From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-0.7 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C1A93C48BD9 for ; Thu, 27 Jun 2019 04:59:36 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 9980A2189F for ; Thu, 27 Jun 2019 04:59:36 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727124AbfF0E7f (ORCPT ); Thu, 27 Jun 2019 00:59:35 -0400 Received: from namei.org ([65.99.196.166]:48942 "EHLO namei.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725385AbfF0E7f (ORCPT ); Thu, 27 Jun 2019 00:59:35 -0400 Received: from localhost (localhost [127.0.0.1]) by namei.org (8.14.4/8.14.4) with ESMTP id x5R4x9Cl020018; Thu, 27 Jun 2019 04:59:09 GMT Date: Thu, 27 Jun 2019 14:59:09 +1000 (AEST) From: James Morris To: Matthew Garrett cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Jiri Bohac , David Howells , Matthew Garrett , kexec@lists.infradead.org Subject: Re: [PATCH V34 09/29] kexec_file: Restrict at runtime if the kernel is locked down In-Reply-To: <20190622000358.19895-10-matthewgarrett@google.com> Message-ID: References: <20190622000358.19895-1-matthewgarrett@google.com> <20190622000358.19895-10-matthewgarrett@google.com> User-Agent: Alpine 2.21 (LRH 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 21 Jun 2019, Matthew Garrett wrote: > From: Jiri Bohac > > When KEXEC_SIG is not enabled, kernel should not load images through > kexec_file systemcall if the kernel is locked down. This is not a criticism of the patch but a related issue which I haven't seen discussed (apologies if it has). If signed code is loaded into ring 0, verified by the kernel, then executed, you still lose your secure/trusted/verified boot state. If the currently running kernel has been runtime-compromised, any signature verification performed by the kernel cannot be trusted. This problem is out of scope for the lockdown threat model (which naturally cannot include a compromised kernel), but folk should be aware that signature-verified kexec does not provide equivalent assurance to a full reboot on a secure-boot system. Potential mitigations here include runtime integrity verification of the kernel via a separate security monitor (hypervisor, SMM, TEE etc.) or some kind of platform support for kexec verification. -- James Morris From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from namei.org ([65.99.196.166]) by casper.infradead.org with esmtps (Exim 4.92 #3 (Red Hat Linux)) id 1hgMVG-0006Wi-27 for kexec@lists.infradead.org; Thu, 27 Jun 2019 04:59:24 +0000 Date: Thu, 27 Jun 2019 14:59:09 +1000 (AEST) From: James Morris Subject: Re: [PATCH V34 09/29] kexec_file: Restrict at runtime if the kernel is locked down In-Reply-To: <20190622000358.19895-10-matthewgarrett@google.com> Message-ID: References: <20190622000358.19895-1-matthewgarrett@google.com> <20190622000358.19895-10-matthewgarrett@google.com> MIME-Version: 1.0 List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "kexec" Errors-To: kexec-bounces+dwmw2=infradead.org@lists.infradead.org To: Matthew Garrett Cc: Jiri Bohac , linux-api@vger.kernel.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, Matthew Garrett , David Howells , linux-security-module@vger.kernel.org On Fri, 21 Jun 2019, Matthew Garrett wrote: > From: Jiri Bohac > > When KEXEC_SIG is not enabled, kernel should not load images through > kexec_file systemcall if the kernel is locked down. This is not a criticism of the patch but a related issue which I haven't seen discussed (apologies if it has). If signed code is loaded into ring 0, verified by the kernel, then executed, you still lose your secure/trusted/verified boot state. If the currently running kernel has been runtime-compromised, any signature verification performed by the kernel cannot be trusted. This problem is out of scope for the lockdown threat model (which naturally cannot include a compromised kernel), but folk should be aware that signature-verified kexec does not provide equivalent assurance to a full reboot on a secure-boot system. Potential mitigations here include runtime integrity verification of the kernel via a separate security monitor (hypervisor, SMM, TEE etc.) or some kind of platform support for kexec verification. -- James Morris _______________________________________________ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec