Received: by 10.74.165.76 with SMTP id s12csp1193545oom;
        Fri, 13 Apr 2018 13:42:24 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4/pYLDjS6Ah+k/qaYPEGabiaJcJWd4Pt8PACfVTl/JFy4uqhJj5X+feEepfUNUmbiZV7crW
X-Received: by 10.99.112.93 with SMTP id a29mr1777916pgn.202.1523652144279;
        Fri, 13 Apr 2018 13:42:24 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1523652144; cv=none;
        d=google.com; s=arc-20160816;
        b=Pckut53rLkTB+qErNRXirRG6wWa++Q8KRM+DPO4evROICxi8WYT9ZIWQPj6nOCixn0
         uA6vzcqt9SSLf5r9IngE1njibRHZ+mKrl8mOd1IcbU5B9j9FnfbQ2sco6ZPmB/OM116y
         /WWR+eoF8EpOOsx7yC/QhkQZEZso2RqgS5tjVlVK3Z1ASzN8OXaXK1ClJhIuIFvvd2k0
         GiwmIRJDeUroh4dduTuBMuU/ei0CXn/cmhKKrltdS1WQ5onyy5OUxveFYzAVo6STTqry
         e/hKNxmXOyOOAYN2QfZJHqhJKHZPXieGVbdqAFpusmlYzx+rmeZi43V0HK1bhD84XyXX
         lQpA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:arc-authentication-results;
        bh=7f27QD/5WfgbrvpiyKHq46NjB9rW6AcoIu36c050cP4=;
        b=QTjAMK4AN+xJlyBILMWS0s1MpllR7h3cuxG2xq6BWxZ8omEw16jl5RRmLthzF3vBNZ
         TSHR6O7I+QBjZ2kNSFHlnqjNommydEdnB8qTmsBlTgXEZ0OwUldoyfednUPfEoMIkauI
         wuXI7Zz8ob0hnkGUMOt/n7NU5tKDhzrWVa4rK7QI3tGLn0B90VpYxkeqSh7KQWVWSuRL
         ybtUl5ZlYGyLa3BpMRnZ07xBWatRk+NKnlhDTIIB0ErlSX9P6n8Z8BEjVpwJ6JdVMnYu
         1DN2QVhfeqc7GgYG5Yv71ll8FbZ6neIYGZLFsWnCCUgLPPC3EmXGnp+xCRYjvn/UMRoT
         cQDg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 31-v6si1588883plz.364.2018.04.13.13.42.09;
        Fri, 13 Apr 2018 13:42:24 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751154AbeDMUk2 (ORCPT <rfc822;mahoosoft4you@gmail.com>
        + 99 others); Fri, 13 Apr 2018 16:40:28 -0400
Received: from mx1.redhat.com ([209.132.183.28]:41156 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1750904AbeDMUk1 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 13 Apr 2018 16:40:27 -0400
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mx1.redhat.com (Postfix) with ESMTPS id 0C13C3141B42;
        Fri, 13 Apr 2018 20:40:27 +0000 (UTC)
Received: from localhost (ovpn-116-93.gru2.redhat.com [10.97.116.93])
        by smtp.corp.redhat.com (Postfix) with ESMTP id 988D35F7E7;
        Fri, 13 Apr 2018 20:40:26 +0000 (UTC)
Date:   Fri, 13 Apr 2018 17:40:25 -0300
From:   "Bruno E. O. Meneguele" <bmeneg@redhat.com>
To:     Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc:     David Howells <dhowells@redhat.com>,
        Luca Boccassi <bluca@debian.org>,
        linux-integrity <linux-integrity@vger.kernel.org>,
        linux-security-module <linux-security-module@vger.kernel.org>,
        linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] lockdown: fix coordination of kernel module signature
 verification
Message-ID: <20180413204025.GC2047@rhlt>
References: <1523633272.3272.30.camel@linux.vnet.ibm.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
        protocol="application/pgp-signature"; boundary="E/DnYTRukya0zdZ1"
Content-Disposition: inline
In-Reply-To: <1523633272.3272.30.camel@linux.vnet.ibm.com>
X-PGP-Key: http://keys.gnupg.net/pks/lookup?op=get&search=0x3823031E4660608D
User-Agent: Mutt/1.9.2 (2017-12-15)
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.47]); Fri, 13 Apr 2018 20:40:27 +0000 (UTC)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


--E/DnYTRukya0zdZ1
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Apr 13, 2018 at 11:27:52AM -0400, Mimi Zohar wrote:
> If both IMA-appraisal and sig_enforce are enabled, then both signatures
> are currently required.  If the IMA-appraisal signature verification
> fails, it could rely on the appended signature verification; but with the
> lockdown patch set, the appended signature verification assumes that if
> IMA-appraisal is enabled, it has verified the signature.  Basically each
> signature verification method would be relying on the other to verify the
> kernel module signature.
>=20
> This patch addresses the problem of requiring both kernel module signature
> verification methods, when both are enabled, by verifying just the
> appended signature.
>=20
> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> ---
>  kernel/module.c                   | 4 +---
>  security/integrity/ima/ima_main.c | 7 ++++++-
>  2 files changed, 7 insertions(+), 4 deletions(-)
>=20
> diff --git a/kernel/module.c b/kernel/module.c
> index 9c1709a05037..60861eb7bc4d 100644
> --- a/kernel/module.c
> +++ b/kernel/module.c
> @@ -2803,9 +2803,7 @@ static int module_sig_check(struct load_info *info,=
 int flags,
>  		if (sig_enforce) {
>  			pr_notice("%s is rejected\n", reason);
>  			return -EKEYREJECTED;
> -		}
> -
> -		if (can_do_ima_check && is_ima_appraise_enabled())
> +		} else if (can_do_ima_check && is_ima_appraise_enabled())
>  			return 0;
>  		if (kernel_is_locked_down(reason))
>  			return -EPERM;
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/i=
ma_main.c
> index 754ece08e1c6..2155b1f316a4 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -480,6 +480,7 @@ static int read_idmap[READING_MAX_ID] =3D {
>  int ima_post_read_file(struct file *file, void *buf, loff_t size,
>  		       enum kernel_read_file_id read_id)
>  {
> +	bool sig_enforce =3D is_module_sig_enforced();
>  	enum ima_hooks func;
>  	u32 secid;
> =20
> @@ -490,7 +491,11 @@ int ima_post_read_file(struct file *file, void *buf,=
 loff_t size,
>  		return 0;
>  	}
> =20
> -	if (!file && read_id =3D=3D READING_MODULE) /* MODULE_SIG_FORCE enabled=
 */
> +	/*
> +	 * If both IMA-appraisal and appended signature verification are
> +	 * enabled, rely on the appended signature verification.
> +	 */
> +	if (sig_enforce && read_id =3D=3D READING_MODULE)
>  		return 0;
> =20
>  	/* permit signed certs */
> --=20
> 2.7.5
>=20

I agree with the solution.

Acked-by: Bruno E. O. Meneguele <bmeneg@redhat.com>

--E/DnYTRukya0zdZ1
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEdWo6nTbnZdbDmXutYdRkFR+RokMFAlrRFbkACgkQYdRkFR+R
okM9RQgAusqmb5vXEVaJ+PFyiKcqHJInZJDywwwuS8emd68anOr78WFp9eNQ4X5x
CbcJUNPC/pdX8dacb2D6KATja+tN1wnyQ1NIeKbuXWmW0xaYh9KfNcYxgTIUX3am
g2uIpKXfIxobGVtIDDtpLfCnaTKaASg1i3m2TnA9WcMnGqEzm7vcBCdfk3FoEr3d
MZDnVhl3XgzxXF3c+0Z2xpXbPvQGj7Vk8JPRLQQYoKu/xHN+SPT4QPFQEB49T3/6
gWK9DqGG3105sBx9QQ6KBonCdDehv5I9HnK9ViFpTtFaBWBtemwtjol4IOcOkkrt
y5Lh+13cUg8LTKcEOhYddl8CDjsf7g==
=gbxv
-----END PGP SIGNATURE-----

--E/DnYTRukya0zdZ1--