From: Matthew Garrett <matthewgarrett@google.com> To: linux-integrity@vger.kernel.org Cc: dhowells@redhat.com, zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, kexec@lists.infradead.org, dyoung@redhat.com, ebiederm@xmission.com, Matthew Garrett <matthewgarrett@google.com>, Matthew Garrett <mjg59@google.com> Subject: [RFC] kexec: Allow kexec_file() with appropriate IMA policy when locked down Date: Mon, 18 Mar 2019 12:51:39 -0700 [thread overview] Message-ID: <20190318195139.111959-1-matthewgarrett@google.com> (raw) In-Reply-To: <1552822761.8658.158.camel@linux.ibm.com> Systems in lockdown mode should block the kexec of untrusted kernels. For x86 and ARM we can ensure that a kernel is trustworthy by validating a PE signature, but this isn't possible on other architectures. On those platforms we can use IMA digital signatures instead. Add a function to determine whether IMA has or will verify signatures for a given event type, and if so permit kexec_file() even if the kernel is otherwise locked down. This is restricted to cases where CONFIG_INTEGRITY_TRUSTED_KEYRING is set in order to prevent an attacker from loading additional keys at runtime. Signed-off-by: Matthew Garrett <mjg59@google.com> --- include/linux/ima.h | 9 +++++ kernel/kexec_file.c | 9 +++-- security/integrity/ima/ima.h | 3 ++ security/integrity/ima/ima_main.c | 2 +- security/integrity/ima/ima_policy.c | 52 +++++++++++++++++++++++++++++ 5 files changed, 72 insertions(+), 3 deletions(-) diff --git a/include/linux/ima.h b/include/linux/ima.h index dc12fbcf484c..a78c04580a3c 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -132,4 +132,13 @@ static inline int ima_inode_removexattr(struct dentry *dentry, return 0; } #endif /* CONFIG_IMA_APPRAISE */ + +#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) +extern bool ima_appraise_signature(enum kernel_read_file_id func); +#else +static inline bool ima_appraise_kexec_signature(enum kernel_read_file_id func) +{ + return false; +} +#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ #endif /* _LINUX_IMA_H */ diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index 0cfe4f6f7f85..3598f93a731a 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -20,11 +20,11 @@ #include <linux/mutex.h> #include <linux/list.h> #include <linux/fs.h> -#include <linux/ima.h> #include <crypto/hash.h> #include <crypto/sha.h> #include <linux/elf.h> #include <linux/elfcore.h> +#include <linux/ima.h> #include <linux/kernel.h> #include <linux/syscalls.h> #include <linux/vmalloc.h> @@ -240,7 +240,12 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, ret = 0; - if (kernel_is_locked_down(reason)) { + /* If IMA is guaranteed to appraise a signature on the kexec + * image, permit it even if the kernel is otherwise locked + * down. + */ + if (!ima_appraise_signature(READING_KEXEC_IMAGE) && + kernel_is_locked_down(reason)) { ret = -EPERM; goto out; } diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index cc12f3449a72..93a6825bfcaf 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -20,6 +20,7 @@ #include <linux/types.h> #include <linux/crypto.h> #include <linux/fs.h> +#include <linux/ima.h> #include <linux/security.h> #include <linux/hash.h> #include <linux/tpm.h> @@ -115,6 +116,8 @@ struct ima_kexec_hdr { u64 count; }; +extern const int read_idmap[]; + #ifdef CONFIG_HAVE_IMA_KEXEC void ima_load_kexec_buffer(void); #else diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 357edd140c09..927fe889201a 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -473,7 +473,7 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) return 0; } -static const int read_idmap[READING_MAX_ID] = { +const int read_idmap[READING_MAX_ID] = { [READING_FIRMWARE] = FIRMWARE_CHECK, [READING_FIRMWARE_PREALLOC_BUFFER] = FIRMWARE_CHECK, [READING_MODULE] = MODULE_CHECK, diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 8bc8a1c8cb3f..bbd1d5b3d45a 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -21,6 +21,7 @@ #include <linux/genhd.h> #include <linux/seq_file.h> #include <linux/ima.h> +#include <linux/evm.h> #include "ima.h" @@ -1336,4 +1337,55 @@ int ima_policy_show(struct seq_file *m, void *v) seq_puts(m, "\n"); return 0; } + #endif /* CONFIG_IMA_READ_POLICY */ + +#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) +/* + * ima_appraise_signature: whether IMA will appraise a given function using + * an IMA digital signature. This is restricted to cases where the kernel + * has a set of built-in trusted keys in order to avoid an attacker simply + * loading additional keys. + */ +bool ima_appraise_signature(enum kernel_read_file_id id) +{ + struct ima_rule_entry *entry; + bool found = false; + enum ima_hooks func; + + if (id >= READING_MAX_ID) + return false; + + func = read_idmap[id] ?: FILE_CHECK; + + rcu_read_lock(); + list_for_each_entry_rcu(entry, ima_rules, list) { + if (entry->action != APPRAISE) + continue; + + /* + * A generic entry will match, but otherwise require that it + * match the func we're looking for + */ + if (entry->func && entry->func != func) + continue; + + /* + * We require this to be a digital signature, not a raw IMA + * hash. + */ + if (entry->flags & IMA_DIGSIG_REQUIRED) + found = true; + + /* + * We've found a rule that matches, so break now even if it + * didn't require a digital signature - a later rule that does + * won't override it, so would be a false positive. + */ + break; + } + + rcu_read_unlock(); + return found; +} +#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ -- 2.21.0.225.g810b269d1ac-goog
WARNING: multiple messages have this Message-ID (diff)
From: Matthew Garrett <matthewgarrett@google.com> To: linux-integrity@vger.kernel.org Cc: Matthew Garrett <matthewgarrett@google.com>, dmitry.kasatkin@gmail.com, kexec@lists.infradead.org, zohar@linux.ibm.com, dhowells@redhat.com, Matthew Garrett <mjg59@google.com>, ebiederm@xmission.com, dyoung@redhat.com Subject: [RFC] kexec: Allow kexec_file() with appropriate IMA policy when locked down Date: Mon, 18 Mar 2019 12:51:39 -0700 [thread overview] Message-ID: <20190318195139.111959-1-matthewgarrett@google.com> (raw) In-Reply-To: <1552822761.8658.158.camel@linux.ibm.com> Systems in lockdown mode should block the kexec of untrusted kernels. For x86 and ARM we can ensure that a kernel is trustworthy by validating a PE signature, but this isn't possible on other architectures. On those platforms we can use IMA digital signatures instead. Add a function to determine whether IMA has or will verify signatures for a given event type, and if so permit kexec_file() even if the kernel is otherwise locked down. This is restricted to cases where CONFIG_INTEGRITY_TRUSTED_KEYRING is set in order to prevent an attacker from loading additional keys at runtime. Signed-off-by: Matthew Garrett <mjg59@google.com> --- include/linux/ima.h | 9 +++++ kernel/kexec_file.c | 9 +++-- security/integrity/ima/ima.h | 3 ++ security/integrity/ima/ima_main.c | 2 +- security/integrity/ima/ima_policy.c | 52 +++++++++++++++++++++++++++++ 5 files changed, 72 insertions(+), 3 deletions(-) diff --git a/include/linux/ima.h b/include/linux/ima.h index dc12fbcf484c..a78c04580a3c 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -132,4 +132,13 @@ static inline int ima_inode_removexattr(struct dentry *dentry, return 0; } #endif /* CONFIG_IMA_APPRAISE */ + +#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) +extern bool ima_appraise_signature(enum kernel_read_file_id func); +#else +static inline bool ima_appraise_kexec_signature(enum kernel_read_file_id func) +{ + return false; +} +#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ #endif /* _LINUX_IMA_H */ diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index 0cfe4f6f7f85..3598f93a731a 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -20,11 +20,11 @@ #include <linux/mutex.h> #include <linux/list.h> #include <linux/fs.h> -#include <linux/ima.h> #include <crypto/hash.h> #include <crypto/sha.h> #include <linux/elf.h> #include <linux/elfcore.h> +#include <linux/ima.h> #include <linux/kernel.h> #include <linux/syscalls.h> #include <linux/vmalloc.h> @@ -240,7 +240,12 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, ret = 0; - if (kernel_is_locked_down(reason)) { + /* If IMA is guaranteed to appraise a signature on the kexec + * image, permit it even if the kernel is otherwise locked + * down. + */ + if (!ima_appraise_signature(READING_KEXEC_IMAGE) && + kernel_is_locked_down(reason)) { ret = -EPERM; goto out; } diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index cc12f3449a72..93a6825bfcaf 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -20,6 +20,7 @@ #include <linux/types.h> #include <linux/crypto.h> #include <linux/fs.h> +#include <linux/ima.h> #include <linux/security.h> #include <linux/hash.h> #include <linux/tpm.h> @@ -115,6 +116,8 @@ struct ima_kexec_hdr { u64 count; }; +extern const int read_idmap[]; + #ifdef CONFIG_HAVE_IMA_KEXEC void ima_load_kexec_buffer(void); #else diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 357edd140c09..927fe889201a 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -473,7 +473,7 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) return 0; } -static const int read_idmap[READING_MAX_ID] = { +const int read_idmap[READING_MAX_ID] = { [READING_FIRMWARE] = FIRMWARE_CHECK, [READING_FIRMWARE_PREALLOC_BUFFER] = FIRMWARE_CHECK, [READING_MODULE] = MODULE_CHECK, diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 8bc8a1c8cb3f..bbd1d5b3d45a 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -21,6 +21,7 @@ #include <linux/genhd.h> #include <linux/seq_file.h> #include <linux/ima.h> +#include <linux/evm.h> #include "ima.h" @@ -1336,4 +1337,55 @@ int ima_policy_show(struct seq_file *m, void *v) seq_puts(m, "\n"); return 0; } + #endif /* CONFIG_IMA_READ_POLICY */ + +#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) +/* + * ima_appraise_signature: whether IMA will appraise a given function using + * an IMA digital signature. This is restricted to cases where the kernel + * has a set of built-in trusted keys in order to avoid an attacker simply + * loading additional keys. + */ +bool ima_appraise_signature(enum kernel_read_file_id id) +{ + struct ima_rule_entry *entry; + bool found = false; + enum ima_hooks func; + + if (id >= READING_MAX_ID) + return false; + + func = read_idmap[id] ?: FILE_CHECK; + + rcu_read_lock(); + list_for_each_entry_rcu(entry, ima_rules, list) { + if (entry->action != APPRAISE) + continue; + + /* + * A generic entry will match, but otherwise require that it + * match the func we're looking for + */ + if (entry->func && entry->func != func) + continue; + + /* + * We require this to be a digital signature, not a raw IMA + * hash. + */ + if (entry->flags & IMA_DIGSIG_REQUIRED) + found = true; + + /* + * We've found a rule that matches, so break now even if it + * didn't require a digital signature - a later rule that does + * won't override it, so would be a false positive. + */ + break; + } + + rcu_read_unlock(); + return found; +} +#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ -- 2.21.0.225.g810b269d1ac-goog _______________________________________________ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec
next prev parent reply other threads:[~2019-03-18 19:51 UTC|newest] Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-03-12 19:57 [RFC] kexec: Allow kexec_file() with appropriate IMA policy when locked down Matthew Garrett 2019-03-13 11:58 ` Mimi Zohar 2019-03-13 20:36 ` Matthew Garrett 2019-03-13 21:29 ` Mimi Zohar 2019-03-13 21:59 ` Matthew Garrett 2019-03-14 1:08 ` Mimi Zohar 2019-03-14 21:08 ` Matthew Garrett 2019-03-14 22:31 ` Mimi Zohar 2019-03-14 22:54 ` Matthew Garrett 2019-03-14 23:58 ` Mimi Zohar 2019-03-15 22:03 ` Matthew Garrett 2019-03-17 11:39 ` Mimi Zohar 2019-03-17 11:39 ` Mimi Zohar 2019-03-18 19:51 ` Matthew Garrett [this message] 2019-03-18 19:51 ` Matthew Garrett
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20190318195139.111959-1-matthewgarrett@google.com \ --to=matthewgarrett@google.com \ --cc=dhowells@redhat.com \ --cc=dmitry.kasatkin@gmail.com \ --cc=dyoung@redhat.com \ --cc=ebiederm@xmission.com \ --cc=kexec@lists.infradead.org \ --cc=linux-integrity@vger.kernel.org \ --cc=mjg59@google.com \ --cc=zohar@linux.ibm.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.