From: jlee@suse.com (joeyli)
To: linux-security-module@vger.kernel.org
Subject: An actual suggestion (Re: [GIT PULL] Kernel lockdown for secure boot)
Date: Thu, 5 Apr 2018 10:16:50 +0800 [thread overview]
Message-ID: <20180405021650.GC7362@linux-l9pv.suse> (raw)
In-Reply-To: <1119.1522858644@warthog.procyon.org.uk>
Hi David,
On Wed, Apr 04, 2018 at 05:17:24PM +0100, David Howells wrote:
> Andy Lutomirski <luto@kernel.org> wrote:
>
> > Since this thread has devolved horribly, I'm going to propose a solution.
> >
> > 1. Split the "lockdown" state into three levels: (please don't
> > bikeshed about the names right now.)
> >
> > LOCKDOWN_NONE: normal behavior
> >
> > LOCKDOWN_PROTECT_INTEGREITY: kernel tries to keep root from writing to
> > kernel memory
> >
> > LOCKDOWN_PROTECT_INTEGRITY_AND_SECRECY: kernel tries to keep root from
> > reading or writing kernel memory.
>
> In theory, it's good idea, but in practice it's not as easy to implement as I
> think you think.
>
> Let me list here the things that currently get restricted by lockdown:
>
[...snip]
> (5) Kexec.
>
About IMA with kernel module signing and kexec(not on x86_64 yet)...
Because IMA can be used to verify the integrity of kernel module or even
the image for kexec. I think that the
IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY must be enabled at runtime
when kernel is locked-down.
Because the root can enroll master key to keyring then IMA trusts the ima key
derived from master key. It causes that the arbitrary signed module can be loaded
when the root compromised.
Thanks
Joey Lee
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2018-04-05 2:16 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-04 14:49 An actual suggestion (Re: [GIT PULL] Kernel lockdown for secure boot) Andy Lutomirski
2018-04-04 16:17 ` David Howells
2018-04-04 16:23 ` Jann Horn
2018-04-04 16:36 ` Andy Lutomirski
2018-04-04 22:19 ` David Howells
2018-04-05 1:48 ` joeyli
2018-04-04 23:25 ` James Morris
2018-04-05 0:22 ` Matthew Garrett
2018-04-05 2:16 ` joeyli [this message]
2018-04-05 14:01 ` Mimi Zohar
2018-04-05 16:11 ` jlee at suse.com
2018-04-05 1:45 ` joeyli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180405021650.GC7362@linux-l9pv.suse \
--to=jlee@suse.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).