* [PATCH] lockdown: Fix kexec lockdown bypass with ima policy
@ 2022-07-19 17:16 Eric Snowberg
2022-07-19 17:38 ` John Haxby
2022-07-20 14:24 ` Greg KH
0 siblings, 2 replies; 3+ messages in thread
From: Eric Snowberg @ 2022-07-19 17:16 UTC (permalink / raw)
To: linux-integrity
Cc: zohar, dmitry.kasatkin, jmorris, serge, matthewgarrett,
linux-security-module, linux-kernel, stable, eric.snowberg
The lockdown LSM is primarily used in conjunction with UEFI Secure Boot.
This LSM may also be used on machines without UEFI. It can also be enabled
when UEFI Secure Boot is disabled. One of lockdown's features is to prevent
kexec from loading untrusted kernels. Lockdown can be enabled through a
bootparam or after the kernel has booted through securityfs.
If IMA appraisal is used with the "ima_appraise=log" boot param,
lockdown can be defeated with kexec on any machine when Secure Boot is
disabled or unavailable. IMA prevents setting "ima_appraise=log"
from the boot param when Secure Boot is enabled, but this does not cover
cases where lockdown is used without Secure Boot.
To defeat lockdown, boot without Secure Boot and add ima_appraise=log
to the kernel command line; then:
$ echo "integrity" > /sys/kernel/security/lockdown
$ echo "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig" > \
/sys/kernel/security/ima/policy
$ kexec -ls unsigned-kernel
Add a call to verify ima appraisal is set to "enforce" whenever lockdown
is enabled. This fixes CVE-2022-21505.
Fixes: 29d3c1c8dfe7 ("kexec: Allow kexec_file() with appropriate IMA policy when locked down")
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
---
security/integrity/ima/ima_policy.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 73917413365b..a8802b8da946 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -2247,6 +2247,10 @@ bool ima_appraise_signature(enum kernel_read_file_id id)
if (id >= READING_MAX_ID)
return false;
+ if (id == READING_KEXEC_IMAGE && !(ima_appraise & IMA_APPRAISE_ENFORCE)
+ && security_locked_down(LOCKDOWN_KEXEC))
+ return false;
+
func = read_idmap[id] ?: FILE_CHECK;
rcu_read_lock();
--
2.27.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] lockdown: Fix kexec lockdown bypass with ima policy
2022-07-19 17:16 [PATCH] lockdown: Fix kexec lockdown bypass with ima policy Eric Snowberg
@ 2022-07-19 17:38 ` John Haxby
2022-07-20 14:24 ` Greg KH
1 sibling, 0 replies; 3+ messages in thread
From: John Haxby @ 2022-07-19 17:38 UTC (permalink / raw)
To: Eric Snowberg
Cc: linux-integrity, zohar, dmitry.kasatkin, jmorris, serge,
matthewgarrett, linux-security-module, linux-kernel, stable
[-- Attachment #1: Type: text/plain, Size: 2193 bytes --]
> On 19 Jul 2022, at 18:16, Eric Snowberg <eric.snowberg@oracle.com> wrote:
>
> The lockdown LSM is primarily used in conjunction with UEFI Secure Boot.
> This LSM may also be used on machines without UEFI. It can also be enabled
> when UEFI Secure Boot is disabled. One of lockdown's features is to prevent
> kexec from loading untrusted kernels. Lockdown can be enabled through a
> bootparam or after the kernel has booted through securityfs.
>
> If IMA appraisal is used with the "ima_appraise=log" boot param,
> lockdown can be defeated with kexec on any machine when Secure Boot is
> disabled or unavailable. IMA prevents setting "ima_appraise=log"
> from the boot param when Secure Boot is enabled, but this does not cover
> cases where lockdown is used without Secure Boot.
>
> To defeat lockdown, boot without Secure Boot and add ima_appraise=log
> to the kernel command line; then:
>
> $ echo "integrity" > /sys/kernel/security/lockdown
> $ echo "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig" > \
> /sys/kernel/security/ima/policy
> $ kexec -ls unsigned-kernel
>
> Add a call to verify ima appraisal is set to "enforce" whenever lockdown
> is enabled. This fixes CVE-2022-21505.
>
> Fixes: 29d3c1c8dfe7 ("kexec: Allow kexec_file() with appropriate IMA policy when locked down")
> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
> Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: John Haxby <john.haxby@oracle.com>
> ---
> security/integrity/ima/ima_policy.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 73917413365b..a8802b8da946 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -2247,6 +2247,10 @@ bool ima_appraise_signature(enum kernel_read_file_id id)
> if (id >= READING_MAX_ID)
> return false;
>
> + if (id == READING_KEXEC_IMAGE && !(ima_appraise & IMA_APPRAISE_ENFORCE)
> + && security_locked_down(LOCKDOWN_KEXEC))
> + return false;
> +
> func = read_idmap[id] ?: FILE_CHECK;
>
> rcu_read_lock();
> --
> 2.27.0
>
>
[-- Attachment #2: Message signed with OpenPGP --]
[-- Type: application/pgp-signature, Size: 268 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] lockdown: Fix kexec lockdown bypass with ima policy
2022-07-19 17:16 [PATCH] lockdown: Fix kexec lockdown bypass with ima policy Eric Snowberg
2022-07-19 17:38 ` John Haxby
@ 2022-07-20 14:24 ` Greg KH
1 sibling, 0 replies; 3+ messages in thread
From: Greg KH @ 2022-07-20 14:24 UTC (permalink / raw)
To: Eric Snowberg
Cc: linux-integrity, zohar, dmitry.kasatkin, jmorris, serge,
matthewgarrett, linux-security-module, linux-kernel, stable
On Tue, Jul 19, 2022 at 01:16:47PM -0400, Eric Snowberg wrote:
> The lockdown LSM is primarily used in conjunction with UEFI Secure Boot.
> This LSM may also be used on machines without UEFI. It can also be enabled
> when UEFI Secure Boot is disabled. One of lockdown's features is to prevent
> kexec from loading untrusted kernels. Lockdown can be enabled through a
> bootparam or after the kernel has booted through securityfs.
>
> If IMA appraisal is used with the "ima_appraise=log" boot param,
> lockdown can be defeated with kexec on any machine when Secure Boot is
> disabled or unavailable. IMA prevents setting "ima_appraise=log"
> from the boot param when Secure Boot is enabled, but this does not cover
> cases where lockdown is used without Secure Boot.
>
> To defeat lockdown, boot without Secure Boot and add ima_appraise=log
> to the kernel command line; then:
>
> $ echo "integrity" > /sys/kernel/security/lockdown
> $ echo "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig" > \
> /sys/kernel/security/ima/policy
> $ kexec -ls unsigned-kernel
>
> Add a call to verify ima appraisal is set to "enforce" whenever lockdown
> is enabled. This fixes CVE-2022-21505.
>
> Fixes: 29d3c1c8dfe7 ("kexec: Allow kexec_file() with appropriate IMA policy when locked down")
> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
> Acked-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> security/integrity/ima/ima_policy.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 73917413365b..a8802b8da946 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -2247,6 +2247,10 @@ bool ima_appraise_signature(enum kernel_read_file_id id)
> if (id >= READING_MAX_ID)
> return false;
>
> + if (id == READING_KEXEC_IMAGE && !(ima_appraise & IMA_APPRAISE_ENFORCE)
> + && security_locked_down(LOCKDOWN_KEXEC))
> + return false;
> +
> func = read_idmap[id] ?: FILE_CHECK;
>
> rcu_read_lock();
> --
> 2.27.0
>
<formletter>
This is not the correct way to submit patches for inclusion in the
stable kernel tree. Please read:
https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
for how to do this properly.
</formletter>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-07-20 14:24 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-07-19 17:16 [PATCH] lockdown: Fix kexec lockdown bypass with ima policy Eric Snowberg
2022-07-19 17:38 ` John Haxby
2022-07-20 14:24 ` Greg KH
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).