Re: [RFC] kexec: Allow kexec_file() with appropriate IMA policy when locked down

From: Mimi Zohar <zohar@linux.ibm.com>
To: Matthew Garrett <mjg59@google.com>
Cc: linux-integrity <linux-integrity@vger.kernel.org>,
	David Howells <dhowells@redhat.com>,
	Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Subject: Re: [RFC] kexec: Allow kexec_file() with appropriate IMA policy when locked down
Date: Wed, 13 Mar 2019 17:29:16 -0400	[thread overview]
Message-ID: <1552512556.24794.229.camel@linux.ibm.com> (raw)
In-Reply-To: <CACdnJuvThFMhGtKT9PYSH-jZD69CBktQNiJmCc=d4PFRbzQvGw@mail.gmail.com>

On Wed, 2019-03-13 at 13:36 -0700, Matthew Garrett wrote:
> On Wed, Mar 13, 2019 at 4:58 AM Mimi Zohar <zohar@linux.ibm.com> wrote:
> >
> > On Tue, 2019-03-12 at 12:57 -0700, Matthew Garrett wrote:
> > > Systems in lockdown mode should block the kexec of untrusted kernels.
> > > For x86 and ARM we can ensure that a kernel is trustworthy by validating
> > > a PE signature, but this isn't possible on other architectures. On those
> > > platforms we can use IMA instead, either with native IMA digital
> > > signatures or EVM-protected IMA hashes. Add a function to determine
> > > whether IMA will verify signatures on kexec files, and if so permit
> > > kexec_file() even if the kernel is otherwise locked down. This is
> > > restricted to cases where CONFIG_INTEGRITY_TRUSTED_KEYRING is set in
> > > order to prevent an attacker from loading additional keys at runtime.
> >
> > Thank you for working on this!  With the changes suggested below, it
> > might work.  :)
> 
> Ok, I'll incorporate them - just one question:
> 
> > > +bool evm_key_loaded(void)
> > >  {
> > >       return (bool)(evm_initialized & EVM_KEY_MASK);
> > >  }
> >
> > This might be sufficient for your environment, but in general it
> > isn't.
> 
> Oh hm. The only case I can see where this isn't sufficient is if the
> filesystem returns EOPNOTSUPP for the EVM xattr, but in that case we
> should already have failed to get the IMA xattr and will fail
> appraisal as a result?

The evm_initialized flag is an indication that EVM has been
initialized on the system.  Both hmac and signatures could be
supported.  Even checking for EVM_INIT_X509 doesn't provide any
guarantees that the particular file has an EVM signature.

(The hmac can be updated (eg. change in security xattrs,
remove/additional of protected xattr), so we can't rely on them.)

> 
> > > +#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
> >
> > With these defines, the function isn't limited to just "lockdown".
> >  Either fix the defines or the patch description.
> 
> The function will be called even when lockdown isn't enabled, but it
> won't have any impact on the logic flow.

Ok, so inverting the test order should prevent unnecessarily calling
ima_apprase_kexec_signature().

+               if (!ima_appraise_kexec_signature() &&
+                   kernel_is_locked_down(reason)) {

Mimi