From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Fri, 7 Apr 2017 15:41:59 +0800
From: Dave Young
To: David Howells
Cc: Mimi Zohar, linux-kernel@vger.kernel.org, Matthew Garrett, linux-efi@vger.kernel.org, gnomes@lxorguk.ukuu.org.uk, Chun-Yi Lee, gregkh@linuxfoundation.org, kexec@lists.infradead.org, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, matthew.garrett@nebula.com
Subject: Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
Message-ID: <20170407074159.GB10737@dhcp-128-65.nay.redhat.com>
References: <20170407061935.GB10100@dhcp-128-65.nay.redhat.com> <149142326734.5101.4596394505987813763.stgit@warthog.procyon.org.uk> <149142335441.5101.2294976563846442575.stgit@warthog.procyon.org.uk> <20170407030545.GA4296@dhcp-128-65.nay.redhat.com> <1491536950.4184.10.camel@linux.vnet.ibm.com> <21418.1491548875@warthog.procyon.org.uk>
In-Reply-To: <21418.1491548875@warthog.procyon.org.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.7.1 (2016-10-04)
X-Mailing-List: linux-kernel@vger.kernel.org

On 04/07/17 at 08:07am, David Howells wrote:
> Dave Young wrote:
> 
> > > > > +	/* Don't permit images to be loaded into trusted kernels if we're not
> > > > > +	 * going to verify the signature on them
> > > > > +	 */
> > > > > +	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > > > > +		return -EPERM;
> > > > > +
> > > > 
> > > 
> > > IMA can be used to verify file signatures too, based on the LSM hooks
> > > in kernel_read_file_from_fd(). CONFIG_KEXEC_VERIFY_SIG should not be
> > > required.
> > 
> > Mimi, I remember we talked about something before regarding the two signature
> > verifications. One can change the IMA policy in initramfs userspace,
> > and there is also a kernel cmdline param to disable IMA, so it can break the
> > lockdown? Suppose kexec boots with the IMA-disabled cmdline param and then
> > kexec reboots again..
> 
> I guess I should lock down the parameter to disable IMA too.

That is one thing. A user can change the IMA policy in initramfs userspace;
I'm not sure if IMA enforces a signed policy now. If not, that will also be
a problem.

Thanks
Dave
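Review bot: the quoted hunk's gate `if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())` tests only a compile-time option, so a locked-down kernel refuses every kexec_file image whenever kexec's own signature check is not built in, even if another verifier covers the load (the thread points to IMA appraisal via the LSM hooks in kernel_read_file_from_fd()); if that alternative is to count, the condition needs a runtime check rather than IS_ENABLED(), and if it is not, the comment ("if we're not going to verify the signature on them") should say that only kexec's built-in verification satisfies lockdown. The bare `return -EPERM;` also leaves no trace of why the load was refused; a one-line pr_info or audit record at that point would tell an operator that lockdown, not a broken image, rejected the load.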