Subject: Re: [RFC PATCH v2 06/11] kexec: replace call to copy_file_from_fd() with kernel version
From: Mimi Zohar
To: Dave Young
Cc: linux-security-module@vger.kernel.org, Kees Cook, fsdevel@vger.kernel.org, David Woodhouse, "Luis R. Rodriguez", Dmitry Torokhov, kexec@lists.infradead.org, David Howells, Dmitry Kasatkin, linux-modules@vger.kernel.org
Date: Mon, 25 Jan 2016 10:04:18 -0500
Message-ID: <1453734258.2713.4.camel@linux.vnet.ibm.com>
In-Reply-To: <20160125063712.GC5616@dhcp-128-65.nay.redhat.com>
References: <1453129886-20192-1-git-send-email-zohar@linux.vnet.ibm.com> <1453129886-20192-7-git-send-email-zohar@linux.vnet.ibm.com> <20160125063712.GC5616@dhcp-128-65.nay.redhat.com>

On Mon, 2016-01-25 at 14:37 +0800, Dave Young wrote:
> Hi, Mimi
>
> Besides the code issues, I have several things to understand:
>
> What is the effect on kexec behavior with this patchset?
> - without IMA enabled (kconfig or kernel cmdline) it will be the same as before?

Yes, without IMA configured or an IMA policy, it is the same as before.

> - with IMA enabled for kernel bzImage, kexec_file_load will check both the IMA
>   signature and the original PE file signature; those two mechanisms are
>   somehow duplicated. I'm not sure if we need both for bzImage.

IMA provides a uniform method of measuring and appraising all files on the
system, based on policy. The IMA policy could prevent the original kexec
syscall.

On systems without MODULE_SIG_FORCE, the IMA policy would require an IMA
signature as well. (The current patch would require both, even when
MODULE_SIG_FORCE is enabled.) The PE format is supported on x86. Why require
the PE file signature format on all platforms?

> Do you have a simple usage documentation about how to test it?

The wiki[1] and ima-evm-ctl package[2] have directions for enabling
IMA/IMA-appraisal.

To include just the kexec image and initramfs file hashes in the IMA
measurement list, create a file containing the following IMA policy rules.
"cat" the policy and redirect the output to /sys/kernel/security/ima/policy.
After loading the kexec image and initramfs, the IMA measurements will be
included in the measurement list
(/sys/kernel/security/ima/ascii_runtime_measurements).

IMA policy:
measure func=KEXEC_CHECK
measure func=INITRAMFS_CHECK

Appraising the kexec image and initramfs is a bit more complicated, as it
requires creating a key, which is signed by a key on the system keyring, and
loading the key onto the trusted IMA keyring. To simplify testing, without
CONFIG_IMA_TRUSTED_KEYRING enabled, the key being loaded onto the IMA keyring
does not need to be signed. The evmctl man page[2] contains directions for
creating and loading the key onto the IMA keyring.

To appraise just the kexec image and initramfs files, add the following two
rules to the IMA policy and load the policy as before. (The policy can only
be loaded once per boot, unless IMA_WRITE_POLICY is configured. With the
default appraisal policy, the policy would need to be signed.) Sign the kexec
image and initramfs with evmctl before loading them.

# evmctl ima_sign -k -a sha256
# evmctl ima_sign -k -a sha256

IMA appraise policy:
appraise func=KEXEC_CHECK appraise_type=imasig
appraise func=INITRAMFS_CHECK appraise_type=imasig

[1] http://sourceforge.net/p/linux-ima/wiki/Home
[2] http://linux-ima.sourceforge.net/evmctl.1.html

> > +{
> > + struct fd f = fdget(fd);
> > + int ret = -ENOEXEC;
>
> -EBADF looks better?

Sure.

Mimi
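As an added example that is not part of the thread: a small set of shell helpers that emit the measure-only policy quoted in the reply, load it through the securityfs path the reply names, and check that a file was recorded in ascii_runtime_measurements. The IMA_DIR override, the function names and the sample measurement lines are constructed for illustration, and the measurement-line layout assumed is the ima-ng template.

```shell
#!/bin/sh
# Added example, not from the mail above: build the measure-only IMA policy
# from the reply, load it, and verify the kexec image and initramfs were
# measured. IMA_DIR defaults to the securityfs path named in the mail and is
# overridable so the helpers can be exercised against a constructed directory
# on a machine without an IMA-enabled kernel.
IMA_DIR="${IMA_DIR:-/sys/kernel/security/ima}"

# Print the two measure rules from the mail (kexec image and initramfs only).
ima_measure_policy() {
    printf 'measure func=KEXEC_CHECK\nmeasure func=INITRAMFS_CHECK\n'
}

# Write a policy file into the IMA policy interface. Only one load per boot
# is accepted unless IMA_WRITE_POLICY is configured, so a failure is
# reported rather than retried.
ima_load_policy() {
    policy="$1"
    if [ ! -w "$IMA_DIR/policy" ]; then
        echo "ima: $IMA_DIR/policy is not writable (root and IMA required)" >&2
        return 1
    fi
    cat "$policy" > "$IMA_DIR/policy"
}

# Look up a file in ascii_runtime_measurements. With the ima-ng template each
# line is:  <PCR> <template-hash> <template> <alg:filehash> <path>
# The path is the last field, so match on that. Prints the matching line(s)
# and returns 1 when the file was never measured.
ima_measured() {
    target="$1"
    awk -v p="$target" '$NF == p { print; found = 1 }
                        END { exit found ? 0 : 1 }' \
        "$IMA_DIR/ascii_runtime_measurements"
}

# Extract the recorded file hash (e.g. sha256:...) for a measured file,
# so it can be compared against the hash of the image that was loaded.
ima_measured_hash() {
    ima_measured "$1" | awk '{ print $(NF-1) }'
}
```

Run the helpers as root on an IMA-enabled kernel, after the kexec image and initramfs have been loaded, to confirm both files appear in the list before relying on the measurements.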