Received: by 2002:a25:f815:0:0:0:0:0 with SMTP id u21csp1623377ybd;
        Wed, 26 Jun 2019 22:00:16 -0700 (PDT)
X-Google-Smtp-Source: APXvYqwld4JwQ4gkpSyHcsRLUaFMytDrfaYm63tC+qvNiypoLfxUr4y+MnZy+gFCISF8q3lRPa8Y
X-Received: by 2002:a63:2b47:: with SMTP id r68mr1757786pgr.352.1561611615924;
        Wed, 26 Jun 2019 22:00:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1561611615; cv=none;
        d=google.com; s=arc-20160816;
        b=RL+xaYVHo3WoZjPH37x2Qw01zbywk14p9KRnJn7XPesqiiY9+AngNvoQzzTDJhT9GU
         RIQ95rondiXwPo8lBtqHSe93NDb8779QD1J9Hxa6Ak77iRj8I95Y+pntFjdcg7b2hO3N
         HwnDKO+d+Vlb2YpWRQLaKNHQAMz16GwGuYXckHnd7X1dAalua1Mxh7/MCt2MMtaAeQpn
         uob+mmhztxgP4TM9+OQ7v0r+wZ0ZXoebrPriz2AdraPvY+y4vXEGIYRMa6IsPDSozb7v
         ceJvO5c/epshDBoUk1MeDghRFOnFUwPsr/H1S/dhczJrmm1Ez5g0yDRJAXmu98PZ7JHB
         /jZQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :message-id:in-reply-to:subject:cc:to:from:date;
        bh=FEN66ucUtL1qXIj4syhRHrQpQpOqWmEsAJiDSDhZGFo=;
        b=NzAY9VkX+Rq4ON0UHMUmhAr/JXm9xuzWvRkl5ogJyML6dAprMwUKGR0qPNoQuWWDkr
         AtXel0L7nX4L6WLNJSsaGB55/wT3vWtweJzb0nzheJpTTYuHNDZ2jlaVKC25+oVUtQF4
         Ogv/9vQtCeKlaFSLepjRI7WpgZNa8yLpXt7q5t9DJ8gc3UusOPRYZuLkyd5fPHW4TLxc
         +eZwehUUQgoAvByC/fCNYxa1bxdRPRHS2CJICnwOzW5Ehbz21hlHEJUk0ORzbrAnnPoQ
         mGA7S3kervqQ2AKyjxM1SbUbRofroLUfHg7VC2j6My3ZSKpDWqmxRCM67bqGDc65FW9O
         mbeA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id g18si1126160pgk.477.2019.06.26.21.59.39;
        Wed, 26 Jun 2019 22:00:15 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727017AbfF0E7f (ORCPT <rfc822;busarih159@gmail.com>
        + 99 others); Thu, 27 Jun 2019 00:59:35 -0400
Received: from namei.org ([65.99.196.166]:48942 "EHLO namei.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1725385AbfF0E7f (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 27 Jun 2019 00:59:35 -0400
Received: from localhost (localhost [127.0.0.1])
        by namei.org (8.14.4/8.14.4) with ESMTP id x5R4x9Cl020018;
        Thu, 27 Jun 2019 04:59:09 GMT
Date:   Thu, 27 Jun 2019 14:59:09 +1000 (AEST)
From:   James Morris <jmorris@namei.org>
To:     Matthew Garrett <matthewgarrett@google.com>
cc:     linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org, linux-api@vger.kernel.org,
        Jiri Bohac <jbohac@suse.cz>,
        David Howells <dhowells@redhat.com>,
        Matthew Garrett <mjg59@google.com>, kexec@lists.infradead.org
Subject: Re: [PATCH V34 09/29] kexec_file: Restrict at runtime if the kernel
 is locked down
In-Reply-To: <20190622000358.19895-10-matthewgarrett@google.com>
Message-ID: <alpine.LRH.2.21.1906271423070.16512@namei.org>
References: <20190622000358.19895-1-matthewgarrett@google.com> <20190622000358.19895-10-matthewgarrett@google.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 21 Jun 2019, Matthew Garrett wrote:

> From: Jiri Bohac <jbohac@suse.cz>
> 
> When KEXEC_SIG is not enabled, kernel should not load images through
> kexec_file systemcall if the kernel is locked down.

This is not a criticism of the patch but a related issue which I haven't 
seen discussed (apologies if it has).

If signed code is loaded into ring 0, verified by the kernel, then 
executed, you still lose your secure/trusted/verified boot state. If the 
currently running kernel has been runtime-compromised, any signature 
verification performed by the kernel cannot be trusted.

This problem is out of scope for the lockdown threat model (which 
naturally cannot include a compromised kernel), but folk should be aware 
that signature-verified kexec does not provide equivalent assurance to a 
full reboot on a secure-boot system.

Potential mitigations here include runtime integrity verification of the
kernel via a separate security monitor (hypervisor, SMM, TEE etc.) or some
kind of platform support for kexec verification.


-- 
James Morris
<jmorris@namei.org>