From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]) by bombadil.infradead.org with esmtps (Exim 4.90_1 #2 (Red Hat Linux)) id 1gj4pY-0006a7-CN for kexec@lists.infradead.org; Mon, 14 Jan 2019 16:11:18 +0000 Received: from pps.filterd (m0098410.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id x0EFRo72054330 for ; Mon, 14 Jan 2019 11:11:13 -0500 Received: from e06smtp01.uk.ibm.com (e06smtp01.uk.ibm.com [195.75.94.97]) by mx0a-001b2d01.pphosted.com with ESMTP id 2q0u2n0ts2-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 14 Jan 2019 11:11:12 -0500 Received: from localhost by e06smtp01.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 14 Jan 2019 16:11:10 -0000 Subject: Re: [RFC PATCH 2/2] kexec, KEYS: Make use of platform keyring for signature verify From: Mimi Zohar Date: Mon, 14 Jan 2019 11:10:51 -0500 In-Reply-To: <20190113013958.GA14019@dhcp-128-65.nay.redhat.com> References: <20190109164824.19708-1-kasong@redhat.com> <20190109164824.19708-3-kasong@redhat.com> <20190111134303.GA12760@dhcp-128-65.nay.redhat.com> <1547223220.19931.471.camel@linux.ibm.com> <20190113013958.GA14019@dhcp-128-65.nay.redhat.com> Mime-Version: 1.0 Message-Id: <1547482251.4156.127.camel@linux.ibm.com> List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Sender: "kexec" Errors-To: kexec-bounces+dwmw2=infradead.org@lists.infradead.org To: Dave Young Cc: jwboyer@fedoraproject.org, Kairui Song , ebiggers@google.com, nayna@linux.ibm.com, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, jmorris@namei.org, dhowells@redhat.com, keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, dwmw2@infradead.org, bauerman@linux.ibm.com, serge@hallyn.com T24gU3VuLCAyMDE5LTAxLTEzIGF0IDA5OjM5ICswODAwLCBEYXZlIFlvdW5nIHdyb3RlOgo+IEhp LAo+IAo+IE9uIDAxLzExLzE5IGF0IDExOjEzYW0sIE1pbWkgWm9oYXIgd3JvdGU6Cj4gPiBPbiBG cmksIDIwMTktMDEtMTEgYXQgMjE6NDMgKzA4MDAsIERhdmUgWW91bmcgd3JvdGU6Cj4gPiBbc25p cF0KPiA+IAo+ID4gPiBQZXJzb25hbGx5IEkgd291bGQgbGlrZSB0byBzZWUgcGxhdGZvcm0ga2V5 IHNlcGFyYXRlZCBmcm9tIGludGVncml0eS4KPiA+ID4gQnV0IGZvciB0aGUga2V4ZWNfZmlsZSBw YXJ0IEkgdGhpbmsgaXQgaXMgZ29vZCBhdCBsZWFzdCBpdCB3b3JrcyB3aXRoCj4gPiA+IHRoaXMg Zml4Lgo+ID4gPiAKPiA+ID4gQWNrZWQtYnk6IERhdmUgWW91bmcgPGR5b3VuZ0ByZWRoYXQuY29t Pgo+ID4gCj4gPiBUaGUgb3JpZ2luYWwgInBsYXRmb3JtIiBrZXlyaW5nIHBhdGNoZXMgdGhhdCBO YXluYSBwb3N0ZWQgbXVsdGlwbGUKPiA+IHRpbWVzIHdlcmUgaW4gdGhlIGNlcnRzIGRpcmVjdG9y eSwgYnV0IG5vYm9keSBjb21tZW50ZWQvcmVzcG9uZGVkLiDCoFNvCj4gPiBzaGUgcmV3b3JrZWQg dGhlIHBhdGNoZXMsIG1vdmluZyB0aGVtIHRvIHRoZSBpbnRlZ3JpdHkgZGlyZWN0b3J5IGFuZAo+ ID4gcG9zdGVkIHRoZW0gKGNjJ2luZyB0aGUga2V4ZWMgbWFpbGluZyBsaXN0KS4gwqBJdCdzIGEg Yml0IGxhdGUgdG8gYmUKPiA+IGFza2luZyB0byBtb3ZlIGl0LCBpc24ndCBpdD8KPiAKPiBIbW0s IGFwb2xvZ2l6ZSBmb3IgYmVpbmcgbGF0ZSwgIEkgZGlkIG5vdCBnZXQgY2hhbmNlIHRvIGhhdmUg YSBsb29rIHRoZQo+IG9sZCBzZXJpZXMuICBTaW5jZSB3ZSBoYXZlIHRoZSBuZWVkcyBub3csIGl0 IHNob3VsZCBiZSBzdGlsbCBmaW5lCj4gCj4gTWF5YmUgS2FpcnVpIGNhbiBjaGVjayBOYXluYSdz IG9sZCBzZXJpZXMsIHNlZSBpZiBoZSBjYW4gZG8gc29tZXRoaW5nCj4gYWdhaW4/CgpXaGV0aGVy IHRoZSBwbGF0Zm9ybSBrZXlyaW5nIGlzIGRlZmluZWQgaW4gY2VydHMvIG9yIGluIGludGVncml0 eS8gdGhlCmtleXJpbmcgaWQgbmVlZHMgdG8gYmUgYWNjZXNzaWJsZSB0byB0aGUgb3RoZXIsIHdp dGhvdXQgbWFraW5nIHRoZQprZXlyaW5nIGlkIGdsb2JhbC4gwqBNb3Zpbmcgd2hlcmUgdGhlIHBs YXRmb3JtIGtleXJpbmcgaXMgZGVmaW5lZCBpcwpub3QgdGhlIHByb2JsZW0uCgpDb21taXQgYTIx MGZkMzJhNDZiICgia2V4ZWM6IGFkZCBjYWxsIHRvIExTTSBob29rIGluIG9yaWdpbmFsCmtleGVj X2xvYWQgc3lzY2FsbCIpIGludHJvZHVjZWQgYSBuZXcgTFNNIGhvb2suIMKgQXNzdW1pbmcKQ09O RklHX0tFWEVDX1ZFUklGWV9TSUcgaXMgZW5hYmxlZCwgd2l0aCBjb21taXQgYjVjYTExNzM2NWQ5 ICgiaW1hOgpwcmV2ZW50IGtleGVjX2xvYWQgc3lzY2FsbCBiYXNlZCBvbiBydW50aW1lIHNlY3Vy ZWJvb3QgZmxhZyIpIHdlIGNhbgpub3cgYmxvY2sgdGhlIGtleGVjX2xvYWQgc3lzY2FsbC4gwqBX aXRob3V0IGJlaW5nIGFibGUgdG8gYmxvY2sgdGhlCmtleGVjX2xvYWQgc3lzY2FsbCwgdmVyaWZ5 aW5nIHRoZSBrZXhlYyBpbWFnZSBzaWduYXR1cmUgdmlhIHRoZQprZXhlY19maWxlX2xvYWQgc3lz Y2FsbCBpcyBraW5kIG9mIHBvaW50bGVzcy4KClVubGVzcyB5b3UncmUgcGxhbm5pbmcgb24gd3Jp dGluZyBhbiBMU00gdG8gcHJldmVudCB0aGUga2V4ZWNfbG9hZApzeXNjYWxsLCBJIGFzc3VtZSB5 b3UnbGwgd2FudCB0byBlbmFibGUgaW50ZWdyaXR5IGFueXdheS4KCk1pbWkKCgpfX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXwprZXhlYyBtYWlsaW5nIGxpc3QK a2V4ZWNAbGlzdHMuaW5mcmFkZWFkLm9yZwpodHRwOi8vbGlzdHMuaW5mcmFkZWFkLm9yZy9tYWls bWFuL2xpc3RpbmZvL2tleGVjCg== From mboxrd@z Thu Jan 1 00:00:00 1970 From: Mimi Zohar Date: Mon, 14 Jan 2019 16:10:51 +0000 Subject: Re: [RFC PATCH 2/2] kexec, KEYS: Make use of platform keyring for signature verify Message-Id: <1547482251.4156.127.camel@linux.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit List-Id: References: <20190109164824.19708-1-kasong@redhat.com> <20190109164824.19708-3-kasong@redhat.com> <20190111134303.GA12760@dhcp-128-65.nay.redhat.com> <1547223220.19931.471.camel@linux.ibm.com> <20190113013958.GA14019@dhcp-128-65.nay.redhat.com> In-Reply-To: <20190113013958.GA14019@dhcp-128-65.nay.redhat.com> To: Dave Young Cc: Kairui Song , linux-kernel@vger.kernel.org, dhowells@redhat.com, dwmw2@infradead.org, jwboyer@fedoraproject.org, keyrings@vger.kernel.org, jmorris@namei.org, serge@hallyn.com, bauerman@linux.ibm.com, ebiggers@google.com, nayna@linux.ibm.com, linux-integrity@vger.kernel.org, kexec@lists.infradead.org On Sun, 2019-01-13 at 09:39 +0800, Dave Young wrote: > Hi, > > On 01/11/19 at 11:13am, Mimi Zohar wrote: > > On Fri, 2019-01-11 at 21:43 +0800, Dave Young wrote: > > [snip] > > > > > Personally I would like to see platform key separated from integrity. > > > But for the kexec_file part I think it is good at least it works with > > > this fix. > > > > > > Acked-by: Dave Young > > > > The original "platform" keyring patches that Nayna posted multiple > > times were in the certs directory, but nobody commented/responded.  So > > she reworked the patches, moving them to the integrity directory and > > posted them (cc'ing the kexec mailing list).  It's a bit late to be > > asking to move it, isn't it? > > Hmm, apologize for being late, I did not get chance to have a look the > old series. Since we have the needs now, it should be still fine > > Maybe Kairui can check Nayna's old series, see if he can do something > again? Whether the platform keyring is defined in certs/ or in integrity/ the keyring id needs to be accessible to the other, without making the keyring id global.  Moving where the platform keyring is defined is not the problem. Commit a210fd32a46b ("kexec: add call to LSM hook in original kexec_load syscall") introduced a new LSM hook.  Assuming CONFIG_KEXEC_VERIFY_SIG is enabled, with commit b5ca117365d9 ("ima: prevent kexec_load syscall based on runtime secureboot flag") we can now block the kexec_load syscall.  Without being able to block the kexec_load syscall, verifying the kexec image signature via the kexec_file_load syscall is kind of pointless. Unless you're planning on writing an LSM to prevent the kexec_load syscall, I assume you'll want to enable integrity anyway. Mimi From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6D6CFC43387 for ; Mon, 14 Jan 2019 16:11:16 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 443002086D for ; Mon, 14 Jan 2019 16:11:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726640AbfANQLP (ORCPT ); Mon, 14 Jan 2019 11:11:15 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:40756 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726679AbfANQLO (ORCPT ); Mon, 14 Jan 2019 11:11:14 -0500 Received: from pps.filterd (m0098409.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id x0EFr3xv068862 for ; Mon, 14 Jan 2019 11:11:13 -0500 Received: from e06smtp01.uk.ibm.com (e06smtp01.uk.ibm.com [195.75.94.97]) by mx0a-001b2d01.pphosted.com with ESMTP id 2q0wf48ygx-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 14 Jan 2019 11:11:12 -0500 Received: from localhost by e06smtp01.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 14 Jan 2019 16:11:10 -0000 Received: from b06cxnps4074.portsmouth.uk.ibm.com (9.149.109.196) by e06smtp01.uk.ibm.com (192.168.101.131) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Mon, 14 Jan 2019 16:11:05 -0000 Received: from d06av24.portsmouth.uk.ibm.com (mk.ibm.com [9.149.105.60]) by b06cxnps4074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x0EGB3sY5243184 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Mon, 14 Jan 2019 16:11:03 GMT Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 88B5D42049; Mon, 14 Jan 2019 16:11:03 +0000 (GMT) Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id CC69242042; Mon, 14 Jan 2019 16:11:01 +0000 (GMT) Received: from localhost.localdomain (unknown [9.80.106.167]) by d06av24.portsmouth.uk.ibm.com (Postfix) with ESMTP; Mon, 14 Jan 2019 16:11:01 +0000 (GMT) Subject: Re: [RFC PATCH 2/2] kexec, KEYS: Make use of platform keyring for signature verify From: Mimi Zohar To: Dave Young Cc: Kairui Song , linux-kernel@vger.kernel.org, dhowells@redhat.com, dwmw2@infradead.org, jwboyer@fedoraproject.org, keyrings@vger.kernel.org, jmorris@namei.org, serge@hallyn.com, bauerman@linux.ibm.com, ebiggers@google.com, nayna@linux.ibm.com, linux-integrity@vger.kernel.org, kexec@lists.infradead.org Date: Mon, 14 Jan 2019 11:10:51 -0500 In-Reply-To: <20190113013958.GA14019@dhcp-128-65.nay.redhat.com> References: <20190109164824.19708-1-kasong@redhat.com> <20190109164824.19708-3-kasong@redhat.com> <20190111134303.GA12760@dhcp-128-65.nay.redhat.com> <1547223220.19931.471.camel@linux.ibm.com> <20190113013958.GA14019@dhcp-128-65.nay.redhat.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 x-cbid: 19011416-4275-0000-0000-000002FF115C X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19011416-4276-0000-0000-0000380D2B76 Message-Id: <1547482251.4156.127.camel@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-01-14_07:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1901140114 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org On Sun, 2019-01-13 at 09:39 +0800, Dave Young wrote: > Hi, > > On 01/11/19 at 11:13am, Mimi Zohar wrote: > > On Fri, 2019-01-11 at 21:43 +0800, Dave Young wrote: > > [snip] > > > > > Personally I would like to see platform key separated from integrity. > > > But for the kexec_file part I think it is good at least it works with > > > this fix. > > > > > > Acked-by: Dave Young > > > > The original "platform" keyring patches that Nayna posted multiple > > times were in the certs directory, but nobody commented/responded.  So > > she reworked the patches, moving them to the integrity directory and > > posted them (cc'ing the kexec mailing list).  It's a bit late to be > > asking to move it, isn't it? > > Hmm, apologize for being late, I did not get chance to have a look the > old series. Since we have the needs now, it should be still fine > > Maybe Kairui can check Nayna's old series, see if he can do something > again? Whether the platform keyring is defined in certs/ or in integrity/ the keyring id needs to be accessible to the other, without making the keyring id global.  Moving where the platform keyring is defined is not the problem. Commit a210fd32a46b ("kexec: add call to LSM hook in original kexec_load syscall") introduced a new LSM hook.  Assuming CONFIG_KEXEC_VERIFY_SIG is enabled, with commit b5ca117365d9 ("ima: prevent kexec_load syscall based on runtime secureboot flag") we can now block the kexec_load syscall.  Without being able to block the kexec_load syscall, verifying the kexec image signature via the kexec_file_load syscall is kind of pointless. Unless you're planning on writing an LSM to prevent the kexec_load syscall, I assume you'll want to enable integrity anyway. Mimi