From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Dave Young <dyoung@redhat.com>
Cc: linux-security-module@vger.kernel.org,
Kees Cook <keescook@chromium.org>,
fsdevel@vger.kernel.org, David Woodhouse <dwmw2@infradead.org>,
"Luis R. Rodriguez" <mcgrof@suse.com>,
Dmitry Torokhov <dmitry.torokhov@gmail.com>,
kexec@lists.infradead.org, David Howells <dhowells@redhat.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
linux-modules@vger.kernel.org
Subject: Re: [RFC PATCH v2 06/11] kexec: replace call to copy_file_from_fd() with kernel version
Date: Tue, 26 Jan 2016 11:40:41 -0500 [thread overview]
Message-ID: <1453826441.2689.8.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <20160126012031.GA3228@dhcp-128-65.nay.redhat.com>
Hi Dave,
On Tue, 2016-01-26 at 09:20 +0800, Dave Young wrote:
> Hi, Mimi
>
> On 01/25/16 at 10:04am, Mimi Zohar wrote:
> > On Mon, 2016-01-25 at 14:37 +0800, Dave Young wrote:
> > > Hi, Mimi
> > >
> > > Besides of code issues, I have several thing to be understand:
> > >
> > > What is the effect to kexec behavior with this patchset?
> > > - without IMA enabled (kconfig or kernel cmdline) it will be same as before?
> >
> > Yes, without IMA configured or an IMA policy, it is the same as before.
> >
> > > - with IMA enabled for kernel bzImage, kexec_file_load will check both ima
> > > signature and original pe file signature, those two mechanisms are
> > > somehow duplicated. I'm not sure if we need both for bzImage.
> >
> > IMA provides a uniform method of measuring and appraising all files on
> > the system, based on policy. The IMA policy could prevent the original
> > kexec syscall. On systems without MODULE_SIG_FORCE, the IMA policy
> > would require an IMA signature as well. (The current patch would
> > require both, even when MODULE_SIG_FORCE is enabled.)
>
> Hmm, enabling policy is in userspace (initramfs?) so it may not be good
> enough for secure boot case. IMA can be used as a uniform method for kexec
> kernel signature verification for !UEFI or !secure-boot case.
Normally, the kernel is booted with a builtin policy. The policy, if
it is being replaced, is normally replaced in the initramfs. This patch
set introduces the concept of a signed policy. Refer to the last 3
patches.
> >
> > The pe format is supported on x86. Why require the pe file signature
> > format on all platforms?
>
> For secure boot purpose, an uefi bootable kernel (as an uefi applicatioin)
> require it to be a pe file.
>
> But for !secure-boot it is not mandatory.
It would be more appropriate to say that "UEFI secure boot" requires a
pe file, as opposed to "secure boot" in general.
> > > Do you have a simple usage documentation about how to test it?
> >
> > The wiki[1] and ima-evm-ctl package[2] have directions for enabling
> > IMA/IMA-appraisal.
> >
> > To include just the kexec image and initramfs file hashes in the IMA
> > measurement list, create a file containing the following IMA policy
> > rules. "cat" the policy and redirect the output
> > to /sys/kernel/security/ima/policy. After loading the kexec image and
> > initramfs, the IMA measurements will be included in the measurement list
> > (/sys/kernel/security/ima/ascii_runtime_measurements)
> >
> > IMA policy:
> > measure func=KEXEC_CHECK
> > measure func=INITRAMFS_CHECK
> >
> > Appraising the kexec image and initramfs is a bit more complicated as it
> > requires creating a key, which is signed by a key on the system keyring,
> > and loading the key onto the trusted IMA keyring. To simplify testing,
> > without CONFIG_IMA_TRUSTED_KEYRING enabled, the key being loaded onto
> > the IMA keyring does not need to be signed. The evmctl man page[2]
> > contains directions for creating and loading the key onto the IMA
> > keyring.
> >
> > To appraise just the kexec image and initramfs files, add the following
> > two rules to the IMA policy and load the policy as before. (The policy
> > can only be loaded once per boot, unless IMA_WRITE_POLICY is configured.
> > With the default appraisal policy, the policy would need to signed.)
> > Sign the kexec image and initramfs with evmctl before loading them.
> >
> > # evmctl ima_sign -k <private key> -a sha256 <VM image>
> > # evmctl ima_sign -k <private key> -a sha256 <initramfs>
> >
> > IMA appraise policy:
> > appraise func=KEXEC_CHECK appraise_type=imasig
> > appraise func=INITRAMFS_CHECK appraise_type=imasig
> >
> > [1] http://sourceforge.net/p/linux-ima/wiki/Home
> > [2] http://linux-ima.sourceforge.net/evmctl.1.html
>
> Thank you, will try
>
> >
> > > > +{
> > > > + struct fd f = fdget(fd);
> > > > + int ret = -ENOEXEC;
> > >
> > > -EBADF looks better?
> >
> > Sure.
> >
> Seems you missed another comment about the policy id name?
> can the name be like below?
> KEXEC_KERNEL_CHECK
> KEXEC_INITRAMFS_CHECK
Luis suggested making the enumeration more generic, not IMA specific. I
suggested the following:
enum kernel_read_file_id {
READING_KEXEC_IMAGE = 1,
READING_KEXEC_INITRAMFS,
READING_FIRMWARE,
READING_MODULE,
READING_POLICY,
READING_MAX_ID
};
Mimi
next prev parent reply other threads:[~2016-01-26 16:40 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-18 15:11 [RFC PATCH v2 00/11] vfss: support for a common kernel file loader Mimi Zohar
2016-01-18 15:11 ` [RFC PATCH v2 01/11] ima: separate 'security.ima' reading functionality from collect Mimi Zohar
2016-01-19 20:00 ` Dmitry Kasatkin
2016-01-21 13:19 ` Mimi Zohar
2016-01-21 18:18 ` Dmitry Kasatkin
2016-01-18 15:11 ` [RFC PATCH v2 02/11] vfs: define a generic function to read a file from the kernel Mimi Zohar
2016-01-20 1:09 ` Luis R. Rodriguez
2016-01-21 13:24 ` Mimi Zohar
2016-01-18 15:11 ` [RFC PATCH v2 03/11] ima: provide buffer hash calculation function Mimi Zohar
2016-01-19 19:26 ` Dmitry Kasatkin
2016-01-21 13:18 ` Mimi Zohar
2016-01-18 15:11 ` [RFC PATCH v2 04/11] ima: calculate the hash of a buffer using aynchronous hash(ahash) Mimi Zohar
2016-01-18 15:11 ` [RFC PATCH v2 05/11] ima: define a new hook to measure and appraise a file already in memory Mimi Zohar
2016-01-18 15:11 ` [RFC PATCH v2 06/11] kexec: replace call to copy_file_from_fd() with kernel version Mimi Zohar
2016-01-20 3:22 ` Minfei Huang
2016-01-20 23:12 ` Luis R. Rodriguez
2016-01-21 0:27 ` Dmitry Torokhov
2016-01-25 6:37 ` Dave Young
2016-01-25 7:02 ` Dave Young
2016-01-25 15:04 ` Mimi Zohar
2016-01-25 20:34 ` Luis R. Rodriguez
2016-01-25 23:48 ` Mimi Zohar
2016-01-26 20:48 ` Luis R. Rodriguez
2016-01-26 1:20 ` Dave Young
2016-01-26 16:40 ` Mimi Zohar [this message]
2016-01-27 1:50 ` Dave Young
2016-01-18 15:11 ` [RFC PATCH v2 07/11] firmware: replace call to fw_read_file_contents() " Mimi Zohar
2016-01-20 0:10 ` Kees Cook
2016-01-21 12:04 ` Mimi Zohar
2016-01-20 23:39 ` Luis R. Rodriguez
2016-01-20 23:56 ` Luis R. Rodriguez
2016-01-21 12:05 ` Mimi Zohar
2016-01-21 16:49 ` Luis R. Rodriguez
2016-01-18 15:11 ` [RFC PATCH v2 08/11] module: replace copy_module_from_fd " Mimi Zohar
2016-01-21 0:03 ` Luis R. Rodriguez
2016-01-21 13:12 ` Mimi Zohar
2016-01-21 15:45 ` Paul Moore
2016-01-21 21:15 ` Mimi Zohar
2016-01-21 21:26 ` Paul Moore
2016-01-21 21:58 ` Kees Cook
2016-01-21 16:56 ` Luis R. Rodriguez
2016-01-21 20:37 ` Mimi Zohar
2016-01-18 15:11 ` [RFC PATCH v2 09/11] ima: load policy using path Mimi Zohar
2016-01-21 0:05 ` Luis R. Rodriguez
2016-01-21 13:15 ` Mimi Zohar
2016-01-23 2:59 ` Luis R. Rodriguez
2016-01-18 15:11 ` [RFC PATCH v2 10/11] ima: measure and appraise the IMA policy itself Mimi Zohar
2016-01-18 15:11 ` [RFC PATCH v2 11/11] ima: require signed IMA policy Mimi Zohar
2016-01-21 20:16 ` [RFC PATCH v2 00/11] vfss: support for a common kernel file loader Luis R. Rodriguez
2016-01-21 20:18 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1453826441.2689.8.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dmitry.torokhov@gmail.com \
--cc=dwmw2@infradead.org \
--cc=dyoung@redhat.com \
--cc=fsdevel@vger.kernel.org \
--cc=keescook@chromium.org \
--cc=kexec@lists.infradead.org \
--cc=linux-modules@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mcgrof@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).