From: David Howells
To: linux-security-module@vger.kernel.org
Cc: dhowells@redhat.com, jforbes@redhat.com, jbohac@suse.cz, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 04/30] Enforce module signatures if the kernel is locked down
Date: Thu, 22 Feb 2018 13:07:57 +0000
Message-ID: <30284.1519304877@warthog.procyon.org.uk>
In-Reply-To: <151024866805.28329.10437019941463042267.stgit@warthog.procyon.org.uk>
References: <151024866805.28329.10437019941463042267.stgit@warthog.procyon.org.uk> <151024863544.28329.2436580122759221600.stgit@warthog.procyon.org.uk>

I'm considering folding the attached changes into this patch.  It adjusts the
errors generated:

 (1) If there's no signature (ENODATA) or we can't check it (ENOPKG, ENOKEY),
     then:

     (a) If signatures are enforced then EKEYREJECTED is returned.

     (b) If IMA will have validated the image, return 0 (okay).

     (c) If there's no signature or we can't check it, but the kernel is locked
         down then EPERM is returned (this is then consistent with other
         lockdown cases).

 (2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails the
     check (EKEYREJECTED) or a system error occurs (e.g. ENOMEM), we return the
     error we got.
Note that the X.509 code doesn't check for key expiry as the RTC might not be valid or might not have been transferred to the kernel's clock yet. David --- diff --git a/kernel/module.c b/kernel/module.c index 1eb06a0ccbfb..62419cf48ef6 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -2769,8 +2769,9 @@ static inline void kmemleak_load_module(const struct module *mod, static int module_sig_check(struct load_info *info, int flags, bool can_do_ima_check) { - int err = -ENOKEY; + int err = -ENODATA; const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; + const char *reason; const void *mod = info->hdr; /* @@ -2785,18 +2786,42 @@ static int module_sig_check(struct load_info *info, int flags, err = mod_verify_sig(mod, &info->len); } - if (!err) { + switch (err) { + case 0: info->sig_ok = true; return 0; - } - /* Not having a signature is only an error if we're strict. */ - if (err == -ENOKEY && !sig_enforce && - (!can_do_ima_check || !is_ima_appraise_enabled()) && - !kernel_is_locked_down("Loading of unsigned modules")) - err = 0; + /* We don't permit modules to be loaded into trusted kernels + * without a valid signature on them, but if we're not + * enforcing, certain errors are non-fatal. + */ + case -ENODATA: + reason = "Loading of unsigned module"; + goto decide; + case -ENOPKG: + reason = "Loading of module with unsupported crypto"; + goto decide; + case -ENOKEY: + reason = "Loading of module with unavailable key"; + decide: + if (sig_enforce) { + pr_notice("%s is rejected\n", reason); + return -EKEYREJECTED; + } - return err; + if (can_do_ima_check && is_ima_appraise_enabled()) + return 0; + if (kernel_is_locked_down(reason)) + return -EPERM; + return 0; + + /* All other errors are fatal, including nomem, unparseable + * signatures and signature check failures - even if signatures + * aren't required. + */ + default: + return err; + } } #else /* !CONFIG_MODULE_SIG */ static int module_sig_check(struct load_info *info, int flags,
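Review bot: in the first hunk, `int err = -ENODATA;` is now the value that survives when the MODULE_SIG_STRING marker is absent and `mod_verify_sig()` is never reached, which is what makes the later `case -ENODATA:` arm mean "unsigned module" while `-ENOKEY` has to come only from `mod_verify_sig()`'s key lookup; a one-line comment on the declaration stating that dependency would stop a future change to the marker check from silently turning "unsigned" into "key unavailable". The added `const char *reason;` is fine without an initialiser, since every path into the `decide:` label assigns it first.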
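Review bot: in the second hunk, the non-enforcing branch after `decide:` tests `if (can_do_ima_check && is_ima_appraise_enabled()) return 0;` before `kernel_is_locked_down(reason)`, so on a locked-down kernel with IMA appraisal enabled an unsigned module is accepted here with no lockdown message and with `info->sig_ok` left false; the comment above the cases only says "certain errors are non-fatal" and should say explicitly that IMA appraisal is being relied on for that case. It is also worth recording in the commit message that the same condition now yields `-EKEYREJECTED` under `sig_enforce` but `-EPERM` under lockdown, since that is a visible errno change for module loaders, and that the `pr_notice("%s is rejected\n", reason)` is only emitted on the enforced path.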