Mimi Zohar
2018-09-26 12:22 ` [PATCH v4 2/6] ima: prevent kexec_load syscall based on runtime secureboot flag Nayna Jain
2018-09-26 12:22 ` Nayna Jain
2018-09-27 11:33 ` Mimi Zohar [this message]
2018-09-27 11:33 ` Mimi Zohar
2018-09-27 11:33 ` Mimi Zohar
2018-09-26 12:22 ` [PATCH v4 3/6] ima: refactor ima_init_policy() Nayna Jain
2018-09-26 12:22 ` Nayna Jain
2018-09-27 12:16 ` Mimi Zohar
2018-09-27 12:16 ` Mimi Zohar
2018-09-27 12:16 ` Mimi Zohar
2018-09-28 0:51 ` Mimi Zohar
2018-09-28 0:51 ` Mimi Zohar
2018-09-28 0:51 ` Mimi Zohar
2018-09-26 12:22 ` [PATCH v4 4/6] ima: add support for arch specific policies Nayna Jain
2018-09-26 12:22 ` Nayna Jain
2018-09-27 13:27 ` Mimi Zohar
2018-09-27 13:27 ` Mimi Zohar
2018-09-27 13:27 ` Mimi Zohar
2018-09-26 12:22 ` [PATCH v4 5/6] ima: add support for external setting of ima_appraise Nayna Jain
2018-09-26 12:22 ` Nayna Jain
2018-09-27 13:20 ` Mimi Zohar
2018-09-27 13:20 ` Mimi Zohar
2018-09-27 13:20 ` Mimi Zohar
2018-10-05 17:44 ` Nayna Jain
2018-10-05 17:44 ` Nayna Jain
2018-09-26 12:22 ` [PATCH v4 6/6] x86/ima: define arch_get_ima_policy() for x86 Nayna Jain
2018-09-26 12:22 ` Nayna Jain
2018-09-27 13:31 ` Mimi Zohar
2018-09-27 13:31 ` Mimi Zohar
2018-09-27 13:31 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1538048015.3459.76.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dhowells@redhat.com \
--cc=jforbes@redhat.com \
--cc=kexec@lists.infradead.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nayna@linux.vnet.ibm.com \
--cc=seth.forshee@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.