Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set

2017-11-02 Thread David Howells
Hi Mimi, I've adjusted the patch as below. David --- commit bf33218ad2bf04f1b92f5c32499ab906f107864c Author: Chun-Yi Lee Date: Wed May 24 14:56:03 2017 +0100 kexec_file: Restrict at runtime if the kernel is locked down When KEXEC_VERIFY_SIG is not

Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set

2017-11-02 Thread David Howells
Mimi Zohar wrote: > At some point, we'll want to also require the initramfs be signed as well. That could be tricky. In Fedora, at least, that's assembled on the fly to include just the drivers you need to be able to mount your root fs and find the rest of your

Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set

2017-10-30 Thread Mimi Zohar
On Mon, 2017-10-30 at 15:49 +, David Howells wrote: > Mimi Zohar wrote: > > > Huh?!  With the "secure_boot" policy enabled on the boot command line, > > IMA-appraisal would verify the kexec kernel image, firmware, kernel > > modules, and custom IMA policy

Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set

2017-10-30 Thread David Howells
Mimi Zohar wrote: > Huh?!  With the "secure_boot" policy enabled on the boot command line, > IMA-appraisal would verify the kexec kernel image, firmware, kernel > modules, and custom IMA policy signatures. What happens if the "secure_boot" policy isn't enabled on the

Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set

2017-10-30 Thread Mimi Zohar
On Mon, 2017-10-30 at 09:00 +, David Howells wrote: > Mimi Zohar wrote: > > > Yes, that works.  Thanks!  Remember is_ima_appraise_enabled() is > > dependent on the "ima: require secure_boot rules in lockdown mode" > > patch - 

Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set

2017-10-30 Thread David Howells
Mimi Zohar wrote: > Yes, that works.  Thanks!  Remember is_ima_appraise_enabled() is > dependent on the "ima: require secure_boot rules in lockdown mode" > patch - http://kernsec.org/pipermail/linux-security-module-archive/2017-October/003910.html. What happens if

Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set

2017-10-29 Thread Mimi Zohar
On Sat, 2017-10-28 at 16:34 +0800, joeyli wrote: > On Fri, Oct 27, 2017 at 03:32:26PM -0400, Mimi Zohar wrote: > > On Thu, 2017-10-26 at 10:17 -0400, Mimi Zohar wrote: > > > On Thu, 2017-10-26 at 15:42 +0800, joeyli wrote: > > > > Hi Mimi, > > > > > > > > Thank you for reviewing. > > > > > > > >

Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set

2017-10-28 Thread Mimi Zohar
On Thu, 2017-10-26 at 10:17 -0400, Mimi Zohar wrote: > On Thu, 2017-10-26 at 15:42 +0800, joeyli wrote: > > Hi Mimi, > > > > Thank you for reviewing. > > > > On Mon, Oct 23, 2017 at 11:54:43AM -0400, Mimi Zohar wrote: > > > On Thu, 2017-10-19 at 15:51 +0100, David Howells wrote: > > > > From:

Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set

2017-10-28 Thread joeyli
On Fri, Oct 27, 2017 at 03:32:26PM -0400, Mimi Zohar wrote: > On Thu, 2017-10-26 at 10:17 -0400, Mimi Zohar wrote: > > On Thu, 2017-10-26 at 15:42 +0800, joeyli wrote: > > > Hi Mimi, > > > > > > Thank you for reviewing. > > > > > > On Mon, Oct 23, 2017 at 11:54:43AM -0400, Mimi Zohar wrote: > >

Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set

2017-10-27 Thread Mimi Zohar
On Thu, 2017-10-26 at 10:17 -0400, Mimi Zohar wrote: > On Thu, 2017-10-26 at 15:42 +0800, joeyli wrote: > > Hi Mimi, > > > > Thank you for reviewing. > > > > On Mon, Oct 23, 2017 at 11:54:43AM -0400, Mimi Zohar wrote: > > > On Thu, 2017-10-19 at 15:51 +0100, David Howells wrote: > > > > From:

Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set

2017-10-26 Thread Mimi Zohar
[Cc'ing Matthew Garrett] On Thu, 2017-10-26 at 16:02 +0100, David Howells wrote: > joeyli wrote: > > > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && > > + !is_ima_appraise_enabled() && > > + kernel_is_locked_down("kexec of unsigned images")) > > This doesn't seem

Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set

2017-10-26 Thread David Howells
joeyli wrote: > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && > + !is_ima_appraise_enabled() && > + kernel_is_locked_down("kexec of unsigned images")) This doesn't seem right. It seems that you can then kexec unsigned images into a locked-down kernel if IMA
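Review bot: the quoted condition only refuses the load when KEXEC_VERIFY_SIG is off and IMA appraisal is off at the same time, so the refusal in a locked-down kernel depends on a runtime IMA state rather than on the image actually having been signature-checked; as the thread itself notes, is_ima_appraise_enabled() also depends on the separate "ima: require secure_boot rules in lockdown mode" patch, so that dependency should be stated in the patch description and the enforcement tied to a rule that actually covers the kexec image rather than to appraisal merely being enabled.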

Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set

2017-10-26 Thread David Howells
Mimi Zohar wrote: > The patch title and description needs to be updated to refer to > lockdown, not securelevel. Fixed, thanks. > An additional patch could force these rules to be added to the custom > policy, if lockdown is enabled. I'll have a look at your patch,

Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set

2017-10-26 Thread Mimi Zohar
On Thu, 2017-10-26 at 15:42 +0800, joeyli wrote: > Hi Mimi, > > Thank you for reviewing. > > On Mon, Oct 23, 2017 at 11:54:43AM -0400, Mimi Zohar wrote: > > On Thu, 2017-10-19 at 15:51 +0100, David Howells wrote: > > > From: Chun-Yi Lee > > > > > > When

Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set

2017-10-26 Thread joeyli
Hi Mimi, Thank you for reviewing. On Mon, Oct 23, 2017 at 11:54:43AM -0400, Mimi Zohar wrote: > On Thu, 2017-10-19 at 15:51 +0100, David Howells wrote: > > From: Chun-Yi Lee > > > > When KEXEC_VERIFY_SIG is not enabled, the kernel should not load an image > > through

Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set

2017-10-23 Thread Mimi Zohar
On Thu, 2017-10-19 at 15:51 +0100, David Howells wrote: > From: Chun-Yi Lee > > When KEXEC_VERIFY_SIG is not enabled, the kernel should not load an image > through the kexec_file system call if securelevel has been set. The patch title and description needs to be updated to refer

Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set

2017-10-20 Thread James Morris
On Thu, 19 Oct 2017, David Howells wrote: > From: Chun-Yi Lee > > When KEXEC_VERIFY_SIG is not enabled, the kernel should not load an image > through the kexec_file system call if securelevel has been set. > > This code was shown in Matthew's patch but not in git: >