From: Mimi Zohar <zohar@linux.ibm.com>
To: Nayna Jain <nayna@linux.ibm.com>,
linuxppc-dev@ozlabs.org, linux-efi@vger.kernel.org,
linux-integrity@vger.kernel.org
Cc: linux-kernel@vger.kernel.org,
Michael Ellerman <mpe@ellerman.id.au>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Paul Mackerras <paulus@samba.org>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Jeremy Kerr <jk@ozlabs.org>,
Matthew Garret <matthew.garret@nebula.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Claudio Carvalho <cclaudio@linux.ibm.com>,
George Wilson <gcwilson@linux.ibm.com>,
Elaine Palmer <erpalmer@us.ibm.com>,
Eric Ricther <erichte@linux.ibm.com>,
"Oliver O'Halloran" <oohall@gmail.com>,
Prakhar Srivastava <prsriva02@gmail.com>,
Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Subject: Re: [PATCH v9 0/8] powerpc: Enabling IMA arch specific secure boot policies
Date: Mon, 28 Oct 2019 08:10:43 -0400 [thread overview]
Message-ID: <1572264643.4532.244.camel@linux.ibm.com> (raw)
In-Reply-To: <20191024034717.70552-1-nayna@linux.ibm.com>
On Wed, 2019-10-23 at 22:47 -0500, Nayna Jain wrote:
> This patchset extends the previous version[1] by adding support for
> checking against a blacklist of binary hashes.
>
> The IMA subsystem supports custom, built-in, arch-specific policies to
> define the files to be measured and appraised. These policies are honored
> based on priority, where arch-specific policy is the highest and custom
> is the lowest.
>
> PowerNV system uses a Linux-based bootloader to kexec the OS. The
> bootloader kernel relies on IMA for signature verification of the OS
> kernel before doing the kexec. This patchset adds support for powerpc
> arch-specific IMA policies that are conditionally defined based on a
> system's secure boot and trusted boot states. The OS secure boot and
> trusted boot states are determined via device-tree properties.
>
> The verification needs to be performed only for binaries that are not
> blacklisted. The kernel currently only checks against the blacklist of
> keys. However, doing so results in blacklisting all the binaries that
> are signed by the same key. In order to prevent just one particular
> binary from being loaded, it must be checked against a blacklist of
> binary hashes. This patchset also adds support to IMA for checking
> against a hash blacklist for files. signed by appended signature.
>
> [1] http://patchwork.ozlabs.org/cover/1149262/
Thanks, Nayna.
Please feel free to add my Signed-off-by tag on patches (2, 4, 5, 7 &
8).
thanks,
Mimi
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: Nayna Jain <nayna@linux.ibm.com>,
linuxppc-dev@ozlabs.org, linux-efi@vger.kernel.org,
linux-integrity@vger.kernel.org
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Eric Ricther <erichte@linux.ibm.com>,
Prakhar Srivastava <prsriva02@gmail.com>,
linux-kernel@vger.kernel.org,
Claudio Carvalho <cclaudio@linux.ibm.com>,
Matthew Garret <matthew.garret@nebula.com>,
Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Paul Mackerras <paulus@samba.org>, Jeremy Kerr <jk@ozlabs.org>,
Elaine Palmer <erpalmer@us.ibm.com>,
Oliver O'Halloran <oohall@gmail.com>,
George Wilson <gcwilson@linux.ibm.com>
Subject: Re: [PATCH v9 0/8] powerpc: Enabling IMA arch specific secure boot policies
Date: Mon, 28 Oct 2019 08:10:43 -0400 [thread overview]
Message-ID: <1572264643.4532.244.camel@linux.ibm.com> (raw)
In-Reply-To: <20191024034717.70552-1-nayna@linux.ibm.com>
On Wed, 2019-10-23 at 22:47 -0500, Nayna Jain wrote:
> This patchset extends the previous version[1] by adding support for
> checking against a blacklist of binary hashes.
>
> The IMA subsystem supports custom, built-in, arch-specific policies to
> define the files to be measured and appraised. These policies are honored
> based on priority, where arch-specific policy is the highest and custom
> is the lowest.
>
> PowerNV system uses a Linux-based bootloader to kexec the OS. The
> bootloader kernel relies on IMA for signature verification of the OS
> kernel before doing the kexec. This patchset adds support for powerpc
> arch-specific IMA policies that are conditionally defined based on a
> system's secure boot and trusted boot states. The OS secure boot and
> trusted boot states are determined via device-tree properties.
>
> The verification needs to be performed only for binaries that are not
> blacklisted. The kernel currently only checks against the blacklist of
> keys. However, doing so results in blacklisting all the binaries that
> are signed by the same key. In order to prevent just one particular
> binary from being loaded, it must be checked against a blacklist of
> binary hashes. This patchset also adds support to IMA for checking
> against a hash blacklist for files. signed by appended signature.
>
> [1] http://patchwork.ozlabs.org/cover/1149262/
Thanks, Nayna.
Please feel free to add my Signed-off-by tag on patches (2, 4, 5, 7 &
8).
thanks,
Mimi
next prev parent reply other threads:[~2019-10-28 12:11 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-24 3:47 [PATCH v9 0/8] powerpc: Enabling IMA arch specific secure boot policies Nayna Jain
2019-10-24 3:47 ` Nayna Jain
2019-10-24 3:47 ` [PATCH v9 1/8] powerpc: detect the secure boot mode of the system Nayna Jain
2019-10-24 3:47 ` Nayna Jain
2019-10-24 17:26 ` Lakshmi Ramasubramanian
2019-10-24 17:26 ` Lakshmi Ramasubramanian
2019-10-25 16:49 ` Nayna Jain
2019-10-25 16:49 ` Nayna Jain
2019-10-24 3:47 ` [PATCH v9 2/8] powerpc/ima: add support to initialize ima policy rules Nayna Jain
2019-10-24 3:47 ` Nayna Jain
2019-10-24 17:35 ` Lakshmi Ramasubramanian
2019-10-24 17:35 ` Lakshmi Ramasubramanian
2019-10-25 17:02 ` Nayna Jain
2019-10-25 17:02 ` Nayna Jain
2019-10-25 18:03 ` Lakshmi Ramasubramanian
2019-10-25 18:03 ` Lakshmi Ramasubramanian
2019-10-28 23:42 ` Michael Ellerman
2019-10-28 23:42 ` Michael Ellerman
2019-10-26 23:52 ` Mimi Zohar
2019-10-26 23:52 ` Mimi Zohar
2019-10-28 11:54 ` Mimi Zohar
2019-10-28 11:54 ` Mimi Zohar
2019-10-24 3:47 ` [PATCH v9 3/8] powerpc: detect the trusted boot state of the system Nayna Jain
2019-10-24 3:47 ` Nayna Jain
2019-10-24 17:38 ` Lakshmi Ramasubramanian
2019-10-24 17:38 ` Lakshmi Ramasubramanian
2019-10-25 16:50 ` Nayna Jain
2019-10-25 16:50 ` Nayna Jain
2019-10-24 3:47 ` [PATCH v9 4/8] powerpc/ima: define trusted boot policy Nayna Jain
2019-10-24 3:47 ` Nayna Jain
2019-10-24 17:40 ` Lakshmi Ramasubramanian
2019-10-24 17:40 ` Lakshmi Ramasubramanian
2019-10-24 3:47 ` [PATCH v9 5/8] ima: make process_buffer_measurement() generic Nayna Jain
2019-10-24 3:47 ` Nayna Jain
2019-10-24 15:20 ` Lakshmi Ramasubramanian
2019-10-24 15:20 ` Lakshmi Ramasubramanian
2019-10-25 17:24 ` Nayna Jain
2019-10-25 17:24 ` Nayna Jain
2019-10-25 17:32 ` Lakshmi Ramasubramanian
2019-10-25 17:32 ` Lakshmi Ramasubramanian
2019-10-27 0:13 ` Mimi Zohar
2019-10-27 0:13 ` Mimi Zohar
2019-10-30 15:22 ` Lakshmi Ramasubramanian
2019-10-30 15:22 ` Lakshmi Ramasubramanian
2019-10-30 16:35 ` Mimi Zohar
2019-10-30 16:35 ` Mimi Zohar
2019-10-24 3:47 ` [PATCH v9 6/8] certs: add wrapper function to check blacklisted binary hash Nayna Jain
2019-10-24 3:47 ` Nayna Jain
2019-10-24 3:47 ` [PATCH v9 7/8] ima: check against blacklisted hashes for files with modsig Nayna Jain
2019-10-24 3:47 ` Nayna Jain
2019-10-24 17:48 ` Lakshmi Ramasubramanian
2019-10-24 17:48 ` Lakshmi Ramasubramanian
2019-10-25 17:36 ` Nayna Jain
2019-10-25 17:36 ` Nayna Jain
2019-10-24 3:47 ` [PATCH v9 8/8] powerpc/ima: update ima arch policy to check for blacklist Nayna Jain
2019-10-24 3:47 ` Nayna Jain
2019-10-28 12:10 ` Mimi Zohar [this message]
2019-10-28 12:10 ` [PATCH v9 0/8] powerpc: Enabling IMA arch specific secure boot policies Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1572264643.4532.244.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=ard.biesheuvel@linaro.org \
--cc=benh@kernel.crashing.org \
--cc=cclaudio@linux.ibm.com \
--cc=erichte@linux.ibm.com \
--cc=erpalmer@us.ibm.com \
--cc=gcwilson@linux.ibm.com \
--cc=gregkh@linuxfoundation.org \
--cc=jk@ozlabs.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxppc-dev@ozlabs.org \
--cc=matthew.garret@nebula.com \
--cc=mpe@ellerman.id.au \
--cc=nayna@linux.ibm.com \
--cc=nramas@linux.microsoft.com \
--cc=oohall@gmail.com \
--cc=paulus@samba.org \
--cc=prsriva02@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.