Received: by 2002:ac0:946b:0:0:0:0:0 with SMTP id j40csp2778664imj; Mon, 11 Feb 2019 08:19:46 -0800 (PST) X-Google-Smtp-Source: AHgI3IaOBjjP0gbS9/aafRJVUrGgoFfgnOLp6bMo/E0C1mo1H0KUKwmT+bqJWpMsKYrYp472pLw/ X-Received: by 2002:a65:4807:: with SMTP id h7mr17458268pgs.15.1549901986574; Mon, 11 Feb 2019 08:19:46 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1549901986; cv=none; d=google.com; s=arc-20160816; b=eO8PUAtKoapb43I17A+uNcbuXHanwHREy8vqy7fp72AXnt51cTzsuvm4tk0aHg7cBW AGiFZ9kgEvhZn8VA0Bded1KREN/vD9vJPwbnZt0Zlk1nhfR30+NCGb8XzCWWHnPAyOPe xXo9N9PsABQB/sD9VEMjUbUL7I5q7BuhvXb+I6qdRopqVwng601asTZZqRNh7G5Vyw8Q NALXFBnVt4aUCBKSq579lTCY/LRTARhbtnzJ3teTsVcp7ZEJlQhR9c+ms3OgVkWakvdI xRdAy33tzQxx6blTQP05N/5rXZc4LmXaZOIndHFVIytyuMwDVsAE6IbqjamF2S+LZCi5 YRIw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:content-transfer-encoding :mime-version:references:in-reply-to:date:cc:to:from:subject; bh=GeUjRMaeLuaIk+Aa6RyIK5k2w1t7N1Z75hC6NZcIYzg=; b=b8j8B8n1B+cCVzKcEUdzjXVz6auEP5agmXWl1kK7qc9NFHQf1gTVaZuwup/1ML86iu leAfugiTwWLl1ke+jHvu/GaIiuEBiLwgLoG7CfVycE6ZrDyOG5Tv6ud9paEw6K1wShMF G1NVvAoFD0jeRfSdSNz0W+ol2mb/0HWfgQv0JOC9kCQWJuxyqucYD6yqjRatyzwJWEin 6B3WLn51uZbs1UEy4wlXqsG6x/OGiqB7HGc6YwwvrS2oVwZqD+DftNIduk4JDNP4xo3n vjDu5zuAxvkZnacwPXQpMkh8AplfN/S3rAd0wpcDqnXOLyi5kvERDNcn13yQEybxNAQu +pNg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i15si3146230pfj.162.2019.02.11.08.19.30; Mon, 11 Feb 2019 08:19:46 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728378AbfBKQT0 (ORCPT + 99 others); Mon, 11 Feb 2019 11:19:26 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:33400 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728126AbfBKQTZ (ORCPT ); Mon, 11 Feb 2019 11:19:25 -0500 Received: from pps.filterd (m0098396.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x1BGEtg5031957 for ; Mon, 11 Feb 2019 11:19:24 -0500 Received: from e06smtp02.uk.ibm.com (e06smtp02.uk.ibm.com [195.75.94.98]) by mx0a-001b2d01.pphosted.com with ESMTP id 2qkbj1374f-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 11 Feb 2019 11:19:24 -0500 Received: from localhost by e06smtp02.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 11 Feb 2019 16:19:21 -0000 Received: from b06cxnps4075.portsmouth.uk.ibm.com (9.149.109.197) by e06smtp02.uk.ibm.com (192.168.101.132) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Mon, 11 Feb 2019 16:19:17 -0000 Received: from d06av26.portsmouth.uk.ibm.com (d06av26.portsmouth.uk.ibm.com [9.149.105.62]) by b06cxnps4075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x1BGJG1A43974816 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Mon, 11 Feb 2019 16:19:16 GMT Received: from d06av26.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id CAC6FAE045; Mon, 11 Feb 2019 16:19:16 +0000 (GMT) Received: from d06av26.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 85C70AE053; Mon, 11 Feb 2019 16:19:15 +0000 (GMT) Received: from localhost.localdomain (unknown [9.80.91.85]) by d06av26.portsmouth.uk.ibm.com (Postfix) with ESMTP; Mon, 11 Feb 2019 16:19:15 +0000 (GMT) Subject: Re: [PATCH] x86/ima: require signed kernel modules From: Mimi Zohar To: Jessica Yu Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Luis Chamberlain , David Howells , Seth Forshee , Justin Forbes , Matthew Garrett Date: Mon, 11 Feb 2019 11:19:04 -0500 In-Reply-To: <20190211155609.GC20732@linux-8ccs> References: <1548962339-10681-1-git-send-email-zohar@linux.ibm.com> <1548962339-10681-2-git-send-email-zohar@linux.ibm.com> <20190211155609.GC20732@linux-8ccs> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 x-cbid: 19021116-0008-0000-0000-000002BF213A X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19021116-0009-0000-0000-0000222B370A Message-Id: <1549901944.12743.162.camel@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-02-11_11:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1902110122 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 2019-02-11 at 16:56 +0100, Jessica Yu wrote: > +++ Mimi Zohar [31/01/19 14:18 -0500]: > >Require signed kernel modules on systems with secure boot mode enabled. > > > >To coordinate between appended kernel module signatures and IMA > >signatures, only define an IMA MODULE_CHECK policy rule if > >CONFIG_MODULE_SIG is not enabled. > > > >This patch defines a function named set_module_sig_required() and renames > >is_module_sig_enforced() to is_module_sig_enforced_or_required(). The > >call to set_module_sig_required() is dependent on CONFIG_IMA_ARCH_POLICY > >being enabled. > > > >Signed-off-by: Mimi Zohar > >--- > > arch/x86/kernel/ima_arch.c | 9 ++++++++- > > include/linux/module.h | 7 ++++++- > > kernel/module.c | 15 +++++++++++---- > > security/integrity/ima/ima_main.c | 2 +- > > 4 files changed, 26 insertions(+), 7 deletions(-) > > > >diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c > >index e47cd9390ab4..96a023238a83 100644 > >--- a/arch/x86/kernel/ima_arch.c > >+++ b/arch/x86/kernel/ima_arch.c > >@@ -64,12 +64,19 @@ static const char * const sb_arch_rules[] = { > > "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig", > > #endif /* CONFIG_KEXEC_VERIFY_SIG */ > > "measure func=KEXEC_KERNEL_CHECK", > >+#if !IS_ENABLED(CONFIG_MODULE_SIG) > >+ "appraise func=MODULE_CHECK appraise_type=imasig", > >+#endif > >+ "measure func=MODULE_CHECK", > > NULL > > }; > > > > const char * const *arch_get_ima_policy(void) > > { > >- if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) > >+ if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) { > >+ if (IS_ENABLED(CONFIG_MODULE_SIG)) > >+ set_module_sig_required(); > > return sb_arch_rules; > >+ } > > return NULL; > > } > >diff --git a/include/linux/module.h b/include/linux/module.h > >index 8fa38d3e7538..af51c8ec755f 100644 > >--- a/include/linux/module.h > >+++ b/include/linux/module.h > >@@ -659,7 +659,8 @@ static inline bool is_livepatch_module(struct module *mod) > > } > > #endif /* CONFIG_LIVEPATCH */ > > > >-bool is_module_sig_enforced(void); > >+bool is_module_sig_enforced_or_required(void); > >+void set_module_sig_required(void); > > > > #else /* !CONFIG_MODULES... */ > > > >@@ -780,6 +781,10 @@ static inline bool is_module_sig_enforced(void) > > return false; > > } > > > >+static inline void set_module_sig_required(void) > >+{ > >+} > >+ > > /* Dereference module function descriptor */ > > static inline > > void *dereference_module_function_descriptor(struct module *mod, void *ptr) > >diff --git a/kernel/module.c b/kernel/module.c > >index 2ad1b5239910..70a9709d19eb 100644 > >--- a/kernel/module.c > >+++ b/kernel/module.c > >@@ -275,16 +275,23 @@ static void module_assert_mutex_or_preempt(void) > > > > static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE); > > module_param(sig_enforce, bool_enable_only, 0644); > >+static bool sig_required; > > > > /* > > * Export sig_enforce kernel cmdline parameter to allow other subsystems rely > > * on that instead of directly to CONFIG_MODULE_SIG_FORCE config. > > */ > >-bool is_module_sig_enforced(void) > >+bool is_module_sig_enforced_or_required(void) > > { > >- return sig_enforce; > >+ return sig_enforce || sig_required; > > } > > Hi Mimi, > > Just wondering, is there any particular reason why a distinction is > made between sig_enforce and sig_required? Doesn't sig_enforce imply > that signed modules are required? In other words, why introduce > another variable instead of just using sig_enforce? It may be > confusing in the case of a user looking at /sys/module/module/parameters/sig_enforce > and it having a value of 0 yet module signatures are being required by ima. Hi Jessica, It would definitely be a lot better not having to differentiate between the builtin CONFIG/module parm enforced and runtime enforced.  For some reason the "lockdown" patch doesn't directly modify sig_enforce. Mimi > > >-EXPORT_SYMBOL(is_module_sig_enforced); > >+EXPORT_SYMBOL(is_module_sig_enforced_or_required); > >+ > >+void set_module_sig_required(void) > >+{ > >+ sig_required = true; > >+} > >+EXPORT_SYMBOL(set_module_sig_required); > > > > /* Block module loading/unloading? */ > > int modules_disabled = 0; > >@@ -2789,7 +2796,7 @@ static int module_sig_check(struct load_info *info, int flags) > > } > > > > /* Not having a signature is only an error if we're strict. */ > >- if (err == -ENOKEY && !is_module_sig_enforced()) > >+ if (err == -ENOKEY && !is_module_sig_enforced_or_required()) > > err = 0; > > > > return err; > >diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c > >index 357edd140c09..bbaf87f688be 100644 > >--- a/security/integrity/ima/ima_main.c > >+++ b/security/integrity/ima/ima_main.c > >@@ -563,7 +563,7 @@ int ima_load_data(enum kernel_load_data_id id) > > } > > break; > > case LOADING_MODULE: > >- sig_enforce = is_module_sig_enforced(); > >+ sig_enforce = is_module_sig_enforced_or_required(); > > > > if (ima_enforce && (!sig_enforce > > && (ima_appraise & IMA_APPRAISE_MODULES))) { > >-- > >2.7.5 > > >