From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: "Luis R. Rodriguez" <mcgrof@suse.com>
Cc: "Kees Cook" <keescook@chromium.org>,
"David Woodhouse" <dwmw2@infradead.org>,
"David Howells" <dhowells@redhat.com>,
"Andy Lutomirski" <luto@amacapital.net>,
"Roberts, William C" <william.c.roberts@intel.com>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
linux-wireless <linux-wireless@vger.kernel.org>,
"james.l.morris@oracle.com" <james.l.morris@oracle.com>,
"serge@hallyn.com" <serge@hallyn.com>,
"Vitaly Kuznetsov" <vkuznets@redhat.com>,
"Paul Moore" <paul@paul-moore.com>,
"Eric Paris" <eparis@parisplace.org>,
"SE Linux" <selinux@tycho.nsa.gov>,
"Stephen Smalley" <sds@tycho.nsa.gov>,
"Schaufler, Casey" <casey.schaufler@intel.com>,
"Luis R. Rodriguez" <mcgrof@do-not-panic.com>,
"Dmitry Kasatkin" <dmitry.kasatkin@gmail.com>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Peter Jones" <pjones@redhat.com>, "Takashi Iwai" <tiwai@suse.de>,
"Ming Lei" <ming.lei@canonical.com>, "Joey Lee" <jlee@suse.de>,
"Vojtěch Pavlík" <vojtech@suse.com>,
"Kyle McMartin" <kyle@kernel.org>,
"Seth Forshee" <seth.forshee@canonical.com>,
"Matthew Garrett" <mjg59@srcf.ucam.org>,
"Johannes Berg" <johannes@sipsolutions.net>,
"Jay Schulist" <jschlst@samba.org>,
"Daniel Borkmann" <dborkman@redhat.com>,
"Alexei Starovoitov" <ast@plumgrid.com>
Subject: Re: Linux Firmware Signing
Date: Wed, 02 Sep 2015 20:05:36 -0400 [thread overview]
Message-ID: <1441238736.4172.12.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <20150902184604.GB8051@wotan.suse.de>
On Wed, 2015-09-02 at 20:46 +0200, Luis R. Rodriguez wrote:
> On Tue, Sep 01, 2015 at 11:35:05PM -0400, Mimi Zohar wrote:
> > > OK great, I think that instead of passing the actual routine name we should
> > > instead pass an enum type for to the LSM, that'd be easier to parse and we'd
> > > then have each case well documented. Each LSM then could add its own
> > > documetnation for this and can switch on it. If we went with a name we'd have
> > > to to use something like __func__ and then parse that, its not clear if we need
> > > to get that specific.
> >
> > Agreed. IMA already defines an enumeration.
> >
> > /* IMA policy related functions */
> > enum ima_hooks { FILE_CHECK = 1, MMAP_CHECK, BPRM_CHECK, MODULE_CHECK,
> > FIRMWARE_CHECK, POLICY_CHECK, POST_SETATTR };
> >
>
> We want something that is not only useful for IMA but any other LSM,
> and FILE_CHECK seems very broad, not sure what BPRM_CHECK is even upon
> inspecting kernel code. Likewise for POST_SETATTR. POLICY_CHECK might
> be broad, perhaps its best we define then a generic set of enums to
> which IMA can map them to then and let it decide. This would ensure
> that the kernel defines each use caes for file inspection carefully,
> documents and defines them and if an LSM wants to bunch a set together
> it can do so easily with a switch statement to map set of generic
> file checks in kernel to a group it already handles.
The names are based on the calling security hook. For a description of
each of these security hooks refer to include/linux/lsm_hooks.h.
> For instance at least in the short term we'd try to unify:
>
> security_kernel_fw_from_file()
> security_kernel_module_from_file()
>
> to perhaps:
>
> security_kernel_from_file()
>
> As far, as far as I can tell, the only ones we'd be ready to start
> grouping immediately or with small amount of work rather soon:
>
> /**
> *
> * enum security_filecheck - known kernel security file checks types
> *
> * @__SECURITY_FILECHECK_UNSPEC: attribute 0 reserved
> * @SECURITY_FILECHECK_MODULE: the file being processed is a Linux kernel module
> * @SECURITY_FILECHECK_SYSDATA: the file being processed is either a firmware
> * file or a system data file read from /lib/firmware/* by firmware_class
> * @SECURITY_FILECHECK_KEXEC_KERNEL: the file being processed is a kernel file
> * used by kexec
> * @SECURITY_FILECHECK_KEXEC_INITRAMFS: the file being processed is an initramfs
> * used by kexec
>
> * The kernel reads files directly from the filesystem for a series of
> * operations. The list of files the kernel reads from the filesystem are
> * limited and each type of file consumed may have a different format and
> * security vetting procedures. The kernel enables LSMs to vet for these files
> * through a shared LSM hook prior to consumption. This list documents the
> * different special kernel file types read by the kernel, it enables LSMs
> * to vet for each differently if needed.
> enum security_filecheck {
> SECURITY_FILECHECK_UNSPEC,
> SECURITY_FILECHECK_MODULE,
> SECURITY_FILECHECK_SYSDATA,
> SECURITY_FILECHECK_KEXEC_KERNEL,
> SECURITY_FILECHECK_KEXEC_INITRAMFS,
> };
>
> Provided the MOK thing or alternative gets addressed we could also soon add
> something for SELinux policy files but that needs to be discussed further
> it seems. If MOK is used would SECURITY_FILECHECK_POLICY_MOK be OK? Again
> this would likely need further discussion, its why I didn't list it above.
Oh, I'm really confused as to why MOK would be a separate hook. I
thought the discussion was about using a key in the UEFI MOK DB for
verifying locally signed files.
Mimi
next prev parent reply other threads:[~2015-09-03 0:05 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20150824210234.GI8051@wotan.suse.de>
[not found] ` <476DC76E7D1DF2438D32BFADF679FC5601057D32@ORSMSX103.amr.corp.intel.com>
[not found] ` <20150824225713.GJ8051@wotan.suse.de>
[not found] ` <CAGXu5jLDHCgygaVNHpuvszN6SXNKAjRW83q3-D2ZfRpO4uAmdw@mail.gmail.com>
[not found] ` <476DC76E7D1DF2438D32BFADF679FC5601058E78@ORSMSX103.amr.corp.intel.com>
[not found] ` <CAGXu5jJuwPfnQhu9u4-90UkmjWTBF_GLpJ7J1VaaT2D0d_-Mhg@mail.gmail.com>
[not found] ` <1440462367.2737.4.camel@linux.vnet.ibm.com>
[not found] ` <CALCETrXWBBdOKz-fSdM7YVu_sWQbA3YsHPeZAkRmtj+eawqZGQ@mail.gmail.com>
[not found] ` <1440464705.2737.36.camel@linux.vnet.ibm.com>
[not found] ` <14540.1440599584@warthog.procyon.org.uk>
2015-08-26 23:26 ` Linux Firmware Signing Luis R. Rodriguez
2015-08-27 2:35 ` Paul Moore
2015-08-27 19:36 ` Luis R. Rodriguez
2015-08-27 23:46 ` Paul Moore
2015-08-27 10:38 ` David Howells
2015-08-27 10:57 ` David Woodhouse
2015-08-27 11:07 ` David Woodhouse
2015-08-27 21:29 ` Luis R. Rodriguez
2015-08-27 23:54 ` Mimi Zohar
2015-08-29 2:16 ` Luis R. Rodriguez
2015-08-31 14:18 ` Mimi Zohar
2015-08-31 16:05 ` David Woodhouse
2015-08-31 16:45 ` Mimi Zohar
2015-09-02 0:00 ` Luis R. Rodriguez
2015-09-01 23:43 ` Luis R. Rodriguez
2015-09-02 3:08 ` Kees Cook
2015-09-02 3:44 ` Mimi Zohar
2015-09-02 15:28 ` Kees Cook
2015-09-02 16:45 ` Mimi Zohar
2015-09-02 17:36 ` Austin S Hemmelgarn
2015-09-02 23:54 ` Mimi Zohar
2015-09-03 0:18 ` Luis R. Rodriguez
2015-08-27 23:56 ` Paul Moore
2015-08-28 11:20 ` Roberts, William C
2015-08-28 11:20 ` Roberts, William C
2015-08-28 11:20 ` Roberts, William C
2015-08-28 22:26 ` Paul Moore
2015-08-29 2:03 ` Luis R. Rodriguez
2015-09-01 2:52 ` Paul Moore
2015-09-01 14:12 ` Joshua Brindle
2015-09-01 20:08 ` Roberts, William C
2015-09-01 20:46 ` Joshua Brindle
2015-09-01 22:17 ` William Roberts
2015-09-01 22:21 ` Eric Paris
2015-08-29 1:56 ` Luis R. Rodriguez
2015-09-01 20:20 ` Kees Cook
2015-09-02 0:09 ` Luis R. Rodriguez
2015-09-02 3:35 ` Mimi Zohar
2015-09-02 18:46 ` Luis R. Rodriguez
2015-09-02 20:54 ` Kees Cook
2015-09-02 21:37 ` Luis R. Rodriguez
2015-09-03 21:14 ` Kees Cook
2015-09-30 20:34 ` Luis R. Rodriguez
2015-09-03 0:05 ` Mimi Zohar [this message]
2015-09-03 0:29 ` Luis R. Rodriguez
2015-09-03 3:00 ` Mimi Zohar
2015-08-27 19:37 ` Luis R. Rodriguez
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1441238736.4172.12.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=ast@plumgrid.com \
--cc=casey.schaufler@intel.com \
--cc=dborkman@redhat.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dwmw2@infradead.org \
--cc=eparis@parisplace.org \
--cc=gregkh@linuxfoundation.org \
--cc=james.l.morris@oracle.com \
--cc=jlee@suse.de \
--cc=johannes@sipsolutions.net \
--cc=jschlst@samba.org \
--cc=keescook@chromium.org \
--cc=kyle@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mcgrof@do-not-panic.com \
--cc=mcgrof@suse.com \
--cc=ming.lei@canonical.com \
--cc=mjg59@srcf.ucam.org \
--cc=paul@paul-moore.com \
--cc=pjones@redhat.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=serge@hallyn.com \
--cc=seth.forshee@canonical.com \
--cc=tiwai@suse.de \
--cc=vkuznets@redhat.com \
--cc=vojtech@suse.com \
--cc=william.c.roberts@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.