linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Luis Chamberlain <mcgrof@kernel.org>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, Jessica Yu <jeyu@kernel.org>,
	David Howells <dhowells@redhat.com>,
	Seth Forshee <seth.forshee@canonical.com>,
	Justin Forbes <jforbes@redhat.com>,
	Matthew Garrett <mjg59@google.com>
Subject: Re: [PATCH] x86/ima: require signed kernel modules
Date: Mon, 4 Feb 2019 14:30:26 -0800	[thread overview]
Message-ID: <20190204223026.GR11489@garbanzo.do-not-panic.com> (raw)
In-Reply-To: <1549317910.4146.124.camel@linux.ibm.com>

On Mon, Feb 04, 2019 at 05:05:10PM -0500, Mimi Zohar wrote:
> On Mon, 2019-02-04 at 12:38 -0800, Luis Chamberlain wrote:
> > On Thu, Jan 31, 2019 at 02:18:59PM -0500, Mimi Zohar wrote:
> > > diff --git a/kernel/module.c b/kernel/module.c
> > > index 2ad1b5239910..70a9709d19eb 100644
> > > --- a/kernel/module.c
> > > +++ b/kernel/module.c
> > > @@ -275,16 +275,23 @@ static void module_assert_mutex_or_preempt(void)
> > >  
> > >  static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
> > >  module_param(sig_enforce, bool_enable_only, 0644);
> > > +static bool sig_required;
> > >  
> > >  /*
> > >   * Export sig_enforce kernel cmdline parameter to allow other subsystems rely
> > >   * on that instead of directly to CONFIG_MODULE_SIG_FORCE config.
> > 
> > But the docs were't updated.
> 
> Neither "CONFIG_MODULE_SIG_FORCE" nor "module.sig_enforce" has
> changed.  Which docs are you referring to? 

You renamed is_module_sig_enforced() to is_module_sig_enforced_or_required()
and left the above doc which only justifies the enforced path.

> > >   */
> > > -bool is_module_sig_enforced(void)
> > > +bool is_module_sig_enforced_or_required(void)
> > >  {
> > > -	return sig_enforce;
> > > +	return sig_enforce || sig_required;
> > >  }
> > > -EXPORT_SYMBOL(is_module_sig_enforced);
> > > +EXPORT_SYMBOL(is_module_sig_enforced_or_required);
> > 
> > Meh, this is getting sloppy, the module signing infrastructure should
> > just be LSM'ified now that we have stacked LSMs. That would
> > compartamentaliz that code and make this much easier to read / understand
> > and mantain.
> > 
> > Can you take a look at doing it that way instead?
> 
> This patch is about coordinating the existing methods of verifying
> kernel module signatures.

I understand.

> > 
> > >  /* Block module loading/unloading? */
> > >  int modules_disabled = 0;
> > > @@ -2789,7 +2796,7 @@ static int module_sig_check(struct load_info *info, int flags)
> > >  	}
> > >  
> > >  	/* Not having a signature is only an error if we're strict. */
> > > -	if (err == -ENOKEY && !is_module_sig_enforced())
> > > +	if (err == -ENOKEY && !is_module_sig_enforced_or_required())
> > 
> > This is where I think a proper LSM hook would make sense. I think
> > that these "questions" model for signing don't work well on the LSM
> > hook model, perhaps just:
> > 
> > kernel_module_signed()
> > 
> > Suffices, therefore if not enforced or required its signed. If its
> > enforced or required and really signed, then it signed.
> > 
> > >  		err = 0;
> > >  
> > >  	return err;
> > > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> > > index 357edd140c09..bbaf87f688be 100644
> > > --- a/security/integrity/ima/ima_main.c
> > > +++ b/security/integrity/ima/ima_main.c
> > > @@ -563,7 +563,7 @@ int ima_load_data(enum kernel_load_data_id id)
> > >  		}
> > >  		break;
> > >  	case LOADING_MODULE:
> > > -		sig_enforce = is_module_sig_enforced();
> > > +		sig_enforce = is_module_sig_enforced_or_required();
> > 
> > Yet another user.
> > 
> > >  		if (ima_enforce && (!sig_enforce
> > >  				    && (ima_appraise & IMA_APPRAISE_MODULES))) {
> > > -- 
> > > 2.7.5
> > 
> > Plus I think LSM'ifying module signing may help cleaning up some of the
> > #ifdery and config options around module signing. I'm suggestin this now 
> > as this has been on my mental TODO list for a while, and just not sure
> > when we'd get to it, if not you, not sure when it'd get done.
> > 
> > Then, do we have proper unit tests for the mixture of options to ensure
> > we can easily ensure we don't regress?
> > 
> 
> There are already two methods  - appended signatures and IMA xattrs -
> for validating kernel modules.
> 
> Kernel modules shouldn't be treated any differently than any other
> file.

The good 'ol kernel module signing code *does* treat it as such.

> Based on the IMA policy, the kernel module signature can be
> verified.  Also based on the IMA policy, the file hash added to the
> measurement list, and the file hash used to extend the TPM PCR.
>  Lastly, based on policy the file hash can be added to the audit log.

Sure...

> I don't see a need for an additional LSM just for verifying kernel
> module signatures.

But it is one, module signing was just spawned pre the boom of LSMs.

I do believe that treating the code as such would help with its reading
and long term maintenance.

Anyway, I had to try to convince you.

 Luis

  reply	other threads:[~2019-02-04 22:30 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-01-31 19:18 [PATCH] ima: requiring signed kernel modules Mimi Zohar
2019-01-31 19:18 ` [PATCH] x86/ima: require " Mimi Zohar
2019-02-04 20:38   ` Luis Chamberlain
2019-02-04 22:05     ` Mimi Zohar
2019-02-04 22:30       ` Luis Chamberlain [this message]
2019-02-05 12:24         ` Mimi Zohar
2019-02-05 21:13           ` Luis Chamberlain
2019-02-05 23:13             ` Mimi Zohar
2019-02-05 15:18   ` Seth Forshee
2019-02-05 16:47     ` Mimi Zohar
2019-02-05 18:32       ` Seth Forshee
2019-02-05 18:52         ` Mimi Zohar
2019-02-08 19:21           ` Seth Forshee
2019-02-10 15:39             ` Mimi Zohar
2019-02-05 16:10   ` Nayna
2019-02-11 15:56   ` Jessica Yu
2019-02-11 16:19     ` Mimi Zohar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190204223026.GR11489@garbanzo.do-not-panic.com \
    --to=mcgrof@kernel.org \
    --cc=dhowells@redhat.com \
    --cc=jeyu@kernel.org \
    --cc=jforbes@redhat.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mjg59@google.com \
    --cc=seth.forshee@canonical.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).