Kexec Archive on lore.kernel.org
* [PATCH 07/24] kexec: Disable at runtime if the kernel is locked down
       [not found] <149142326734.5101.4596394505987813763.stgit@warthog.procyon.org.uk>
@ 2017-04-05 20:15 ` David Howells
  2017-04-07  3:07   ` Dave Young
  2017-04-05 20:15 ` [PATCH 08/24] Copy secure_boot flag in boot params across kexec reboot David Howells
  2017-04-05 20:15 ` [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set David Howells
  2 siblings, 1 reply; 19+ messages in thread
From: David Howells @ 2017-04-05 20:15 UTC (permalink / raw)
  To: linux-kernel
  Cc: matthew.garrett, linux-efi, gnomes, gregkh, kexec, dhowells,
	linux-security-module, keyrings

From: Matthew Garrett <matthew.garrett@nebula.com>

kexec permits the loading and execution of arbitrary code in ring 0, which
is something that lock-down is meant to prevent. It makes sense to disable
kexec in this situation.

This does not affect kexec_file_load() which can check for a signature on the
image to be booted.

Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: kexec@lists.infradead.org
---

 kernel/kexec.c |    7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/kernel/kexec.c b/kernel/kexec.c
index 980936a90ee6..46de8e6b42f4 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -194,6 +194,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
 		return -EPERM;
 
 	/*
+	 * kexec can be used to circumvent module loading restrictions, so
+	 * prevent loading in that case
+	 */
+	if (kernel_is_locked_down())
+		return -EPERM;
+
+	/*
 	 * Verify we have a legal set of flags
 	 * This leaves us room for future extensions.
 	 */
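Review bot: the comment added at the top of the hunk ("kexec can be used to circumvent module loading restrictions") gives a narrower reason than the commit message, which is that kexec_load() lets arbitrary unsigned code run in ring 0 under lock-down; reword it to that broader rationale so a reader of kernel/kexec.c does not assume the check only matters when module signing is enforced. Also, the hunk reuses the existing "/*" of the flags comment for the new text and then re-opens a second "/*" below it; inserting the new comment and check as a self-contained block before the existing comment would leave the flags comment untouched and make the diff easier to read.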


_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec


* [PATCH 08/24] Copy secure_boot flag in boot params across kexec reboot
       [not found] <149142326734.5101.4596394505987813763.stgit@warthog.procyon.org.uk>
  2017-04-05 20:15 ` [PATCH 07/24] kexec: Disable at runtime if the kernel is locked down David Howells
@ 2017-04-05 20:15 ` David Howells
  2017-04-05 20:15 ` [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set David Howells
  2 siblings, 0 replies; 19+ messages in thread
From: David Howells @ 2017-04-05 20:15 UTC (permalink / raw)
  To: linux-kernel
  Cc: gnomes, linux-efi, matthew.garrett, gregkh, kexec, dhowells,
	linux-security-module, keyrings, Dave Young

From: Dave Young <dyoung@redhat.com>

A kexec reboot with secure boot enabled does not keep the secure boot mode
in the new kernel, so later one can load an unsigned kernel via the legacy
kexec_load.  In this state, the system is missing the protections provided
by secure boot.

This patch fixes it by retaining the secure_boot flag from the original
kernel.

The secure_boot flag in boot_params is set in the EFI stub, but kexec bypasses
the stub.  Fix this by copying the secure_boot flag across the kexec reboot.

Signed-off-by: Dave Young <dyoung@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: kexec@lists.infradead.org
---

 arch/x86/kernel/kexec-bzimage64.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
index d0a814a9d96a..3551bcaa1eaf 100644
--- a/arch/x86/kernel/kexec-bzimage64.c
+++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
 	if (efi_enabled(EFI_OLD_MEMMAP))
 		return 0;
 
+	params->secure_boot = boot_params.secure_boot;
 	ei->efi_loader_signature = current_ei->efi_loader_signature;
 	ei->efi_systab = current_ei->efi_systab;
 	ei->efi_systab_hi = current_ei->efi_systab_hi;
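Review bot: the new line "params->secure_boot = boot_params.secure_boot;" is placed after the early "if (efi_enabled(EFI_OLD_MEMMAP)) return 0;", so on a system using the old EFI memory map the flag is never copied and the kexec'd kernel boots believing secure boot is off, which is precisely the state the commit message sets out to prevent. secure_boot is a boot_params field with no dependency on the EFI memory-map layout, so the assignment belongs above that early return (or in the caller that fills in the rest of params).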



* [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
       [not found] <149142326734.5101.4596394505987813763.stgit@warthog.procyon.org.uk>
  2017-04-05 20:15 ` [PATCH 07/24] kexec: Disable at runtime if the kernel is locked down David Howells
  2017-04-05 20:15 ` [PATCH 08/24] Copy secure_boot flag in boot params across kexec reboot David Howells
@ 2017-04-05 20:15 ` David Howells
  2017-04-07  3:05   ` Dave Young
  2 siblings, 1 reply; 19+ messages in thread
From: David Howells @ 2017-04-05 20:15 UTC (permalink / raw)
  To: linux-kernel
  Cc: Matthew Garrett, linux-efi, gnomes, Chun-Yi Lee, gregkh, kexec,
	dhowells, linux-security-module, keyrings, matthew.garrett

From: Chun-Yi Lee <joeyli.kernel@gmail.com>

When KEXEC_VERIFY_SIG is not enabled, the kernel should not load images
through the kexec_file system call if securelevel has been set.

This code was shown in Matthew's patch but is not in git:
https://lkml.org/lkml/2015/3/13/778

Cc: Matthew Garrett <mjg59@srcf.ucam.org>
Signed-off-by: Chun-Yi Lee <jlee@suse.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: kexec@lists.infradead.org
---

 kernel/kexec_file.c |    6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index b118735fea9d..f6937eecd1eb 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
 	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
 		return -EPERM;
 
+	/* Don't permit images to be loaded into trusted kernels if we're not
+	 * going to verify the signature on them
+	 */
+	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
+		return -EPERM;
+
 	/* Make sure we have a legal set of flags */
 	if (flags != (flags & KEXEC_FILE_FLAGS))
 		return -EINVAL;
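Review bot: the subject line and commit message condition the check on "securelevel", the new comment on "trusted kernels", and the code on kernel_is_locked_down(); pick one term (lockdown) for all three so the condition is unambiguous. On the logic, IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) is a compile-time statement that the kernel is able to verify signatures, not that this image's signature will be verified, and, as the replies in this thread point out, an IMA appraisal policy can provide the verification instead; a runtime condition reflecting whether verification is actually in force would be more accurate than the Kconfig test alone.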



* Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
  2017-04-05 20:15 ` [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set David Howells
@ 2017-04-07  3:05   ` Dave Young
  2017-04-07  3:49     ` Mimi Zohar
  0 siblings, 1 reply; 19+ messages in thread
From: Dave Young @ 2017-04-07  3:05 UTC (permalink / raw)
  To: David Howells
  Cc: Matthew Garrett, linux-efi, gnomes, gregkh, kexec, linux-kernel,
	Chun-Yi Lee, linux-security-module, keyrings, matthew.garrett

On 04/05/17 at 09:15pm, David Howells wrote:
> From: Chun-Yi Lee <joeyli.kernel@gmail.com>
> 
> When KEXEC_VERIFY_SIG is not enabled, the kernel should not load images
> through the kexec_file system call if securelevel has been set.
> 
> This code was shown in Matthew's patch but is not in git:
> https://lkml.org/lkml/2015/3/13/778
> 
> Cc: Matthew Garrett <mjg59@srcf.ucam.org>
> Signed-off-by: Chun-Yi Lee <jlee@suse.com>
> Signed-off-by: David Howells <dhowells@redhat.com>
> cc: kexec@lists.infradead.org
> ---
> 
>  kernel/kexec_file.c |    6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> index b118735fea9d..f6937eecd1eb 100644
> --- a/kernel/kexec_file.c
> +++ b/kernel/kexec_file.c
> @@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
>  	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
>  		return -EPERM;
>  
> +	/* Don't permit images to be loaded into trusted kernels if we're not
> +	 * going to verify the signature on them
> +	 */
> +	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> +		return -EPERM;
> +
>  	/* Make sure we have a legal set of flags */
>  	if (flags != (flags & KEXEC_FILE_FLAGS))
>  		return -EINVAL;
> 
> 
> _______________________________________________
> kexec mailing list
> kexec@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/kexec

Acked-by: Dave Young <dyoung@redhat.com>

Thanks
Dave


* Re: [PATCH 07/24] kexec: Disable at runtime if the kernel is locked down
  2017-04-05 20:15 ` [PATCH 07/24] kexec: Disable at runtime if the kernel is locked down David Howells
@ 2017-04-07  3:07   ` Dave Young
  0 siblings, 0 replies; 19+ messages in thread
From: Dave Young @ 2017-04-07  3:07 UTC (permalink / raw)
  To: David Howells
  Cc: matthew.garrett, linux-efi, gnomes, gregkh, kexec, linux-kernel,
	linux-security-module, keyrings

On 04/05/17 at 09:15pm, David Howells wrote:
> From: Matthew Garrett <matthew.garrett@nebula.com>
> 
> kexec permits the loading and execution of arbitrary code in ring 0, which
> is something that lock-down is meant to prevent. It makes sense to disable
> kexec in this situation.
> 
> This does not affect kexec_file_load() which can check for a signature on the
> image to be booted.
> 
> Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
> Signed-off-by: David Howells <dhowells@redhat.com>
> cc: kexec@lists.infradead.org
> ---
> 
>  kernel/kexec.c |    7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/kernel/kexec.c b/kernel/kexec.c
> index 980936a90ee6..46de8e6b42f4 100644
> --- a/kernel/kexec.c
> +++ b/kernel/kexec.c
> @@ -194,6 +194,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
>  		return -EPERM;
>  
>  	/*
> +	 * kexec can be used to circumvent module loading restrictions, so
> +	 * prevent loading in that case
> +	 */
> +	if (kernel_is_locked_down())
> +		return -EPERM;
> +
> +	/*
>  	 * Verify we have a legal set of flags
>  	 * This leaves us room for future extensions.
>  	 */
> 
> 
> _______________________________________________
> kexec mailing list
> kexec@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/kexec

Acked-by: Dave Young <dyoung@redhat.com>

Thanks
Dave


* Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
  2017-04-07  3:05   ` Dave Young
@ 2017-04-07  3:49     ` Mimi Zohar
  2017-04-07  6:19       ` Dave Young
  2017-04-07  7:09       ` David Howells
  0 siblings, 2 replies; 19+ messages in thread
From: Mimi Zohar @ 2017-04-07  3:49 UTC (permalink / raw)
  To: Dave Young, David Howells
  Cc: Matthew Garrett, linux-efi, gnomes, gregkh, kexec, linux-kernel,
	Chun-Yi Lee, linux-security-module, keyrings, matthew.garrett

On Fri, 2017-04-07 at 11:05 +0800, Dave Young wrote:
> On 04/05/17 at 09:15pm, David Howells wrote:
> > From: Chun-Yi Lee <joeyli.kernel@gmail.com>
> > 
> > When KEXEC_VERIFY_SIG is not enabled, the kernel should not load images
> > through the kexec_file system call if securelevel has been set.
> > 
> > This code was shown in Matthew's patch but is not in git:
> > https://lkml.org/lkml/2015/3/13/778
> > 
> > Cc: Matthew Garrett <mjg59@srcf.ucam.org>
> > Signed-off-by: Chun-Yi Lee <jlee@suse.com>
> > Signed-off-by: David Howells <dhowells@redhat.com>
> > cc: kexec@lists.infradead.org
> > ---
> > 
> >  kernel/kexec_file.c |    6 ++++++
> >  1 file changed, 6 insertions(+)
> > 
> > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> > index b118735fea9d..f6937eecd1eb 100644
> > --- a/kernel/kexec_file.c
> > +++ b/kernel/kexec_file.c
> > @@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
> >  	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
> >  		return -EPERM;
> >  
> > +	/* Don't permit images to be loaded into trusted kernels if we're not
> > +	 * going to verify the signature on them
> > +	 */
> > +	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > +		return -EPERM;
> > +
> >  

IMA can be used to verify file signatures too, based on the LSM hooks
in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
required.

Mimi


> >  	/* Make sure we have a legal set of flags */
> >  	if (flags != (flags & KEXEC_FILE_FLAGS))
> >  		return -EINVAL;
> > 
> > 
> > _______________________________________________
> > kexec mailing list
> > kexec@lists.infradead.org
> > http://lists.infradead.org/mailman/listinfo/kexec
> 
> Acked-by: Dave Young <dyoung@redhat.com>
> 
> Thanks
> Dave
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 



* Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
  2017-04-07  3:49     ` Mimi Zohar
@ 2017-04-07  6:19       ` Dave Young
  2017-04-07  7:07         ` David Howells
  2017-04-07  7:45         ` Mimi Zohar
  2017-04-07  7:09       ` David Howells
  1 sibling, 2 replies; 19+ messages in thread
From: Dave Young @ 2017-04-07  6:19 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: Matthew Garrett, linux-efi, gnomes, Chun-Yi Lee, gregkh, kexec,
	linux-kernel, David Howells, linux-security-module, keyrings,
	matthew.garrett

On 04/06/17 at 11:49pm, Mimi Zohar wrote:
> On Fri, 2017-04-07 at 11:05 +0800, Dave Young wrote:
> > On 04/05/17 at 09:15pm, David Howells wrote:
> > > From: Chun-Yi Lee <joeyli.kernel@gmail.com>
> > > 
> > > When KEXEC_VERIFY_SIG is not enabled, the kernel should not load images
> > > through the kexec_file system call if securelevel has been set.
> > > 
> > > This code was shown in Matthew's patch but is not in git:
> > > https://lkml.org/lkml/2015/3/13/778
> > > 
> > > Cc: Matthew Garrett <mjg59@srcf.ucam.org>
> > > Signed-off-by: Chun-Yi Lee <jlee@suse.com>
> > > Signed-off-by: David Howells <dhowells@redhat.com>
> > > cc: kexec@lists.infradead.org
> > > ---
> > > 
> > >  kernel/kexec_file.c |    6 ++++++
> > >  1 file changed, 6 insertions(+)
> > > 
> > > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> > > index b118735fea9d..f6937eecd1eb 100644
> > > --- a/kernel/kexec_file.c
> > > +++ b/kernel/kexec_file.c
> > > @@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
> > >  	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
> > >  		return -EPERM;
> > >  
> > > +	/* Don't permit images to be loaded into trusted kernels if we're not
> > > +	 * going to verify the signature on them
> > > +	 */
> > > +	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > > +		return -EPERM;
> > > +
> > >  
> 
> IMA can be used to verify file signatures too, based on the LSM hooks
> in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> required.

Mimi, I remember we talked about something before regarding the two kinds of
signature verification. One can change the IMA policy in initramfs userspace;
also there is a kernel cmdline param to disable IMA, so can it break the
lockdown? Suppose a kexec boot with the IMA-disabling cmdline param and then
a kexec reboot again..

> 
> Mimi
> 
> 
> > >  	/* Make sure we have a legal set of flags */
> > >  	if (flags != (flags & KEXEC_FILE_FLAGS))
> > >  		return -EINVAL;
> > > 
> > > 
> > > _______________________________________________
> > > kexec mailing list
> > > kexec@lists.infradead.org
> > > http://lists.infradead.org/mailman/listinfo/kexec
> > 
> > Acked-by: Dave Young <dyoung@redhat.com>
> > 
> > Thanks
> > Dave
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> > 
> 


* Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
  2017-04-07  6:19       ` Dave Young
@ 2017-04-07  7:07         ` David Howells
  2017-04-07  7:41           ` Dave Young
  2017-04-07  7:45         ` Mimi Zohar
  1 sibling, 1 reply; 19+ messages in thread
From: David Howells @ 2017-04-07  7:07 UTC (permalink / raw)
  To: Dave Young
  Cc: Matthew Garrett, linux-efi, gnomes, Chun-Yi Lee, gregkh, kexec,
	linux-kernel, dhowells, linux-security-module, keyrings,
	matthew.garrett, Mimi Zohar

Dave Young <dyoung@redhat.com> wrote:

> > > > +	/* Don't permit images to be loaded into trusted kernels if we're not
> > > > +	 * going to verify the signature on them
> > > > +	 */
> > > > +	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > > > +		return -EPERM;
> > > > +
> > > >  
> > 
> > IMA can be used to verify file signatures too, based on the LSM hooks
> > in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> > required.
> 
> Mimi, I remember we talked about something before regarding the two kinds of
> signature verification. One can change the IMA policy in initramfs userspace;
> also there is a kernel cmdline param to disable IMA, so can it break the
> lockdown? Suppose a kexec boot with the IMA-disabling cmdline param and then
> a kexec reboot again..

I guess I should lock down the parameter to disable IMA too.

David


* Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
  2017-04-07  3:49     ` Mimi Zohar
  2017-04-07  6:19       ` Dave Young
@ 2017-04-07  7:09       ` David Howells
  2017-04-07  7:46         ` Mimi Zohar
  1 sibling, 1 reply; 19+ messages in thread
From: David Howells @ 2017-04-07  7:09 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: Matthew Garrett, linux-efi, gnomes, Chun-Yi Lee, gregkh, kexec,
	linux-kernel, dhowells, linux-security-module, keyrings,
	matthew.garrett, Dave Young

Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:

> > > +	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > > +		return -EPERM;
> > > +
> > >  
> 
> IMA can be used to verify file signatures too, based on the LSM hooks
> in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> required.

Okay, fair enough.  I can stick in an OR with an IS_ENABLED on some IMA
symbol.  CONFIG_IMA_KEXEC maybe?  And also require IMA be enabled?

David


* Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
  2017-04-07  7:07         ` David Howells
@ 2017-04-07  7:41           ` Dave Young
  2017-04-07  8:28             ` Mimi Zohar
  0 siblings, 1 reply; 19+ messages in thread
From: Dave Young @ 2017-04-07  7:41 UTC (permalink / raw)
  To: David Howells
  Cc: Matthew Garrett, linux-efi, gnomes, gregkh, kexec, linux-kernel,
	Chun-Yi Lee, linux-security-module, keyrings, matthew.garrett,
	Mimi Zohar

On 04/07/17 at 08:07am, David Howells wrote:
> Dave Young <dyoung@redhat.com> wrote:
> 
> > > > > +	/* Don't permit images to be loaded into trusted kernels if we're not
> > > > > +	 * going to verify the signature on them
> > > > > +	 */
> > > > > +	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > > > > +		return -EPERM;
> > > > > +
> > > > >  
> > > 
> > > IMA can be used to verify file signatures too, based on the LSM hooks
> > > in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> > > required.
> > 
> > Mimi, I remember we talked about something before regarding the two kinds of
> > signature verification. One can change the IMA policy in initramfs userspace;
> > also there is a kernel cmdline param to disable IMA, so can it break the
> > lockdown? Suppose a kexec boot with the IMA-disabling cmdline param and then
> > a kexec reboot again..
> 
> I guess I should lock down the parameter to disable IMA too.

That is one thing; a user can change the IMA policy in initramfs userspace.
I'm not sure if IMA enforces a signed policy now; if not, it will also be
a problem.

Thanks
Dave


* Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
  2017-04-07  6:19       ` Dave Young
  2017-04-07  7:07         ` David Howells
@ 2017-04-07  7:45         ` Mimi Zohar
  2017-04-07  8:01           ` Dave Young
  1 sibling, 1 reply; 19+ messages in thread
From: Mimi Zohar @ 2017-04-07  7:45 UTC (permalink / raw)
  To: Dave Young
  Cc: Matthew Garrett, linux-efi, gnomes, Chun-Yi Lee, gregkh, kexec,
	linux-kernel, David Howells, linux-security-module, keyrings,
	matthew.garrett

On Fri, 2017-04-07 at 14:19 +0800, Dave Young wrote:
> On 04/06/17 at 11:49pm, Mimi Zohar wrote:
> > On Fri, 2017-04-07 at 11:05 +0800, Dave Young wrote:
> > > On 04/05/17 at 09:15pm, David Howells wrote:
> > > > From: Chun-Yi Lee <joeyli.kernel@gmail.com>
> > > > 
> > > > When KEXEC_VERIFY_SIG is not enabled, the kernel should not load images
> > > > through the kexec_file system call if securelevel has been set.
> > > > 
> > > > This code was shown in Matthew's patch but is not in git:
> > > > https://lkml.org/lkml/2015/3/13/778

I specifically checked to make sure that either kexec_file() signature
verification was acceptable and would have commented then, if it had
not been included.

> > > > Cc: Matthew Garrett <mjg59@srcf.ucam.org>
> > > > Signed-off-by: Chun-Yi Lee <jlee@suse.com>
> > > > Signed-off-by: David Howells <dhowells@redhat.com>
> > > > cc: kexec@lists.infradead.org
> > > > ---
> > > > 
> > > >  kernel/kexec_file.c |    6 ++++++
> > > >  1 file changed, 6 insertions(+)
> > > > 
> > > > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> > > > index b118735fea9d..f6937eecd1eb 100644
> > > > --- a/kernel/kexec_file.c
> > > > +++ b/kernel/kexec_file.c
> > > > @@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
> > > >  	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
> > > >  		return -EPERM;
> > > >  
> > > > +	/* Don't permit images to be loaded into trusted kernels if we're not
> > > > +	 * going to verify the signature on them
> > > > +	 */
> > > > +	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > > > +		return -EPERM;
> > > > +
> > > >  
> > 
> > IMA can be used to verify file signatures too, based on the LSM hooks
> > in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> > required.
> 
> Mimi, I remember we talked about something before regarding the two kinds of
> signature verification. One can change the IMA policy in initramfs userspace;
> also there is a kernel cmdline param to disable IMA, so can it break the
> lockdown? Suppose a kexec boot with the IMA-disabling cmdline param and then
> a kexec reboot again..

Right, we discussed that the same method of measuring the kexec image
and initramfs, for extending trusted boot to the OS, could also be
used for verifying the kexec image and initramfs signatures, for
extending secure boot to the OS.  The file hash would be calculated
once for both.

All of your concerns could be addressed with very minor changes to
IMA.  (Continued in response to David.)

> > 
> > > >  	/* Make sure we have a legal set of flags */
> > > >  	if (flags != (flags & KEXEC_FILE_FLAGS))
> > > >  		return -EINVAL;
> > > > 
> > > > 
> > > > _______________________________________________
> > > > kexec mailing list
> > > > kexec@lists.infradead.org
> > > > http://lists.infradead.org/mailman/listinfo/kexec
> > > 
> > > Acked-by: Dave Young <dyoung@redhat.com>
> > > 
> > > Thanks
> > > Dave
> > > --
> > > To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> > > the body of a message to majordomo@vger.kernel.org
> > > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> > > 
> > 
> 



* Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
  2017-04-07  7:09       ` David Howells
@ 2017-04-07  7:46         ` Mimi Zohar
  2017-04-07  9:17           ` David Howells
  0 siblings, 1 reply; 19+ messages in thread
From: Mimi Zohar @ 2017-04-07  7:46 UTC (permalink / raw)
  To: David Howells
  Cc: Matthew Garrett, linux-efi, gnomes, gregkh, kexec, linux-kernel,
	Chun-Yi Lee, linux-security-module, keyrings, matthew.garrett,
	Dave Young

On Fri, 2017-04-07 at 08:09 +0100, David Howells wrote:
> Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> 
> > > > +	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > > > +		return -EPERM;
> > > > +
> > > >  
> > 
> > IMA can be used to verify file signatures too, based on the LSM hooks
> > in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> > required.
> 
> Okay, fair enough.  I can stick in an OR with an IS_ENABLED on some IMA
> symbol.  CONFIG_IMA_KEXEC maybe?  And also require IMA be enabled?

Not quite, since as Dave pointed out, IMA is policy driven.  As a
policy is installed, we could set a flag.

Mimi



* Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
  2017-04-07  7:45         ` Mimi Zohar
@ 2017-04-07  8:01           ` Dave Young
  0 siblings, 0 replies; 19+ messages in thread
From: Dave Young @ 2017-04-07  8:01 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: Matthew Garrett, linux-efi, gnomes, Chun-Yi Lee, gregkh, kexec,
	linux-kernel, David Howells, linux-security-module, keyrings,
	matthew.garrett

On 04/07/17 at 03:45am, Mimi Zohar wrote:
> On Fri, 2017-04-07 at 14:19 +0800, Dave Young wrote:
> > On 04/06/17 at 11:49pm, Mimi Zohar wrote:
> > > On Fri, 2017-04-07 at 11:05 +0800, Dave Young wrote:
> > > > On 04/05/17 at 09:15pm, David Howells wrote:
> > > > > From: Chun-Yi Lee <joeyli.kernel@gmail.com>
> > > > > 
> > > > > When KEXEC_VERIFY_SIG is not enabled, the kernel should not load images
> > > > > through the kexec_file system call if securelevel has been set.
> > > > > 
> > > > > This code was shown in Matthew's patch but is not in git:
> > > > > https://lkml.org/lkml/2015/3/13/778
> 
> I specifically checked to make sure that either kexec_file() signature
> verification was acceptable and would have commented then, if it had
> not been included.
> 
> > > > > Cc: Matthew Garrett <mjg59@srcf.ucam.org>
> > > > > Signed-off-by: Chun-Yi Lee <jlee@suse.com>
> > > > > Signed-off-by: David Howells <dhowells@redhat.com>
> > > > > cc: kexec@lists.infradead.org
> > > > > ---
> > > > > 
> > > > >  kernel/kexec_file.c |    6 ++++++
> > > > >  1 file changed, 6 insertions(+)
> > > > > 
> > > > > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> > > > > index b118735fea9d..f6937eecd1eb 100644
> > > > > --- a/kernel/kexec_file.c
> > > > > +++ b/kernel/kexec_file.c
> > > > > @@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
> > > > >  	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
> > > > >  		return -EPERM;
> > > > >  
> > > > > +	/* Don't permit images to be loaded into trusted kernels if we're not
> > > > > +	 * going to verify the signature on them
> > > > > +	 */
> > > > > +	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > > > > +		return -EPERM;
> > > > > +
> > > > >  
> > > 
> > > IMA can be used to verify file signatures too, based on the LSM hooks
> > > in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> > > required.
> > 
> > Mimi, I remember we talked about something before regarding the two kinds of
> > signature verification. One can change the IMA policy in initramfs userspace;
> > also there is a kernel cmdline param to disable IMA, so can it break the
> > lockdown? Suppose a kexec boot with the IMA-disabling cmdline param and then
> > a kexec reboot again..
> 
> Right, we discussed that the same method of measuring the kexec image
> and initramfs, for extending trusted boot to the OS, could also be
> used for verifying the kexec image and initramfs signatures, for
> extending secure boot to the OS.  The file hash would be calculated
> once for both.
> 
> All of your concerns could be addressed with very minor changes to
> IMA.  (Continued in response to David.)

Thanks! As long as IMA can ensure it does not break the lockdown, it should be
fine to add a check for either !CONFIG_KEXEC_VERIFY_SIG or !IMA
enforced.

> 
> > > 
> > > > >  	/* Make sure we have a legal set of flags */
> > > > >  	if (flags != (flags & KEXEC_FILE_FLAGS))
> > > > >  		return -EINVAL;
> > > > > 
> > > > > 
> > > > > _______________________________________________
> > > > > kexec mailing list
> > > > > kexec@lists.infradead.org
> > > > > http://lists.infradead.org/mailman/listinfo/kexec
> > > > 
> > > > Acked-by: Dave Young <dyoung@redhat.com>
> > > > 
> > > > Thanks
> > > > Dave
> > > > --
> > > > To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> > > > the body of a message to majordomo@vger.kernel.org
> > > > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> > > > 
> > > 
> > 
> 


* Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
  2017-04-07  7:41           ` Dave Young
@ 2017-04-07  8:28             ` Mimi Zohar
  2017-04-07  8:42               ` Dave Young
  0 siblings, 1 reply; 19+ messages in thread
From: Mimi Zohar @ 2017-04-07  8:28 UTC (permalink / raw)
  To: Dave Young, David Howells
  Cc: Matthew Garrett, linux-efi, gnomes, gregkh, kexec, linux-kernel,
	Chun-Yi Lee, linux-security-module, keyrings, matthew.garrett

On Fri, 2017-04-07 at 15:41 +0800, Dave Young wrote:
> On 04/07/17 at 08:07am, David Howells wrote:
> > Dave Young <dyoung@redhat.com> wrote:
> > 
> > > > > > +	/* Don't permit images to be loaded into trusted kernels if we're not
> > > > > > +	 * going to verify the signature on them
> > > > > > +	 */
> > > > > > +	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > > > > > +		return -EPERM;
> > > > > > +
> > > > > >  
> > > > 
> > > > IMA can be used to verify file signatures too, based on the LSM hooks
> > > > in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> > > > required.
> > > 
> > > Mimi, I remember we talked about something before regarding the two kinds of
> > > signature verification. One can change the IMA policy in initramfs userspace;
> > > also there is a kernel cmdline param to disable IMA, so can it break the
> > > lockdown? Suppose a kexec boot with the IMA-disabling cmdline param and then
> > > a kexec reboot again..
> > 
> > I guess I should lock down the parameter to disable IMA too.
> 
> That is one thing; a user can change the IMA policy in initramfs userspace.
> I'm not sure if IMA enforces a signed policy now; if not, it will also be
> a problem.

I'm not sure how this relates to the question of whether IMA verifies
the kexec kernel image signature, as the test would not be based on a
Kconfig option, but on a runtime variable.

To answer your question, the rule for requiring the policy to be
signed is:  appraise func=POLICY_CHECK appraise_type=imasig

When the ability to append rules is Kconfig enabled, the builtin
policy requires the new policy or additional rules to be signed.
Unfortunately, always requiring the policy to be signed would have
broken userspace.

Mimi



* Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
  2017-04-07  8:28             ` Mimi Zohar
@ 2017-04-07  8:42               ` Dave Young
  0 siblings, 0 replies; 19+ messages in thread
From: Dave Young @ 2017-04-07  8:42 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: Matthew Garrett, linux-efi, gnomes, Chun-Yi Lee, gregkh, kexec,
	linux-kernel, David Howells, linux-security-module, keyrings,
	matthew.garrett

On 04/07/17 at 04:28am, Mimi Zohar wrote:
> On Fri, 2017-04-07 at 15:41 +0800, Dave Young wrote:
> > On 04/07/17 at 08:07am, David Howells wrote:
> > > Dave Young <dyoung@redhat.com> wrote:
> > > 
> > > > > > > +	/* Don't permit images to be loaded into trusted kernels if we're not
> > > > > > > +	 * going to verify the signature on them
> > > > > > > +	 */
> > > > > > > +	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > > > > > > +		return -EPERM;
> > > > > > > +
> > > > > > >  
> > > > > 
> > > > > IMA can be used to verify file signatures too, based on the LSM hooks
> > > > > in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> > > > > required.
> > > > 
> > > > Mimi, I remember we talked something before about the two signature 
> > > > verification. One can change IMA policy in initramfs userspace,
> > > > also there are kernel cmdline param to disable IMA, so it can break the
> > > > lockdown? Suppose kexec boot with ima disabled cmdline param and then
> > > > kexec reboot again..
> > > 
> > > I guess I should lock down the parameter to disable IMA too.
> > 
> > That is one thing, user can change IMA policy in initramfs userspace,
> > I'm not sure if IMA enforce the signed policy now, if no it will be also
> > a problem.
> 
> I'm not sure how this relates to the question of whether IMA verifies
> the kexec kernel image signature, as the test would not be based on a
> Kconfig option, but on a runtime variable.

I assumed one can change the policy to avoid kexec and initramfs check.
And we use a global IMA status in the -EPERM check for the lockdown
checking.  But if there is some fine grained checking to ensure kernel
signature verification it should be fine.
> 
> To answer your question, the rule for requiring the policy to be
> signed is:  appraise func=POLICY_CHECK appraise_type=imasig
> 
> When the ability to append rules is Kconfig enabled, the builtin
> policy requires the new policy or additional rules to be signed.
> Unfortunately, always requiring the policy to be signed would have
> broken userspace.
> 
> Mimi
> 

Thanks
Dave


* Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
  2017-04-07  7:46         ` Mimi Zohar
@ 2017-04-07  9:17           ` David Howells
  2017-04-07 12:36             ` Mimi Zohar
  0 siblings, 1 reply; 19+ messages in thread
From: David Howells @ 2017-04-07  9:17 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: Matthew Garrett, linux-efi, gnomes, Chun-Yi Lee, gregkh, kexec,
	linux-kernel, dhowells, linux-security-module, keyrings,
	matthew.garrett, Dave Young

Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:

> > Okay, fair enough.  I can stick in an OR with an IS_ENABLED on some IMA
> > symbol.  CONFIG_IMA_KEXEC maybe?  And also require IMA be enabled?
> 
> Not quite, since as Dave pointed out, IMA is policy driven.  As a
> policy is installed, we could set a flag.

Does such a flag exist as yet?

David


* Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
  2017-04-07  9:17           ` David Howells
@ 2017-04-07 12:36             ` Mimi Zohar
  2017-04-10 13:19               ` David Howells
  0 siblings, 1 reply; 19+ messages in thread
From: Mimi Zohar @ 2017-04-07 12:36 UTC (permalink / raw)
  To: David Howells
  Cc: Matthew Garrett, linux-efi, gnomes, gregkh, kexec, linux-kernel,
	Chun-Yi Lee, linux-security-module, keyrings, matthew.garrett,
	Dave Young

On Fri, 2017-04-07 at 10:17 +0100, David Howells wrote:
> Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> 
> > > Okay, fair enough.  I can stick in an OR with an IS_ENABLED on some IMA
> > > symbol.  CONFIG_IMA_KEXEC maybe?  And also require IMA be enabled?
> > 
> > Not quite, since as Dave pointed out, IMA is policy driven.  As a
> > policy is installed, we could set a flag.
> 
> Does such a flag exist as yet?

Not exactly what is needed.  There's a flag named ima_appraise, which
is used internally in IMA. A temporary flag is created, while
validating the rules.

	if (default_appraise_rules[i].func == POLICY_CHECK)
		temp_ima_appraise |= IMA_APPRAISE_POLICY;

	if (!result && (entry->action == UNKNOWN))
		result = -EINVAL;
	else if (entry->func == MODULE_CHECK)
		temp_ima_appraise |= IMA_APPRAISE_MODULES;
	else if (entry->func == FIRMWARE_CHECK)
		temp_ima_appraise |= IMA_APPRAISE_FIRMWARE;
	else if (entry->func == POLICY_CHECK)
		temp_ima_appraise |= IMA_APPRAISE_POLICY;

If the entire policy is valid, ima_update_policy_flag() sets the ima_appraise flag.

	ima_appraise |= temp_ima_appraise;

From an IMA perspective, either a file hash or a signature is valid,
but for this usage it must be a signature.  So in addition to testing
entry->func, above, entry->flags would need to be tested as well to
detect if IMA_DIGSIG_REQUIRED is set.

Mimi
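
The runtime flag Mimi describes above and the -EPERM gate Dave and David are discussing, written up as a self-contained model for this page (added example, not kernel code): it assumes a simplified rule entry, borrows the kernel's hook and flag names as local definitions, and adds a hypothetical IMA_APPRAISE_KEXEC_SIG bit that is set only when a KEXEC_KERNEL_CHECK appraise rule carries IMA_DIGSIG_REQUIRED.

```c
/* Added model (not kernel code) of the runtime flag discussed above: derive
 * from the IMA policy whether kexec kernel images will have a signature
 * appraised, and gate kexec_file_load() on that instead of IS_ENABLED(). */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
/* Local stand-ins for the kernel enums; values are this model's own. */
enum ima_hooks { FILE_CHECK, MODULE_CHECK, FIRMWARE_CHECK, KEXEC_KERNEL_CHECK, POLICY_CHECK };
enum ima_action { MEASURE, APPRAISE, DONT_APPRAISE };
#define IMA_DIGSIG_REQUIRED    0x01 /* rule carries appraise_type=imasig */
#define IMA_APPRAISE_MODULES   0x01
#define IMA_APPRAISE_FIRMWARE  0x02
#define IMA_APPRAISE_POLICY    0x04
#define IMA_APPRAISE_KEXEC_SIG 0x08 /* hypothetical bit: kexec image must be signed */
struct ima_rule_entry { enum ima_hooks func; enum ima_action action; unsigned int flags; };

/* Accumulate the appraise mask the way the thread describes
 * temp_ima_appraise being built, adding Mimi's entry->flags test so a
 * kexec rule counts only when it actually demands a digital signature. */
unsigned int compute_appraise_flags(const struct ima_rule_entry *rules, size_t n)
{
	unsigned int appraise = 0;
	for (size_t i = 0; i < n; i++) {
		if (rules[i].action != APPRAISE)	/* measure-only rules never appraise */
			continue;
		switch (rules[i].func) {
		case MODULE_CHECK:   appraise |= IMA_APPRAISE_MODULES;  break;
		case FIRMWARE_CHECK: appraise |= IMA_APPRAISE_FIRMWARE; break;
		case POLICY_CHECK:   appraise |= IMA_APPRAISE_POLICY;   break;
		case KEXEC_KERNEL_CHECK:
			if (rules[i].flags & IMA_DIGSIG_REQUIRED)
				appraise |= IMA_APPRAISE_KEXEC_SIG;
			break;
		default: break;
		}
	}
	return appraise;
}

/* Lockdown gate for kexec_file_load(): 0 when the load may proceed, -EPERM
 * when the kernel is locked down and nothing will verify the image signature
 * (neither built-in kexec verification nor an IMA signature rule). */
int kexec_file_lockdown_check(bool locked_down, bool kexec_verify_sig,
			      unsigned int ima_appraise)
{
	if (!locked_down)
		return 0;
	if (kexec_verify_sig || (ima_appraise & IMA_APPRAISE_KEXEC_SIG))
		return 0;
	return -EPERM;
}
```

A hash-only kexec rule (no imasig) deliberately does not set the bit, matching Mimi's point that for this use a signature, not a hash, is what must be required.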



* Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
  2017-04-07 12:36             ` Mimi Zohar
@ 2017-04-10 13:19               ` David Howells
  2017-05-02 19:01                 ` Mimi Zohar
  0 siblings, 1 reply; 19+ messages in thread
From: David Howells @ 2017-04-10 13:19 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: Matthew Garrett, linux-efi, gnomes, Chun-Yi Lee, gregkh, kexec,
	linux-kernel, dhowells, linux-security-module, keyrings,
	matthew.garrett, Dave Young

Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:

> From an IMA perspective, either a file hash or a signature is valid,
> but for this usage it must be a signature.

Not necessarily.  If IMA can guarantee that a module is the same based on its
hash rather than on a key, I would've thought that should be fine.

David


* Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
  2017-04-10 13:19               ` David Howells
@ 2017-05-02 19:01                 ` Mimi Zohar
  0 siblings, 0 replies; 19+ messages in thread
From: Mimi Zohar @ 2017-05-02 19:01 UTC (permalink / raw)
  To: David Howells
  Cc: Matthew Garrett, linux-efi, gnomes, gregkh, kexec, linux-kernel,
	Chun-Yi Lee, linux-security-module, keyrings, matthew.garrett,
	Dave Young

Hi David,

On Mon, 2017-04-10 at 14:19 +0100, David Howells wrote:
> Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> 
> > From an IMA perspective, either a file hash or a signature is valid,
> > but for this usage it must be a signature.
> 
> Not necessarily.  If IMA can guarantee that a module is the same based on its
> hash rather than on a key, I would've thought that should be fine.

File hashes can be modified on the running system, so they're normally
used, in conjunction with EVM, to detect offline modification of
mutable files and prevent their usage.

These patches https://lkml.org/lkml/2017/5/2/465 should provide some
of the missing functionality.

Mimi


