From: Michael Ellerman <patch-notifications@ellerman.id.au>
To: Mimi Zohar <zohar@linux.ibm.com>,
linuxppc-dev@ozlabs.org, linux-efi@vger.kernel.org,
linux-integrity@vger.kernel.org
Cc: Jessica Yu <jeyu@kernel.org>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Eric Ricther <erichte@linux.ibm.com>,
Nayna Jain <nayna@linux.ibm.com>,
linux-kernel@vger.kernel.org, Mimi Zohar <zohar@linux.ibm.com>,
David Howells <dhowells@redhat.com>,
Paul Mackerras <paulus@samba.org>, Jeremy Kerr <jk@ozlabs.org>,
Oliver O'Halloran <oohall@gmail.com>
Subject: Re: [PATCH v10 7/9] ima: check against blacklisted hashes for files with modsig
Date: Thu, 14 Nov 2019 20:08:11 +1100 (AEDT) [thread overview]
Message-ID: <47DFy33C6Yz9sSP@ozlabs.org> (raw)
In-Reply-To: <1572492694-6520-8-git-send-email-zohar@linux.ibm.com>
On Thu, 2019-10-31 at 03:31:32 UTC, Mimi Zohar wrote:
> From: Nayna Jain <nayna@linux.ibm.com>
>
> Asymmetric private keys are used to sign multiple files. The kernel
> currently supports checking against blacklisted keys. However, if the
> public key is blacklisted, any file signed by the blacklisted key will
> automatically fail signature verification. Blacklisting the public
> key is not fine enough granularity, as we might want to only blacklist
> a particular file.
>
> This patch adds support for checking against the blacklisted hash of
> the file, without the appended signature, based on the IMA policy. It
> defines a new policy option "appraise_flag=check_blacklist".
>
> In addition to the blacklisted binary hashes stored in the firmware "dbx"
> variable, the Linux kernel may be configured to load blacklisted binary
> hashes onto the .blacklist keyring as well. The following example shows
> how to blacklist a specific kernel module hash.
>
> $ sha256sum kernel/kheaders.ko
> 77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
> kernel/kheaders.ko
>
> $ grep BLACKLIST .config
> CONFIG_SYSTEM_BLACKLIST_KEYRING=y
> CONFIG_SYSTEM_BLACKLIST_HASH_LIST="blacklist-hash-list"
>
> $ cat certs/blacklist-hash-list
> "bin:77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3"
>
> Update the IMA custom measurement and appraisal policy rules
> (/etc/ima-policy):
>
> measure func=MODULE_CHECK template=ima-modsig
> appraise func=MODULE_CHECK appraise_flag=check_blacklist
> appraise_type=imasig|modsig
>
> After building, installing, and rebooting the kernel:
>
> 545660333 ---lswrv 0 0 \_ blacklist:
> bin:77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
>
> measure func=MODULE_CHECK template=ima-modsig
> appraise func=MODULE_CHECK appraise_flag=check_blacklist
> appraise_type=imasig|modsig
>
> modprobe: ERROR: could not insert 'kheaders': Permission denied
>
> 10 0c9834db5a0182c1fb0cdc5d3adcf11a11fd83dd ima-sig
> sha256:3bc6ed4f0b4d6e31bc1dbc9ef844605abc7afdc6d81a57d77a1ec9407997c40
> 2 /usr/lib/modules/5.4.0-rc3+/kernel/kernel/kheaders.ko
>
> 10 82aad2bcc3fa8ed94762356b5c14838f3bcfa6a0 ima-modsig
> sha256:3bc6ed4f0b4d6e31bc1dbc9ef844605abc7afdc6d81a57d77a1ec9407997c40
> 2 /usr/lib/modules/5.4.0rc3+/kernel/kernel/kheaders.ko sha256:77fa889b3
> 5a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
> 3082029a06092a864886f70d010702a082028b30820287020101310d300b0609608648
> 016503040201300b06092a864886f70d01070131820264....
>
> 10 25b72217cc1152b44b134ce2cd68f12dfb71acb3 ima-buf
> sha256:8b58427fedcf8f4b20bc8dc007f2e232bf7285d7b93a66476321f9c2a3aa132
> b blacklisted-hash
> 77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
>
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
> Cc: Jessica Yu <jeyu@kernel.org>
> Cc: David Howells <dhowells@redhat.com>
> [zohar@linux.ibm.com: updated patch description]
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Applied to powerpc next, thanks.
https://git.kernel.org/powerpc/c/273df864cf7466fb170b8dcc1abd672cd08ad8d3
cheers
WARNING: multiple messages have this Message-ID (diff)
From: Michael Ellerman <patch-notifications@ellerman.id.au>
To: Mimi Zohar <zohar@linux.ibm.com>,
linuxppc-dev@ozlabs.org, linux-efi@vger.kernel.org,
linux-integrity@vger.kernel.org
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Eric Ricther <erichte@linux.ibm.com>,
Nayna Jain <nayna@linux.ibm.com>,
linux-kernel@vger.kernel.org, Mimi Zohar <zohar@linux.ibm.com>,
David Howells <dhowells@redhat.com>,
Paul Mackerras <paulus@samba.org>, Jeremy Kerr <jk@ozlabs.org>,
Jessica Yu <jeyu@kernel.org>,
Oliver O'Halloran <oohall@gmail.com>
Subject: Re: [PATCH v10 7/9] ima: check against blacklisted hashes for files with modsig
Date: Thu, 14 Nov 2019 20:08:11 +1100 (AEDT) [thread overview]
Message-ID: <47DFy33C6Yz9sSP@ozlabs.org> (raw)
In-Reply-To: <1572492694-6520-8-git-send-email-zohar@linux.ibm.com>
On Thu, 2019-10-31 at 03:31:32 UTC, Mimi Zohar wrote:
> From: Nayna Jain <nayna@linux.ibm.com>
>
> Asymmetric private keys are used to sign multiple files. The kernel
> currently supports checking against blacklisted keys. However, if the
> public key is blacklisted, any file signed by the blacklisted key will
> automatically fail signature verification. Blacklisting the public
> key is not fine enough granularity, as we might want to only blacklist
> a particular file.
>
> This patch adds support for checking against the blacklisted hash of
> the file, without the appended signature, based on the IMA policy. It
> defines a new policy option "appraise_flag=check_blacklist".
>
> In addition to the blacklisted binary hashes stored in the firmware "dbx"
> variable, the Linux kernel may be configured to load blacklisted binary
> hashes onto the .blacklist keyring as well. The following example shows
> how to blacklist a specific kernel module hash.
>
> $ sha256sum kernel/kheaders.ko
> 77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
> kernel/kheaders.ko
>
> $ grep BLACKLIST .config
> CONFIG_SYSTEM_BLACKLIST_KEYRING=y
> CONFIG_SYSTEM_BLACKLIST_HASH_LIST="blacklist-hash-list"
>
> $ cat certs/blacklist-hash-list
> "bin:77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3"
>
> Update the IMA custom measurement and appraisal policy rules
> (/etc/ima-policy):
>
> measure func=MODULE_CHECK template=ima-modsig
> appraise func=MODULE_CHECK appraise_flag=check_blacklist
> appraise_type=imasig|modsig
>
> After building, installing, and rebooting the kernel:
>
> 545660333 ---lswrv 0 0 \_ blacklist:
> bin:77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
>
> measure func=MODULE_CHECK template=ima-modsig
> appraise func=MODULE_CHECK appraise_flag=check_blacklist
> appraise_type=imasig|modsig
>
> modprobe: ERROR: could not insert 'kheaders': Permission denied
>
> 10 0c9834db5a0182c1fb0cdc5d3adcf11a11fd83dd ima-sig
> sha256:3bc6ed4f0b4d6e31bc1dbc9ef844605abc7afdc6d81a57d77a1ec9407997c40
> 2 /usr/lib/modules/5.4.0-rc3+/kernel/kernel/kheaders.ko
>
> 10 82aad2bcc3fa8ed94762356b5c14838f3bcfa6a0 ima-modsig
> sha256:3bc6ed4f0b4d6e31bc1dbc9ef844605abc7afdc6d81a57d77a1ec9407997c40
> 2 /usr/lib/modules/5.4.0rc3+/kernel/kernel/kheaders.ko sha256:77fa889b3
> 5a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
> 3082029a06092a864886f70d010702a082028b30820287020101310d300b0609608648
> 016503040201300b06092a864886f70d01070131820264....
>
> 10 25b72217cc1152b44b134ce2cd68f12dfb71acb3 ima-buf
> sha256:8b58427fedcf8f4b20bc8dc007f2e232bf7285d7b93a66476321f9c2a3aa132
> b blacklisted-hash
> 77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
>
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
> Cc: Jessica Yu <jeyu@kernel.org>
> Cc: David Howells <dhowells@redhat.com>
> [zohar@linux.ibm.com: updated patch description]
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Applied to powerpc next, thanks.
https://git.kernel.org/powerpc/c/273df864cf7466fb170b8dcc1abd672cd08ad8d3
cheers
next prev parent reply other threads:[~2019-11-14 9:09 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-31 3:31 [PATCH v10 0/9] powerpc: Enabling IMA arch specific secure boot policies Mimi Zohar
2019-10-31 3:31 ` Mimi Zohar
2019-10-31 3:31 ` [PATCH v10 1/9] powerpc: detect the secure boot mode of the system Mimi Zohar
2019-10-31 3:31 ` Mimi Zohar
2019-11-05 5:14 ` Eric Richter
2019-11-05 5:14 ` Eric Richter
2019-11-05 23:00 ` [PATCH v10a " Eric Richter
2019-11-05 23:00 ` Eric Richter
2019-11-14 9:08 ` Michael Ellerman
2019-11-14 9:08 ` Michael Ellerman
2019-10-31 3:31 ` [PATCH v10 2/9] powerpc/ima: add support to initialize ima policy rules Mimi Zohar
2019-10-31 3:31 ` Mimi Zohar
2019-11-14 9:08 ` Michael Ellerman
2019-10-31 3:31 ` [PATCH v10 3/9] powerpc: detect the trusted boot state of the system Mimi Zohar
2019-10-31 3:31 ` Mimi Zohar
2019-11-05 23:02 ` [PATCH v10a " Eric Richter
2019-11-05 23:02 ` Eric Richter
2019-11-14 9:08 ` Michael Ellerman
2019-11-14 9:08 ` Michael Ellerman
2019-10-31 3:31 ` [PATCH v10 4/9] powerpc/ima: define trusted boot policy Mimi Zohar
2019-10-31 3:31 ` Mimi Zohar
2019-11-14 9:08 ` Michael Ellerman
2019-10-31 3:31 ` [PATCH v10 5/9] ima: make process_buffer_measurement() generic Mimi Zohar
2019-10-31 3:31 ` Mimi Zohar
2019-10-31 17:02 ` Lakshmi Ramasubramanian
2019-10-31 17:02 ` Lakshmi Ramasubramanian
2019-10-31 17:22 ` Lakshmi Ramasubramanian
2019-10-31 17:22 ` Lakshmi Ramasubramanian
2019-11-14 9:08 ` Michael Ellerman
2019-10-31 3:31 ` [PATCH v10 6/9] certs: add wrapper function to check blacklisted binary hash Mimi Zohar
2019-10-31 3:31 ` Mimi Zohar
2019-11-14 9:08 ` Michael Ellerman
2019-10-31 3:31 ` [PATCH v10 7/9] ima: check against blacklisted hashes for files with modsig Mimi Zohar
2019-10-31 3:31 ` Mimi Zohar
2019-11-14 9:08 ` Michael Ellerman [this message]
2019-11-14 9:08 ` Michael Ellerman
2019-10-31 3:31 ` [PATCH v10 8/9] powerpc/ima: update ima arch policy to check for blacklist Mimi Zohar
2019-10-31 3:31 ` Mimi Zohar
2019-11-14 9:08 ` Michael Ellerman
2019-11-14 9:08 ` Michael Ellerman
2019-10-31 3:31 ` [RFC PATCH v10 9/9] powerpc/ima: indicate kernel modules appended signatures are enforced Mimi Zohar
2019-10-31 3:31 ` Mimi Zohar
2019-11-14 9:08 ` Michael Ellerman
2019-11-14 9:08 ` Michael Ellerman
2019-12-09 20:27 ` [PATCH v10 0/9] powerpc: Enabling IMA arch specific secure boot policies Lakshmi Ramasubramanian
2019-12-09 20:27 ` Lakshmi Ramasubramanian
2019-12-09 21:36 ` Mimi Zohar
2019-12-09 21:36 ` Mimi Zohar
[not found] ` <3322befc-d1b9-41cf-aabf-0259fe3adb2b@linux.microsoft.com>
2019-12-09 23:33 ` Verified the key measurement patches in v5.5-rc1 Lakshmi Ramasubramanian
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=47DFy33C6Yz9sSP@ozlabs.org \
--to=patch-notifications@ellerman.id.au \
--cc=ard.biesheuvel@linaro.org \
--cc=dhowells@redhat.com \
--cc=erichte@linux.ibm.com \
--cc=jeyu@kernel.org \
--cc=jk@ozlabs.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxppc-dev@ozlabs.org \
--cc=nayna@linux.ibm.com \
--cc=oohall@gmail.com \
--cc=paulus@samba.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.