From: Mimi Zohar <zohar@linux.vnet.ibm.com>
Subject: Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
Date: Tue, 02 May 2017 15:01:22 -0400
To: David Howells
Cc: Dave Young, linux-kernel@vger.kernel.org, Matthew Garrett, linux-efi@vger.kernel.org, gnomes@lxorguk.ukuu.org.uk, Chun-Yi Lee, gregkh@linuxfoundation.org, kexec@lists.infradead.org, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, matthew.garrett@nebula.com
Message-Id: <1493751682.3680.11.camel@linux.vnet.ibm.com>
In-Reply-To: <13679.1491830392@warthog.procyon.org.uk>

Hi David,

On Mon, 2017-04-10 at 14:19 +0100, David Howells wrote:
> Mimi Zohar wrote:
>
> > From an IMA perspective, either a file hash or signature are valid,
> > but for this usage it must be a signature.
>
> Not necessarily.  If IMA can guarantee that a module is the same based on its
> hash rather than on a key, I would've thought that should be fine.

File hashes can be modified on the running system, so they're normally
used, in conjunction with EVM, to detect offline modification of
mutable files and prevent their usage.

These patches https://lkml.org/lkml/2017/5/2/465 should provide some
of the missing functionality.

Mimi
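Mimi's point that a bare file hash only detects offline modification when EVM covers it, as an added example that is not part of this thread or of the kernel's IMA/EVM code: a simplified model in which security.ima holds a content hash and security.evm holds a keyed HMAC over it (real EVM also covers other inode metadata). The dict-based file model, EVM_KEY and the helper names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample key standing in for the kernel-held EVM HMAC key.
EVM_KEY = os.urandom(32)


def make_file(data: bytes) -> dict:
    """Model a file whose security.ima xattr carries a bare content hash."""
    return {"data": data, "security.ima": hashlib.sha256(data).digest()}


def add_evm(f: dict, key: bytes) -> dict:
    """Model EVM: keyed HMAC over the security xattrs (here only security.ima)."""
    f["security.evm"] = hmac.new(key, f["security.ima"], hashlib.sha256).digest()
    return f


def ima_appraise(f: dict) -> bool:
    """Hash-only IMA appraisal: the content must match security.ima."""
    return hmac.compare_digest(hashlib.sha256(f["data"]).digest(), f["security.ima"])


def evm_verify(f: dict, key: bytes) -> bool:
    """EVM check: the xattrs must carry a valid HMAC under the kernel key."""
    expected = hmac.new(key, f["security.ima"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, f.get("security.evm", b""))


def offline_tamper(f: dict, new_data: bytes) -> dict:
    """Offline modification: replace the content and re-stamp the hash xattr.
    No key is needed for this, which is why a bare hash cannot prevent it."""
    return {**f, "data": new_data, "security.ima": hashlib.sha256(new_data).digest()}


def appraise(f: dict, key: bytes, with_evm: bool) -> bool:
    """Hash-only appraisal versus hash plus EVM."""
    return ima_appraise(f) and (evm_verify(f, key) if with_evm else True)


def demo() -> dict:
    """Compare both policies on an intact file and an offline-modified copy."""
    good = add_evm(make_file(b"original module contents"), EVM_KEY)
    bad = offline_tamper(good, b"modified module contents")
    return {
        "good_hash_only": appraise(good, EVM_KEY, False),
        "tampered_hash_only": appraise(bad, EVM_KEY, False),  # passes: hash re-stamped
        "good_with_evm": appraise(good, EVM_KEY, True),
        "tampered_with_evm": appraise(bad, EVM_KEY, True),    # fails: HMAC no longer matches
    }
```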