Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down
[Corrected Matthew Garrett's email address. Cc'ed Bruno Meneguele]

On Mon, 2017-10-30 at 17:00 +, David Howells wrote:
> Mimi Zohar wrote:
>
> > This kernel_is_locked_down() check is being called for both the
> > original and new module_load syscalls. We need to be able to
> > differentiate them. This is fine for the original syscall, but for
> > the new syscall we would need an additional IMA check -
> > !is_ima_appraise_enabled().
>
> IMA can only be used with finit_module()?

Yes, without the file descriptor, IMA-appraisal can't access the xattrs.

You should really look at Bruno's patches, which are in my next branch:

8168913c50d5 "ima: check signature enforcement against cmdline param instead of CONFIG"
404090509894 module: export module signature enforcement status

Can we get an Ack on the module one?

Mimi
--
To unsubscribe from this list: send the line "unsubscribe linux-efi" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down
Mimi Zohar wrote:

> This kernel_is_locked_down() check is being called for both the
> original and new module_load syscalls. We need to be able to
> differentiate them. This is fine for the original syscall, but for
> the new syscall we would need an additional IMA check -
> !is_ima_appraise_enabled().

IMA can only be used with finit_module()?

David
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set
On Mon, 2017-10-30 at 15:49 +, David Howells wrote:
> Mimi Zohar wrote:
>
> > Huh?! With the "secure_boot" policy enabled on the boot command line,
> > IMA-appraisal would verify the kexec kernel image, firmware, kernel
> > modules, and custom IMA policy signatures.
>
> What happens if the "secure_boot" policy isn't enabled on the boot command
> line? Can you sum up both cases in a paragraph I can add to the patch
> description?

The other patch automatically enables "secure_boot" for lockdown mode. So
there is no need to specify "secure_boot" on the boot command line.
Reordering the patches so that the other patch comes before any call to
is_ima_appraise_enabled() will simplify this patch description.

> > Other patches in this patch series need to be updated as well to check
> > if IMA-appraisal is enabled.
>
> Which exactly? I've added your "!is_ima_appraise_enabled() &&" line to
> kexec_file() and module_sig_check(). Anything else?

load_module(), which calls module_sig_check(), is called by both the old
and new kernel module syscalls. IMA is only on the new syscall. Did you
differentiate between the kernel module syscalls?

There doesn't seem to be any other patches affected.

That said, the IMA "secure_boot" policy is more stringent than what you
have without it. For example, with the "secure_boot" policy enabled,
firmware needs to be signed as well. At some point, we'll want to also
require the initramfs be signed as well.

Both methods work independently of each other, but there needs to be
better coordination for when both methods are enabled at the same time
(e.g. are both signatures required?).

For testing purposes, you can use the same certs/signing_key to sign the
kexec image, kernel modules and firmware, by loading the signing_key on
the .ima keyring. Using evmctl, sign the files (e.g. evmctl ima_sign -a
sha256 -k certs/signing_key.pem --imasig /boot/).

Mimi
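The point raised above (load_module() serves both init_module() and finit_module(), but IMA-appraisal can only run on the latter because it needs the file descriptor to read xattrs) can be written out as a small decision model. The following is an added illustration for this archive, not code from the patch series or from the kernel: the enum, the policy_state struct and the two functions are constructed names that stand in for kernel_is_locked_down(), is_ima_appraise_enabled() and module_sig_check(), and the scenarios in main() are constructed inputs.

```c
#include <stdbool.h>
#include <stdio.h>

/* Which module-loading syscall was used. Constructed for this model;
 * the kernel distinguishes them by whether load_module() has a file. */
enum module_syscall { INIT_MODULE, FINIT_MODULE };

/* Snapshot of the relevant policy state (constructed for illustration).
 * Field names mirror the kernel helpers discussed in the thread. */
struct policy_state {
    bool locked_down;          /* kernel_is_locked_down() */
    bool ima_appraise_enabled; /* is_ima_appraise_enabled() */
    bool sig_enforce;          /* module signature enforcement already on */
};

/* Does module_sig_check() have to reject a module whose appended
 * signature is missing or invalid?
 *
 * Lockdown may defer to IMA-appraisal only when appraisal can actually
 * run, i.e. for finit_module() with appraisal enabled. init_module()
 * passes a memory buffer, not a file, so IMA cannot read xattrs and the
 * appended-signature check must stay in force. */
bool module_signature_required(enum module_syscall sc, struct policy_state s)
{
    if (s.sig_enforce)
        return true;
    if (!s.locked_down)
        return false;
    if (sc == FINIT_MODULE && s.ima_appraise_enabled)
        return false;
    return true;
}

/* Overall verdict for one load attempt. sig_valid is the appended
 * signature result; ima_appraisal_ok is IMA's verdict on the file,
 * which only exists (and only matters) for finit_module() when
 * appraisal is enabled. Returns true if the load may proceed. */
bool module_load_allowed(enum module_syscall sc, struct policy_state s,
                         bool sig_valid, bool ima_appraisal_ok)
{
    if (module_signature_required(sc, s) && !sig_valid)
        return false;
    if (sc == FINIT_MODULE && s.ima_appraise_enabled && !ima_appraisal_ok)
        return false;
    return true;
}

int main(void)
{
    /* Constructed scenario: locked-down kernel, IMA-appraisal enabled,
     * no separate sig_enforce. This is the case the thread is about. */
    struct policy_state lockdown_ima = {
        .locked_down = true, .ima_appraise_enabled = true, .sig_enforce = false
    };
    struct policy_state lockdown_only = {
        .locked_down = true, .ima_appraise_enabled = false, .sig_enforce = false
    };

    printf("lockdown+IMA, init_module, unsigned:        %s\n",
           module_load_allowed(INIT_MODULE, lockdown_ima, false, true) ? "allowed" : "rejected");
    printf("lockdown+IMA, finit_module, unsigned, IMA ok: %s\n",
           module_load_allowed(FINIT_MODULE, lockdown_ima, false, true) ? "allowed" : "rejected");
    printf("lockdown+IMA, finit_module, IMA -EACCES:    %s\n",
           module_load_allowed(FINIT_MODULE, lockdown_ima, true, false) ? "allowed" : "rejected");
    printf("lockdown only, finit_module, unsigned:      %s\n",
           module_load_allowed(FINIT_MODULE, lockdown_only, false, true) ? "allowed" : "rejected");
    return 0;
}
```

The third scenario reflects the reply further down the thread that IMA-appraisal returns -EACCES for any error, including a filesystem without xattr support, so handing the decision to IMA does not open a gap on such filesystems. The case to watch is the first one: if the "!is_ima_appraise_enabled() &&" guard is applied to module_sig_check() without regard to which syscall reached load_module(), an init_module() load would be exempted from the signature check while nothing appraises it.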
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set
Mimi Zohar wrote:

> Huh?! With the "secure_boot" policy enabled on the boot command line,
> IMA-appraisal would verify the kexec kernel image, firmware, kernel
> modules, and custom IMA policy signatures.

What happens if the "secure_boot" policy isn't enabled on the boot command
line? Can you sum up both cases in a paragraph I can add to the patch
description?

> Other patches in this patch series need to be updated as well to check
> if IMA-appraisal is enabled.

Which exactly? I've added your "!is_ima_appraise_enabled() &&" line to
kexec_file() and module_sig_check(). Anything else?

David
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set
On Mon, 2017-10-30 at 09:00 +, David Howells wrote:
> Mimi Zohar wrote:
>
> > Yes, that works. Thanks! Remember is_ima_appraise_enabled() is
> > dependent on the "ima: require secure_boot rules in lockdown mode"
> > patch - http://kernsec.org/pipermail/linux-security-module-archive/201
> > 7-October/003910.html.
>
> What happens if the file in question is being accessed from a filesystem that
> doesn't have xattrs and doesn't provide support for appraisal? Is it rejected
> outright or just permitted?

IMA-appraisal returns -EACCES for any error, including lack of xattr
support.

Thiago Bauermann posted the "Appended signatures support for IMA
appraisal" patch set. This patch set allows the current kernel module
appended signature format to be used for verifying the kernel image.
Once that patch set is upstreamed, we'll be able to update the IMA
"secure_boot" policy to permit appended signatures.

Mimi
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set
Mimi Zohar wrote:

> Yes, that works. Thanks! Remember is_ima_appraise_enabled() is
> dependent on the "ima: require secure_boot rules in lockdown mode"
> patch - http://kernsec.org/pipermail/linux-security-module-archive/201
> 7-October/003910.html.

What happens if the file in question is being accessed from a filesystem that
doesn't have xattrs and doesn't provide support for appraisal? Is it rejected
outright or just permitted?

David