Received: by 10.192.165.148 with SMTP id m20csp115671imm;
        Thu, 3 May 2018 16:05:58 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZrdCM8fBspq2qhb/5XyA+bDPzQbth8Jg5W9iA725rKEtzf8Re3Ip18VErgRm6Q9ZlvUuc9s
X-Received: by 2002:a63:7e5c:: with SMTP id o28-v6mr20262727pgn.194.1525388758233;
        Thu, 03 May 2018 16:05:58 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1525388758; cv=none;
        d=google.com; s=arc-20160816;
        b=YDF+psIrt5zFQnDZZHOUBH9nNc6v/rVlv4EY2tbYeheJlu8R6XHq49vIv+FUDqKqBw
         UpsYSsn3pR2+gWpCXugpUZiIDJHUBguvCVCtOsgVqvoFxbP6QkAVk9lIvDhC0gvHg3AQ
         VSlUZO6ZjcCiFJYTP7kHDXlUNQmqusr60FktmiqGbsPJhG/J+yRdOa1NX0cg09tuplxu
         9b7KK+Loqhe08nEmY2czmSkXcMgRZI0fi5Nefgkr8+WzJf/HqZQn1Crx0Kgqn3rLrIbu
         AKoJGbtoeaVvOGzRi6+LzjuxxmqyfdP8rv+5eJmPt+61M5XVVOm/yFUv1fSc+hdkUH88
         Xb+Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:subject:content-transfer-encoding
         :mime-version:user-agent:message-id:in-reply-to:date:references:cc
         :to:from:arc-authentication-results;
        bh=AsDxC3OWnVg8SaKjM+LWRYo7ExmONdwoHswR2TNccBI=;
        b=FqgRqYIBa8mow9OFKThrmYkwdTMitiNRi6EoJbbK4kuTD8aLCgVwDCKM56XV/9G45X
         U/3z+4lkvWUhg9gaY1gjW/hZdy1j9hXyLy/b6TNbVO+Wz/e00ZG9egVbwicp/GPYBN5L
         ujIN42aP9fJSSPHusQL4GfAkxvhP5+EIa2QOMJnM5hklvOrNVHsh+v2bHB4tUvmr2sCj
         rOcab9qf4nGRMCpmzhEjn6TnCkUVksj2FdU/7INMylIpe3pWIqdr2mOqmjGwM+O3dsu/
         nFvQzMQSQYDX+J+zgLOSuxypidF5wCxXQ89aMrXov8+KjRiy+A5BJDjeLinh8okiMAgp
         3zsg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id b3-v6si8995304plc.14.2018.05.03.16.05.43;
        Thu, 03 May 2018 16:05:58 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751414AbeECXD6 convert rfc822-to-8bit (ORCPT
        <rfc822;ereslibre@gmail.com> + 99 others);
        Thu, 3 May 2018 19:03:58 -0400
Received: from out02.mta.xmission.com ([166.70.13.232]:59403 "EHLO
        out02.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751111AbeECXD4 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 3 May 2018 19:03:56 -0400
Received: from in01.mta.xmission.com ([166.70.13.51])
        by out02.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
        (Exim 4.87)
        (envelope-from <ebiederm@xmission.com>)
        id 1fENGV-00055U-2r; Thu, 03 May 2018 17:03:55 -0600
Received: from [97.119.174.25] (helo=x220.xmission.com)
        by in01.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
        (Exim 4.87)
        (envelope-from <ebiederm@xmission.com>)
        id 1fENGU-00076t-Dn; Thu, 03 May 2018 17:03:54 -0600
From:   ebiederm@xmission.com (Eric W. Biederman)
To:     Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc:     Kees Cook <keescook@chromium.org>,
        David Howells <dhowells@redhat.com>,
        Matthew Garrett <mjg59@google.com>,
        linux-integrity@vger.kernel.org,
        linux-security-module@vger.kernel.org, kexec@lists.infradead.org,
        linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com
References: <1523572911-16363-1-git-send-email-zohar@linux.vnet.ibm.com>
        <87r2mso5up.fsf@xmission.com>
        <1525383075.3539.67.camel@linux.vnet.ibm.com>
        <87d0yco1vy.fsf@xmission.com>
        <1525384675.3539.89.camel@linux.vnet.ibm.com>
Date:   Thu, 03 May 2018 18:03:47 -0500
In-Reply-To: <1525384675.3539.89.camel@linux.vnet.ibm.com> (Mimi Zohar's
        message of "Thu, 03 May 2018 17:57:55 -0400")
Message-ID: <87fu38jq98.fsf@xmission.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8BIT
X-XM-SPF: eid=1fENGU-00076t-Dn;;;mid=<87fu38jq98.fsf@xmission.com>;;;hst=in01.mta.xmission.com;;;ip=97.119.174.25;;;frm=ebiederm@xmission.com;;;spf=neutral
X-XM-AID: U2FsdGVkX1+P25tpP9YJLDTEGMrKaV2jYisUSJQYpKI=
X-SA-Exim-Connect-IP: 97.119.174.25
X-SA-Exim-Mail-From: ebiederm@xmission.com
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on sa07.xmission.com
X-Spam-Level: **
X-Spam-Status: No, score=2.3 required=8.0 tests=ALL_TRUSTED,BAYES_50,
        DCC_CHECK_NEGATIVE,T_TM2_M_HEADER_IN_MSG,T_TooManySym_01,T_XMDrugObfuBody_08,
        XMNoVowels autolearn=disabled version=3.4.1
X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
        *  1.5 XMNoVowels Alpha-numberic number with no vowels
        *  0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available.
        *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
        *      [score: 0.5000]
        * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC
        *      [sa07 1397; Body=1 Fuz1=1 Fuz2=1]
        *  1.0 T_XMDrugObfuBody_08 obfuscated drug references
        *  0.0 T_TooManySym_01 4+ unique symbols in subject
X-Spam-DCC: XMission; sa07 1397; Body=1 Fuz1=1 Fuz2=1 
X-Spam-Combo: **;Mimi Zohar <zohar@linux.vnet.ibm.com>
X-Spam-Relay-Country: 
X-Spam-Timing: total 313 ms - load_scoreonly_sql: 0.04 (0.0%),
        signal_user_changed: 2.3 (0.7%), b_tie_ro: 1.57 (0.5%), parse: 1.24 (0.4%),
        extract_message_metadata: 6 (2.0%), get_uri_detail_list: 3.5 (1.1%),
        tests_pri_-1000: 5 (1.7%), tests_pri_-950: 1.56 (0.5%), tests_pri_-900: 1.30
        (0.4%), tests_pri_-400: 34 (10.9%), check_bayes: 33 (10.5%), b_tokenize: 14
        (4.6%), b_tok_get_all: 9 (2.7%), b_comp_prob: 4.2 (1.3%), b_tok_touch_all:
        3.7 (1.2%), b_finish: 0.61 (0.2%), tests_pri_0: 246 (78.5%),
        check_dkim_signature: 0.78 (0.2%), check_dkim_adsp: 3.1 (1.0%),
        tests_pri_500: 3.8 (1.2%), rewrite_mail: 0.00 (0.0%)
Subject: Re: [PATCH 0/3] kexec: limit kexec_load syscall
X-Spam-Flag: No
X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600)
X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Mimi Zohar <zohar@linux.vnet.ibm.com> writes:

> On Thu, 2018-05-03 at 16:38 -0500, Eric W. Biederman wrote:
>> Mimi Zohar <zohar@linux.vnet.ibm.com> writes:
>> 
>> > [Cc'ing Kees and kernel-hardening]
>> >
>> > On Thu, 2018-05-03 at 15:13 -0500, Eric W. Biederman wrote:
>> >> Mimi Zohar <zohar@linux.vnet.ibm.com> writes:
>> >> 
>> >> > In environments that require the kexec kernel image to be signed, prevent
>> >> > using the kexec_load syscall.  In order for LSMs and IMA to differentiate
>> >> > between kexec_load and kexec_file_load syscalls, this patch set adds a
>> >> > call to security_kernel_read_file() in kexec_load_check().
>> >> 
>> >> Having thought about it some more this justification for these changes
>> >> does not work.  The functionality of kexec_load is already root-only.
>> >> So in environments that require the kernel image to be signed just don't
>> >> use kexec_load.  Possibly even compile kexec_load out to save space
>> >> because you will never need it.  You don't need a new security hook to
>> >> do any of that.  Userspace is a very fine mechanism for being the
>> >> instrument of policy.
>> >
>> > True, for those building their own kernel, they can disable the old
>> > syscalls.  The concern is not for those building their own kernels,
>> > but for those using stock kernels.  
>> >
>> > By adding an LSM hook here in the kexec_load syscall, as opposed to an
>> > IMA specific hook, other LSMs can piggy back on top of it.  Currently,
>> > both load_pin and SELinux are gating the kernel module syscalls based
>> > on security_kernel_read_file.
>> >
>> > If there was a similar option for the kernel image, I'm pretty sure
>> > other LSMs would use it.
>> >
>> > From an IMA perspective, there needs to be some method for only
>> > allowing signed code to be loaded, executed, etc. - kernel modules,
>> > kernel image/initramfs, firmware, policies.
>> 
>> What is the IMA perspective.  Why can't IMA trust appropriately
>> authorized userspace?
>
> Suppose a system owner wants to define a system wide policy that
> requires all code be signed - kernel modules, firmware, kexec image &
> initramfs, executables, mmapped files, etc - without having to rebuild
> the kernel.  Without a call in kexec_load that isn't possible.

Of course it is.  You just make it a requirement that before an
executable will be signed it will be audited to see that it doesn't
call sys_kexec_load.  Signing presumably means something.  So it should
not be hard to enforce a policy like that on a specialty system call
that most applications will never call.

>> >> If you don't trust userspace that needs to be spelled out very clearly.
>> >> You need to talk about what your threat models are.
>> >> 
>> >> If the only justification is so that that we can't boot windows if
>> >> someone hacks into userspace it has my nack because that is another kind
>> >> of complete non-sense.
>> >
>> > The usecase is the ability to gate the kexec_load usage in stock
>> > kernels.
>> 
>> But kexec_load is already gated.  It requires CAP_SYS_BOOT.
>
> It isn't a matter of kexec_load already being gated, but of wanting a
> single place for defining a system wide policy, as described above.

Signing is only a tool to enforce a policy.  Signing by itself is not a
policy.  Enforcing any quality controls in the signed executables should
trivially prevent kexec_load from being used.

Eric