Received: by 10.192.165.156 with SMTP id m28csp1143815imm; Wed, 11 Apr 2018 13:15:10 -0700 (PDT) X-Google-Smtp-Source: AIpwx4+xQ0Q5XUOtmG1rpHqEMHoUR6tywMWuPfFx+Z7Z4gYkJfb3ShVaHFzEFxuO2lfTTZuMGMJ+ X-Received: by 2002:a17:902:2e:: with SMTP id 43-v6mr6540171pla.282.1523477710629; Wed, 11 Apr 2018 13:15:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523477710; cv=none; d=google.com; s=arc-20160816; b=Y51D7Ox9W3cc8j4BL3rnmM5aZORWasCLrhxhZ5TPNrhGCjSaqIdV4IU9QhpBbhFaIk AdWPt3kZDOiUAz7YIagsgk1ge1+aVx9WtAVFcHyGvz6Q9dLBnMK196DURYyEWRRLmBfX jf+3EWCeCV6GrL7z3RYG8Lfo3uqxHMO6g7RWyZlLgIU63cas/nzI2gmn4wfp3VgI2TTU j3u0tQlfS//L1XLg+7eAzgbAfQUiDZjJWEjICOzZr5kHrdaINO6agynza7A59F5V7X8N mKX28/ZlQoaugk7zeZS5tfTM5VAxOCnZh4r/1XpkkcUrWQ6uQ3SorDnAy0/Q1fhbvunN NtLg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:content-transfer-encoding :mime-version:references:in-reply-to:date:cc:to:from:subject :arc-authentication-results; bh=mb7TNi6xnitNxhYyjf/H8i69LvSwkQQ7+vBqLt9J7JQ=; b=PCiT7lFSLK08AllVMlmbBy04/jLtIvr0c8sS3Q2MlC4vHSErWOWxu/56blsnoK0VUh mx79UwR9OunGvGZFavQUvODw5BDvv/rxioF19YuKKy51N3hfNdgoUoNEzBbQ8t0lG6kV xtnGI+4BZ1Xn82YJQtYM1SqMu3Q+9IDNdbPNfE5jr6AHs7Z/u2gHpHmWGQihvudZu+z2 d6T3eiIA9Bgmi9v3yCvoac2KPRFNmWo/JF5BnZ9wKAcOKrnFkIifWqVEBsYUEdEHC5CV BjPMiDaW0s32Q+uZXht4KPEDKhQwXprwJjrJc2IP1SrPJ9YM02tzXWr9/dNWpYDd4CZB eXqw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q14si1202584pgr.311.2018.04.11.13.14.33; Wed, 11 Apr 2018 13:15:10 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932731AbeDKUJr (ORCPT + 99 others); Wed, 11 Apr 2018 16:09:47 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:38548 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932268AbeDKUJn (ORCPT ); Wed, 11 Apr 2018 16:09:43 -0400 Received: from pps.filterd (m0098410.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w3BK9ZOC068527 for ; Wed, 11 Apr 2018 16:09:43 -0400 Received: from e06smtp13.uk.ibm.com (e06smtp13.uk.ibm.com [195.75.94.109]) by mx0a-001b2d01.pphosted.com with ESMTP id 2h9n3xtwmh-1 (version=TLSv1.2 cipher=AES256-SHA256 bits=256 verify=NOT) for ; Wed, 11 Apr 2018 16:09:43 -0400 Received: from localhost by e06smtp13.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Wed, 11 Apr 2018 21:09:40 +0100 Received: from b06cxnps4074.portsmouth.uk.ibm.com (9.149.109.196) by e06smtp13.uk.ibm.com (192.168.101.143) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Wed, 11 Apr 2018 21:09:37 +0100 Received: from d06av24.portsmouth.uk.ibm.com (mk.ibm.com [9.149.105.60]) by b06cxnps4074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w3BK9aMf43385024; Wed, 11 Apr 2018 20:09:36 GMT Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 9D9784204B; Wed, 11 Apr 2018 21:01:18 +0100 (BST) Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id B5BD44203F; Wed, 11 Apr 2018 21:01:17 +0100 (BST) Received: from dhcp-9-2-55-36.watson.ibm.com (unknown [9.2.55.36]) by d06av24.portsmouth.uk.ibm.com (Postfix) with ESMTP; Wed, 11 Apr 2018 21:01:17 +0100 (BST) Subject: Re: [PATCH 06/24] kexec_load: Disable at runtime if the kernel is locked down From: Mimi Zohar To: "Eric W. Biederman" , David Howells Cc: torvalds@linux-foundation.org, linux-man@vger.kernel.org, linux-api@vger.kernel.org, jmorris@namei.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Date: Wed, 11 Apr 2018 16:09:35 -0400 In-Reply-To: <87po35k1q6.fsf@xmission.com> References: <152346387861.4030.4408662483445703127.stgit@warthog.procyon.org.uk> <152346391877.4030.6270466586590461223.stgit@warthog.procyon.org.uk> <87po35k1q6.fsf@xmission.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 x-cbid: 18041120-0012-0000-0000-000005C9BD7D X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18041120-0013-0000-0000-00001945EF8C Message-Id: <1523477375.5268.78.camel@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-04-11_09:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=3 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000 definitions=main-1804110186 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 2018-04-11 at 14:00 -0500, Eric W. Biederman wrote: > David Howells writes: > > > From: Matthew Garrett > > > > The kexec_load() syscall permits the loading and execution of arbitrary > > code in ring 0, which is something that lock-down is meant to prevent. It > > makes sense to disable kexec_load() in this situation. > > > > This does not affect kexec_file_load() syscall which can check for a > > signature on the image to be booted. > > Maybing I am missing it but I am not seeing anything that would require > kexec_file_load be configured such that it checks the loaded kernel. > > Without that I don't see the point of disabling kexec_load. > > Nacked-by: "Eric W. Biederman" The IMA "secure boot" policy requires the kexec image to be signed.  This call to kernel_is_locked_down() could be replaced with a call to security_kernel_read_file(NULL, READING_KEXEC_IMAGE). It would be similar to the existing init_module syscall calling security_kernel_read_file(). Mimi