From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753264AbdDGGTz (ORCPT ); Fri, 7 Apr 2017 02:19:55 -0400 Received: from mx1.redhat.com ([209.132.183.28]:46160 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752169AbdDGGTq (ORCPT ); Fri, 7 Apr 2017 02:19:46 -0400 DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com D0CA99D0C6 Authentication-Results: ext-mx10.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx10.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=dyoung@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com D0CA99D0C6 Date: Fri, 7 Apr 2017 14:19:35 +0800 From: Dave Young To: Mimi Zohar Cc: David Howells , linux-kernel@vger.kernel.org, Matthew Garrett , linux-efi@vger.kernel.org, gnomes@lxorguk.ukuu.org.uk, Chun-Yi Lee , gregkh@linuxfoundation.org, kexec@lists.infradead.org, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, matthew.garrett@nebula.com Subject: Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set Message-ID: <20170407061935.GB10100@dhcp-128-65.nay.redhat.com> References: <149142326734.5101.4596394505987813763.stgit@warthog.procyon.org.uk> <149142335441.5101.2294976563846442575.stgit@warthog.procyon.org.uk> <20170407030545.GA4296@dhcp-128-65.nay.redhat.com> <1491536950.4184.10.camel@linux.vnet.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <1491536950.4184.10.camel@linux.vnet.ibm.com> User-Agent: Mutt/1.7.1 (2016-10-04) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Fri, 07 Apr 2017 06:19:46 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 04/06/17 at 11:49pm, Mimi Zohar wrote: > On Fri, 2017-04-07 at 11:05 +0800, Dave Young wrote: > > On 04/05/17 at 09:15pm, David Howells wrote: > > > From: Chun-Yi Lee > > > > > > When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image > > > through kexec_file systemcall if securelevel has been set. > > > > > > This code was showed in Matthew's patch but not in git: > > > https://lkml.org/lkml/2015/3/13/778 > > > > > > Cc: Matthew Garrett > > > Signed-off-by: Chun-Yi Lee > > > Signed-off-by: David Howells > > > cc: kexec@lists.infradead.org > > > --- > > > > > > kernel/kexec_file.c | 6 ++++++ > > > 1 file changed, 6 insertions(+) > > > > > > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c > > > index b118735fea9d..f6937eecd1eb 100644 > > > --- a/kernel/kexec_file.c > > > +++ b/kernel/kexec_file.c > > > @@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd, > > > if (!capable(CAP_SYS_BOOT) || kexec_load_disabled) > > > return -EPERM; > > > > > > + /* Don't permit images to be loaded into trusted kernels if we're not > > > + * going to verify the signature on them > > > + */ > > > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down()) > > > + return -EPERM; > > > + > > > > > IMA can be used to verify file signatures too, based on the LSM hooks > in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be > required. Mimi, I remember we talked somthing before about the two signature verification. One can change IMA policy in initramfs userspace, also there are kernel cmdline param to disable IMA, so it can break the lockdown? Suppose kexec boot with ima disabled cmdline param and then kexec reboot again.. > > Mimi > > > > /* Make sure we have a legal set of flags */ > > > if (flags != (flags & KEXEC_FILE_FLAGS)) > > > return -EINVAL; > > > > > > > > > _______________________________________________ > > > kexec mailing list > > > kexec@lists.infradead.org > > > http://lists.infradead.org/mailman/listinfo/kexec > > > > Acked-by: Dave Young > > > > Thanks > > Dave > > -- > > To unsubscribe from this list: send the line "unsubscribe linux-security-module" in > > the body of a message to majordomo@vger.kernel.org > > More majordomo info at http://vger.kernel.org/majordomo-info.html > > >