Received: by 2002:ac0:aed5:0:0:0:0:0 with SMTP id t21csp4655597imb; Wed, 6 Mar 2019 19:57:27 -0800 (PST) X-Google-Smtp-Source: APXvYqxrN5idID3hBXiyiN1T1hbGp3isUJoimJNal5l+wgs7d0XhBww6OBDnTELnMeRi69GOMh8+ X-Received: by 2002:a62:6d81:: with SMTP id i123mr10659340pfc.235.1551931046931; Wed, 06 Mar 2019 19:57:26 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1551931046; cv=none; d=google.com; s=arc-20160816; b=P4RjODhZezjxnTkRztMoUH5bYp6hCuruXpiWc+A8k1CZqc6m8cySQzJ6U8iXIFkPJy SSIV1ZQrOMIQ58pMgsM/vkGbFSkwhQe+kgQ/TBhhPZChlbWyu1tlMQu8x3uo+VnO65tC S/uIf4qWeqAEmXUk81AoSRkSkv94GenTAlpOWjLMazTzHacVt9IDfnj+mxGeV41yDWCn bdXPohY3NyqZNMmnYkqaoS4N8mY4e3h8wzgpCaX3OE1JZUvUCsB9OoqJINMA0uRW9BGV 4rjrueMAux+9ZGD+PW6b0S8ENqnGnMFdszD6qeijHcQht9Yy887zV+k1y7eP6Bq4abG9 rN9Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:content-transfer-encoding :mime-version:references:in-reply-to:date:cc:to:from:subject; bh=l+pFtu3+YjTjTsyzIyvMU036OelXTzYL4zJh38Oiz+U=; b=R/d3NQVRafVV8rPFDaJHzRkD6XJTDKufQdT+0UIO5Zt9EkR8SdIflEKTrwC5QUSmft dpJq6aZ7R7J2i+reIWVz8qIgzjurThi9yCVOI8C+gqYfWTBMi2LsAiooCSiC5lnTWIeA 2mbEZ/IxyzcyhqM9OnnaC4cxFr6OZ3ZqnIxTsghU4Xv1bt6yxLptgB9GlX2R+io9nrlR qKaivZwWt2qZ8wAUmW2nHiNe4bY3IND6WMDUig31/zOoYnKzl+2/ak9jtE9/1LrVDUyw 31NdFs62fiBiQhX108asoBOQ+wVlaKtypGTJNZJR2vME4p8P5/1+19ErnhWY7/PSuXbQ WnGA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a13si3165212pls.101.2019.03.06.19.57.08; Wed, 06 Mar 2019 19:57:26 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726264AbfCGD4t (ORCPT + 99 others); Wed, 6 Mar 2019 22:56:49 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:52698 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726128AbfCGD4t (ORCPT ); Wed, 6 Mar 2019 22:56:49 -0500 Received: from pps.filterd (m0098399.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x273sqcM050824 for ; Wed, 6 Mar 2019 22:56:48 -0500 Received: from e06smtp03.uk.ibm.com (e06smtp03.uk.ibm.com [195.75.94.99]) by mx0a-001b2d01.pphosted.com with ESMTP id 2r2t3vungm-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Wed, 06 Mar 2019 22:56:48 -0500 Received: from localhost by e06smtp03.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 7 Mar 2019 03:56:46 -0000 Received: from b06cxnps3075.portsmouth.uk.ibm.com (9.149.109.195) by e06smtp03.uk.ibm.com (192.168.101.133) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Thu, 7 Mar 2019 03:56:43 -0000 Received: from d06av21.portsmouth.uk.ibm.com (d06av21.portsmouth.uk.ibm.com [9.149.105.232]) by b06cxnps3075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x273ugpC54198484 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 7 Mar 2019 03:56:42 GMT Received: from d06av21.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 2EE6A52057; Thu, 7 Mar 2019 03:56:42 +0000 (GMT) Received: from localhost.localdomain (unknown [9.80.93.211]) by d06av21.portsmouth.uk.ibm.com (Postfix) with ESMTP id 751FB52051; Thu, 7 Mar 2019 03:56:41 +0000 (GMT) Subject: Re: [PULL REQUEST] Kernel lockdown patches for 5.2 From: Mimi Zohar To: Matthew Garrett , jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com Date: Wed, 06 Mar 2019 22:56:30 -0500 In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com> References: <20190306235913.6631-1-matthewgarrett@google.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 x-cbid: 19030703-0012-0000-0000-000002FF91D8 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19030703-0013-0000-0000-000021369EBD Message-Id: <1551930990.31706.279.camel@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-03-07_01:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903070026 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 2019-03-06 at 15:58 -0800, Matthew Garrett wrote: > 3) The integration with IMA has been dropped for now. IMA is in the > process of adding support for architecture-specific policies that will > interact correctly with the lockdown feature, and a followup patch will > integrate that so we don't end up with an ordering dependency on the > merge The architecture specific policy is an attempt to coordinate between the different signature verification methods (eg. PE and IMA kexec kernel image signatures, appended and IMA kernel module signatures).  The coordination between these signature verification methods is independent of the "lockdown" feature. To prevent requiring multiple signature verifications, an IMA policy rule(s) is defined only if either KEXEC_VERIFY_SIG or MODULE_SIG is not enabled. The kexec and kernel modules patches in this patch set continues to ignore IMA.  This patch set should up front either provide an alternative solution to coordinate the different signature verification methods or rely on the architecture specific policy for that coordination. Mimi