Subject: Re: [RFC] kexec: Allow kexec_file() with appropriate IMA policy when locked down
From: Mimi Zohar
To: Matthew Garrett
Cc: linux-integrity, David Howells, Dmitry Kasatkin
Date: Wed, 13 Mar 2019 21:08:18 -0400
In-Reply-To:
References: <20190312195715.101995-1-matthewgarrett@google.com> <1552478316.24794.210.camel@linux.ibm.com> <1552512556.24794.229.camel@linux.ibm.com>
Message-Id: <1552525698.24794.237.camel@linux.ibm.com>
List-ID: linux-integrity@vger.kernel.org

On Wed, 2019-03-13 at 14:59 -0700, Matthew Garrett wrote:
> On Wed, Mar 13, 2019 at 2:29 PM Mimi Zohar wrote:
> >
> > On Wed, 2019-03-13 at 13:36 -0700, Matthew Garrett wrote:
> > > Oh hm. The only case I can see where this isn't sufficient is if the
> > > filesystem returns EOPNOTSUPP for the EVM xattr, but in that case we
> > > should already have failed to get the IMA xattr and will fail
> > > appraisal as a result?
> >
> > The evm_initialized flag is an indication that EVM has been
> > initialized on the system. Both hmac and signatures could be
> > supported. Even checking for EVM_INIT_X509 doesn't provide any
> > guarantees that the particular file has an EVM signature.
> >
> > (The hmac can be updated (e.g. a change in security xattrs,
> > removal/addition of a protected xattr), so we can't rely on them.)
>
> So having IMA appraisal of the hash and hmac-based EVM validation of
> the xattr security isn't sufficient? Is this just because of the
> offline attack case?

The IMA hash and EVM hmac combination is fine for offline protection.
It's used for mutable files.  For immutable files, there must be either
an IMA or EVM signature.

Mimi
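The hash-versus-signature distinction drawn in the reply above, as an added example that is not part of the thread and not code from the kernel tree: a small Python parser that classifies security.ima / security.evm values by their leading type byte and then applies the stated rule, namely that an IMA hash plus an EVM HMAC is enough for a mutable file while an immutable file needs an IMA or EVM signature. The xattr layouts (enum evm_ima_xattr_type, struct signature_v2_hdr, the enum hash_algo numbering) are reproduced from memory of security/integrity/integrity.h and should be treated as assumptions; the sample xattr bytes are constructed, and the signature payloads are filler rather than real signatures. inspect_file() is the only part that touches a real filesystem and is a convenience for trying the classifier on a live Linux box.

```python
"""Classify IMA/EVM xattr values as hash/HMAC or signature and apply the
mutable-vs-immutable rule from the reply.

Added example; not code from the thread or from the kernel. The layouts of
enum evm_ima_xattr_type, struct signature_v2_hdr and enum hash_algo are
reproduced from memory of security/integrity/integrity.h (assumptions).
"""
import hashlib
import os
import struct

# enum evm_ima_xattr_type (assumed values)
IMA_XATTR_DIGEST = 0x01           # legacy: type byte followed by raw digest
EVM_XATTR_HMAC = 0x02             # type byte followed by the EVM HMAC
EVM_IMA_XATTR_DIGSIG = 0x03       # asymmetric signature (security.ima or .evm)
IMA_XATTR_DIGEST_NG = 0x04        # type byte, hash_algo byte, digest
EVM_XATTR_PORTABLE_DIGSIG = 0x05  # EVM portable signature

# enum hash_algo, subset (assumed values)
HASH_ALGO_NAMES = {1: "md5", 2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}

# struct signature_v2_hdr: u8 type, u8 version, u8 hash_algo,
#                          be32 keyid, be16 sig_size, u8 sig[]
SIG_HDR = struct.Struct(">BBBIH")


def parse_ima_evm_xattr(raw: bytes) -> dict:
    """Decode one security.ima or security.evm value.

    'signed' is True only for an asymmetric signature, never for a hash
    or an HMAC, since the HMAC is recomputed whenever a protected xattr
    changes and therefore cannot pin an immutable file down.
    """
    if not raw:
        raise ValueError("empty xattr value")
    xtype = raw[0]
    if xtype == IMA_XATTR_DIGEST:
        return {"type": "IMA_XATTR_DIGEST", "signed": False, "digest": raw[1:].hex()}
    if xtype == EVM_XATTR_HMAC:
        return {"type": "EVM_XATTR_HMAC", "signed": False, "hmac": raw[1:].hex()}
    if xtype == IMA_XATTR_DIGEST_NG:
        if len(raw) < 2:
            raise ValueError("IMA_XATTR_DIGEST_NG without hash_algo byte")
        algo = HASH_ALGO_NAMES.get(raw[1], f"hash_algo#{raw[1]}")
        return {"type": "IMA_XATTR_DIGEST_NG", "signed": False,
                "hash_algo": algo, "digest": raw[2:].hex()}
    if xtype in (EVM_IMA_XATTR_DIGSIG, EVM_XATTR_PORTABLE_DIGSIG):
        if len(raw) < SIG_HDR.size:
            raise ValueError("truncated signature_v2_hdr")
        _, version, hash_algo, keyid, sig_size = SIG_HDR.unpack_from(raw)
        if version != 2:
            raise ValueError(f"unsupported signature version {version}")
        sig = raw[SIG_HDR.size:]
        if len(sig) != sig_size:
            raise ValueError(f"sig_size {sig_size} != payload length {len(sig)}")
        name = ("EVM_IMA_XATTR_DIGSIG" if xtype == EVM_IMA_XATTR_DIGSIG
                else "EVM_XATTR_PORTABLE_DIGSIG")
        return {"type": name, "signed": True, "version": version,
                "hash_algo": HASH_ALGO_NAMES.get(hash_algo, f"hash_algo#{hash_algo}"),
                "keyid": f"{keyid:08x}", "sig_size": sig_size}
    raise ValueError(f"unknown evm_ima_xattr_type {xtype:#04x}")


def protection_ok(ima_raw, evm_raw, immutable: bool) -> bool:
    """Rule from the reply: hash + HMAC protects a mutable file offline;
    an immutable file needs an IMA or EVM signature."""
    if ima_raw is None:
        return False                       # nothing to appraise at all
    ima = parse_ima_evm_xattr(ima_raw)
    evm = parse_ima_evm_xattr(evm_raw) if evm_raw is not None else None
    if immutable:
        return ima["signed"] or (evm is not None and evm["signed"])
    # Mutable: security.ima (hash or signature) bound to the inode by security.evm.
    return evm is not None


def inspect_file(path: str, immutable: bool = False) -> dict:
    """Read the real xattrs of a file (Linux only) and apply the rule."""
    def get(name):
        try:
            return os.getxattr(path, name) or None
        except OSError:                    # ENODATA, ENOTSUP, EPERM, ...
            return None
    ima_raw, evm_raw = get("security.ima"), get("security.evm")
    return {"ima": parse_ima_evm_xattr(ima_raw) if ima_raw else None,
            "evm": parse_ima_evm_xattr(evm_raw) if evm_raw else None,
            "ok": protection_ok(ima_raw, evm_raw, immutable)}


# Constructed sample values (not from a real system); signature bodies are filler.
_digest = hashlib.sha256(b"constructed file contents").digest()
SAMPLE_IMA_HASH = bytes([IMA_XATTR_DIGEST_NG, 4]) + _digest      # sha256 hash
SAMPLE_EVM_HMAC = bytes([EVM_XATTR_HMAC]) + bytes(20)            # HMAC placeholder
SAMPLE_IMA_SIG = SIG_HDR.pack(EVM_IMA_XATTR_DIGSIG, 2, 4, 0x0102ABCD, 256) + bytes(256)
SAMPLE_EVM_SIG = SIG_HDR.pack(EVM_XATTR_PORTABLE_DIGSIG, 2, 4, 0x0102ABCD, 256) + bytes(256)

if __name__ == "__main__":
    for label, ima, evm in [("hash + hmac", SAMPLE_IMA_HASH, SAMPLE_EVM_HMAC),
                            ("sig + hmac", SAMPLE_IMA_SIG, SAMPLE_EVM_HMAC),
                            ("hash + evm sig", SAMPLE_IMA_HASH, SAMPLE_EVM_SIG)]:
        print(f"{label:15} mutable={protection_ok(ima, evm, False)} "
              f"immutable={protection_ok(ima, evm, True)}")
```

On a live system, `inspect_file("/usr/bin/kexec", immutable=True)` shows whether the file carries anything a locked-down kexec_file() could rely on beyond a hash; a result with both entries present but `"ok": False` is exactly the hash-plus-HMAC case the reply says is not enough for an immutable file.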