From: Mimi Zohar <zohar@linux.ibm.com>
To: Nayna Jain <nayna@linux.vnet.ibm.com>, linux-integrity@vger.kernel.org
Cc: linux-efi@vger.kernel.org, Nayna Jain <nayna@linux.ibm.com>,
	kexec@lists.infradead.org, linux-kernel@vger.kernel.org,
	dhowells@redhat.com, seth.forshee@canonical.com,
	linux-security-module@vger.kernel.org, jforbes@redhat.com
Subject: Re: [PATCH v5 0/6] Add support for architecture specific IMA policies
Date: Mon, 08 Oct 2018 07:20:25 -0400	[thread overview]
Message-ID: <1538997625.15382.87.camel@linux.ibm.com> (raw)
In-Reply-To: <20181005174015.21939-1-nayna@linux.vnet.ibm.com>

On Fri, 2018-10-05 at 23:10 +0530, Nayna Jain wrote:
> From: Nayna Jain <nayna@linux.ibm.com>
> 
> The architecture specific policy, introduced in this patch set, permits
> different architectures to define IMA policy rules based on kernel
> configuration and system runtime information.
> 
> For example, on x86, there are two methods of verifying the kexec'ed kernel
> image signature - CONFIG_KEXEC_VERIFY_SIG and IMA appraisal policy
> KEXEC_KERNEL_CHECK. CONFIG_KEXEC_VERIFY_SIG enforces the kexec_file_load
> syscall to verify file signatures, but does not prevent the kexec_load
> syscall. The IMA KEXEC_KERNEL_CHECK policy rule verifies the kexec'ed
> kernel image, loaded via the kexec_file_load syscall, is validly signed and
> prevents loading a kernel image via the kexec_load syscall. When secure
> boot is enabled, the kexec'ed kernel image needs to be signed and the
> signature verified. In this environment, either method of verifying the
> kexec'ed kernel image is acceptable, as long as the kexec_load syscall is
> disabled.
> 
> The previous version of this patchset introduced a new IMA policy rule to
> disable the kexec_load syscall, when CONFIG_KEXEC_VERIFY_SIG was enabled,
> however that is removed from this version by introducing a different
> mechanism, as described below.
> 
> The patchset defines an arch_ima_get_secureboot() function to retrieve the
> secureboot state of the system. If secureboot is enabled and
> CONFIG_KEXEC_VERIFY_SIG is configured, it denies permission to kexec_load
> syscall.
> 
> To support architecture specific policies, a new function
> arch_get_ima_policy() is defined. This patch set defines IMA
> KERNEL_KEXEC_POLICY rules for x86 *only* if CONFIG_KEXEC_VERIFY_SIG is
> disabled and secure boot is enabled.
> 
> This patch set includes a patch, which refactors ima_init_policy() to
> remove code duplication.

Other than a couple of #ifdef's in .c files, which should be converted
to use IS_ENABLED(<config-option>), the patch set is looking really
good.

thanks!

Mimi
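To make the interplay the cover letter describes concrete, here is a userspace C model of the decision logic (an added example, not code from the patch set). It uses runtime booleans in place of IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) and arch_ima_get_secureboot(), so both branches stay compiled, which is the point of the IS_ENABLED() suggestion above; the `_model` function names and the rule string are assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <string.h>

/* Userspace model of the cover letter's decision logic (added example, not the
 * patch set's code). kexec_verify_sig stands in for IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG),
 * passed as a value so both branches stay compiled (the reviewer's point about
 * #ifdef in .c files); secureboot stands in for arch_ima_get_secureboot(). */

/* IMA rule the cover letter says x86 supplies (constructed rule string). */
static const char *const x86_kexec_rules[] = {
    "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig",
    NULL,
};

/* Model of arch_get_ima_policy(): x86 rules only when CONFIG_KEXEC_VERIFY_SIG
 * is disabled and secure boot is enabled; otherwise no arch rules. */
const char *const *arch_get_ima_policy_model(bool kexec_verify_sig, bool secureboot)
{
    if (!kexec_verify_sig && secureboot)
        return x86_kexec_rules;
    return NULL;
}

/* Model of patch 2/5: with secure boot on and CONFIG_KEXEC_VERIFY_SIG
 * configured, the kexec_load syscall is denied outright. */
int kexec_load_secureboot_check_model(bool kexec_verify_sig, bool secureboot)
{
    return (kexec_verify_sig && secureboot) ? -EACCES : 0;
}

/* A KEXEC_KERNEL_CHECK rule is what makes IMA refuse images that arrive
 * via kexec_load (no signature to appraise), per the cover letter. */
static bool policy_has_kexec_check(const char *const *rules)
{
    for (; rules && *rules; rules++)
        if (strstr(*rules, "func=KEXEC_KERNEL_CHECK"))
            return true;
    return false;
}

/* Combined outcome: is the unsigned kexec_load path still open? Under
 * secure boot it must be closed by one mechanism or the other. */
bool kexec_load_allowed_model(bool kexec_verify_sig, bool secureboot)
{
    if (kexec_load_secureboot_check_model(kexec_verify_sig, secureboot) != 0)
        return false;
    return !policy_has_kexec_check(
        arch_get_ima_policy_model(kexec_verify_sig, secureboot));
}
```

Running the four configuration combinations shows kexec_load closed in both secure-boot cases and open in both non-secure-boot cases, which is the invariant the cover letter argues for.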
