From mboxrd@z Thu Jan 1 00:00:00 1970
From: Mimi Zohar
Subject: Re: [PATCH V31 07/25] kexec_file: Restrict at runtime if the kernel is locked down
Date: Mon, 24 Jun 2019 17:27:37 -0400
Message-Id: <1561411657.4340.70.camel@linux.ibm.com>
References: <20190326182742.16950-1-matthewgarrett@google.com> <20190326182742.16950-8-matthewgarrett@google.com> <20190621064340.GB4528@localhost.localdomain> <20190624015206.GB2976@dhcp-128-65.nay.redhat.com>
To: Matthew Garrett, Dave Young
Cc: Jiri Bohac, Linux API, kexec@lists.infradead.org, James Morris, Linux Kernel Mailing List, David Howells, LSM List, Andy Lutomirski

Hi Matthew,

On Mon, 2019-06-24 at 14:06 -0700, Matthew Garrett wrote:
> On Sun, Jun 23, 2019 at 6:52 PM Dave Young wrote:
> >
> > On 06/21/19 at 01:18pm, Matthew Garrett wrote:
> > > I don't think so - we want it to be possible to load images if they
> > > have a valid signature.
> >
> > I know it works like this way because of the previous patch.  But from
> > the patch log "When KEXEC_SIG is not enabled, kernel should not load
> > images", it is simple to check it early for !IS_ENABLED(CONFIG_KEXEC_SIG) &&
> > kernel_is_locked_down(reason, LOCKDOWN_INTEGRITY) instead of depending
> > on the late code to verify signature.  In that way, easier to
> > understand the logic, no?
>
> But that combination doesn't enforce signature validation? We can't
> depend on !IS_ENABLED(CONFIG_KEXEC_SIG_FORCE) because then it'll
> enforce signature validation even if lockdown is disabled.

I agree with Dave. There should be a stub lockdown function to
prevent enforcing lockdown when it isn't enabled.

Mimi
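
The policy debated in this message, as an added user-space C model (not kernel code and not written by anyone in the thread): it combines the early `!IS_ENABLED(CONFIG_KEXEC_SIG)` plus lockdown check with the late signature check, and models the proposed stub as a lockdown query that reports false when lockdown is not built in. The struct, the function names and the `lockdown_built` flag are hypothetical, and the model assumes an image either carries a verified signature or does not.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model: each flag stands in for a build option or runtime
 * state named in the thread; none of this is kernel source. */
struct model_cfg {
    bool kexec_sig;        /* IS_ENABLED(CONFIG_KEXEC_SIG) */
    bool kexec_sig_force;  /* IS_ENABLED(CONFIG_KEXEC_SIG_FORCE) */
    bool lockdown_built;   /* lockdown support compiled in (assumption) */
    bool lockdown_active;  /* lockdown switched on at runtime */
};

/* Stub behaviour: a build without lockdown never reports "locked
 * down", so callers need no #ifdef of their own. */
static bool model_locked_down(const struct model_cfg *c)
{
    return c->lockdown_built && c->lockdown_active;
}

/* Returns true if the image may be loaded. sig_valid means the image
 * carried a signature that verified. */
bool model_kexec_file_allowed(const struct model_cfg *c, bool sig_valid)
{
    bool locked = model_locked_down(c);

    /* Early check from the thread: no verification code + lockdown. */
    if (!c->kexec_sig && locked)
        return false;
    if (!c->kexec_sig)
        return true;    /* nothing to verify, nothing enforcing */
    if (sig_valid)
        return true;    /* a valid signature always loads */
    /* Late check: an unverified image is refused only when something
     * demands a signature. */
    return !(c->kexec_sig_force || locked);
}

int main(void)
{
    /* Print the full decision table for an image without a signature. */
    for (int i = 0; i < 16; i++) {
        struct model_cfg c = { i & 1, i & 2, i & 4, i & 8 };
        printf("sig=%d force=%d built=%d active=%d -> %s\n",
               c.kexec_sig, c.kexec_sig_force, c.lockdown_built,
               c.lockdown_active,
               model_kexec_file_allowed(&c, false) ? "load" : "refuse");
    }
    return 0;
}
```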