From: Mimi Zohar
To: Dave Young
Cc: David Howells, linux-kernel@vger.kernel.org, Matthew Garrett, linux-efi@vger.kernel.org, gnomes@lxorguk.ukuu.org.uk, Chun-Yi Lee, gregkh@linuxfoundation.org, kexec@lists.infradead.org, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, matthew.garrett@nebula.com
Subject: Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
Date: Fri, 07 Apr 2017 03:45:01 -0400
Message-ID: <1491551101.4184.48.camel@linux.vnet.ibm.com>
In-Reply-To: <20170407061935.GB10100@dhcp-128-65.nay.redhat.com>
References: <149142326734.5101.4596394505987813763.stgit@warthog.procyon.org.uk> <149142335441.5101.2294976563846442575.stgit@warthog.procyon.org.uk> <20170407030545.GA4296@dhcp-128-65.nay.redhat.com> <1491536950.4184.10.camel@linux.vnet.ibm.com> <20170407061935.GB10100@dhcp-128-65.nay.redhat.com>
List-Id: linux-efi@vger.kernel.org

On Fri, 2017-04-07 at 14:19 +0800, Dave Young wrote:
> On 04/06/17 at 11:49pm, Mimi Zohar wrote:
> > On Fri, 2017-04-07 at 11:05 +0800, Dave Young wrote:
> > > On 04/05/17 at 09:15pm, David Howells wrote:
> > > > From: Chun-Yi Lee
> > > >
> > > > When KEXEC_VERIFY_SIG is not enabled, the kernel should not load images
> > > > through the kexec_file system call if securelevel has been set.
> > > >
> > > > This code was shown in Matthew's patch but not in git:
> > > > https://lkml.org/lkml/2015/3/13/778

I specifically checked to make sure that either kexec_file() signature
verification was acceptable and would have commented then, if it had
not been included.

> > > > Cc: Matthew Garrett
> > > > Signed-off-by: Chun-Yi Lee
> > > > Signed-off-by: David Howells
> > > > cc: kexec@lists.infradead.org
> > > > ---
> > > >
> > > >  kernel/kexec_file.c |    6 ++++++
> > > >  1 file changed, 6 insertions(+)
> > > >
> > > > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> > > > index b118735fea9d..f6937eecd1eb 100644
> > > > --- a/kernel/kexec_file.c
> > > > +++ b/kernel/kexec_file.c
> > > > @@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
> > > >  	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
> > > >  		return -EPERM;
> > > >  
> > > > +	/* Don't permit images to be loaded into trusted kernels if we're not
> > > > +	 * going to verify the signature on them
> > > > +	 */
> > > > +	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > > > +		return -EPERM;
> > > > +
> > > >  
> >
> > IMA can be used to verify file signatures too, based on the LSM hooks
> > in kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> > required.
>
> Mimi, I remember we talked something before about the two signature
> verification. One can change IMA policy in initramfs userspace,
> also there are kernel cmdline param to disable IMA, so it can break the
> lockdown? Suppose kexec boot with ima disabled cmdline param and then
> kexec reboot again..

Right, we discussed that the same method of measuring the kexec image
and initramfs, for extending trusted boot to the OS, could also be
used for verifying the kexec image and initramfs signatures, for
extending secure boot to the OS.  The file hash would be calculated
once for both.

All of your concerns could be addressed with very minor changes to
IMA.  (Continued in response to David.)

> >
> > > >  	/* Make sure we have a legal set of flags */
> > > >  	if (flags != (flags & KEXEC_FILE_FLAGS))
> > > >  		return -EINVAL;
> > > >
> > >
> > > Acked-by: Dave Young
> > >
> > > Thanks
> > > Dave
> >
>
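Review bot: the condition added after the CAP_SYS_BOOT check, `if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())`, only tests whether a signature verifier was compiled in, not whether the image being loaded by this call will be verified, so the comment "if we're not going to verify the signature on them" promises more than the code checks; either narrow the comment to say the gate is on the Kconfig option, or make the refusal depend on the verification outcome for the loaded image so that a kernel whose image signatures are checked some other way (the IMA appraisal path raised in this thread) is not blanket-refused. The subject and commit message also still say "securelevel" while the hunk calls kernel_is_locked_down(); update them to the lockdown naming the code uses.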
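The thread turns on which verifier, if any, will actually check the image that kexec_file_load() is about to load: the built-in CONFIG_KEXEC_VERIFY_SIG path that the hunk tests for, or an IMA appraise rule for KEXEC_KERNEL_CHECK, which Dave points out can be switched off from the kernel command line or by a policy rewritten from the initramfs. The audit script below is an added example for this page, not code from the patch, from the kernel, or from either poster. It takes the three inputs as strings (on a real host they would come from /boot/config-$(uname -r), /proc/cmdline and /sys/kernel/security/ima/policy where the kernel exposes it for reading), works out which verifier covers the load, and then applies the lockdown gate two ways: as the hunk is written, where only the built-in verifier counts, and as Mimi argues, where an enforcing IMA kexec rule also counts. The sample config, command line and policy are constructed; treating a missing ima_appraise= as "enforce" and letting the first appraise/dont_appraise rule for KEXEC_KERNEL_CHECK decide are simplifications of IMA's policy evaluation, not a description of the kernel's exact behaviour.

```python
"""Which verifier covers a kexec_file_load(), and does lockdown accept it?

Added example for this thread; not code from the patch or the kernel.
Simplifications (assumptions, not kernel behaviour): ima_appraise defaults
to "enforce" when absent, and the first appraise/dont_appraise rule naming
KEXEC_KERNEL_CHECK decides the appraisal outcome.
"""
import errno
from typing import Dict, Optional

EPERM = errno.EPERM

# Constructed samples standing in for /boot/config-$(uname -r), /proc/cmdline
# and /sys/kernel/security/ima/policy on a host under review.
SAMPLE_KCONFIG_NO_BUILTIN = (
    "CONFIG_KEXEC_FILE=y\n"
    "# CONFIG_KEXEC_VERIFY_SIG is not set\n"
    "CONFIG_IMA=y\n"
    "CONFIG_IMA_APPRAISE=y\n"
)
SAMPLE_KCONFIG_BUILTIN = SAMPLE_KCONFIG_NO_BUILTIN.replace(
    "# CONFIG_KEXEC_VERIFY_SIG is not set", "CONFIG_KEXEC_VERIFY_SIG=y")
SAMPLE_IMA_POLICY = (
    "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig\n"
    "appraise func=KEXEC_INITRAMFS_CHECK appraise_type=imasig\n"
)


def parse_kconfig(text: str) -> Dict[str, str]:
    """Map CONFIG_* names to values; '# ... is not set' lines stay absent."""
    opts: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("CONFIG_") and "=" in line:
            key, _, value = line.partition("=")
            opts[key] = value
    return opts


def parse_cmdline(text: str) -> Dict[str, str]:
    """Split a kernel command line into key -> value ('' for bare flags)."""
    params: Dict[str, str] = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        params[key] = value if sep else ""
    return params


def ima_appraises_kexec(policy: str, params: Dict[str, str]) -> bool:
    """True only if IMA would refuse an unsigned kexec kernel image.

    This is the gap Dave raises: ima_appraise=off on the command line, or a
    policy (possibly rewritten from the initramfs) with no enforcing
    KEXEC_KERNEL_CHECK rule, leaves the image unverified.
    """
    if params.get("ima_appraise", "enforce") != "enforce":
        return False  # "off", "log" and "fix" do not block the load
    for rule in policy.splitlines():
        fields = rule.split()
        if not fields or fields[0].startswith("#"):
            continue
        action = fields[0]
        opts = dict(f.partition("=")[::2] for f in fields[1:])
        if action not in ("appraise", "dont_appraise"):
            continue  # measure/audit rules do not affect appraisal
        if opts.get("func") != "KEXEC_KERNEL_CHECK":
            continue
        return action == "appraise" and opts.get("appraise_type") == "imasig"
    return False


def kexec_verifier(kconfig: str, cmdline: str, ima_policy: str) -> Optional[str]:
    """Return "builtin", "ima", or None for an image loaded by kexec_file_load()."""
    cfg = parse_kconfig(kconfig)
    if cfg.get("CONFIG_KEXEC_VERIFY_SIG") == "y":
        return "builtin"  # the IS_ENABLED() the hunk tests for
    if cfg.get("CONFIG_IMA_APPRAISE") == "y" and ima_appraises_kexec(
            ima_policy, parse_cmdline(cmdline)):
        return "ima"  # appraisal from the LSM hook in kernel_read_file_from_fd()
    return None


def lockdown_gate(verifier: Optional[str], locked_down: bool, count_ima: bool) -> int:
    """0 if the load may proceed, -EPERM if lockdown refuses it.

    count_ima=False is the hunk as posted: only the built-in verifier
    satisfies lockdown.  count_ima=True is Mimi's position: an enforcing
    IMA kexec rule satisfies it as well.
    """
    if not locked_down:
        return 0
    if verifier == "builtin" or (count_ima and verifier == "ima"):
        return 0
    return -EPERM


if __name__ == "__main__":
    for label, cmdline in (("clean", "root=/dev/sda1 ro"),
                           ("ima off", "root=/dev/sda1 ro ima_appraise=off")):
        v = kexec_verifier(SAMPLE_KCONFIG_NO_BUILTIN, cmdline, SAMPLE_IMA_POLICY)
        print(f"{label:8s} verifier={v!s:8s} hunk={lockdown_gate(v, True, False):3d} "
              f"ima-aware={lockdown_gate(v, True, True):3d}")
```

With the constructed samples, the IMA-aware gate admits the load on the clean command line because the KEXEC_KERNEL_CHECK rule is enforcing, while the hunk as posted refuses it; add ima_appraise=off, or put a dont_appraise rule ahead of the appraise rule, and both variants refuse, which is the outcome Dave's re-kexec scenario needs.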