linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Nayna <nayna@linux.vnet.ibm.com>
To: Eric Snowberg <eric.snowberg@oracle.com>,
	dmitry.kasatkin@gmail.com, jmorris@namei.org, serge@hallyn.com
Cc: zohar@linux.ibm.com, dhowells@redhat.com, geert@linux-m68k.org,
	gregkh@linuxfoundation.org, nayna@linux.ibm.com,
	tglx@linutronix.de, bauerman@linux.ibm.com, mpe@ellerman.id.au,
	linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support
Date: Thu, 6 Feb 2020 15:22:04 -0500	[thread overview]
Message-ID: <5c246616-9a3a-3ed2-c1f9-f634cef511c9@linux.vnet.ibm.com> (raw)
In-Reply-To: <20200206164226.24875-1-eric.snowberg@oracle.com>


On 2/6/20 11:42 AM, Eric Snowberg wrote:
> When booting with either "ima_policy=secure_boot module.sig_enforce=1"
> or building a kernel with CONFIG_IMA_ARCH_POLICY and booting with
> "ima_policy=secure_boot", module loading behaves differently based on if
> the module is compressed or not.  Originally when appraising a module
> with ima it had to be uncompressed and ima signed.  Recent changes in 5.4
> have allowed internally signed modules to load [1].  But this only works
> if the internally signed module is compressed.  The uncompressed module
> that is internally signed must still be ima signed. This patch series
> tries to bring the two in line.

We (Mimi and I) have been trying to understand the cover letter. It 
seems "by internally signed" you are referring to modules signed with 
build time generated keys.

Our interpretation of the cover letter is that IMA originally did not 
support appended signatures and now does. Since the modules are signed 
with build time generated keys, the signature verification still fails, 
as the keys are only available on the .builtin keyring and not the .ima 
keyring.

Lastly, there is nothing in these patches that indicate that the kernel 
modules being compressed/uncompressed is related to the signature 
verification.

Thanks & Regards,

      - Nayna


  parent reply	other threads:[~2020-02-06 20:25 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-02-06 16:42 [RFC PATCH 0/2] ima: uncompressed module appraisal support Eric Snowberg
2020-02-06 16:42 ` [RFC PATCH 1/2] ima: Implement support for uncompressed module appended signatures Eric Snowberg
2020-02-06 17:07   ` Lakshmi Ramasubramanian
2020-02-06 17:30     ` Eric Snowberg
2020-02-06 18:05   ` Mimi Zohar
2020-02-06 19:01     ` Eric Snowberg
2020-02-06 19:10       ` Mimi Zohar
2020-02-06 16:42 ` [RFC PATCH 2/2] ima: Change default secure_boot policy to include " Eric Snowberg
2020-02-06 20:22 ` Nayna [this message]
2020-02-06 21:40   ` [RFC PATCH 0/2] ima: uncompressed module appraisal support Eric Snowberg
2020-02-07 14:51     ` Mimi Zohar
2020-02-07 16:57       ` Eric Snowberg
2020-02-07 17:40         ` Mimi Zohar
2020-02-07 17:49           ` Eric Snowberg
2020-02-07 18:28             ` Mimi Zohar
2020-02-07 18:45               ` Eric Snowberg
2020-02-07 18:54                 ` Mimi Zohar
2020-02-07 21:38                   ` Eric Snowberg
2020-02-08 23:43                     ` Mimi Zohar
2020-02-10 16:34                       ` Eric Snowberg
2020-02-10 17:09                         ` Mimi Zohar
2020-02-10 19:24                           ` Eric Snowberg
2020-02-10 20:33                             ` Mimi Zohar
2020-02-11 17:33                               ` Eric Snowberg
2020-02-12 14:04                                 ` Nayna
2020-02-13 15:32                                   ` Eric Snowberg

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5c246616-9a3a-3ed2-c1f9-f634cef511c9@linux.vnet.ibm.com \
    --to=nayna@linux.vnet.ibm.com \
    --cc=bauerman@linux.ibm.com \
    --cc=dhowells@redhat.com \
    --cc=dmitry.kasatkin@gmail.com \
    --cc=eric.snowberg@oracle.com \
    --cc=geert@linux-m68k.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=jmorris@namei.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mpe@ellerman.id.au \
    --cc=nayna@linux.ibm.com \
    --cc=serge@hallyn.com \
    --cc=tglx@linutronix.de \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).