Received: by 10.223.164.221 with SMTP id h29csp476259wrb;
        Sat, 28 Oct 2017 01:36:51 -0700 (PDT)
X-Google-Smtp-Source: ABhQp+Qk3wTWgTM/0yaliX4sl5m2KgwS7bms1S7XFdAwb64fAwpi4zI+5xwCr8fQxr+HMrSgI2S9
X-Received: by 10.99.116.76 with SMTP id e12mr2487817pgn.126.1509179811476;
        Sat, 28 Oct 2017 01:36:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1509179811; cv=none;
        d=google.com; s=arc-20160816;
        b=M+5ue5IBLRmByjzT6HURMIUpg76B09Ot7UIrdB0kmGkFyWU4f71px2wTf4rIyw7UDR
         cn+l5GturgD5t8VRGX3SwICvVn9YdglQ6Cpprr0rfioFShl3pIDqrt8J879+GNcIGkqS
         W8DGDf39C8lYNuHztd2gRcy8ug1uToEWCcpjPVfpHWcuAdtBFHlnmTNKQxuMKbarrykL
         S+WPOagDky8pddyatBrR/NKDvhNMTXD8kLcKAAigzKO2NIg/63bggeifeWITZpoRQYBC
         tMeaa94q9MFWiyIomJKfZ7hyYrrPRtiuXYvnkjutTeJv9olM8t0oZPP9WfoHi46yOYK7
         jaiQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-transfer-encoding:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date
         :arc-authentication-results;
        bh=U7/s60CtlzomnHWbC6nyXNImcUvYm29j+4Mhy0a9Pak=;
        b=mzkRI0XJqtV13P4CxpUgAKTkZCRoaZL2/0/rFgJTI+A60jJzDBVUEqqwbHBKaOD8ur
         GpWiFwEz6mfb95104cWsT5rsfy2bSVZAwGWdFzGUeMTqaAHsWFG2S15bqCeI2BLUKyEq
         HPKlSpN/bg/MNHsYgIJui+QJf5WE3SokEr8dV1bnmkR20whVtTW5E2z11ZHQUYdPSpXc
         NSceV286fX35Q8DMisgQhQy9nmjK8MU4EpQnJbl1YE2hap+SiqGgN3aI99/+zwaYH6cb
         gBL6egaQa3XyrZIAvKdBJpyJ3VYOt9p+lmKaWQr75+k1aiUDG+gpRO3ZQXbGGhsGjH+q
         4AQw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id s8si3175625pgp.374.2017.10.28.01.36.26;
        Sat, 28 Oct 2017 01:36:51 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751486AbdJ1If0 (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 99 others); Sat, 28 Oct 2017 04:35:26 -0400
Received: from smtp.nue.novell.com ([195.135.221.5]:43209 "EHLO
        smtp.nue.novell.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750803AbdJ1IfV (ORCPT
        <rfc822;groupwise-linux-kernel@vger.kernel.org:0:0>);
        Sat, 28 Oct 2017 04:35:21 -0400
Received: from linux-l9pv.suse (124-11-22-254.static.tfn.net.tw [124.11.22.254])
        by smtp.nue.novell.com with ESMTP (TLS encrypted); Sat, 28 Oct 2017 10:35:15 +0200
Date:   Sat, 28 Oct 2017 16:34:46 +0800
From:   joeyli <jlee@suse.com>
To:     Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc:     David Howells <dhowells@redhat.com>,
        linux-security-module@vger.kernel.org, gnomes@lxorguk.ukuu.org.uk,
        linux-efi@vger.kernel.org, gregkh@linuxfoundation.org,
        linux-kernel@vger.kernel.org, jforbes@redhat.com,
        Matthew Garrett <mjg59@google.com>
Subject: Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has
 been set
Message-ID: <20171028083446.GG20348@linux-l9pv.suse>
References: <150842463163.7923.11081723749106843698.stgit@warthog.procyon.org.uk>
 <150842468754.7923.10037578333644594134.stgit@warthog.procyon.org.uk>
 <1508774083.3639.124.camel@linux.vnet.ibm.com>
 <20171026074243.GM8550@linux-l9pv.suse>
 <1509027463.5886.26.camel@linux.vnet.ibm.com>
 <1509132746.3729.9.camel@linux.vnet.ibm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <1509132746.3729.9.camel@linux.vnet.ibm.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Oct 27, 2017 at 03:32:26PM -0400, Mimi Zohar wrote:
> On Thu, 2017-10-26 at 10:17 -0400, Mimi Zohar wrote:
> > On Thu, 2017-10-26 at 15:42 +0800, joeyli wrote:
> > > Hi Mimi,
> > > 
> > > Thank you for reviewing.
> > > 
> > > On Mon, Oct 23, 2017 at 11:54:43AM -0400, Mimi Zohar wrote:
> > > > On Thu, 2017-10-19 at 15:51 +0100, David Howells wrote:
> > > > > From: Chun-Yi Lee <joeyli.kernel@gmail.com>
> > > > > 
> > > > > When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
> > > > > through kexec_file systemcall if securelevel has been set.
> > > > 
> > > > The patch title and description needs to be updated to refer to
> > > > lockdown, not securelevel.
> > > > 
> > > > As previously mentioned the last time these patches were posted, this
> > > > leaves out testing to see if the integrity subsystem is enabled.
> > > > 
> > > > Commit 503ceaef8e2e "ima: define a set of appraisal rules requiring
> > > > file signatures" was upstreamed. �An additional patch could force
> > > > these rules to be added to the custom policy, if lockdown is enabled.
> > > > �This and other patches in this series could then check to see if
> > > > is_ima_appraise_enabled() is true.
> > > > 
> > > > Mimi
> > > >
> > > 
> > > I have updated the patch title and description, and I also added
> > > is_ima_appraise_enabled() as the following. Is it good to you?
> > 
> > Yes, that works. �Thanks! �Remember is_ima_appraise_enabled() is
> > dependent on the "ima: require secure_boot rules in lockdown mode"
> > patch -�http://kernsec.org/pipermail/linux-security-module-archive/201
> > 7-October/003910.html.
> > 
> > The IMA "secure_boot" policy can be specified on the boot command line
> > as ima_policy="secure_boot". �It requires kernel modules, firmware,
> > kexec kernel image and the IMA custom policy to be signed. �In
> > lockdown mode, these rules are enabled by default and added to the
> > custom policy.
> > 
> > > On the other hand, I am not good on IMA. I have traced the code path
> > > in kimage_file_prepare_segments(). Looks that the READING_KEXEC_IMAGE
> > > doesn't show in selinux_kernel_read_file(). Where is the exact code
> > > in IMA for checking the signature when loading crash kernel file?
> > 
> > kernel_read_file_from_fd() calls the security_kernel_read_file() and
> > security_kernel_post_read_file() hooks, which call ima_read_file() and
> > ima_post_read_file() respectively.
> 
> Hm, with "lockdown" enabled on the boot command line, I'm now able to
> do the kexec load, but not the unload.  :/ � After the kexec load with

I have tried on Qemu with OVMF, I can load and unload second kernel by
kexec tool (on openSUSE is in kexec-tools RPM):  

# kexec -u -s

I add -s for using kexec-load-file, and I signed kernel by pesign.

> the "--reuse-cmdline" option, the system reboots, but isn't in
> "lockdown" mode.
>

Either enabling secure boot in EFI firmware or using _lockdown_ kernel
parameter, the second kernel can be locked down on my OVMF VM.

I used following commands:

# kexec -s -l /boot/vmlinuz-4.14.0-rc2-default+ --append="$(cat /proc/cmdline)" --initrd=/boot/initrd-4.14.0-rc2-default+
# umount -a; mount -o remount,ro /
# kexec -e

The kernel source is from David's linux-fs git with lockdown-20171026 tag.
The kernel is also signed by pesign.

Regards
Joey Lee 

From 1582440463469175131@xxx Fri Oct 27 19:33:47 +0000 2017
X-GM-THRID: 1581706022474432608
X-Gmail-Labels: Inbox,Category Forums