Received: by 10.213.65.68 with SMTP id h4csp2117561imn; Thu, 5 Apr 2018 09:14:46 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/22Z6EEWL+iI1n+FT/9lo7XAO3wQjI3ydfppP+n2oX34NglMCugp/SRDePajoEICUvrn6Y X-Received: by 2002:a17:902:8f8f:: with SMTP id z15-v6mr23081238plo.368.1522944886751; Thu, 05 Apr 2018 09:14:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522944886; cv=none; d=google.com; s=arc-20160816; b=RxVWpURlJzGXhuAU5hX9oTfGsClcBj3nSPHbHjzdLL8giSliOyMnM1nJ7qIBn1rJTk L9a4EMj89skE5dzdHNKRNCzbl/PoDItk3Gpvhlb+rVBn/O97phSc58C+GmBUxlgUPUZf 7h+G5rQeXCXiPjLwjwtDftm7oF5EKNG8IIifFIqJ6y/kZGVJICO62ufkup7EMJ2kiThJ a/e6q22uvGA60/IqD+L2jHmcO3dDQfITnZ6xW4Mea+gjA6gfv3xxo3TLwlCpLCbJ2Kd7 B+upD47xavRp+HRnQv440OBCKULWMJHkgClmKpYLrhndSap0J9GA7frALbCPHNhbEG6j wUIw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-transfer-encoding:content-disposition:mime-version :references:message-id:subject:cc:to:from:date :arc-authentication-results; bh=t1qmGUOp5nEfZ/1tSQeSFh+NGJkqF/IQPwKRq5YvzSY=; b=ovNMmQh6u6Fo5hb2l5TStUPymdcehvOtpr5PnQq2oJcae3+PnYRRekxT7ttOMk4ZcE R9+7ipZ/xh1XOJCzdnjoeQzOp7+5HaUAT7Js2WCIQnV+31Z4LYA1qLN8Qflzxb9eHUyY iSHcBfOp9LpRr3BBZcGfEDDXfaIXVIfoIaCySJ9qOY3ifei9tcjU6fmdlPNkbqyAG/la 4fIZSziOyi+C1mLU9WrrjLSYJ2++nzK0puT5HrJ1wYArpc5hNnQ4Dlb9mJ+OOgvGu6ru yrtnw6VA3InNN4r1nAOwzQMtCX+qO1p70KnUwT9bcfo9sf4Mn8euMQN8fjX7V+qs0ls3 Gpuw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b89-v6si8534438plb.262.2018.04.05.09.14.32; Thu, 05 Apr 2018 09:14:46 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751460AbeDEQME (ORCPT + 99 others); Thu, 5 Apr 2018 12:12:04 -0400 Received: from smtp.nue.novell.com ([195.135.221.5]:51764 "EHLO smtp.nue.novell.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750835AbeDEQMC (ORCPT ); Thu, 5 Apr 2018 12:12:02 -0400 Received: from emea4-mta.ukb.novell.com ([10.120.13.87]) by smtp.nue.novell.com with ESMTP (TLS encrypted); Thu, 05 Apr 2018 18:11:59 +0200 Received: from linux-rasp2 (nwb-a10-snat.microfocus.com [10.120.13.202]) by emea4-mta.ukb.novell.com with ESMTP (TLS encrypted); Thu, 05 Apr 2018 17:11:33 +0100 Date: Fri, 6 Apr 2018 00:11:24 +0800 From: jlee@suse.com To: Mimi Zohar Cc: David Howells , Andy Lutomirski , Greg Kroah-Hartman , "Theodore Y. Ts'o" , Matthew Garrett , Linus Torvalds , Ard Biesheuvel , James Morris , Alan Cox , Linux Kernel Mailing List , Justin Forbes , linux-man , LSM List , Linux API , Kees Cook , linux-efi Subject: Re: An actual suggestion (Re: [GIT PULL] Kernel lockdown for secure boot) Message-ID: <20180405161124.y5jfe76lfqog7iiv@linux-rasp2> References: <1119.1522858644@warthog.procyon.org.uk> <20180405021650.GC7362@linux-l9pv.suse> <1522936869.16421.63.camel@linux.vnet.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <1522936869.16421.63.camel@linux.vnet.ibm.com> User-Agent: Mutt/1.6.2 (2016-07-01) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Mimi, On Thu, Apr 05, 2018 at 10:01:09AM -0400, Mimi Zohar wrote: > On Thu, 2018-04-05 at 10:16 +0800, joeyli wrote: > > Hi David, > > > > On Wed, Apr 04, 2018 at 05:17:24PM +0100, David Howells wrote: > > > Andy Lutomirski wrote: > > > > > > > Since this thread has devolved horribly, I'm going to propose a solution. > > > > > > > > 1. Split the "lockdown" state into three levels: (please don't > > > > bikeshed about the names right now.) > > > > > > > > LOCKDOWN_NONE: normal behavior > > > > > > > > LOCKDOWN_PROTECT_INTEGREITY: kernel tries to keep root from writing to > > > > kernel memory > > > > > > > > LOCKDOWN_PROTECT_INTEGRITY_AND_SECRECY: kernel tries to keep root from > > > > reading or writing kernel memory. > > > > > > In theory, it's good idea, but in practice it's not as easy to implement as I > > > think you think. > > > > > > Let me list here the things that currently get restricted by lockdown: > > > > > [...snip] > > > (5) Kexec. > > > > > > > About IMA with kernel module signing and kexec(not on x86_64 yet)... > > Only carrying the measurement list across kexec is architecture > specific, but everything else should work. ? > > > Because IMA can be used to verify the integrity of kernel module or even > > the image for kexec. I think that the > > IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY must be enabled at runtime > > when kernel is locked-down. > > I think we need to understand the problem a bit better. ?Is the > problem that you're using the secondary keyring and loading the UEFI > keys onto the secondary keyring? > Sorry for my mistake. I want to write INTEGRITY_TRUSTED_KEYRING in above but not IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY. My brain is not clear when writing the mail. > > Because the root can enroll master key to keyring then IMA trusts the ima key > > derived from master key. It causes that the arbitrary signed module can be loaded > > when the root compromised. > > With only the builtin keyring, only keys signed by a builtin key can > be added to the IMA keyring. > Thanks for your description. I saw that the IMA_LOAD_X509 already depends on IMA_TRUSTED_KEYRING (INTEGRITY_TRUSTED_KEYRING). Please ignore my concern. Thanks a lot! Joey Lee