Received: by 2002:ac0:946b:0:0:0:0:0 with SMTP id j40csp139393imj; Wed, 13 Feb 2019 06:03:32 -0800 (PST) X-Google-Smtp-Source: AHgI3IZQnw7dOu1O3uzKp46Pn203AKDfW/FYzXKb5SJ22jAYptSwBotc1MK3Vj+qXm1xiqYvtHvD X-Received: by 2002:a17:902:f01:: with SMTP id 1mr675767ply.41.1550066612578; Wed, 13 Feb 2019 06:03:32 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1550066612; cv=none; d=google.com; s=arc-20160816; b=Psbk8tIyVQCuktAYydIkkUHhehY3bG3O0vfDoK+H3Eq0DWIz9A1MQsc1V+zqEEY4HG T/J9wWR0Qk0gWSxPfHlRnf6ORl7GbqN67fwSvHQkClETRX9Bess1jdaGcR/BG3omlvvj MaEuPqG06l521gbuunb8gsvihvz2/eXDWlP/0LkHR5bcfdXfrkL+Q+PVU7T7LKOaspVO qZdcMHylQj9To+vciVQNrBzqipzdV39Aq6AHV0xCddvrSGa30J4TJSA92y1v27aTlERF ep4DN53a0v0eCy7ek0XnLtyuqwZ9ClbYJlaAjg62XentS84rChWOd+0piIbMV0asGt9S 213g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from; bh=Ke2sXZV/UV8gCNcZfIlGIu9gG6OaRhq/Ctfwn7xTx3Y=; b=aAbQEJN5+kTQ/950G9nmmkJmjtmngcuGG3g5fQv8QK8j9OaJyicTxzrkB/IH6n7w34 8FPMaIbH4zlzpYvilaFE2EdP8nZ7qOdvpnFBP9LaubS3YZyO1kruoru4+odM0vwmnLx+ 0TQ/H0I6CbYwetBR17A1fJRNdDm9MokvWHsr38+nTl08zILFIo+R98Vbe7R2MLwdwhYC fze9uezjD7TMOmtfuj3vii0F+mqp+7hb7DHpuRtMG3YGuOHom3O4c+XS1wlPrXx1oBp9 1LttG5uhvF/7jw++G8kQYI54tgJdk5N/9jDG2CwbHB/Q7sSOFViPOd+DnqYviWiZlZxU yGZA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h62si14699346pgc.227.2019.02.13.06.03.12; Wed, 13 Feb 2019 06:03:32 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2392062AbfBMMSp (ORCPT + 99 others); Wed, 13 Feb 2019 07:18:45 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:53038 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730329AbfBMMSp (ORCPT ); Wed, 13 Feb 2019 07:18:45 -0500 Received: from pps.filterd (m0098399.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x1DCARjo118263 for ; Wed, 13 Feb 2019 07:18:44 -0500 Received: from e06smtp02.uk.ibm.com (e06smtp02.uk.ibm.com [195.75.94.98]) by mx0a-001b2d01.pphosted.com with ESMTP id 2qmh4xdsar-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Wed, 13 Feb 2019 07:18:43 -0500 Received: from localhost by e06smtp02.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Wed, 13 Feb 2019 12:18:41 -0000 Received: from b06cxnps3075.portsmouth.uk.ibm.com (9.149.109.195) by e06smtp02.uk.ibm.com (192.168.101.132) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Wed, 13 Feb 2019 12:18:37 -0000 Received: from d06av22.portsmouth.uk.ibm.com (d06av22.portsmouth.uk.ibm.com [9.149.105.58]) by b06cxnps3075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x1DCIaGK51249296 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Wed, 13 Feb 2019 12:18:36 GMT Received: from d06av22.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C75014C052; Wed, 13 Feb 2019 12:18:36 +0000 (GMT) Received: from d06av22.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id AACAF4C044; Wed, 13 Feb 2019 12:18:35 +0000 (GMT) Received: from localhost.ibm.com (unknown [9.80.92.165]) by d06av22.portsmouth.uk.ibm.com (Postfix) with ESMTP; Wed, 13 Feb 2019 12:18:35 +0000 (GMT) From: Mimi Zohar To: linux-integrity@vger.kernel.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Jessica Yu , Luis Chamberlain , David Howells , Seth Forshee , "Bruno E . O . Meneguele" , Mimi Zohar Subject: [PATCH v2] x86/ima: require signed kernel modules Date: Wed, 13 Feb 2019 07:17:59 -0500 X-Mailer: git-send-email 2.7.5 X-TM-AS-GCONF: 00 x-cbid: 19021312-0008-0000-0000-000002BFF769 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19021312-0009-0000-0000-0000222C1572 Message-Id: <1550060279-8624-1-git-send-email-zohar@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-02-13_07:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1902130090 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Require signed kernel modules on systems with secure boot mode enabled. Requiring appended kernel module signatures may be configured, enabled on the boot command line, or with this patch enabled in secure boot mode. This patch defines set_module_sig_enforced(). To coordinate between appended kernel module signatures and IMA signatures, only define an IMA MODULE_CHECK policy rule if CONFIG_MODULE_SIG is not enabled. Signed-off-by: Mimi Zohar --- Changelog: - Removed new "sig_required" flag and associated functions, directly set sig_enforce. arch/x86/kernel/ima_arch.c | 9 ++++++++- include/linux/module.h | 1 + kernel/module.c | 5 +++++ 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c index e47cd9390ab4..3fb9847f1cad 100644 --- a/arch/x86/kernel/ima_arch.c +++ b/arch/x86/kernel/ima_arch.c @@ -64,12 +64,19 @@ static const char * const sb_arch_rules[] = { "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig", #endif /* CONFIG_KEXEC_VERIFY_SIG */ "measure func=KEXEC_KERNEL_CHECK", +#if !IS_ENABLED(CONFIG_MODULE_SIG) + "appraise func=MODULE_CHECK appraise_type=imasig", +#endif + "measure func=MODULE_CHECK", NULL }; const char * const *arch_get_ima_policy(void) { - if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) + if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) { + if (IS_ENABLED(CONFIG_MODULE_SIG)) + set_module_sig_enforced(); return sb_arch_rules; + } return NULL; } diff --git a/include/linux/module.h b/include/linux/module.h index 8fa38d3e7538..75e2a5c24a2b 100644 --- a/include/linux/module.h +++ b/include/linux/module.h @@ -660,6 +660,7 @@ static inline bool is_livepatch_module(struct module *mod) #endif /* CONFIG_LIVEPATCH */ bool is_module_sig_enforced(void); +void set_module_sig_enforced(void); #else /* !CONFIG_MODULES... */ diff --git a/kernel/module.c b/kernel/module.c index 2ad1b5239910..4cb5b733fb18 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -286,6 +286,11 @@ bool is_module_sig_enforced(void) } EXPORT_SYMBOL(is_module_sig_enforced); +void set_module_sig_enforced(void) +{ + sig_enforce = true; +} + /* Block module loading/unloading? */ int modules_disabled = 0; core_param(nomodule, modules_disabled, bint, 0); -- 2.7.5