Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id AB4A2C433EF for ; Sat, 18 Dec 2021 02:27:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231713AbhLRC1k (ORCPT ); Fri, 17 Dec 2021 21:27:40 -0500 Received: from de-smtp-delivery-102.mimecast.com ([194.104.109.102]:57138 "EHLO de-smtp-delivery-102.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230037AbhLRC1i (ORCPT ); Fri, 17 Dec 2021 21:27:38 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=mimecast20200619; t=1639794456; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=G0+U/fL0R/UF7Sjy/Rfh0wLT91FUfkQboF5f5i2NKko=; b=QKNzbmx3iA9bJrqMrzt4AbDEM8UOJn4mCpvD8X88S4KLAAcAI/S7oOxTIRFnM/3PlnzTSA meYf1vtLfQaftmd81sJVztNtHL83wDcc72N7nn5gF7L8Bs2A6ro+D3iqfvaiiLxaqATpm/ ce6BVbrj16Fua0HhUB//kEyeNR0gnJQ= Received: from EUR01-DB5-obe.outbound.protection.outlook.com (mail-db5eur01lp2058.outbound.protection.outlook.com [104.47.2.58]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id de-mta-15-fDVnKHv3N8yc8vC4NjcBzQ-1; Sat, 18 Dec 2021 03:27:35 +0100 X-MC-Unique: fDVnKHv3N8yc8vC4NjcBzQ-1 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Cpp4bXQJdoCu/cpgR7T4Gmr7KmCJDEaAMAbc/ND8LSUBqUxSTyTZnaUfeyYH/qgbxc7ftNByxw2sLc/mMhxQRH+p7Jvt3zEJXJazISgM0DxGKJdyGwvMeiL7CNAHvpTtjodHAGXxT7TAigO6f7uOXnmbLxlow2xIU9nLtTEcnDdPGYcwTnfeM0IGSv0iQ2paPDdL1Vc8zhi4H1+DTaR6JgDacGDO+eBfsnzdWA+t1PspwwfQnS0YzuKKeKbjZYFdAc9L2iTInr03GziudTrQFvCPSSx1aAnYS4gqCTEIlv1IysmmYpBxadeZkBEjNffHxNhm7JXi/x/mXJ/4PsSvbA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=G0+U/fL0R/UF7Sjy/Rfh0wLT91FUfkQboF5f5i2NKko=; b=c5vTIaH0/EEoXXZTrKjkmdIZnOqivFIAiMrHukixsBqxpHjov/tqTgbniF3i12RwOJaobAWfnsKDeLZrdsZKsvHSuLHn5WOTKIdTval8PBy2OVlNjEYatvH8wom68X8FiRmN+CFWx4lAblV3e/TfspohvbIjEf1qDG2UX4lBT+5JAG52+WeqpkuRP82fOLSCYSWNfJv+2F8baTFePPTCB3rmYr9/j86nr2aUm9DOHY3tqJIXFrtn6QOXXh/n9kHwPmKN6YLORR4xaOiJ1vAkyFExhQU7TXQ5JlhbHb0/6o/kBUsqkNvc+MYEzE7cfgaStRJp2RUmO2hAakEi0LXUhg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com; Received: from VI1PR04MB7102.eurprd04.prod.outlook.com (2603:10a6:800:124::12) by VI1PR04MB5245.eurprd04.prod.outlook.com (2603:10a6:803:5a::27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4778.16; Sat, 18 Dec 2021 02:27:33 +0000 Received: from VI1PR04MB7102.eurprd04.prod.outlook.com ([fe80::ed2c:83e2:fbe4:c891]) by VI1PR04MB7102.eurprd04.prod.outlook.com ([fe80::ed2c:83e2:fbe4:c891%9]) with mapi id 15.20.4801.017; Sat, 18 Dec 2021 02:27:32 +0000 Date: Sat, 18 Dec 2021 10:27:20 +0800 From: joeyli To: Mimi Zohar Cc: Takashi Iwai , Dmitry Kasatkin , linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, Eric Snowberg , Jarkko Sakkinen Subject: Re: [PATCH] ima: Fix undefined arch_ima_get_secureboot() and co Message-ID: <20211218022720.GP3786@linux-l9pv.suse> References: <20211213161145.3447-1-tiwai@suse.de> <20211215160345.GF3786@linux-l9pv.suse> <20211216043212.GG3786@linux-l9pv.suse> <72b57e7f22a593ea7fe38e340ba11de944658554.camel@linux.ibm.com> Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <72b57e7f22a593ea7fe38e340ba11de944658554.camel@linux.ibm.com> User-Agent: Mutt/1.11.4 (2019-03-13) X-ClientProxiedBy: HK2PR02CA0193.apcprd02.prod.outlook.com (2603:1096:201:21::29) To VI1PR04MB7102.eurprd04.prod.outlook.com (2603:10a6:800:124::12) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 7d7a8a07-eea9-44a6-136e-08d9c1cdf100 X-MS-TrafficTypeDiagnostic: VI1PR04MB5245:EE_ X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:9508; X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: juFALcnEfHINgQ8qvhaukcteWaQbDSELj0vf4gVRPhY3av4WCSJ/rU+mEj1SFiyHZdP3sGVFHGzWfjtnEY3jBXmdUeUZbQZszgOj4D5e+NMe0DkkEOSRP7XRmUIk5e8c9up2aV/XW12+PPE0/M/WPr0L5y/Wr1fjWIAwzNorNxMw6TVDG8500aOKOfk0RkYtT+UnLPYEA6L/DCEao4r4rWxaLjYN9jYo98R3HP0m8Il4K5qK1puBfQyo3Yf0QoUE5RsX98PtxYwVDDTPoR1Zg8HRAsGhmphijK9gqYJjopwC2plHcVjJmBPac+EwgrWd6Sfid9E3GfDFTDb5xa9HsQ8UR4+mStemmK9LPSRp9VIDtN2A4Pf3EtSrWC6SLdxFUc3yTElTxyhodFPn7JedmlpL0NZ9MhQ/7NUP7LIz/nZMpQWyfBDPhsBfztB9UOkzNupkFE3k7kId/6AccW6c3JXv5ZmME7uLGDjOFynZX9bMLkJGMh5RAw5RTGqhnVbcT7uLmrkWLFpWk0Aumxd3G8GwMqdcb6NFZCfYOSVAWU6FwB4cU6k3Sa9WPuZzmFPOx3Y5m+S9vGJIk/CiJLeV8It7ZpPsiS6c39nK07pJOzi56JveraOfO/9jeJUKOFPP/BA1Yog1VZErl+ldgwJiYdHTtYdHO8fROA95O18oJf7lNDCq12qkhLNy9IedJO3ID1sjdyEceBxdV9WzxAJ2aw== X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:VI1PR04MB7102.eurprd04.prod.outlook.com;PTR:;CAT:NONE;SFS:(366004)(83380400001)(66946007)(66556008)(54906003)(508600001)(33656002)(1076003)(86362001)(66476007)(36756003)(8936002)(5660300002)(6486002)(2906002)(186003)(6506007)(26005)(8676002)(316002)(6512007)(9686003)(6666004)(4001150100001)(4326008)(6916009)(38100700002)(43062005);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?s2B9p0ZQB68E3NWl4Ee15O2kPl4VzWxCKbU2gbWX3mw6qWOhHiQnbspRwpHS?= =?us-ascii?Q?Pccx8v5qsrvm7JETYTXRNrqlAqF4lXMjuBe59bXDZ6xxr2K9VaV727+HEDNZ?= =?us-ascii?Q?FTF0g9U7pZFd+B3vI1pInFbSWZSGXnma8RgVzTBkQwkM28/6SoUu5T5LVj9V?= =?us-ascii?Q?N2Psh5nZXL+DOYz7SWL5msy8KArWIet8+4F4xFDHySvgonsfSIxRkLb+58cf?= =?us-ascii?Q?oMa5wjDw06XSwNFpRr3Y7Q+SOuqrGhg5SIpRF1uzQf/uKqFlHMYjHLEYMbd2?= =?us-ascii?Q?9U1VAxi6slqJjFQHLLTf/wVkCIl8M+BnfdMoSd/8EKqeCw7pV3Rk34VGbTMJ?= =?us-ascii?Q?DWLN8gWvzsq+J626RKSXuD990wCi3+ojc7BipGiUbgBTHiMpOgBeew/mf39D?= =?us-ascii?Q?7QstBJ1hjzkSR9yNgziCwG74nVtWEgR1GIfw2R0fKegppK8IHm2wDzAp7u6S?= =?us-ascii?Q?Hl/3JKY6JkpLus2U4F7k6fOKndQjJvjwlLFB2OSskG1d4oHBca6PsajjXCH5?= =?us-ascii?Q?7yQcgeqGlzUoyx6OyA46EBDr62YgZO3sie2ZQELatH72cdDDCt3jRQwvPn5Y?= =?us-ascii?Q?pvjIt0KZ/OffrK+BwTGF5O4aGavYL/gCz4OmUZkL8kHC6P4kiptX5QrPV67V?= =?us-ascii?Q?ErQzUVow6M81Nn77hpXTfBziGTJ+eBVDEVbF2AaWcJavnYPOhG4XYgE2fdlw?= =?us-ascii?Q?PEBIuOF0FM019/ANQxL9ISD/zw2O2UKhJNaCLI44yr+qTejmeEbJCueaaqBw?= =?us-ascii?Q?DqbPZwSXghsZQbIwGi4q2Eq0HYtmJlupsq0G4yZDXc/LXTW+Qqz5FBHmM0g0?= =?us-ascii?Q?EtujoKuMeCEV6roZhNQaCMTtt89yf2o05IdOiv4DC0Gz+rYIuU8AKywfnslx?= =?us-ascii?Q?e9et3PjjQeEYSyZgTvoc9yW6jFVxF5JwNiVVKZ6uD8AFxR0QPNpWXUQC3jIo?= =?us-ascii?Q?tvnSVfxLKoog8B3q6mV99JhBRCQ4mM4QGigI5cZ087/1w7AndXxfqqkI35zb?= =?us-ascii?Q?umi2AKAdsNKmsPOpQFZSZFoksigWeg1hOWBQx9G+IqbKr3c+NmjHczYl7vTq?= =?us-ascii?Q?p7mAlLWEkP5wxeaHulmvROmq0g6BWKwooqL1nFtyE/GxKga+ucwYPW0zWGhA?= =?us-ascii?Q?wRQQMC/Pwif/npoxo7TUTfiKPH6ZEKiEd7WWa6bgh2B14ha7m1ZF4wEXHlQF?= =?us-ascii?Q?BvS2a9DT+9J+jte1hxdrSWXcwo9acq4hY7cIxh2y1km0qIbjMXzXrzNIFNEu?= =?us-ascii?Q?d0YyvNaSoqO1AbBGM2cPhXAOPIdzwSbxHyJc1z/ziYGrKo4F9ftivXIYJLA1?= =?us-ascii?Q?sJMFKYNXXkWUnEcas5mTKgMz93zpt8yZaV2BYr3hulexPHFd/GG/Doxoy4Mf?= =?us-ascii?Q?UzMBweUtnDi9ao5dVUCtpbmoJrGcDgWQ9QUpBShGlxjJU66Fq+tPr6rHzET+?= =?us-ascii?Q?eQBZ4SdoC8NiYf05/P6v4Nvsy3isRHU58ttqqXQNJxxgVSYIx3rOUn59uTsl?= =?us-ascii?Q?1rUMxrPQYO3PvUC6ea9H931f7HObXGlRqHjYk7M/4K4oysc6eTy488ShAGXu?= =?us-ascii?Q?GtuxQxbi7NOI0EXJDAc=3D?= X-OriginatorOrg: suse.com X-MS-Exchange-CrossTenant-Network-Message-Id: 7d7a8a07-eea9-44a6-136e-08d9c1cdf100 X-MS-Exchange-CrossTenant-AuthSource: VI1PR04MB7102.eurprd04.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 18 Dec 2021 02:27:32.5856 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: f7a17af6-1c5c-4a36-aa8b-f5be247aa4ba X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: 97A+3Iz3j8W0caqFhC2jpKWrxRj3PtO28crQoLwzSkSLfud/vW5Pd9LjawowjXAX X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR04MB5245 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Dec 16, 2021 at 08:22:56AM -0500, Mimi Zohar wrote: > On Thu, 2021-12-16 at 12:32 +0800, joeyli wrote: > > On Wed, Dec 15, 2021 at 01:16:48PM -0500, Mimi Zohar wrote: > > > [Cc'ing Eric Snowberg, Jarkko] > > > > > > Hi Joey, > > > > > > On Thu, 2021-12-16 at 00:03 +0800, joeyli wrote: > > > > Hi Takashi, Mimi, > > > > > > > > On Tue, Dec 14, 2021 at 04:58:47PM +0100, Takashi Iwai wrote: > > > > > On Tue, 14 Dec 2021 16:31:21 +0100, > > > > > Mimi Zohar wrote: > > > > > > > > > > > > Hi Takashi, > > > > > > > > > > > > On Mon, 2021-12-13 at 17:11 +0100, Takashi Iwai wrote: > > > > > > > Currently arch_ima_get_secureboot() and arch_get_ima_policy() are > > > > > > > defined only when CONFIG_IMA is set, and this makes the code calling > > > > > > > those functions without CONFIG_IMA failing. Although there is no such > > > > > > > in-tree users, but the out-of-tree users already hit it. > > > > > > > > > > > > > > Move the declaration and the dummy definition of those functions > > > > > > > outside ifdef-CONFIG_IMA block for fixing the undefined symbols. > > > > > > > > > > > > > > Signed-off-by: Takashi Iwai > > > > > > > > > > > > Before lockdown was upstreamed, we made sure that IMA and lockdown > > > > > > could co-exist. This patch makes the stub functions available even > > > > > > when IMA is not configured. Do the remaining downstream patches > > > > > > require IMA to be disabled or can IMA co-exist? > > > > > > > > > > I guess Joey (Cc'ed) can explain this better. AFAIK, currently it's > > > > > used in a part of MODSIGN stuff in SUSE kernels, and it's calling > > > > > unconditionally this function for checking whether the system is with > > > > > the Secure Boot or not. > > > > > > > > > > > > > Actually in downstream code, I used arch_ima_get_secureboot() in > > > > load_uefi_certs() to prevent the mok be loaded when secure boot is > > > > disabled. Because the security of MOK relies on secure boot. > > > > > > > > The downstream code likes this: > > > > > > > > /* the MOK and MOKx can not be trusted when secure boot is disabled */ > > > > - if (!efi_enabled(EFI_SECURE_BOOT)) > > > > + if (!arch_ima_get_secureboot()) > > > > return 0; > > > > > > > > The old EFI_SECURE_BOOT bit can only be available on x86_64, so I switch > > > > the code to to arch_ima_get_secureboot() for cross-architectures and sync > > > > with upstream api. > > > > > > > > The load_uefi.c depends on CONFIG_INTEGRITY but not CONFIG_IMA. So > > > > load_uefi.c still be built when CONFIG_INTEGRITY=y and CONFIG_IMA=n. > > > > Then "implicit declaration of function 'arch_ima_get_secureboot'" is > > > > happened. > > > > > > The existing upstream code doesn't require secureboot to load the > > > MOK/MOKx keys. Why is your change being made downstream? > > > > > Because the security of MOK relies on secure boot. When secure boot is > > disabled, EFI firmware will not verify binary code. So arbitrary efi > > binary code can modify MOK when rebooting. > > > > When user disabled secure boot, a hacker can just replace shim.efi then > > reboot for enrolling new MOK without any interactive. Or hacker can just > > replace shim.efi and wait user to reboot their machine. A hacker's MOK can > > also be enrolled by hacked shim. User can't perceive. > > > > > Are you aware of Eric Snowberg's "Enroll kernel keys thru MOK" patch > > > set? When INTEGRITY_MACHINE_KEYRING is enabled and new UEFI variables > > > are enabled, instead of loading the MOK keys onto the .platform > > > keyring, they're loaded onto a new keyring name ".machine", which is > > > linked to the secondary keyring. > > > > > > Eric's patchset doesn't add a new check either to make sure secure boot > > > is enabled before loading the MOK/MOKx keys. > > > > > > > Kernel doesn't know how was a MOK enrolled. Kernel can only detect the > > state of secure boot. If kernel doesn't want to check the state of secure > > boot before loading MOK, then user should understands that they can not disable > > secure boot when using MOK. > > Thanks, Joey, for the detailed explained. I was agreeing with you that > MOK/MOKx keys should only be loaded when secure boot is enabled. A > better way for me to have phrased the questions would have been, why > are you making this change downstream and not upstream? > I just sent patch. The patch may changes behavior of kernel functions who used MOK/MOKx. We can discuss in that patch. Thanks Joey Lee