Received: by 10.74.165.76 with SMTP id s12csp1193545oom; Fri, 13 Apr 2018 13:42:24 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/pYLDjS6Ah+k/qaYPEGabiaJcJWd4Pt8PACfVTl/JFy4uqhJj5X+feEepfUNUmbiZV7crW X-Received: by 10.99.112.93 with SMTP id a29mr1777916pgn.202.1523652144279; Fri, 13 Apr 2018 13:42:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523652144; cv=none; d=google.com; s=arc-20160816; b=Pckut53rLkTB+qErNRXirRG6wWa++Q8KRM+DPO4evROICxi8WYT9ZIWQPj6nOCixn0 uA6vzcqt9SSLf5r9IngE1njibRHZ+mKrl8mOd1IcbU5B9j9FnfbQ2sco6ZPmB/OM116y /WWR+eoF8EpOOsx7yC/QhkQZEZso2RqgS5tjVlVK3Z1ASzN8OXaXK1ClJhIuIFvvd2k0 GiwmIRJDeUroh4dduTuBMuU/ei0CXn/cmhKKrltdS1WQ5onyy5OUxveFYzAVo6STTqry e/hKNxmXOyOOAYN2QfZJHqhJKHZPXieGVbdqAFpusmlYzx+rmeZi43V0HK1bhD84XyXX lQpA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=7f27QD/5WfgbrvpiyKHq46NjB9rW6AcoIu36c050cP4=; b=QTjAMK4AN+xJlyBILMWS0s1MpllR7h3cuxG2xq6BWxZ8omEw16jl5RRmLthzF3vBNZ TSHR6O7I+QBjZ2kNSFHlnqjNommydEdnB8qTmsBlTgXEZ0OwUldoyfednUPfEoMIkauI wuXI7Zz8ob0hnkGUMOt/n7NU5tKDhzrWVa4rK7QI3tGLn0B90VpYxkeqSh7KQWVWSuRL ybtUl5ZlYGyLa3BpMRnZ07xBWatRk+NKnlhDTIIB0ErlSX9P6n8Z8BEjVpwJ6JdVMnYu 1DN2QVhfeqc7GgYG5Yv71ll8FbZ6neIYGZLFsWnCCUgLPPC3EmXGnp+xCRYjvn/UMRoT cQDg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 31-v6si1588883plz.364.2018.04.13.13.42.09; Fri, 13 Apr 2018 13:42:24 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751154AbeDMUk2 (ORCPT + 99 others); Fri, 13 Apr 2018 16:40:28 -0400 Received: from mx1.redhat.com ([209.132.183.28]:41156 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750904AbeDMUk1 (ORCPT ); Fri, 13 Apr 2018 16:40:27 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 0C13C3141B42; Fri, 13 Apr 2018 20:40:27 +0000 (UTC) Received: from localhost (ovpn-116-93.gru2.redhat.com [10.97.116.93]) by smtp.corp.redhat.com (Postfix) with ESMTP id 988D35F7E7; Fri, 13 Apr 2018 20:40:26 +0000 (UTC) Date: Fri, 13 Apr 2018 17:40:25 -0300 From: "Bruno E. O. Meneguele" To: Mimi Zohar Cc: David Howells , Luca Boccassi , linux-integrity , linux-security-module , linux-kernel Subject: Re: [PATCH] lockdown: fix coordination of kernel module signature verification Message-ID: <20180413204025.GC2047@rhlt> References: <1523633272.3272.30.camel@linux.vnet.ibm.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="E/DnYTRukya0zdZ1" Content-Disposition: inline In-Reply-To: <1523633272.3272.30.camel@linux.vnet.ibm.com> X-PGP-Key: http://keys.gnupg.net/pks/lookup?op=get&search=0x3823031E4660608D User-Agent: Mutt/1.9.2 (2017-12-15) X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.47]); Fri, 13 Apr 2018 20:40:27 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --E/DnYTRukya0zdZ1 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Apr 13, 2018 at 11:27:52AM -0400, Mimi Zohar wrote: > If both IMA-appraisal and sig_enforce are enabled, then both signatures > are currently required. If the IMA-appraisal signature verification > fails, it could rely on the appended signature verification; but with the > lockdown patch set, the appended signature verification assumes that if > IMA-appraisal is enabled, it has verified the signature. Basically each > signature verification method would be relying on the other to verify the > kernel module signature. >=20 > This patch addresses the problem of requiring both kernel module signature > verification methods, when both are enabled, by verifying just the > appended signature. >=20 > Signed-off-by: Mimi Zohar > --- > kernel/module.c | 4 +--- > security/integrity/ima/ima_main.c | 7 ++++++- > 2 files changed, 7 insertions(+), 4 deletions(-) >=20 > diff --git a/kernel/module.c b/kernel/module.c > index 9c1709a05037..60861eb7bc4d 100644 > --- a/kernel/module.c > +++ b/kernel/module.c > @@ -2803,9 +2803,7 @@ static int module_sig_check(struct load_info *info,= int flags, > if (sig_enforce) { > pr_notice("%s is rejected\n", reason); > return -EKEYREJECTED; > - } > - > - if (can_do_ima_check && is_ima_appraise_enabled()) > + } else if (can_do_ima_check && is_ima_appraise_enabled()) > return 0; > if (kernel_is_locked_down(reason)) > return -EPERM; > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/i= ma_main.c > index 754ece08e1c6..2155b1f316a4 100644 > --- a/security/integrity/ima/ima_main.c > +++ b/security/integrity/ima/ima_main.c > @@ -480,6 +480,7 @@ static int read_idmap[READING_MAX_ID] =3D { > int ima_post_read_file(struct file *file, void *buf, loff_t size, > enum kernel_read_file_id read_id) > { > + bool sig_enforce =3D is_module_sig_enforced(); > enum ima_hooks func; > u32 secid; > =20 > @@ -490,7 +491,11 @@ int ima_post_read_file(struct file *file, void *buf,= loff_t size, > return 0; > } > =20 > - if (!file && read_id =3D=3D READING_MODULE) /* MODULE_SIG_FORCE enabled= */ > + /* > + * If both IMA-appraisal and appended signature verification are > + * enabled, rely on the appended signature verification. > + */ > + if (sig_enforce && read_id =3D=3D READING_MODULE) > return 0; > =20 > /* permit signed certs */ > --=20 > 2.7.5 >=20 I agree with the solution. Acked-by: Bruno E. O. Meneguele --E/DnYTRukya0zdZ1 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEdWo6nTbnZdbDmXutYdRkFR+RokMFAlrRFbkACgkQYdRkFR+R okM9RQgAusqmb5vXEVaJ+PFyiKcqHJInZJDywwwuS8emd68anOr78WFp9eNQ4X5x CbcJUNPC/pdX8dacb2D6KATja+tN1wnyQ1NIeKbuXWmW0xaYh9KfNcYxgTIUX3am g2uIpKXfIxobGVtIDDtpLfCnaTKaASg1i3m2TnA9WcMnGqEzm7vcBCdfk3FoEr3d MZDnVhl3XgzxXF3c+0Z2xpXbPvQGj7Vk8JPRLQQYoKu/xHN+SPT4QPFQEB49T3/6 gWK9DqGG3105sBx9QQ6KBonCdDehv5I9HnK9ViFpTtFaBWBtemwtjol4IOcOkkrt y5Lh+13cUg8LTKcEOhYddl8CDjsf7g== =gbxv -----END PGP SIGNATURE----- --E/DnYTRukya0zdZ1--