Subject: Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
From: Mimi Zohar
To: Dave Young, David Howells
Cc: linux-kernel@vger.kernel.org, Matthew Garrett, linux-efi@vger.kernel.org, gnomes@lxorguk.ukuu.org.uk, Chun-Yi Lee, gregkh@linuxfoundation.org, kexec@lists.infradead.org, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, matthew.garrett@nebula.com
Date: Fri, 07 Apr 2017 04:28:08 -0400
Message-Id: <1491553688.4184.73.camel@linux.vnet.ibm.com>
In-Reply-To: <20170407074159.GB10737@dhcp-128-65.nay.redhat.com>
References: <20170407061935.GB10100@dhcp-128-65.nay.redhat.com> <149142326734.5101.4596394505987813763.stgit@warthog.procyon.org.uk> <149142335441.5101.2294976563846442575.stgit@warthog.procyon.org.uk> <20170407030545.GA4296@dhcp-128-65.nay.redhat.com> <1491536950.4184.10.camel@linux.vnet.ibm.com> <21418.1491548875@warthog.procyon.org.uk> <20170407074159.GB10737@dhcp-128-65.nay.redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 2017-04-07 at 15:41 +0800, Dave Young wrote:
> On 04/07/17 at 08:07am, David Howells wrote:
> > Dave Young wrote:
> > 
> > > > > > + /* Don't permit images to be loaded into trusted kernels if we're not
> > > > > > + * going to verify the signature on them
> > > > > > + */
> > > > > > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > > > > > + return -EPERM;
> > > > > > +
> > > > > > 
> > > > 
> > > > IMA can be used to verify file signatures too, based on the LSM hooks
> > > > in kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> > > > required.
> > > 
> > > Mimi, I remember we talked something before about the two signature
> > > verification. One can change IMA policy in initramfs userspace,
> > > also there are kernel cmdline param to disable IMA, so it can break the
> > > lockdown? Suppose kexec boot with ima disabled cmdline param and then
> > > kexec reboot again..
> > 
> > I guess I should lock down the parameter to disable IMA too.
> > 
> That is one thing, user can change IMA policy in initramfs userspace,
> I'm not sure if IMA enforces the signed policy now, if no it will be also
> a problem.

I'm not sure how this relates to the question of whether IMA verifies the
kexec kernel image signature, as the test would not be based on a Kconfig
option, but on a runtime variable.

To answer your question, the rule for requiring the policy to be signed is:

  appraise func=POLICY_CHECK appraise_type=imasig

When the ability to append rules is Kconfig enabled, the builtin policy
requires the new policy or additional rules to be signed.  Unfortunately,
always requiring the policy to be signed would have broken userspace.

Mimi
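Review bot: the quoted hunk gates the lockdown refusal on IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG), which is a compile-time test, so a locked-down kernel that relies on IMA to appraise the kexec image (through the LSM hooks in kernel_read_file_from_fd(), as pointed out in the thread) is refused even though the image would be signature-checked; the condition should reflect at runtime whether the image is actually going to be verified (by either mechanism) rather than the Kconfig symbol alone. As a style point, the block comment opens with text on the `/*` line (`+ /* Don't permit images to be loaded into trusted kernels if we're not`); kernel style puts `/*` on its own line.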
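To make the runtime-policy side of this concrete, here is an added example (not from the thread and not the kernel's own code) of an IMA policy that appraises signatures on kexec kernel images and initramfs via the KEXEC_KERNEL_CHECK and KEXEC_INITRAMFS_CHECK hooks, ends with the POLICY_CHECK rule quoted above so that any later policy update must itself be signed, and the steps to sign and load it. The policy file path, the signing key path, and the presence of ima-evm-utils (evmctl) are assumptions; the rule syntax is the kernel's documented IMA policy syntax.

```shell
#!/bin/sh
# Added example, not part of the original thread: build, sign and load an
# IMA policy that signature-appraises kexec_file_load() images and then
# requires further policy updates to be signed.
#
# Assumed (constructed) paths; adjust for the target system.
POLICY_FILE="${POLICY_FILE:-/etc/ima/ima-policy}"        # assumed path
IMA_KEY="${IMA_KEY:-/etc/keys/ima_privkey.pem}"         # assumed signing key
IMA_SECURITYFS="${IMA_SECURITYFS:-/sys/kernel/security/ima}"

# Emit the policy rules. IMA matches the first rule that fits a hook, so
# measurement and appraisal rules for one hook are listed together.
ima_policy_text() {
    cat <<'EOF'
# Kernel image handed to kexec_file_load(): measure it and require a
# valid IMA signature (checked via the hooks in kernel_read_file_from_fd)
measure func=KEXEC_KERNEL_CHECK
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig
# Same for the initramfs passed with it
measure func=KEXEC_INITRAMFS_CHECK
appraise func=KEXEC_INITRAMFS_CHECK appraise_type=imasig
# Any replacement policy or appended rule must carry a valid IMA signature
appraise func=POLICY_CHECK appraise_type=imasig
EOF
}

# Exit 0 if policy file $1 has an appraise rule for hook $2 that demands
# an IMA signature, i.e. that hook is signature-appraised at runtime.
policy_appraises_with_sig() {
    grep -E '^appraise[[:space:]]' "$1" \
        | grep -E "func=$2([[:space:]]|\$)" \
        | grep -q 'appraise_type=imasig'
}

# Sign the policy (evmctl stores the signature in security.ima) and hand
# the pathname to IMA, which reads the file through the same kernel_read_file
# path and appraises it against the POLICY_CHECK rule before adopting it.
install_policy() {
    ima_policy_text > "$POLICY_FILE"
    evmctl ima_sign -k "$IMA_KEY" "$POLICY_FILE"
    printf '%s\n' "$POLICY_FILE" > "$IMA_SECURITYFS/policy"
}

# Usage: sh ima-kexec-policy.sh install   (needs root, IMA and evmctl)
if [ "${1:-}" = "install" ]; then
    install_policy
fi
```

Writing the pathname (rather than the rules themselves) to the securityfs `policy` file is what lets IMA appraise the new policy's own signature; once the POLICY_CHECK rule is active, an unsigned policy written later from the initramfs is rejected, which is the failure mode discussed in the thread.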