Date: Thu, 14 Feb 2019 09:58:23 -0800
From: Luis Chamberlain
To: Mimi Zohar
Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Jessica Yu, David Howells, Seth Forshee, "Bruno E . O . Meneguele"
Subject: Re: [PATCH v2] x86/ima: require signed kernel modules
Message-ID: <20190214175823.GG11489@garbanzo.do-not-panic.com>
References: <1550060279-8624-1-git-send-email-zohar@linux.ibm.com>
In-Reply-To: <1550060279-8624-1-git-send-email-zohar@linux.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Feb 13, 2019 at 07:17:59AM -0500, Mimi Zohar wrote:
> Require signed kernel modules on systems with secure boot mode enabled.
>
> Requiring appended kernel module signatures may be configured, enabled
> on the boot command line, or with this patch enabled in secure boot
> mode.

But only if IMA is enabled? If so, should this statement be true if IMA
is disabled? Either way, this is not clear from the commit log and code.
Can the commit log be clear about whether set_module_sig_enforced() will
be set if IMA is disabled but secure boot mode is enabled?

> This patch defines set_module_sig_enforced().
>
> To coordinate between appended kernel module signatures and IMA
> signatures, only define an IMA MODULE_CHECK policy rule if
> CONFIG_MODULE_SIG is not enabled.
> > Signed-off-by: Mimi Zohar > --- > > Changelog: > - Removed new "sig_required" flag and associated functions, directly set > sig_enforce. > > arch/x86/kernel/ima_arch.c | 9 ++++++++- > include/linux/module.h | 1 + > kernel/module.c | 5 +++++ > 3 files changed, 14 insertions(+), 1 deletion(-) > > diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c > index e47cd9390ab4..3fb9847f1cad 100644 > --- a/arch/x86/kernel/ima_arch.c > +++ b/arch/x86/kernel/ima_arch.c > @@ -64,12 +64,19 @@ static const char * const sb_arch_rules[] = { > "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig", > #endif /* CONFIG_KEXEC_VERIFY_SIG */ > "measure func=KEXEC_KERNEL_CHECK", > +#if !IS_ENABLED(CONFIG_MODULE_SIG) > + "appraise func=MODULE_CHECK appraise_type=imasig", > +#endif > + "measure func=MODULE_CHECK", > NULL > }; > > const char * const *arch_get_ima_policy(void) > { > - if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) > + if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) { > + if (IS_ENABLED(CONFIG_MODULE_SIG)) > + set_module_sig_enforced(); > return sb_arch_rules; > + } > return NULL; > } > diff --git a/include/linux/module.h b/include/linux/module.h > index 8fa38d3e7538..75e2a5c24a2b 100644 > --- a/include/linux/module.h > +++ b/include/linux/module.h > @@ -660,6 +660,7 @@ static inline bool is_livepatch_module(struct module *mod) > #endif /* CONFIG_LIVEPATCH */ > > bool is_module_sig_enforced(void); > +void set_module_sig_enforced(void); > > #else /* !CONFIG_MODULES... */ I think you need the !CONFIG_MODULES definition of set_module_sig_enforced() then... > diff --git a/kernel/module.c b/kernel/module.c > index 2ad1b5239910..4cb5b733fb18 100644 > --- a/kernel/module.c > +++ b/kernel/module.c > @@ -286,6 +286,11 @@ bool is_module_sig_enforced(void) > } > EXPORT_SYMBOL(is_module_sig_enforced); > > +void set_module_sig_enforced(void) > +{ > + sig_enforce = true; > +} The export is not needed as it is bool eh? Luis
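Review bot: in the arch/x86/kernel/ima_arch.c hunk, the call to set_module_sig_enforced() inside arch_get_ima_policy() is guarded only by `if (IS_ENABLED(CONFIG_MODULE_SIG))`, which is an ordinary runtime `if` on a constant rather than a preprocessor guard, so the call is still compiled when CONFIG_MODULE_SIG is off and when CONFIG_MODULES is off (the module.h hunk adds the prototype only inside the CONFIG_MODULES branch); either wrap the call in `#ifdef CONFIG_MODULE_SIG` or make sure a no-op fallback declaration exists for those configurations. Separately, a function named arch_get_ima_policy() now has the side effect of switching module signature enforcement on every time it is called, which a reader of the caller will not expect; a one-line comment above the call saying that secure boot mode forces appended module signature verification would help, and the commit log should also say why `"measure func=MODULE_CHECK"` is added unconditionally while the appraise rule is added only for !CONFIG_MODULE_SIG.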
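Review bot: in the include/linux/module.h hunk, the new prototype `void set_module_sig_enforced(void);` is placed next to is_module_sig_enforced() inside the CONFIG_MODULES block, but the `#else /* !CONFIG_MODULES... */` branch that immediately follows is left untouched, so a built-in caller compiled without CONFIG_MODULES gets an implicit-declaration error; add `static inline void set_module_sig_enforced(void) { }` to the !CONFIG_MODULES branch, mirroring the existing fallbacks there. A short kernel-doc comment at the declaration, stating that the call is one-way (nothing in the series clears the flag again) and intended for boot-time arch policy setup, would also help future callers.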
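Review bot: in the kernel/module.c hunk, set_module_sig_enforced() assigns `sig_enforce = true` with no guard, while its only caller in this series invokes it under IS_ENABLED(CONFIG_MODULE_SIG); the hunk does not show how sig_enforce is defined when CONFIG_MODULE_SIG is off, so confirm that it is still an assignable variable in that configuration, and if it is a constant or absent there, move this function under the same #ifdef as sig_enforce and provide an empty fallback. The function also lacks a kernel-doc comment explaining when it is legitimate to call it and that the change is irreversible for the life of the kernel; unlike is_module_sig_enforced() directly above it, it is not exported, which is fine for a built-in-only caller but is worth stating in the commit log.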