Date: Mon, 18 Feb 2019 10:43:14 +0100
From: Jessica Yu
To: Mimi Zohar
Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Luis Chamberlain, David Howells, Seth Forshee, "Bruno E . O . Meneguele"
Subject: Re: [PATCH v3] x86/ima: require signed kernel modules
Message-ID: <20190218094313.GA9296@linux-8ccs>
References: <1550249418-7986-1-git-send-email-zohar@linux.ibm.com>
In-Reply-To: <1550249418-7986-1-git-send-email-zohar@linux.ibm.com>

+++ Mimi Zohar [15/02/19 11:50 -0500]:
>Have the IMA architecture specific policy require signed kernel modules
>on systems with secure boot mode enabled; and coordinate the different
>signature verification methods, so only one signature is required.
>
>Requiring appended kernel module signatures may be configured, enabled
>on the boot command line, or with this patch enabled in secure boot
>mode. This patch defines set_module_sig_enforced().
>
>To coordinate between appended kernel module signatures and IMA
>signatures, only define an IMA MODULE_CHECK policy rule if
>CONFIG_MODULE_SIG is not enabled. A custom IMA policy may still define
>and require an IMA signature.
>
>Signed-off-by: Mimi Zohar

Acked-by: Jessica Yu

Thanks!

>---
> arch/x86/kernel/ima_arch.c | 9 ++++++++-
> include/linux/module.h     | 5 +++++
> kernel/module.c            | 5 +++++
> 3 files changed, 18 insertions(+), 1 deletion(-)
>
>diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c
>index e47cd9390ab4..3fb9847f1cad 100644
>--- a/arch/x86/kernel/ima_arch.c
>+++ b/arch/x86/kernel/ima_arch.c
>@@ -64,12 +64,19 @@ static const char * const sb_arch_rules[] = { > "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig", > #endif /* CONFIG_KEXEC_VERIFY_SIG */ > "measure func=KEXEC_KERNEL_CHECK", >+#if !IS_ENABLED(CONFIG_MODULE_SIG) >+ "appraise func=MODULE_CHECK appraise_type=imasig", >+#endif >+ "measure func=MODULE_CHECK", > NULL > }; > > const char * const *arch_get_ima_policy(void) > { >- if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) >+ if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) { >+ if (IS_ENABLED(CONFIG_MODULE_SIG)) >+ set_module_sig_enforced(); > return sb_arch_rules; >+ } > return NULL; > } >diff --git a/include/linux/module.h b/include/linux/module.h >index 8fa38d3e7538..5aaa9359adc8 100644 >--- a/include/linux/module.h >+++ b/include/linux/module.h >@@ -660,6 +660,7 @@ static inline bool is_livepatch_module(struct module *mod) > #endif /* CONFIG_LIVEPATCH */ > > bool is_module_sig_enforced(void); >+void set_module_sig_enforced(void); > > #else /* !CONFIG_MODULES... */ > >@@ -780,6 +781,10 @@ static inline bool is_module_sig_enforced(void) > return false; > } > >+static inline void set_module_sig_enforced(void) >+{ >+} >+ > /* Dereference module function descriptor */ > static inline > void *dereference_module_function_descriptor(struct module *mod, void *ptr) >diff --git a/kernel/module.c b/kernel/module.c >index 2ad1b5239910..73cada04bd24 100644 >--- a/kernel/module.c >+++ b/kernel/module.c >@@ -286,6 +286,11 @@ bool is_module_sig_enforced(void) > } > EXPORT_SYMBOL(is_module_sig_enforced); > >+void set_module_sig_enforced(void) >+{ >+ sig_enforce = true; >+} >+ > /* Block module loading/unloading? */ > int modules_disabled = 0; > core_param(nomodule, modules_disabled, bint, 0); >-- >2.7.5 >
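Review bot: in the arch/x86/kernel/ima_arch.c hunk, arch_get_ima_policy() now mutates module-signing state by calling set_module_sig_enforced() from a function whose name promises a plain lookup, and nothing in the hunk explains why; a one-line comment above `if (IS_ENABLED(CONFIG_MODULE_SIG))` saying that secure boot turns on appended-signature enforcement, which is why the IMA appraise rule for MODULE_CHECK is compiled out in that configuration, would make the intent clear to the next reader. The hunk also introduces a call to set_module_sig_enforced() without adding an include for linux/module.h, so confirm ima_arch.c already picks up the declaration directly or transitively, otherwise the build fails on an implicit declaration.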
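Review bot: in the kernel/module.c hunk, set_module_sig_enforced() is placed after EXPORT_SYMBOL(is_module_sig_enforced), outside any CONFIG_MODULE_SIG guard, yet it assigns `sig_enforce = true;`; check whether sig_enforce is a real variable only when CONFIG_MODULE_SIG is set (and a constant otherwise), because in that case this will not compile for CONFIG_MODULES=y with CONFIG_MODULE_SIG=n. If so, define the function inside the CONFIG_MODULE_SIG block next to the sig_enforce declaration; the caller's IS_ENABLED(CONFIG_MODULE_SIG) test lets the compiler drop the reference in the disabled configuration, so no extra stub is needed. A short comment noting that this is a one-way switch (nothing clears enforcement once it is set) would also help readers of this file.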