Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-05-02 Thread Mimi Zohar
Hi David, On Mon, 2017-04-10 at 14:19 +0100, David Howells wrote: > Mimi Zohar wrote: > > > From an IMA perspective, either a file hash or signature are valid, > > but for this usage it must be a signature. > > Not necessarily. If IMA can guarantee that a module is the same based on its >

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-10 Thread David Howells
Mimi Zohar wrote: > From an IMA perspective, either a file hash or signature are valid, > but for this usage it must be a signature. Not necessarily. If IMA can guarantee that a module is the same based on its hash rather than on a key, I would've thought that should be fine. David

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread Mimi Zohar
On Fri, 2017-04-07 at 10:17 +0100, David Howells wrote: > Mimi Zohar wrote: > > > > Okay, fair enough. I can stick in an OR with an IS_ENABLED on some IMA > > > symbol. CONFIG_IMA_KEXEC maybe? And also require IMA be enabled? > > > > Not quite, since as Dave pointed out, IMA is policy

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread David Howells
Mimi Zohar wrote: > > Okay, fair enough. I can stick in an OR with an IS_ENABLED on some IMA > > symbol. CONFIG_IMA_KEXEC maybe? And also require IMA be enabled? > > Not quite, since as Dave pointed out, IMA is policy driven. As a > policy is installed, we could set a flag. Does such a
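
The runtime flag discussed in the two messages above (IMA is policy driven, so a flag set when a policy that appraises kexec images is installed could satisfy the lockdown gate alongside the compile-time CONFIG_KEXEC_VERIFY_SIG option), worked through as an added userspace model in C. This is not code from the patch series, from the kernel, or from any participant in the thread. The function names ima_policy_install(), ima_policy_reset() and kexec_file_load_gate() are hypothetical, the rule syntax is a constructed, simplified subset of the IMA policy format, the sample policy strings are constructed, and -1 stands in for -EPERM. Following Mimi's point that for this usage the appraisal must be a signature, only an appraise rule with appraise_type=imasig sets the flag; a hash-only appraise rule does not.

```c
/*
 * Added example, not kernel code: a userspace model of a runtime gate for
 * kexec_file_load() in a locked-down kernel. The patch under discussion
 * keys the refusal purely on IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG); here an
 * installed IMA policy that will appraise kexec images by signature also
 * satisfies the gate, through a flag set at policy-install time.
 *
 * Assumptions: the rule format is a simplified subset of IMA's policy
 * syntax, the function names are hypothetical, and -1 stands in for -EPERM.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Runtime state: set once a policy rule requires a signature on kexec images. */
static bool ima_appraise_kexec_sig;

/* True if the rule line contains the whole token "key=value". */
static bool rule_has(const char *rule, const char *key, const char *value)
{
    char want[128];
    size_t n = (size_t)snprintf(want, sizeof want, "%s=%s", key, value);
    const char *p = rule;

    if (n >= sizeof want)
        return false;
    while ((p = strstr(p, want)) != NULL) {
        /* the match must start and end on a token boundary */
        bool start_ok = (p == rule) || (p[-1] == ' ');
        bool end_ok = (p[n] == '\0') || (p[n] == ' ');
        if (start_ok && end_ok)
            return true;
        p += n;
    }
    return false;
}

/*
 * Install a policy of newline-separated rules. Sets the kexec appraisal
 * flag when a rule reads "appraise func=KEXEC_KERNEL_CHECK
 * appraise_type=imasig"; a hash-only appraise rule or a measure rule does
 * not count. Returns the number of rules parsed, or -1 on an over-long line.
 */
int ima_policy_install(const char *policy)
{
    int count = 0;
    char line[256];
    const char *p = policy;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);

        if (len >= sizeof line)
            return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += len + (nl ? 1 : 0);
        if (len == 0)
            continue;
        count++;

        if (strncmp(line, "appraise ", 9) == 0 &&
            rule_has(line, "func", "KEXEC_KERNEL_CHECK") &&
            rule_has(line, "appraise_type", "imasig"))
            ima_appraise_kexec_sig = true;
    }
    return count;
}

/* Clear the flag (a real kernel would not offer this; it keeps the model testable). */
void ima_policy_reset(void)
{
    ima_appraise_kexec_sig = false;
}

/*
 * The gate kexec_file_load() would apply. cfg_verify_sig stands in for
 * IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) and locked_down for
 * kernel_is_locked_down(). Returns 0 when the load may proceed, -1 otherwise.
 */
int kexec_file_load_gate(bool locked_down, bool cfg_verify_sig)
{
    if (!locked_down)
        return 0;
    if (cfg_verify_sig || ima_appraise_kexec_sig)
        return 0;
    return -1;
}

int main(void)
{
    ima_policy_reset();
    printf("locked down, no policy:     %d\n", kexec_file_load_gate(true, false));
    ima_policy_install("measure func=KEXEC_KERNEL_CHECK\n"
                       "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig\n");
    printf("locked down, imasig policy: %d\n", kexec_file_load_gate(true, false));
    return 0;
}
```

The flag is one-way in the model, as it would have to be in a kernel: once a signature-appraising kexec rule has been loaded, later rules do not clear it, and there is no interface to unset it other than the test-only reset.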

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread Dave Young
On 04/07/17 at 04:28am, Mimi Zohar wrote: > On Fri, 2017-04-07 at 15:41 +0800, Dave Young wrote: > > On 04/07/17 at 08:07am, David Howells wrote: > > > Dave Young wrote: > > > > > > > > > > + /* Don't permit images to be loaded into trusted kernels if > > > > > > > we're not > > > > > > > + *

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread Mimi Zohar
On Fri, 2017-04-07 at 15:41 +0800, Dave Young wrote: > On 04/07/17 at 08:07am, David Howells wrote: > > Dave Young wrote: > > > > > > > > + /* Don't permit images to be loaded into trusted kernels if > > > > > > we're not > > > > > > +* going to verify the signature on them > > > > > > +

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread Dave Young
On 04/07/17 at 03:45am, Mimi Zohar wrote: > On Fri, 2017-04-07 at 14:19 +0800, Dave Young wrote: > > On 04/06/17 at 11:49pm, Mimi Zohar wrote: > > > On Fri, 2017-04-07 at 11:05 +0800, Dave Young wrote: > > > > On 04/05/17 at 09:15pm, David Howells wrote: > > > > > From: Chun-Yi Lee > > > > > > >

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread Mimi Zohar
On Fri, 2017-04-07 at 08:09 +0100, David Howells wrote: > Mimi Zohar wrote: > > > > > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && > > > > kernel_is_locked_down()) > > > > + return -EPERM; > > > > + > > > > > > > > IMA can be used to verify file signatures too, based on

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread Mimi Zohar
On Fri, 2017-04-07 at 14:19 +0800, Dave Young wrote: > On 04/06/17 at 11:49pm, Mimi Zohar wrote: > > On Fri, 2017-04-07 at 11:05 +0800, Dave Young wrote: > > > On 04/05/17 at 09:15pm, David Howells wrote: > > > > From: Chun-Yi Lee > > > > > > > > When KEXEC_VERIFY_SIG is not enabled, kernel

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread Dave Young
On 04/07/17 at 08:07am, David Howells wrote: > Dave Young wrote: > > > > > > + /* Don't permit images to be loaded into trusted kernels if > > > > > we're not > > > > > + * going to verify the signature on them > > > > > + */ > > > > > + if

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread David Howells
Mimi Zohar wrote: > > > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down()) > > > + return -EPERM; > > > + > > > > > IMA can be used to verify file signatures too, based on the LSM hooks > in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be >
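Review bot: the quoted check `if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down()) return -EPERM;` decides on a compile-time option alone, so a locked-down kernel whose kexec images are verified by IMA appraisal through the LSM hooks in kernel_read_file_from_fd(), as raised in this reply, is refused just the same. Since IMA enforcement is policy driven and not a Kconfig symbol, the gate needs a runtime condition: keep the `kernel_is_locked_down()` test but let it pass when either CONFIG_KEXEC_VERIFY_SIG is built in or an installed IMA policy will appraise the image, rather than making the decision static.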

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread David Howells
Dave Young wrote: > > > > + /* Don't permit images to be loaded into trusted kernels if > > > > we're not > > > > +* going to verify the signature on them > > > > +*/ > > > > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && > > > > kernel_is_locked_down()) > > > > +

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread Dave Young
On 04/06/17 at 11:49pm, Mimi Zohar wrote: > On Fri, 2017-04-07 at 11:05 +0800, Dave Young wrote: > > On 04/05/17 at 09:15pm, David Howells wrote: > > > From: Chun-Yi Lee > > > > > > When KEXEC_VERIFY_SIG is not enabled, the kernel should not load an image > > > through the kexec_file system call if

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-06 Thread Mimi Zohar
On Fri, 2017-04-07 at 11:05 +0800, Dave Young wrote: > On 04/05/17 at 09:15pm, David Howells wrote: > > From: Chun-Yi Lee > > > > When KEXEC_VERIFY_SIG is not enabled, the kernel should not load an image > > through the kexec_file system call if securelevel has been set. > > > > This code was shown in

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-06 Thread Dave Young
On 04/05/17 at 09:15pm, David Howells wrote: > From: Chun-Yi Lee > > When KEXEC_VERIFY_SIG is not enabled, the kernel should not load an image > through the kexec_file system call if securelevel has been set. > > This code was shown in Matthew's patch but not in git: > https://lkml.org/lkml/2015/3/13/778

[PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-05 Thread David Howells
From: Chun-Yi Lee When KEXEC_VERIFY_SIG is not enabled, the kernel should not load an image through the kexec_file system call if securelevel has been set. This code was shown in Matthew's patch but not in git: https://lkml.org/lkml/2015/3/13/778 Cc: Matthew Garrett Signed-off-by: Chun-Yi Lee
