On Tue, 2015-12-29 at 16:21 +0800, Dave Young wrote:
> Hi, Mimi
>
> On 12/28/15 at 07:51am, Mimi Zohar wrote:
> > On Mon, 2015-12-28 at 10:08 +0800, Dave Young wrote:
> > > On 12/25/15 at 09:45am, Mimi Zohar wrote:
> > > > IMA calculates the file hash, in this case, based on the buffer
> > > > contents. The hash is calculated once and used for both measurement
> > > > and appraisal. If the file integrity appraisal fails (eg. hash
> > > > comparison or signature failure), IMA prevents the kexec files from
> > > > being used.
> > > >
> > >
> > > Ok, thanks for the explanation. But I have another question, why do we
> > > need a special hook for KEXEC? Shouldn't all files use the same way to do the
> > > measurement and appraisal?
> >
> > "By all files" are you referring to all files read by the kernel or all
> > files opened, executed or mmapped by the system?
>
> Hmm, I mean any kind of files read by the kernel.
>
> > Currently IMA allocates a page sized buffer, reads a file a page chunk
> > at a time calculating the file hash as it does so, and then frees the
> > buffer before returning to the caller. This method of calculating the
> > file hash is used for measuring and appraising files opened
> > (FILE_CHECK), executed (BPRM_CHECK) or mmapped (MMAP_CHECK) by the
> > system.
> >
> > This patch set addresses files being read by the kernel. A single new
> > generic hook named ima_hash_and_process_file() is defined to not only
> > measure and appraise the kexec image and initramfs, but firmware and the
> > IMA policy. As we identify other places that the kernel is reading
> > files, this hook would be called in those places as well.
>
> What I can not understand is why IMA needs to know the caller information and
> why we can't introduce a generic interface. kexec and firmware and other
> callers all read files, so a common file based interface should be better?
The next patch set will define a common function for reading files by the
kernel. Luis set up a wiki
http://kernelnewbies.org/KernelProjects/common-kernel-loader with some
details.

This patch set defines a generic interface for measuring and appraising
files being read by the kernel, with the ability to define a policy based
on the caller information. For the details on expressing a policy, refer
to Documentation/ABI/testing/ima-policy. For example, the new rules could
be expressed like:

measure func=KEXEC_CHECK
appraise func=KEXEC_CHECK appraise_type=imasig
#
measure func=INITRAMFS_CHECK
appraise func=INITRAMFS_CHECK appraise_type=imasig
#
measure func=FIRMWARE_CHECK
appraise func=FIRMWARE_CHECK appraise_type=imasig
#
measure func=POLICY_CHECK
appraise func=POLICY_CHECK appraise_type=imasig

This policy flexibility is needed at least until all files come from
software providers with file signatures. (RPM has been modified to
include file signatures.) Even then, in terms of kexec, some distros
generate the initramfs on the target host and, therefore, can not sign
the initramfs. The local user could, however, sign the initramfs on their
own system.

Mimi
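As an added illustration of the per-caller policy rules quoted in the reply above (example code written for this page, not part of the thread or of the IMA patch set): a small parser for rules of the form `measure func=...` / `appraise func=... appraise_type=imasig`, plus a check that reports, for each kernel-read hook, whether the policy both measures it and requires a signature to appraise it. The hook names are the ones proposed in the mail; the sample policy is constructed and deliberately leaves `appraise_type=imasig` off the firmware rule so the gap shows up in the report.

```python
"""Parse IMA policy rules of the form shown in the mail and report which
kernel-read hooks are both measured and signature-appraised."""
# Constructed sample policy: the four rule pairs from the mail, with
# FIRMWARE_CHECK deliberately missing appraise_type=imasig to show a gap.
SAMPLE_POLICY = """
measure func=KEXEC_CHECK
appraise func=KEXEC_CHECK appraise_type=imasig
# the '#' separators in the mail are treated as comment lines
measure func=INITRAMFS_CHECK
appraise func=INITRAMFS_CHECK appraise_type=imasig
measure func=FIRMWARE_CHECK
appraise func=FIRMWARE_CHECK
measure func=POLICY_CHECK
appraise func=POLICY_CHECK appraise_type=imasig
"""
# IMA rule actions (see Documentation/ABI/testing/ima-policy)
ACTIONS = {"measure", "dont_measure", "appraise", "dont_appraise", "audit"}
# Hook names as proposed in this patch set (assumption: taken from the mail)
KERNEL_READ_HOOKS = ["KEXEC_CHECK", "INITRAMFS_CHECK", "FIRMWARE_CHECK", "POLICY_CHECK"]

def parse_policy(text):
    """Return a list of (action, {key: value}) pairs, one per rule line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *conds = line.split()
        if action not in ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        kv = {}
        for cond in conds:
            if "=" not in cond:
                raise ValueError(f"line {lineno}: bad condition {cond!r}")
            key, value = cond.split("=", 1)
            kv[key] = value
        rules.append((action, kv))
    return rules

def coverage(rules, hooks=KERNEL_READ_HOOKS):
    """Per hook: is it measured, and is it appraised requiring a signature?"""
    result = {}
    for hook in hooks:
        measured = any(a == "measure" and c.get("func") == hook for a, c in rules)
        signed = any(a == "appraise" and c.get("func") == hook
                     and c.get("appraise_type") == "imasig" for a, c in rules)
        result[hook] = {"measured": measured, "signature_appraised": signed}
    return result
```

Running `coverage(parse_policy(SAMPLE_POLICY))` flags FIRMWARE_CHECK as measured but not signature-appraised, which is the kind of gap a policy review should catch before the policy is loaded.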