Subject: Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set
From: Mimi Zohar
To: David Howells
Cc: joeyli, linux-security-module@vger.kernel.org, gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, jforbes@redhat.com, Matthew Garrett
Date: Mon, 30 Oct 2017 12:43:58 -0400
Message-Id: <1509381838.3583.134.camel@linux.vnet.ibm.com>
In-Reply-To: <32764.1509378584@warthog.procyon.org.uk>
References: <1509032805.5886.52.camel@linux.vnet.ibm.com> <20171026074243.GM8550@linux-l9pv.suse> <150842463163.7923.11081723749106843698.stgit@warthog.procyon.org.uk> <150842468754.7923.10037578333644594134.stgit@warthog.procyon.org.uk> <1508774083.3639.124.camel@linux.vnet.ibm.com> <26694.1509030144@warthog.procyon.org.uk> <32764.1509378584@warthog.procyon.org.uk>
List-ID: <linux-kernel.vger.kernel.org>

On Mon, 2017-10-30 at 15:49 +0000, David Howells wrote:
> Mimi Zohar wrote:
>
> > Huh?!  With the "secure_boot" policy enabled on the boot command line,
> > IMA-appraisal would verify the kexec kernel image, firmware, kernel
> > modules, and custom IMA policy signatures.
>
> What happens if the "secure_boot" policy isn't enabled on the boot command
> line? Can you sum up both cases in a paragraph I can add to the patch
> description?

The other patch automatically enables "secure_boot" for lockdown mode.
So there is no need to specify "secure_boot" on the boot command line.
Reordering the patches so that the other patch comes before any call to
is_ima_appraise_enabled() will simplify this patch description.

> > Other patches in this patch series need to be updated as well to check
> > if IMA-appraisal is enabled.
>
> Which exactly? I've added your "!is_ima_appraise_enabled() &&" line to
> kexec_file() and module_sig_check(). Anything else?

load_module(), which calls module_sig_check(), is called by both the old
and new kernel module syscalls.  IMA is only on the new syscall.  Did you
differentiate between the kernel module syscalls?

There don't seem to be any other patches affected.  That said, the IMA
"secure_boot" policy is more stringent than what you have without it.
For example, with the "secure_boot" policy enabled, firmware needs to be
signed as well.  At some point, we'll want to also require the initramfs
be signed as well.

Both methods work independently of each other, but there needs to be
better coordination for when both methods are enabled at the same time
(eg. are both signatures required?).

For testing purposes, you can use the same certs/signing_key to sign the
kexec image, kernel modules and firmware, by loading the signing_key on
the .ima keyring.  Using evmctl, sign the files (eg. evmctl ima_sign -a
sha256 -k certs/signing_key.pem  --imasig /boot/).

Mimi
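As an added illustration (not code from this thread or from the kernel), the following C model shows the gating logic the reply raises: a lockdown check that accepts either the kernel's own signature verification or IMA appraisal, and that treats init_module() and finit_module() differently because only the latter hands IMA a file to appraise. All type and function names here are hypothetical stand-ins for the kernel's real ones.

```c
#include <stdbool.h>
#include <stdio.h>

/* Which syscall brought the module in (hypothetical names). */
enum module_load_path {
    VIA_INIT_MODULE,   /* init_module(): image passed as a memory buffer */
    VIA_FINIT_MODULE   /* finit_module(): image passed as an open file */
};

/* Model of the policy inputs discussed in the thread. */
struct lockdown_policy {
    bool locked_down;   /* kernel is in lockdown mode */
    bool ima_appraise;  /* stands in for is_ima_appraise_enabled() */
};

/* Model of the kexec_file_load() gate: the image always arrives as a
 * file, so IMA-appraisal can cover it when enabled.
 * Returns true if the load should be refused. */
bool kexec_file_blocked(const struct lockdown_policy *p, bool kernel_sig_ok)
{
    if (!p->locked_down)
        return false;
    if (kernel_sig_ok)        /* kexec's own image signature check passed */
        return false;
    return !p->ima_appraise;  /* otherwise only IMA can vouch for the file */
}

/* Model of a module_sig_check() gate that distinguishes the two module
 * syscalls: with init_module() there is no file for IMA to appraise, so
 * an enabled IMA-appraisal must not relax the module signature check.
 * Returns true if the load should be refused. */
bool module_load_blocked(const struct lockdown_policy *p,
                         enum module_load_path path, bool module_sig_ok)
{
    if (!p->locked_down)
        return false;
    if (module_sig_ok)        /* kernel module signature verified */
        return false;
    if (path == VIA_FINIT_MODULE && p->ima_appraise)
        return false;         /* IMA appraised the file on finit_module() */
    return true;
}

int main(void)
{
    struct lockdown_policy p = { .locked_down = true, .ima_appraise = true };
    printf("finit_module, unsigned, IMA on: %s\n",
           module_load_blocked(&p, VIA_FINIT_MODULE, false) ? "blocked" : "allowed");
    printf("init_module, unsigned, IMA on: %s\n",
           module_load_blocked(&p, VIA_INIT_MODULE, false) ? "blocked" : "allowed");
    return 0;
}
```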