From: Mimi Zohar <zohar@linux.ibm.com>
To: Michal Suchanek <msuchanek@suse.de>,
keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-integrity@vger.kernel.org
Cc: kexec@lists.infradead.org, Philipp Rudo <prudo@redhat.com>,
Nayna <nayna@linux.vnet.ibm.com>, Rob Herring <robh@kernel.org>,
linux-s390@vger.kernel.org, Vasily Gorbik <gor@linux.ibm.com>,
Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
Heiko Carstens <hca@linux.ibm.com>, Jessica Yu <jeyu@kernel.org>,
linux-kernel@vger.kernel.org, David Howells <dhowells@redhat.com>,
Christian Borntraeger <borntraeger@de.ibm.com>,
Luis Chamberlain <mcgrof@kernel.org>,
Paul Mackerras <paulus@samba.org>,
Hari Bathini <hbathini@linux.ibm.com>,
Alexander Gordeev <agordeev@linux.ibm.com>,
linuxppc-dev@lists.ozlabs.org,
Frank van der Linden <fllinden@amazon.com>,
Thiago Jung Bauermann <bauerman@linux.ibm.com>,
Daniel Axtens <dja@axtens.net>,
buendgen@de.ibm.com, Michael Ellerman <mpe@ellerman.id.au>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Christian Borntraeger <borntraeger@linux.ibm.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Sven Schnelle <svens@linux.ibm.com>, Baoquan He <bhe@redhat.com>,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH v5 2/6] powerpc/kexec_file: Add KEXEC_SIG support.
Date: Mon, 14 Feb 2022 10:14:16 -0500 [thread overview]
Message-ID: <a8d717a44e5e919676e9b1e197cac781db46da87.camel@linux.ibm.com> (raw)
In-Reply-To: <cff97dbe262919ff709a5ad2c4af6a702cc72a95.camel@linux.ibm.com>
Hi Michal,
On Sun, 2022-02-13 at 21:59 -0500, Mimi Zohar wrote:
>
> On Tue, 2022-01-11 at 12:37 +0100, Michal Suchanek wrote:
> > diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
> > index dea74d7717c0..1cde9b6c5987 100644
> > --- a/arch/powerpc/Kconfig
> > +++ b/arch/powerpc/Kconfig
> > @@ -560,6 +560,22 @@ config KEXEC_FILE
> > config ARCH_HAS_KEXEC_PURGATORY
> > def_bool KEXEC_FILE
> >
> > +config KEXEC_SIG
> > + bool "Verify kernel signature during kexec_file_load() syscall"
> > + depends on KEXEC_FILE && MODULE_SIG_FORMAT
> > + help
> > + This option makes kernel signature verification mandatory for
> > + the kexec_file_load() syscall.
>
> When KEXEC_SIG is enabled on other architectures, IMA does not define a
> kexec 'appraise' policy rule. Refer to the policy rules in
> security/ima/ima_efi.c. Similarly the kexec 'appraise' policy rule in
> arch/powerpc/kernel/ima_policy.c should not be defined.
The discussion shouldn't only be about IMA vs. KEXEC_SIG kernel image
signature verification. Let's try and reframe the problem a bit.
1. Unify and simply the existing kexec signature verification so
verifying the KEXEC kernel image signature works irrespective of
signature type - PE, appended signature.
solution: enable KEXEC_SIG (This patch set, with the above powerpc IMA
policy changes.)
2. Measure and include the kexec kernel image in a log for attestation,
if desired.
solution: enable IMA_ARCH_POLICY
- Powerpc: requires trusted boot to be enabled.
- EFI: requires secure boot to be enabled. The IMA efi policy
doesn't differentiate between secure and trusted boot.
3. Carry the kexec kernel image measurement across kexec, if desired
and supported on the architecture.
solution: enable IMA_KEXEC
Comparison:
- Are there any differences between IMA vs. KEXEC_SIG measuring the
kexec kernel image?
One of the main differences is "what" is included in the measurement
list differs. In both cases, the 'd-ng' field of the IMA measurement
list template (e.g. ima-ng, ima-sig, ima-modsig) is the full file hash
including the appended signature. With IMA and the 'ima-modsig'
template, an additional hash without the appended signature is defined,
as well as including the appended signature in the 'sig' field.
Including the file hash and appended signature in the measurement list
allows an attestation server, for example, to verify the appended
signature without having to know the file hash without the signature.
Other differences are already included in the Kconfig KEXEC_SIG "Notes"
section.
--
thanks,
Mimi
next prev parent reply other threads:[~2022-02-14 15:15 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-11 11:37 [PATCH v5 0/6] KEXEC_SIG with appended signature Michal Suchanek
2022-01-11 11:37 ` [PATCH v5 1/6] s390/kexec_file: Don't opencode appended signature check Michal Suchanek
2022-01-11 11:37 ` [PATCH v5 2/6] powerpc/kexec_file: Add KEXEC_SIG support Michal Suchanek
2022-02-09 4:43 ` Michael Ellerman
2022-02-09 6:44 ` Paul Menzel
2022-02-09 12:01 ` Michal Suchánek
2022-02-11 15:31 ` Paul Menzel
2022-02-13 17:50 ` Mimi Zohar
2022-02-14 2:59 ` Mimi Zohar
2022-02-14 15:14 ` Mimi Zohar [this message]
2022-02-14 15:55 ` Michal Suchánek
2022-02-14 17:09 ` Mimi Zohar
2022-01-11 11:37 ` [PATCH v5 3/6] kexec_file: Don't opencode appended signature verification Michal Suchanek
2022-01-25 20:15 ` Luis Chamberlain
2022-02-03 10:49 ` Michal Suchánek
2022-01-11 11:37 ` [PATCH v5 4/6] module: strip the signature marker in the verification function Michal Suchanek
2022-01-25 20:23 ` Luis Chamberlain
2022-01-11 11:37 ` [PATCH v5 5/6] module: Use key_being_used_for for log messages in verify_appended_signature Michal Suchanek
2022-01-25 20:24 ` Luis Chamberlain
2022-01-11 11:37 ` [PATCH v5 6/6] module: Move duplicate mod_check_sig users code to mod_parse_sig Michal Suchanek
2022-01-25 20:27 ` Luis Chamberlain
2022-01-25 20:30 ` [PATCH v5 0/6] KEXEC_SIG with appended signature Luis Chamberlain
2022-02-09 4:46 ` Michael Ellerman
2022-02-10 23:30 ` Luis Chamberlain
2022-02-13 18:53 ` Mimi Zohar
2022-02-13 20:27 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a8d717a44e5e919676e9b1e197cac781db46da87.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=agordeev@linux.ibm.com \
--cc=bauerman@linux.ibm.com \
--cc=benh@kernel.crashing.org \
--cc=bhe@redhat.com \
--cc=borntraeger@de.ibm.com \
--cc=borntraeger@linux.ibm.com \
--cc=buendgen@de.ibm.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dja@axtens.net \
--cc=dmitry.kasatkin@gmail.com \
--cc=fllinden@amazon.com \
--cc=gor@linux.ibm.com \
--cc=hbathini@linux.ibm.com \
--cc=hca@linux.ibm.com \
--cc=herbert@gondor.apana.org.au \
--cc=jeyu@kernel.org \
--cc=jmorris@namei.org \
--cc=kexec@lists.infradead.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=mcgrof@kernel.org \
--cc=mpe@ellerman.id.au \
--cc=msuchanek@suse.de \
--cc=nayna@linux.vnet.ibm.com \
--cc=nramas@linux.microsoft.com \
--cc=paulus@samba.org \
--cc=prudo@redhat.com \
--cc=robh@kernel.org \
--cc=serge@hallyn.com \
--cc=svens@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).