Received: by 2002:a25:f815:0:0:0:0:0 with SMTP id u21csp3178523ybd; Mon, 24 Jun 2019 21:04:48 -0700 (PDT) X-Google-Smtp-Source: APXvYqxepsfE8dHZa10la9oZMQnlllOh5EGa0ADrJ4U0GsMpG7CDDfDlz8i3gxDjbtymfH0aW4AI X-Received: by 2002:a17:902:6b44:: with SMTP id g4mr58481291plt.152.1561435488865; Mon, 24 Jun 2019 21:04:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1561435488; cv=none; d=google.com; s=arc-20160816; b=1E2oBXQsGj812BhO1OrLEmxN8Yy/l5REIg1i4HOfzzYh2WJXYWfTj6wpyINO61E5lW jTDj6qmewGQgxqakhC5uQMwhlMOtYPFzYFDXlwrph0Y9o3hAaPkiTcR9v8WFKpx7eeD5 INqwTtiPoN7bkt+CpRu/nrroawWfCSfRIywaw32di+43XXYss/wGU3IC7ftn+muvxcwG yf4st90+eMiMRrE9C2IDcFwPdB/BGBmSRtRZNw52A4cjTfkvnIDxTpYtkFlxu6vvkoqk bLl3bwj2CAIh5detc/ca2OogUOLhsIA4E9gG+i/ME/FJdJ5AhR6QuyTtlTDesBEK6GqK s2cA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=zNvnHjVZLeBkwx5DnxrnXY0O9TQzHKxcjR8STK/P0sU=; b=HwI9q1riLDAaI62oQ5+yqJqIsBVNEkdsC/xoi6d97v2aQU/JgV5Cd0AnyKb7choDNF CBWODfuXjUu5K5zupt1N6ssQV2OE8CiOKkDTvtQglfRt36VPbgb0APtiyz1lqUSOrbEg B6U5YsosuA5mgvEwQPlOZZELCS+F47DsOeUnzt2WMuYaUOwE4RMS8+egwQFTYYmnU8zC Sl7yJBIVI7U20yohPFAVVTrnM9o7vfObV39Cev/teBfuRXEEiQv2EWie23DZIb5LSkfe pUS9LyQMfisalTT2v9o11JY1IEDfUpq4xKoaFgzd2eAu4vl3urOqqtc/2a8t7sqTRdaz r7RQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=bWPW7sda; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k5si12718764pgm.297.2019.06.24.21.04.33; Mon, 24 Jun 2019 21:04:48 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=bWPW7sda; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729147AbfFYACm (ORCPT + 99 others); Mon, 24 Jun 2019 20:02:42 -0400 Received: from mail-io1-f65.google.com ([209.85.166.65]:44484 "EHLO mail-io1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726631AbfFYACm (ORCPT ); Mon, 24 Jun 2019 20:02:42 -0400 Received: by mail-io1-f65.google.com with SMTP id s7so891875iob.11 for ; Mon, 24 Jun 2019 17:02:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=zNvnHjVZLeBkwx5DnxrnXY0O9TQzHKxcjR8STK/P0sU=; b=bWPW7sdarMCTWE6gvhCS4q5QKL5i1C9X/hSDjFhEqHaKX+WmSlTqzwUceTojfRVNUr zywbp91SXq6A+duFsrFbDYbj+v+Wrx17PIIaCFMnm7d2JtOfSum3AYB7WHgA8AAbuqWi hxdcyYR4dlz2SA27CV8fZOGRzl4123Sx/1HlAj+2oOnIKDEFan1aaahPCrAuyRremyM7 wG9vIE3BuvBF4dcemLdw/39QJTHX52qb1b1i5qvru5PYtN5F1Ddi1+RLlqP4D6LgArFm YhV6hPojZU+QHyRSv1M9+UhHbltHd3TKR3s4FtFGRmnuACTDOtQOa9aG51TNRpXrDb2Q 9pRQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=zNvnHjVZLeBkwx5DnxrnXY0O9TQzHKxcjR8STK/P0sU=; b=Cn6IlvTsk8qJ6okv8S4Tdw0gOY3m2f0Qocxy4ISk2YdCgWg54SQk/4eqRLccg3xwhL 3+0zJIdFkYVtsTEqWTR76N0vIPI4jPwrMEqSBkQG8tJ3+tcKaxpBgHLp/zx5LYQV9qGs WAoS4uySf1oOEsD4CCeV2RbQ1FP8hH3tKOitRqAr/aeeREqFsU2rXOGlhLhiFLenM7f4 0F/zR9NdAsClSQqFVQ493DLKlK+o1SeweSUfV3QxB2w1srNLqUJZCTOajCtlLXZhb7Ts Lc+vv9CuDYEY0tGdHQz5/4sc7qVDp2yD0A1ZBu2+x3W+oZAii+1oxjYwj1/fm9LlCs2A EwqA== X-Gm-Message-State: APjAAAX6xYymznk/AN6PczRWt5w5qbeoivoiiXxxk2ceW+Cb3bBpA9fZ jDQb7yXV4/weesJycrqu80P9cRcbcE202UfdbGa4gA== X-Received: by 2002:a5d:9d97:: with SMTP id 23mr3074338ion.204.1561420960582; Mon, 24 Jun 2019 17:02:40 -0700 (PDT) MIME-Version: 1.0 References: <20190326182742.16950-1-matthewgarrett@google.com> <20190326182742.16950-8-matthewgarrett@google.com> <20190621064340.GB4528@localhost.localdomain> <20190624015206.GB2976@dhcp-128-65.nay.redhat.com> <1561411657.4340.70.camel@linux.ibm.com> In-Reply-To: <1561411657.4340.70.camel@linux.ibm.com> From: Matthew Garrett Date: Mon, 24 Jun 2019 17:02:29 -0700 Message-ID: Subject: Re: [PATCH V31 07/25] kexec_file: Restrict at runtime if the kernel is locked down To: Mimi Zohar Cc: Dave Young , James Morris , Jiri Bohac , Linux API , kexec@lists.infradead.org, Linux Kernel Mailing List , David Howells , LSM List , Andy Lutomirski Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jun 24, 2019 at 2:27 PM Mimi Zohar wrote: > I agree with Dave. There should be a stub lockdown function to > prevent enforcing lockdown when it isn't enabled. Sorry, when what isn't enabled? If no LSMs are enforcing lockdown then the check will return 0. The goal here is for distributions to be able to ship a kernel that has CONFIG_KEXEC_SIG=y, CONFIG_KEXEC_SIG_FORCE=n and at runtime be able to enforce a policy that requires signatures on kexec payloads.