From: Mimi Zohar <zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
To: David Howells <dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	gnomes-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org,
	linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org,
	gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	jforbes-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org
Subject: Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down
Date: Thu, 02 Nov 2017 17:41:21 -0400
Message-ID: <1509658881.3416.10.camel@linux.vnet.ibm.com>
In-Reply-To: <12321.1509658211-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>

On Thu, 2017-11-02 at 21:30 +0000, David Howells wrote:
> Mimi Zohar <zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org> wrote:
> 
> > By this point, IMA-appraisal has already verified the kernel module
> > signature back in kernel_read_file_from_fd(), if it was required.
> > Having a key with which to verify the appended signature or requiring
> > an appended signature, should not be required as well.
> 
> I guess I don't need to put in any support for IMA here, then, and you've
> taken care of it in your patchset such that it won't actually go into
> module_sig_check() in that case (or will at least return immediately).

Right, it would never get here if the IMA signature verification
fails.  If sig_enforce is not enabled, then it will also work.  So the
only case is if sig_enforced is enabled and there is no key.

eg.
         else if (can_do_ima_check && is_ima_appraise_enabled())
                err = 0;

Mimi 
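The decision the thread describes, as an added model written for this page (not the kernel's own module_sig_check() and not code from this patch series): the appended-signature marker is detected and stripped, a missing key yields -ENOKEY, and the only case that needs the IMA carve-out is sig_enforce (or lockdown) with no key to verify the appended signature. The `struct policy`, `load_module()` and `from_fd` names are hypothetical stand-ins; the `MODULE_SIG_STRING` value is the real marker.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Marker the kernel appends after a module signature (the real string). */
#define MODULE_SIG_STRING "~Module signature appended~\n"

/* Hypothetical stand-in for the kernel's struct load_info. */
struct load_info {
    const char *hdr;
    size_t len;       /* reduced when the signature block is stripped */
    bool sig_ok;
};

/* Policy and keyring state that module_sig_check() consults, made explicit (hypothetical). */
struct policy {
    bool sig_enforce;          /* module.sig_enforce / CONFIG_MODULE_SIG_FORCE */
    bool locked_down;          /* kernel_is_locked_down() */
    bool ima_appraise_enabled; /* is_ima_appraise_enabled() */
    bool have_key;             /* keyring holds a key that verifies the appended signature */
    bool ima_appraise_ok;      /* what IMA-appraisal concluded for the file */
};

/* Stand-in for mod_verify_sig(): no matching key yields -ENOKEY. */
static int mod_verify_sig(const struct policy *p) { return p->have_key ? 0 : -ENOKEY; }

/* Model of module_sig_check() with the IMA carve-out from the thread. */
int module_sig_check(struct load_info *info, const struct policy *p, bool can_do_ima_check) {
    const size_t markerlen = sizeof(MODULE_SIG_STRING) - 1;
    int err = -ENOKEY;   /* no appended signature at all */

    if (info->len > markerlen &&
        memcmp(info->hdr + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) {
        info->len -= markerlen;  /* drop the marker before verifying */
        err = mod_verify_sig(p);
    }
    if (!err) { info->sig_ok = true; return 0; }

    /* Not having a verifiable signature is only an error if we're strict. */
    if (err == -ENOKEY && !p->sig_enforce && !p->locked_down)
        err = 0;
    else if (err == -ENOKEY && can_do_ima_check && p->ima_appraise_enabled)
        err = 0;   /* IMA-appraisal already verified the file in kernel_read_file_from_fd() */
    return err;
}

/* Model of the finit_module() path: IMA-appraisal runs on the fd first, so a failing
 * appraisal never reaches module_sig_check(). init_module() loads from memory, has no
 * file to appraise, and therefore passes can_do_ima_check = false. */
int load_module(const char *image, size_t len, const struct policy *p, bool from_fd) {
    struct load_info info = { .hdr = image, .len = len, .sig_ok = false };
    if (from_fd && p->ima_appraise_enabled && !p->ima_appraise_ok)
        return -EACCES;
    return module_sig_check(&info, p, from_fd);
}

/* Constructed sample images (not real modules): body without and with a signature block. */
static const char UNSIGNED_IMAGE[] = "ELF-fake-module-body";
static const char SIGNED_IMAGE[]   = "ELF-fake-module-body" "SIGBLOB" MODULE_SIG_STRING;
```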
