Received: by 10.213.65.68 with SMTP id h4csp1977381imn; Thu, 5 Apr 2018 07:03:30 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/Z+VEIUSU54PZTXHKuuyNCuyDp3IKvl6Nleyj3tYYsown4u6OVoRo5RPr7CkSlLb61Rn0A X-Received: by 10.99.96.141 with SMTP id u135mr15147283pgb.49.1522937010704; Thu, 05 Apr 2018 07:03:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522937010; cv=none; d=google.com; s=arc-20160816; b=B4Foh49pXufztfBB5c75D/ED77jFHi9JUfDdv2btHJ/ysDYoHtpLxE6ttfmQxYkyeI a6DOpbQK/Q2N25QVNyswodEdcMBwvbtsOuCz6NIO/5uR0OYTeo7RzZgQlUmY/M6DGqGz LQDhzLmX4EGXaEV/zFFLq9uHg0U8Y9MPv8q6Bg2yYcmlHyroLAV07akTY9CcdQCajf1D UXbJRiohTRyLNYMlK922nxa2vfm7JZ/pv7WSXQp6DbbNKpr7F2NiBHya7F6ashXSQF3x VE+hTVj9N4njXf0GKA1pbAo2X0p9Po4hUb51GXCtXB9pwqMUR3P6RPO2C8mdCnIZ0DCi ZoDQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:content-transfer-encoding :mime-version:references:in-reply-to:date:cc:to:from:subject :arc-authentication-results; bh=zokNviR9uuH4tkvyokOKtDZIxTKuqIScyx/iFeFkXpU=; b=aeMVazO2PH8RIOHxM2XK2SKYpLIghwN1dn+nfWvL2NKyKmqdUwbT6HiSR/jsUpOF88 SFtyzOHVdDkwwYvchaenGrvZg4U2QVQdVIIeaCrEXSMzEj2jO9q3phPwgNJVf9Vgtv0S epMmex95yaAPIsDwhGYeG8XVox4fTfZMUS7h3usxVlqzY1s6W5x2iQt2SGLQqyVa0aHI FYnUwc0FC8Ngda8mXqsH+UVzFpFwULONg8p7omEhZTHs5bKGYPzTsAaIiD97NGx5kupu KJaykuC2s+o1J+wItDo/hWDuHze0Ys6uf87tluFxM6jf2B0QZDt4MynEM5sUG81RvqAk OFXg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f6si5569427pgr.690.2018.04.05.07.03.16; Thu, 05 Apr 2018 07:03:30 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751618AbeDEOB0 (ORCPT + 99 others); Thu, 5 Apr 2018 10:01:26 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:55432 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1751344AbeDEOBX (ORCPT ); Thu, 5 Apr 2018 10:01:23 -0400 Received: from pps.filterd (m0098421.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w35E0KDB025234 for ; Thu, 5 Apr 2018 10:01:23 -0400 Received: from e06smtp13.uk.ibm.com (e06smtp13.uk.ibm.com [195.75.94.109]) by mx0a-001b2d01.pphosted.com with ESMTP id 2h5hkhjkn2-1 (version=TLSv1.2 cipher=AES256-SHA256 bits=256 verify=NOT) for ; Thu, 05 Apr 2018 10:01:21 -0400 Received: from localhost by e06smtp13.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 5 Apr 2018 15:01:19 +0100 Received: from b06cxnps4076.portsmouth.uk.ibm.com (9.149.109.198) by e06smtp13.uk.ibm.com (192.168.101.143) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Thu, 5 Apr 2018 15:01:13 +0100 Received: from d06av23.portsmouth.uk.ibm.com (d06av23.portsmouth.uk.ibm.com [9.149.105.59]) by b06cxnps4076.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w35E1DfI7340274; Thu, 5 Apr 2018 14:01:13 GMT Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 1DD99A4059; Thu, 5 Apr 2018 14:53:38 +0100 (BST) Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id CAA3CA405E; Thu, 5 Apr 2018 14:53:35 +0100 (BST) Received: from localhost.localdomain (unknown [9.80.101.38]) by d06av23.portsmouth.uk.ibm.com (Postfix) with ESMTP; Thu, 5 Apr 2018 14:53:35 +0100 (BST) Subject: Re: An actual suggestion (Re: [GIT PULL] Kernel lockdown for secure boot) From: Mimi Zohar To: joeyli , David Howells Cc: Andy Lutomirski , Greg Kroah-Hartman , "Theodore Y. Ts'o" , Matthew Garrett , Linus Torvalds , Ard Biesheuvel , James Morris , Alan Cox , Linux Kernel Mailing List , Justin Forbes , linux-man , LSM List , Linux API , Kees Cook , linux-efi Date: Thu, 05 Apr 2018 10:01:09 -0400 In-Reply-To: <20180405021650.GC7362@linux-l9pv.suse> References: <1119.1522858644@warthog.procyon.org.uk> <20180405021650.GC7362@linux-l9pv.suse> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 x-cbid: 18040514-0012-0000-0000-000005C76E53 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18040514-0013-0000-0000-0000194385CF Message-Id: <1522936869.16421.63.camel@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2018-04-05_07:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000 definitions=main-1804050148 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 2018-04-05 at 10:16 +0800, joeyli wrote: > Hi David, > > On Wed, Apr 04, 2018 at 05:17:24PM +0100, David Howells wrote: > > Andy Lutomirski wrote: > > > > > Since this thread has devolved horribly, I'm going to propose a solution. > > > > > > 1. Split the "lockdown" state into three levels: (please don't > > > bikeshed about the names right now.) > > > > > > LOCKDOWN_NONE: normal behavior > > > > > > LOCKDOWN_PROTECT_INTEGREITY: kernel tries to keep root from writing to > > > kernel memory > > > > > > LOCKDOWN_PROTECT_INTEGRITY_AND_SECRECY: kernel tries to keep root from > > > reading or writing kernel memory. > > > > In theory, it's good idea, but in practice it's not as easy to implement as I > > think you think. > > > > Let me list here the things that currently get restricted by lockdown: > > > [...snip] > > (5) Kexec. > > > > About IMA with kernel module signing and kexec(not on x86_64 yet)... Only carrying the measurement list across kexec is architecture specific, but everything else should work.   > Because IMA can be used to verify the integrity of kernel module or even > the image for kexec. I think that the > IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY must be enabled at runtime > when kernel is locked-down. I think we need to understand the problem a bit better.  Is the problem that you're using the secondary keyring and loading the UEFI keys onto the secondary keyring? > Because the root can enroll master key to keyring then IMA trusts the ima key > derived from master key. It causes that the arbitrary signed module can be loaded > when the root compromised. With only the builtin keyring, only keys signed by a builtin key can be added to the IMA keyring. Mimi